METHOD FOR DETERMINING A PERMISSIBLE STATE VARIABLE BOUNDARY VALUE OF A TECHNICAL SYSTEM IN A VEHICLE

Abstract

A method for determining a permissible state variable boundary value of a technical system in a vehicle. The controllability of a subsystem is ascertained on the basis of an ASIL index and is determined from the controllability of the state variable boundary value.

Claims

1. A method for determining a permissible state variable boundary value of a technical system in a vehicle, via which a driving state variable in the vehicle can be influenced, based on an Automotive Safety Integrity Level (ASIL) index that characterizes a potential hazard of the technical system and is made up of parameters for a probability of occurrence in relation to a frequency distribution of a state variable of a driving situation, a controllability of a risk situation in the case of a malfunction in the driving situation, and a degree of severity of the risk situation, each ASIL index being assigned an ASIL summed index of a sum of the probability of occurrence, controllability, and degree of severity, the method comprising the following steps: defining or determining the ASIL index of a subsystem of the technical system; ascertaining a controllability of the subsystem from the ASIL summed index of the subsystem minus a current probability of occurrence in relation to a frequency distribution of a state variable of the subsystem and minus a current degree of severity, which is ascertained from the state variable of the subsystem; and ascertaining the permissible state variable boundary value of the technical system based on the ascertained controllability of the subsystem and taking into account an ASIL index specified for the technical system and/or for a current driving situation.

2. The method as recited in claim 1, wherein the driving situation is a braking process and/or a steering process in the vehicle.

3. The method as recited in claim 1, wherein the subsystem is a sensor system in the vehicle.

4. The method as recited in claim 1, wherein the technical system in the vehicle is an autonomous or partly autonomous driver assistance system.

5. The method as recited in claim 1, wherein the technical system in the vehicle is an electronic stability control system.

6. The method as recited in claim 1, wherein the technical system in the vehicle is an electronic stability program (ESP).

7. The method as recited in claim 1, wherein the probability of occurrence in relation to the frequency distribution of the state variable of the subsystem is determined from a characteristic curve that indicates a distribution of the state variable in relation to the state variable.

8. The method as recited in claim 1, wherein the state variable of the subsystem is a transverse acceleration of the vehicle.

9. The method as recited in claim 1, wherein the permissible state variable boundary value, which is ascertained from the ascertained controllability of the subsystem, relates to an interfering variable of the technical system.

10. The method as recited in claim 1, wherein the permissible state variable boundary value, which is ascertained from the ascertained controllability of the subsystem, relates to an interfering yaw moment.

11. The method as recited in claim 1, wherein the permissible state variable boundary value of the technical system, which is ascertained on based on the controllability of the subsystem, is calculated from an empirical relation from the controllability of the subsystem.

12. The method as recited in claim 1, wherein the permissible state variable boundary value of the technical system, which is ascertained based on the controllability of the subsystem, is calculated from a physical relation directly or indirectly from the controllability of the subsystem.

13. The method as recited in claim 1, wherein the controllability of the subsystem is set to a value that is smaller than the ASIL summed index of the subsystem minus the current probability of occurrence minus the current degree of severity.

14. A control device configured to determine a permissible state variable boundary value of a technical system in a vehicle, via which a driving state variable in the vehicle can be influenced, based on an Automotive Safety Integrity Level (ASIL) index that characterizes a potential hazard of the technical system and is made up of parameters for a probability of occurrence in relation to a frequency distribution of a state variable of a driving situation, a controllability of a risk situation in the case of a malfunction in the driving situation, and a degree of severity of the risk situation, each ASIL index being assigned an ASIL summed index of a sum of the probability of occurrence, controllability, and degree of severity, the control device being configured to: define or determine the ASIL index of a subsystem of the technical system; ascertain a controllability of the subsystem from the ASIL summed index of the subsystem minus a current probability of occurrence in relation to a frequency distribution of a state variable of the subsystem and minus a current degree of severity, which is ascertained from the state variable of the subsystem; and ascertain the permissible state variable boundary value of the technical system based on the ascertained controllability of the subsystem and taking into account an ASIL index specified for the technical system and/or for a current driving situation.

