SAFETY SYSTEM FOR A VEHICLE OF A VEHICLE FLEET

Abstract

A pre-crash system has at least one dummy actuator and an adaptive pre-trigger function that is implemented with different parameter sets as a function of a current degree of validation, and evaluates the acquired physical quantities for pre-crash recognition in order to recognize an unavoidable crash, a first parameter set, which limits the pre-trigger function to a dummy operating mode in which the pre-trigger function produces at least one trigger signal for the dummy actuator if the evaluation of the physical quantities permits the inference of an unavoidable crash, being implemented until the current degree of validation satisfies a specified condition, the pre-trigger function comparing the triggering of the dummy actuator with the behavior of the evaluation and control unit, and, as a function of the comparison, rating the triggering of the dummy actuator as “correct” or as a “false positive.”

Claims

1-10. (canceled)

11. A safety system for a vehicle of a fleet of vehicles, comprising: a personal protection device; a contact sensor system for acquiring at least one impact-relevant physical quantity; a pre-crash system that includes an environmental sensor system for acquiring at least one crash-relevant physical quantity in an environment surrounding the vehicle; and an evaluation and control unit that evaluates the physical quantities acquired by the contact sensor system and by the environmental sensor system for impact recognition and for pre-crash recognition, and, as a function of the evaluation and of specified parameters, controls at least one actuator of the personal protection device; wherein the pre-crash system has at least one dummy actuator and an adaptive pre-trigger function that is implemented with different parameter sets as a function of a current degree of validation, and evaluates the acquired physical quantities for pre-crash recognition in order to recognize an unavoidable crash, a first parameter set, which limits the pre-trigger function to a dummy operating mode in which the pre-trigger function produces at least one trigger signal for the dummy actuator if the evaluation of the physical quantities permits the inference of an unavoidable crash, being implemented until the current degree of validation satisfies a specified condition, the pre-trigger function comparing the triggering of the dummy actuator with a behavior of the evaluation and control unit, and, as a function of the comparison, rating the triggering of the dummy actuator as “correct” or as a “false positive.”

12. The safety system as recited in claim 11, wherein the pre-trigger function includes a data recorder that stores the rating of the triggering of the dummy actuator and sums the operating hours.

13. The safety system as recited in claim 11, wherein the pre-trigger function includes a first communication device via which at least one of the rating of the triggering of the dummy actuator and the sum of the operating hours can be transmitted to a central unit.

14. The safety system as recited in claim 13, wherein the first communication device receives one of an updated first parameter set or a second parameter set from the central unit and provides the pre-trigger function, the second parameter set enabling an operation of the pre-trigger function in accordance with its intended function in which the pre-trigger function produces triggering signals for the at least one actuator of the personal protection device.

15. A system for validating a pre-trigger function for a safety systems in vehicles of a fleet of vehicles, comprising: a central unit that includes a computer system, a second communication device, and storage device, the computer system communicating with and exchanging data with the vehicles of the vehicle fleet via the second communication device; wherein the safety system of the individual vehicles of the vehicle fleet includes a personal protection device, a contact sensor system for acquiring at least one impact-relevant physical quantity, a pre-crash system that includes an environmental sensor system for acquiring at least one crash-relevant physical quantity in an environment surrounding the vehicle, and an evaluation and control unit that evaluates the physical quantities acquired by the contact sensor system and by the environmental sensor system for impact recognition and for pre-crash recognition, and, as a function of the evaluation and of specified parameters, controls at least one actuator of the personal protection device, wherein the pre-crash system has at least one dummy actuator and an adaptive pre-trigger function that is implemented with different parameter sets as a function of a current degree of validation, and evaluates the acquired physical quantities for pre-crash recognition in order to recognize an unavoidable crash, a first parameter set, which limits the pre-trigger function to a dummy operating mode in which the pre-trigger function produces at least one trigger signal for the dummy actuator if the evaluation of the physical quantities permits the inference of an unavoidable crash, being implemented until the current degree of validation satisfies a specified condition, the pre-trigger function comparing the triggering of the dummy actuator with a behavior of the evaluation and control unit, and, as a function of the comparison, rating the triggering of the dummy actuator as “correct” or as a “false positive.” and wherein the computer system receives at least one of the ratings of triggerings of the dummy actuators and a sum of the operating hours of vehicles of the vehicle fleet, storing them in the storage device, and evaluating them for the calculation of the current degree of validation of the pre-trigger function and in order to check the first parameter set.

