Method for shutting down an electrically controlled component of a vehicle in a case of error of a processing unit controlling the component
09903300 ยท 2018-02-27
Assignee
Inventors
Cpc classification
F02D41/26
MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
F02D41/20
MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
International classification
F02D41/26
MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
F02D41/22
MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
F02D41/20
MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
Abstract
A method for shutting down an electrically controlled component of a vehicle in a case of error of a processing unit, the component being controlled by a control circuit, which receives at least one control signal from the processing unit and controls the component as a function of the at least one received control signal, the processing unit outputting the at least one control signal to a control terminal, the processing unit being designed for outputting an error signal having a defined level to the control terminal in a case of error.
Claims
1. A method for shutting down an electrically controlled component of a vehicle in a case of error of a processing unit, the electrically controlled component being controlled by a control circuit, the method comprising: outputting, by the processing unit via a control terminal of the processing unit, at least one control signal; receiving, by the control circuit, the control signal from the processing unit via a trigger lead connected to the control terminal; triggering, by the control circuit, a function of the electrically controlled component based on the received control signal, the electrically controlled component performing the function based on the triggering; detecting, by the processing unit, an error; and continuously outputting, by the processing unit, an error signal based on the detecting of the error, the error signal being a signal at a defined constant level, the error signal being continuously output by the processing unit via the same control terminal via which the control signal is output and the error signal is received by the control circuit via the same trigger lead via which the control circuit receives the control signal, the error signal blocking a further triggering of the function of the electrically controlled component.
2. The method as recited in claim 1, wherein the at least one control signal is one of: a trigger signal, an analog signal, or a data signal.
3. The method as recited in claim 1, wherein the processing unit outputs the error signal as a signal having a HIGH level to the control terminal based on detecting the error.
4. The method as recited in claim 1, wherein for purposes of control, the control circuit connects the component to an energy source.
5. The method as recited in claim 4, wherein the component is connected by the control circuit directly to an energy source via internal output stages.
6. The method as recited in claim 1, further comprising: checking proper functioning of the shutdown by outputting, on the control terminal, a test signal having a LOW level, subsequently outputting the error signal as a signal having a HIGH level, and checking a resulting total signal.
7. The method as recited in claim 1, wherein the processing unit is a microcontroller.
8. The method as recited in claim 1, wherein the control circuit is an ASIC.
9. The method as recited in claim 1, wherein the electrically controlled component is one of an injector, an integrated circuit, a microcontroller or a processing unit, of an internal combustion engine.
10. The method as recited in claim 1, wherein the error is detected by a monitoring module superordinated to the processing unit.
11. The method as recited in claim 1, wherein the error is detected by an error monitoring process of the processing unit.
12. A system in a vehicle, comprising: a processing unit having a control terminal, the processing unit being configured to output, via the control terminal, at least one control signal; a control circuit connected to the control terminal of the processing unit via a trigger lead, the control circuit configured to receive the control signal from the processing unit via the trigger lead connected to the control terminal; and an electrically controlled component of the vehicle, the control circuit being configured to control the electrically controlled component, and to trigger a function of the electrically controlled component of the vehicle based on the received control signal, the electrically controlled vehicle being configured to perform the function based on the trigger; wherein the processing unit is configured to detect an error, and to continuously output, via the same control terminal via which the control signal is output, an error signal, the error signal being a signal at a defined constant level, the error signal blocking a further triggering of the function of the electrically controlled component, and the error signal is received by the control circuit via the same trigger lead via which the control circuit receives the control signal.
13. The system as recited in claim 12, wherein the electrically controlled component is an injector of an internal combustion engine of the vehicle, and the control circuit is an ASIC.
14. The system as recited in claim 12, wherein the processing unit includes a monitoring module, the processing unit detecting the error via the monitoring module.
Description
BRIEF DESCRIPTION OF THE DRAWING
(1)
DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS
(2) An injection system, in which a preferred specific embodiment of the present invention is implemented, is represented schematically and in the form of a circuit diagram in
(3) Injection system 1 is used for supplying fuel to an internal combustion engine 2. Injection system 1 includes an engine control unit 100 as well as a high-pressure fuel area 200 including a high-pressure accumulator (common rail) 201, a pressure control valve 204 attached to it, injectors 202 and associated supply lines 203.
(4) Control unit 100 has, among other things, a processing unit designed as a microcontroller 110, a monitoring module 120, an output stage circuit 130 designed, for example, as an ASIC and a control circuit 140 designed, for example, as an ASIC for injectors 202.
