Method for Operating a Safety-Critical Controller for a Motor Vehicle and Corresponding Motor Vehicle
20190143916 · 2019-05-16
CPC classification
B60R16/0234 (PERFORMING OPERATIONS; TRANSPORTING)
B60R21/01 (PERFORMING OPERATIONS; TRANSPORTING)
International classification
B60R16/023 (PERFORMING OPERATIONS; TRANSPORTING)
G07C5/08 (PHYSICS)
Abstract
A method is presented for operating a safety-critical controller, wherein the controller monitors the correct functioning of the controller itself, of at least one sensor, of at least one actuator, or of a plurality of these, and where specific error conditions exist a warning for the driver is generated, wherein for at least a subgroup of the error conditions the warning takes the form of an appropriate warning message given to the driver.
If within a specified time span no clearance of the error has been detected, a corresponding data transmission to a vehicle manufacturer and/or service provider takes place, wherein the time span is preferably extended if the driver confirms the warning message by operating a corresponding operating means.
Claims
1. A method of operating a safety-critical controller of a vehicle, comprising: with the controller, monitoring a correct functioning of the controller, at least one sensor, at least one actuator, or a plurality of these; when at least one error among specific error conditions is detected during the monitoring, generating a warning for a driver of the vehicle, wherein for at least a subgroup of the error conditions, an appropriate warning message as the warning is given to the driver; detecting whether the error has been remediated; and transmitting a corresponding data transmission to a vehicle manufacturer and/or a vehicle service provider when a remediation of the error has not been detected within a specified time span.
2. The method according to claim 1, further comprising setting the specified time span to a longer time value, when the driver, by operating a specified operating device, acknowledges the warning, wherein the longer time value is greater than a default time value that applies for the specified time span when the warning is not acknowledged by the driver's operation of the specified operating device.
3. The method according to claim 1, further comprising starting a time window upon the transmitting of the data transmission, and cyclically repeating the transmitting of the data transmission when a remediation of the error has not been detected before expiration of the time window.
4. The method according to claim 2, wherein the data transmission contains at least one of: vehicle-identifying data, a type of error condition represented by the error, a time of occurrence of the error, and/or a time of occurrence of the acknowledging of the warning by the driver's operation of the operating device.
5. A motor vehicle comprising a vehicle body and an apparatus for performing the method according to claim 1, wherein the apparatus comprises the controller configured to perform the monitoring, a warning output device configured to perform the generating of the warning, and a data transmitter configured to perform the transmitting of the data transmission.
Description
[0008] It is therefore provided that a corresponding data transmission to a vehicle manufacturer and/or service provider takes place if the error has not been cleared within a specified time span. As an alternative to clearance of the error itself, a corresponding error entry can, if necessary, be confirmed as repaired, or deleted, by an appropriate service engineer.
[0009] The applicant's earlier application DE 10 2015 219 402, which does not form part of the prior art, describes a method for operating an occupant protection system, wherein the occupant protection system comprises at least one controller, at least one sensor and at least one occupant protection means, and a controller monitors the correct functioning of the controller, of at least one sensor or at least one actuator, or of a plurality of these, and where specific error conditions exist a warning for the driver is generated. For at least a subgroup of error conditions an appropriate warning message is given as a warning to the driver, which must be confirmed by the driver by operating at least one specified operating means. If the warning message is not confirmed within a specified time span by operating the specified operating means, a corresponding data transmission to a vehicle manufacturer or service provider takes place. In doing so, however, no check is made on whether the error has been cleared. Should this nevertheless be seen as a partial anticipation, the applicant makes express reference to the scope of protection hereby sought, namely that it is not in any way intended to claim a method according to claim 1 of DE 10 2015 219 402.
[0010] The specified time span for clearance, or until data transmission, is preferably set to a longer, second time value if the driver confirms the warning message by operating the specified operating means, this longer second time span likewise not being unlimited. Thus, in an envisaged exemplary embodiment, without confirmation the data transmission takes place within a relatively short time of between a few minutes and at most days, whereas following confirmation a period of from just a few days up to weeks remains for repair; in any event, however, a data transmission takes place on expiry of this second time span.
[0011] Here the data transmission preferably takes place via a mobile telephone, an available mobile radio data connection or SMS, and preferably contains vehicle-identifying data, the type of error condition, and the time of occurrence of the error condition or of expiry of the time span without the operating means having been operated. On the basis of the data transmission, the vehicle manufacturer or service provider can then contact the driver via other channels, be this telephone, e-mail or similar, and prevent continued driving without an intact safety-critical controller.
[0012] With the first data transmission, a new time window is preferably started, and the data transmission is repeated cyclically, where no clearance of the error has been detected before expiration of the time window.
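The escalation timing of paragraphs [0010] to [0012] and claims 1 to 4, as an added example written for this page and not the applicant's implementation: a small Python monitor in which the time span runs from the error, is extended once on driver confirmation, and the report is repeated cyclically until remediation is detected. The durations, the vehicle identifier and the `transmit` callback are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class EscalationMonitor:
    """Tracks one unremediated fault of a safety-critical controller and escalates it."""
    # Durations are assumed; the text only gives orders of magnitude.
    default_span: float = 2 * 3600      # unacknowledged: report within hours
    extended_span: float = 7 * 86400    # acknowledged: a week remains for repair
    repeat_window: float = 24 * 3600    # cyclic repetition after the first report
    vehicle_id: str = "VIN-EXAMPLE-0001"  # constructed identifier
    transmit: Callable[[dict], None] = lambda msg: None  # e.g. SMS / mobile data hook
    error: Optional[str] = None
    error_time: Optional[float] = None
    ack_time: Optional[float] = None
    deadline: Optional[float] = None
    reported: bool = False
    transmissions: List[dict] = field(default_factory=list)

    def raise_error(self, code: str, now: float) -> str:
        """Self-monitoring detected a fault: start the default span, return the warning text."""
        if self.error is None:
            self.error, self.error_time = code, now
            self.deadline = now + self.default_span
        return (f"Fault {self.error}: visit a workshop soon. Confirm with the dedicated "
                f"control, otherwise the manufacturer is notified in {self.default_span:.0f}s.")

    def acknowledge(self, now: float) -> None:
        """Driver confirms via the dedicated operating means: extend once, log the time separately."""
        if self.error is not None and self.ack_time is None and not self.reported:
            self.ack_time = now
            self.deadline = self.error_time + self.extended_span

    def clear_error(self) -> None:
        """Remediation detected (or entry confirmed repaired by service): stop escalating."""
        self.error = self.error_time = self.ack_time = self.deadline = None
        self.reported = False

    def tick(self, now: float) -> Optional[dict]:
        """Called cyclically: on expiry, transmit the report and restart the repeat window."""
        if self.error is None or now < self.deadline:
            return None
        msg = {"vehicle": self.vehicle_id, "error": self.error, "error_time": self.error_time,
               "ack_time": self.ack_time, "sent_at": now}
        self.transmit(msg)
        self.transmissions.append(msg)
        self.reported, self.deadline = True, now + self.repeat_window
        return msg
```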
[0013] It makes no difference here whether the method is performed in the safety-critical controller or in another controller, and whether only one sensor, an occupant protection means, or the correct functioning of the controller itself is monitored. In addition, the warning message to be confirmed by operating at least one specified operating means can also be given for just a subgroup of error conditions, and thus not necessarily for all error events.
[0014] The warning message to the driver can be given visually or acoustically, as a pictogram or in various languages, and, apart from the reference to the malfunction of the occupant protection system, preferably contains a recommendation to visit the workshop soon, the need for confirmation, and the consequences of non-confirmation.
[0015] For the confirmation, the operating means, the manner of its operation, or a combination or sequence of operating means is preferably chosen such that inadvertent confirmation, that is, operation during normal driving without the intention to confirm, is excluded as far as possible.
[0016] The driver's operation of the specified operating means is preferably logged in a memory; for example, the time of confirmation is stored in the memory, i.e. not just the time of occurrence of the error and the warning, but also, separately from this, the time of the actual operation by the driver.
[0017] If the warning message is not confirmed within a specified time span by operation of the specified operating means, a restriction is preferably imposed on the vehicle in addition to the data transmission. This depends entirely on the desired degree of escalation and must be configured for the individual vehicle.
[0018] One or more of the following actions in particular is/are envisaged:
[0019] a) that the warning message remains permanently overlaid;
[0020] b) that convenience features such as the radio are not available, or the telephone can only be used for emergency calls;
[0021] c) that a speed restriction is activated;
[0022] d) and/or that a restart of the vehicle following a stop is prevented.
[0023] Accordingly, a safety-critical controller, be this the display controller, the ESP controller or the occupant protection system, is equipped with a suitable algorithm for performing the method, with a data interface to a means for issuing the warning message and for receiving a signal from, or querying, the specified operating means, and with an interface to a data transmission means.
[0024] Thus, a motor vehicle is provided with a suitably equipped controller together with means for issuing the warning message and for data transmission, or an existing means is configured to perform the method.