16. The system as recited in claim 15, wherein the computer system ascertains the number of “false positives” of the dummy actuators in vehicles of the vehicle fleet and ascertains the sum of the operating hours of the vehicles of the vehicle fleet and calculates the current degree of validation of the pre-trigger function as the number of “false positives” of the dummy actuators in the vehicles for a time unit.

17. The system as recited in claim 16, wherein the computer system compares the calculated current degree of validation of the pre-trigger function with a specified threshold value that represents a required degree of robustness of the pre-trigger function, the computer system outputting the second parameter set to vehicles of the vehicle fleet when the number of “false positives” of the dummy actuators in the vehicles for a time unit is below the specified threshold value.

18. The system as recited in claim 15, wherein the computer system communicates with the first communication devices of the vehicles of the vehicle fleet via the second communication device directly or via a third communication device.

19. The system as recited in claim 18, wherein the third communication device is situated in a workshop and reads out the data recorder of the pre-trigger function via the first communication device during a diagnosis.

20. The system as recited in claim 19, wherein the communication devices are IP nodes.

Description

BRIEF DESCRIPTION OF THE DRAWING

[0017] FIG. 1 shows a schematic block diagram of a system for validating a pre-trigger function for safety systems in vehicles of a vehicle fleet, with an exemplary embodiment of the safety system according to the present invention for a vehicle of a vehicle fleet.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

[0018] As can be seen in FIG. 1, a vehicle fleet 1 comprises a plurality of vehicles of which three vehicles 1A, 1B, 1C are shown as examples. Each of these vehicles 1A, 1B, 1C has a safety system 2 that is shown in more detail in a first vehicle 1A of vehicle fleet 1.

[0019] As is further visible in FIG. 1, safety system 2 includes personal protection devices 7, a contact sensor system 4 for acquiring at least one physical quantity relevant to impacts, a pre-crash system 10 that includes an environmental sensor system 3 for acquiring at least one crash-relevant physical quantity in the environment surrounding the vehicle, and an evaluation and control unit 5.1 that evaluates the physical quantities acquired by contact sensor system 4 and by environmental sensor system 3 for impact recognition and for pre-crash recognition, and, as a function of the evaluation and of specified parameters, controls at least one actuator 14A, 14B, 14C of personal protection devices 7. According to the present invention, pre-crash system 10 has at least one dummy actuator 14D and an adaptive pre-trigger function 12 that is implemented with different parameter sets as a function of the current degree of validation, and that evaluates the acquired physical quantities for pre-crash recognition in order to recognize an unavoidable crash, a first parameter set, which limits pre-trigger function 12 to a dummy operating mode in which pre-trigger function 12 produces at least one triggering signal for dummy actuator 14D if the evaluation of the physical quantities permits the inference that a crash is unavoidable, being implemented until the current degree of validation satisfies a specified condition, pre-trigger function 12 comparing the triggering of dummy actuator 14D with the behavior of evaluation and control unit 5.1, and, as a function of the comparison, rating the triggering of dummy actuator 14D as “correct” or as a “false positive.” In the depicted exemplary embodiment, in the dummy operation enabled by the first parameter set, given a low degree of validation for example only uncritical interventions with reversible measures or interventions with a stronger limitation of the field of action are possible, in order in this way to provide a high degree of robustness of safety system 2 even when there is a low degree of validation.

[0020] In the depicted exemplary embodiment, pre-trigger function 12 includes a data recorder 18 that stores the rating of the triggering of dummy actuator 14D and that sums the operating hours, and a first communication device 16 via which the rating of the triggering of dummy actuator 14D and/or the sum of the operating hours can be transmitted to a central unit 20. In addition, first communication device 16 receives an updated first parameter set or a second parameter set from central unit 20, and provides it to pre-trigger function 12. The second parameter set enables operation of pre-trigger function 12 in accordance with its intended function, in which pre-trigger function 12 produces triggering signals for the at least one actuator 14A, 14B, 14C of personal protection devices 7.