(5) Processing unit 110 is programmed for providing the proper functioning of engine control unit 100 and in particular for controlling injectors 202. For controlling injectors 202, control circuit 140 is provided, which controls injectors 202 according to four control leads formed here as trigger leads 115, which are in particular connected to voltage sources of varying levels, as is basically conventional. For this purpose, trigger signals are transferred to control circuit 140 on trigger leads 115 by processing unit 110, a separate control lead 115 being present for each injector 202 to be controlled. Control leads 115 are connected to control terminals 111 of processing unit 110.
(6) The precise sequence of the control action, i.e., how long the injectors are acted upon using specific voltage levels, is predefined by control circuit 140 according to an internal program code. The program code is transferred to control circuit 140, in particular also by processing unit 110 via an additional connection (not shown), such as a bus.
(7) Monitoring module 120 is designed for monitoring processing unit 110 and deactivating it in the case of error. For increasing the monitoring reliability, output stage circuit 130 (if it is torque-relevant) is also deactivated in the case of error by monitoring module 120 for redundancy reasons. In the process, monitoring module 120 is also able to deactivate control circuit 140 via output stage circuit 130 via signal lead 118. Simultaneously, processing unit 110 is also able to deactivate output stage circuit 130 and also control circuit 140 in the case of error. The corresponding signal leads 116, 117 are shown in the FIGURE.
(8) Output stage circuit 130 is, for example, connected to pressure control valve 204 at high-pressure accumulator 201. In the case of the deactivation of output stage circuit 130, pressure control valve 204 is thus also opened, so that the pressure in high-pressure accumulator 201 is reduced and consequently it is not possible for an injection to be carried out with the aid of injectors 202.
(9) In order to provide a redundant disconnecting path even in systems that do not have a pressure control valve for shutoff, the specific embodiment shown has a disconnecting path according to one preferred specific embodiment of the present invention, control terminals 111 of processing unit 110 being designed in such a way that they continuously output a HIGH level in the case of error. Subsequently, it is no longer possible to output a trigger signal via control terminals 111, so that another result of this is that it is no longer possible to inject fuel via injectors 202. Different error detection sources make it possible for control terminals 111 to carry out the error response HIGH level:
(10) a) Monitoring module 120 detects an error in processing unit 110 (using the question-answer communication between monitoring module 120 and processing unit 110 via a connection 119 formed here as an SPI/MSC bus) and activates disconnecting path 117, which transfers an error signal directly to the processing unit via path 116. Via the PES configuration, the error pin activation automatically deactivates control terminals 111. No software function of the processing unit is necessary for the switching.
(11) b) Using safety mechanisms (self-monitoring-on-chip such as command errors, memory errors (ECC . . . )), processing unit 110 detects an error and activates the control terminals via the EMM.
(12) The redundant disconnecting path shown in the FIGURE is advantageous, since activation of the disconnecting path prevents any additional injection or torque buildup immediately and without a time delay and no dependencies of operating states are present.
(13) If for safety reasons, it is necessary or advantageous to check this disconnecting path, this may preferably occur early or immediately after current is supplied to control unit 100 (in particular before the start of travel). In the case of such a startup, various tests and checks are carried out in any case in the related art. In particular, the proper functioning of the disconnecting path may be checked in a particularly simple manner, before control circuit 140 is started up. In this case, the signal levels on control leads 115 may still be set arbitrarily, without this having effects on internal combustion engine 2.
(14) For an exemplary test, control terminals 111 are initially configured in particular as GPIO (general purpose inputs/outputs), and a test signal having a LOW level is output to each of control terminals 111. Subsequently, it is advantageously checked if a LOW level is actually present at control terminals 111.
(15) Furthermore, control terminals 111 are configured in such a way that they output an error signal having a HIGH level (e.g., PES) in the case of error.
(16) Subsequently, a case of error is simulated and the signal actually output at control terminals 111 is checked. If it is a signal having a HIGH level, the proper functioning of the disconnecting path is established.
(17) Subsequently, control terminals 111 are again configured properly, i.e., they are configured in such a way that the trigger signals are output for controlling injectors 202.
(18) Should the error or PES configuration for control terminals 111 be obstructive during the continued startup operation and the further ramp-up of control unit 100, this may be deactivated temporarily until normal operation is achieved.
(19) If, however, normal operation is finally achieved (i.e., in particular, all shown components 110 through 140 are ready for operation), control terminals 111 are again configured in such a way that they now continuously output an error signal having a HIGH level in the case of error.
(20) The present invention may be used not only for control leads in relation to the injection system, but instead also for switching off data transmission lines, for example, CAN, FlexRay or Ethernet transmissions, etc., in particular if they transmit monitoring-relevant messages and are to be switched off in the case of error of the processing unit.