15. A technical system in a vehicle for influencing a driving state variable, comprising: a control device configured to determine a permissible state variable boundary value of the technical system, via which the driving state variable in the vehicle can be influenced, based on an Automotive Safety Integrity Level (ASIL) index that characterizes a potential hazard of the technical system and is made up of parameters for a probability of occurrence in relation to a frequency distribution of a state variable of a driving situation, a controllability of a risk situation in the case of a malfunction in the driving situation, and a degree of severity of the risk situation, each ASIL index being assigned an ASIL summed index of a sum of the probability of occurrence, controllability, and degree of severity, the control device being configured to: define or determine the ASIL index of a subsystem of the technical system; ascertain a controllability of the subsystem from the ASIL summed index of the subsystem minus a current probability of occurrence in relation to a frequency distribution of a state variable of the subsystem and minus a current degree of severity, which is ascertained from the state variable of the subsystem; and ascertain the permissible state variable boundary value of the technical system based on the ascertained controllability of the subsystem and taking into account an ASIL index specified for the technical system and/or for a current driving situation.

16. The technical system as recited in claim 14, wherein the technical system is an electronic stability program (ESP) system.

17. A non-transitory computer-readable medium on which is stored a computer program having program code for determining a permissible state variable boundary value of a technical system in a vehicle, via which a driving state variable in the vehicle can be influenced, based on an Automotive Safety Integrity Level (ASIL) index that characterizes a potential hazard of the technical system and is made up of parameters for a probability of occurrence in relation to a frequency distribution of a state variable of a driving situation, a controllability of a risk situation in the case of a malfunction in the driving situation, and a degree of severity of the risk situation, each ASIL index being assigned an ASIL summed index of a sum of the probability of occurrence, controllability, and degree of severity, the program code, when executed by a computer, causing the computer to perform the following steps: defining or determining the ASIL index of a subsystem of the technical system; ascertaining a controllability of the subsystem from the ASIL summed index of the subsystem minus a current probability of occurrence in relation to a frequency distribution of a state variable of the subsystem and minus a current degree of severity, which is ascertained from the state variable of the subsystem; and ascertaining the permissible state variable boundary value of the technical system based on the ascertained controllability of the subsystem and taking into account an ASIL index specified for the technical system and/or for a current driving situation.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0020] FIG. 1 shows a schematic diagram with method steps for determining a permissible state variable boundary value of a technical system in a vehicle, taking into account ASIL indexes, according to an example embodiment of the present invention.

[0021] FIG. 2 shows the final block of FIG. 1 in an enlarged representation.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

[0022] The sequence of the method for determining a permissible state variable boundary value is shown in FIG. 1. The state variable boundary value relates to a technical system in a vehicle, such as an electronic stability program ESP, with which an autonomous intervention in the brake system can be carried out. The ESP system is based on sensor information acquired in block 1 via a sensor system of the vehicle. This information is, in particular, driving state variables in the vehicle longitudinal and transverse direction, on the level of speed and acceleration. The yaw moment about the vehicle vertical axis can also be acquired.

[0023] Block 1, with the sensor system, is a subsystem in the technical system (ESP system) of the vehicle. The subsystem according to block 1 can be regarded as a part of the technical system, the sensor information also being provided to further systems in vehicles.

[0024] The aim of the method is to provide, at the output of block 5, a permissible state variable boundary value that is not to be exceeded in the technical system for safety reasons. In the specific exemplary embodiment according to FIGS. 1 and 2, the permissible state variable boundary value is a permissible interfering yaw moment.

[0025] The method uses ASIL indexes both for the subsystem of the sensor system according to block 1 and for the overall technical system. The ASIL indexes are each made up additively of parameters for the probability of occurrence E in relation to the frequency distribution of a state variable, the controllability C of a hazardous situation in the event of a malfunction in the driving situation, and the degree of severity S of the hazardous situation. The ASIL summed index N, from the sum of the probability of occurrence E, controllability C, and degree of severity S, can assume a maximum value of 10. The probability of occurrence E lies between the whole-numbered values 1 and 4, where 1 stands for extremely rare and 4 stands for constant. The controllability C lies between the whole-numbered values 0 and 3, where 0 means controllable by anyone and 3 means less than 90% controllable for a group of persons. The degree of severity S lies between the whole-numbered values 0 and 3, where 0 means no hazard and 3 means potentially severe injury and death.