[0021] As is also visible in FIG. 1, personal protection devices 7 include reversible restraint devices 7.1 such as electromotoric safety belts or active engine hoods that are triggered by a first actuator 14A, irreversible restraint devices 7.2, such as interior and/or exterior airbags, triggered by a second pyrotechnic actuator 14B, and adaptive crash structures 7.3 triggered by a third actuator 14C. In addition, actuators can be provided that carry out active interventions in the vehicle brake system, steering, chassis, and/or suspension system, and/or that produce an additional braking effect.

[0022] Environmental sensor system 3 includes for example radar, video, ultrasound, or lidar systems for acquiring the crash-relevant physical quantities in the environment surrounding the vehicle. Contact sensor system 4 includes for example pressure and/or acceleration sensors for acquiring the impact-relevant physical quantities. Evaluation and control unit 5.1 and the components of pre-crash system 10 are implemented in a common control device 5 in the depicted exemplary embodiment. In addition, evaluation and control unit 5.1 and pre-trigger function 12 can combine arbitrary data from sensor information from environmental sensor system 3 and from contact sensor system 4 in order to recognize an impending impact. Thus, for example using an intelligent data fusion of at least two physically redundant sensor signals from environmental sensor system 3, such as radar signals, that are suitable for location and speed measurements, and video signals that are suitable for object classification, an adequately good and reliable pre-crash recognition can be provided. However, even if such an estimation shows this possibility of pre-crash recognition, the requirement of secure validation of safety system 2 according to the present invention against undesired false positives remains.

[0023] Therefore, the depicted system for validating a pre-trigger function 12 for safety systems 2 in vehicles 1A, 1B, 1C of a fleet of vehicles 1 includes a central unit 20 that includes a computer system 22, a second communication device 24, and storage device 28. Computer system 22 communicates with vehicles 1A, 1B, 1C of vehicle fleet 1 via second communication device 24, and exchanges data with vehicles 1A, 1B, 1C of vehicle fleet 1. Computer system 22 receives the ratings of triggerings of dummy actuators 14D and/or the sum of the operating hours of vehicles 1A, 1B, 1C of vehicle fleet 1, stores these data in storage device 28, and evaluates these data in order to calculate the current degree of validation of pre-trigger function 12 and to check the first parameter set.

[0024] Computer system 22 ascertains as needed the number of “false positives” of dummy actuators 14D in vehicles 1A, 1B, 1C of vehicle fleet 1, and the sum of the operating hours of these vehicles 1A, 1B, 1C of vehicle fleet 1, and calculates the current degree of validation of pre-trigger function 12 as the number of “false positives” of dummy actuators 14D in vehicles 1A, 1B, 1C of vehicle fleet 1 for a time unit. Computer system 22 compares the calculated current degree of validation of pre-trigger function 12 with a specified threshold value that represents a required degree of robustness of pre-trigger function 12. Here, computer system 22 outputs the second parameter set to vehicles 1A, 1B, 1C of vehicle fleet 1 if the number of “false positives” of dummy actuators 14D in vehicles 1A, 1B, 1C is below the specified threshold value for a time unit. Given a high degree of validation, the second parameter set enables the activation of interventions with a higher safety risk, or of irreversible measures and interventions with a broader field of action, because these are made secure by the high degree of validation.

[0025] As can also be seen in FIG. 1, computer system 22 can communicate with first communication devices 16 of vehicles 1A, 1B, 1C of vehicle fleet 1 via second communication device 24 directly or via a third communication device 26. Third communication device 26 can be situated for example in a workshop, and can read out data recorder 18 of pre-trigger function 12 via first communication device 16 during a diagnosis.

[0026] In the depicted exemplary embodiment, communication devices 16, 24, 26 are each realized as IP nodes. This advantageously enables the authorization or parameterization of software components of pre-trigger function 12 through a corresponding communication connection between second communication device 24 or third communication device 26 with first communication device 16 in vehicle 1A, 1B, 1C with an authorized and protected download function. In this way, the parameter sets can be transmitted from central unit 20, for example directly via second communication connection 24 to first communication device 16, or indirectly via second communication connection 24 and third communication connection 26 to first communication device 16. In addition, the data can be exchanged between central unit 20 and vehicles 1A, 1B, 1C of vehicle fleet 1 via a cloud. Because this is an activation of safety-critical functions, the data transmission takes place in protected fashion and only through an authorized agent, regardless of the form in which it takes place. Central unit 20 can for example be set up by the vehicle manufacturer, a supplier, or a service provider that can continuously evaluate the collected data.