[0026] The ASIL summed index N standardly lies in a range of values between 7 and 10. N = 7 is designated ASIL A, N = 8 is ASIL B, N = 9 is ASIL C and N = 10 is ASIL D. ASIL A is the lowest safety level and ASIL D is the highest safety level.

[0027] Safety-relevant technical systems in the vehicle such as the brake system are standardly rated ASIL D.

[0028] In order to avoid a hazardous situation in a technical system with adequate safety, the sum of the parameters for the probability of occurrence E, controllability C, and degree of severity S has to be smaller than the associated ASIL summed index N.

[00001]$\text{E}+\text{C}+\text{S}<\text{n}\left(\text{ASIL}\right)$

Because for example the technical system is rated ASIL D (N = 10), the sum of E + C + S must not be greater than 9.

[0029] The sensor system according to block 1 supplies a transverse acceleration value a.sub.y for which, in the exemplary embodiment, an index ASIL C is set. In the next method step according to block 2 the measured transverse acceleration a.sub.y is mapped onto a current probability of occurrence E, which is done with the aid of empirical field data. In the exemplary embodiment, the probability of occurrence E has the value 3.

[0030] In the following method step according to block 3, the associated value of the controllability C is ascertained. Block 3 receives, as input variable, the probability of occurrence E, the degree of severity S, and the ASIL index of the subsystem from block 1, i.e. the sensor system. For safety reasons, the degree of severity S is set to a maximum value of 3. The ASIL index is C, which corresponds to the ASIL summed index N = 9. Using these input variables, from the relation

[00002]$\text{C}<\text{n}\left(\text{ASIL}\right)-\text{E}-\text{S}$

the controllability C of the subsystem according to block 1 can be ascertained. For N = 9, E = 3, and S = 3, from the above inequality there results a value for the controllability C that has to be smaller than 3 and is thus set to the value 2.

[0031] This value for the controllability C is an input variable to the following block 4, in which, from the controllability C, a maximum permissible interfering yaw rate

[00003]${\dot{\psi }}_{\max }$

is ascertained that establishes the relation between the effect of an erroneous intervention and the resulting controllability. The interfering yaw rate

[00004]${\dot{\psi }}_{\max }$

can be ascertained from an empirical relation.

[0032] The permissible interfering yaw rate

[00005]${\dot{\psi }}_{\max }$

ascertained in block 4 is an input variable to the following block 5, in which a permissible interfering yaw moment M.sub.Zmax is ascertained. This takes place on the basis of a physical relation, for example based on a mathematical analogous model of the vehicle. Both the ascertaining of the interfering yaw rate

[00006]${\dot{\psi }}_{\max }$

in block 4 and the ascertaining of the interfering yaw moment M.sub.Zmax in block 5 are based on an ASIL index D for the technical system.

[0033] FIG. 2 shows block 5 in detail. The cases of turning into a curve (blocks 5.1, 5.2) and turning out of a curve (blocks 5.3, 5.4) are considered separately, due to the physics and the resulting different amplitudes. However, the physical models used as a basis for the cases of turning into a curve and turning out of a curve are identical; they merely have different signs for the permissible interfering yaw rate

[00007]${\dot{\psi }}_{\max }$

at the input side.

[0034] In block 5.1, for the case of turning into a curve there first takes place a permissible yaw rate change that is given as input variable to block 5.2, in which the permissible yaw moment for the case of turning into a curve is ascertained from a physical relation. In blocks 5.3 and 5.4, a corresponding ascertaining for the case of turning out of a curve takes place. At the output of block 5, a corridor is obtained of the permissible interfering yaw moments M.sub.Zmax that is bounded by the permissible yaw moments for the cases of turning into and turning out of a curve.