[go: up one dir, main page]

WO2018036977A1 - Watchdog controller for an electric vehicle - Google Patents

Watchdog controller for an electric vehicle Download PDF

Info

Publication number
WO2018036977A1
WO2018036977A1 PCT/EP2017/071057 EP2017071057W WO2018036977A1 WO 2018036977 A1 WO2018036977 A1 WO 2018036977A1 EP 2017071057 W EP2017071057 W EP 2017071057W WO 2018036977 A1 WO2018036977 A1 WO 2018036977A1
Authority
WO
WIPO (PCT)
Prior art keywords
vehicle
controller
electric machines
input
watchdog
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/EP2017/071057
Other languages
French (fr)
Inventor
Jeremy Greenwood
Robin BOYD
Chris Clarke
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jaguar Land Rover Ltd
Original Assignee
Jaguar Land Rover Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jaguar Land Rover Ltd filed Critical Jaguar Land Rover Ltd
Priority to DE112017004195.3T priority Critical patent/DE112017004195T5/en
Publication of WO2018036977A1 publication Critical patent/WO2018036977A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60LPROPULSION OF ELECTRICALLY-PROPELLED VEHICLES; SUPPLYING ELECTRIC POWER FOR AUXILIARY EQUIPMENT OF ELECTRICALLY-PROPELLED VEHICLES; ELECTRODYNAMIC BRAKE SYSTEMS FOR VEHICLES IN GENERAL; MAGNETIC SUSPENSION OR LEVITATION FOR VEHICLES; MONITORING OPERATING VARIABLES OF ELECTRICALLY-PROPELLED VEHICLES; ELECTRIC SAFETY DEVICES FOR ELECTRICALLY-PROPELLED VEHICLES
    • B60L3/00Electric devices on electrically-propelled vehicles for safety purposes; Monitoring operating variables, e.g. speed, deceleration or energy consumption
    • B60L3/0023Detecting, eliminating, remedying or compensating for drive train abnormalities, e.g. failures within the drive train
    • B60L3/0084Detecting, eliminating, remedying or compensating for drive train abnormalities, e.g. failures within the drive train relating to control modules
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/02Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
    • B60W50/035Bringing the control units into a predefined state, e.g. giving priority to particular actuators
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60LPROPULSION OF ELECTRICALLY-PROPELLED VEHICLES; SUPPLYING ELECTRIC POWER FOR AUXILIARY EQUIPMENT OF ELECTRICALLY-PROPELLED VEHICLES; ELECTRODYNAMIC BRAKE SYSTEMS FOR VEHICLES IN GENERAL; MAGNETIC SUSPENSION OR LEVITATION FOR VEHICLES; MONITORING OPERATING VARIABLES OF ELECTRICALLY-PROPELLED VEHICLES; ELECTRIC SAFETY DEVICES FOR ELECTRICALLY-PROPELLED VEHICLES
    • B60L2240/00Control parameters of input or output; Target parameters
    • B60L2240/10Vehicle control parameters
    • B60L2240/14Acceleration
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60LPROPULSION OF ELECTRICALLY-PROPELLED VEHICLES; SUPPLYING ELECTRIC POWER FOR AUXILIARY EQUIPMENT OF ELECTRICALLY-PROPELLED VEHICLES; ELECTRODYNAMIC BRAKE SYSTEMS FOR VEHICLES IN GENERAL; MAGNETIC SUSPENSION OR LEVITATION FOR VEHICLES; MONITORING OPERATING VARIABLES OF ELECTRICALLY-PROPELLED VEHICLES; ELECTRIC SAFETY DEVICES FOR ELECTRICALLY-PROPELLED VEHICLES
    • B60L2240/00Control parameters of input or output; Target parameters
    • B60L2240/10Vehicle control parameters
    • B60L2240/22Yaw angle
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/02Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
    • B60W50/029Adapting to failures or work around with other constraints, e.g. circumvention by avoiding use of failed parts
    • B60W2050/0295Inhibiting action of specific actuators or systems
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2520/00Input parameters relating to overall vehicle dynamics
    • B60W2520/10Longitudinal speed
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2520/00Input parameters relating to overall vehicle dynamics
    • B60W2520/10Longitudinal speed
    • B60W2520/105Longitudinal acceleration
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02TCLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
    • Y02T10/00Road transport of goods or passengers
    • Y02T10/60Other road transportation technologies with climate change mitigation effect
    • Y02T10/64Electric machine technologies in electromobility

Definitions

  • the present disclosure relates to a watchdog and particularly, but not exclusively, to a watchdog controller for a vehicle. Aspects of the invention relate to a controller, to a method, to a non-transitory computer-readable medium, to a computer program product, to a processor, and to a vehicle.
  • controllers that implement functions that determine what output is required from the component in the current operating conditions.
  • functions may use inputs indicative of several parameters including driver inputs and vehicle operating parameters to calculate the required output. Accordingly, the functions may have a high level of complexity and may require significant processing power.
  • Provision of complex functions to calculate the required output from components can significantly improve vehicle performance, as the output from the components can be optimised in the current operating conditions.
  • the complexity of the functions also increases a risk that they will produce an undesired output under an unforeseen set of operating conditions, and also increases the risk that the processor implementing the function will be overloaded, for example because of an undetected bug in the software.
  • Watchdogs are controllers that typically perform a simple calculation to determine a range in which the output of the controller that they are monitoring is expected to fall based on at least some of the inputs that are provided to the controller that they are monitoring. If the watchdog determines that the output of the controller does not fall within the expected range then it may command appropriate corrective action, for example resetting of the controller or inhibiting control of the component by the controller.
  • watchdogs of the type described above are only generally effective if a good estimate of the range within which a controller output will fall can be estimated by a relatively simple function. This has led to difficulties in implementing watchdogs for certain types of component.
  • a watchdog controller for a vehicle comprising:
  • input means configured to receive a first input indicative of at least one vehicle control input and a second input indicative of at least one vehicle dynamic parameter; and control means communicably coupled to said input means,
  • control means are operable to initiate operation of the vehicle in a safe mode thereof upon detection of an error state, said error state being detected in dependence on the first and second inputs,
  • Such a controller is operable to determine when an error state has occurred without duplicating the potentially complex functionality of the controllers that determine what current should be provided to the prime mover, of the electrically powered vehicle, which may be an electric machine.
  • the vehicle dynamic parameter may be a vehicle acceleration or a vehicle angular velocity.
  • the watchdog controller may be a watchdog controller for use on an electrically powered vehicle, for example an electrically powered vehicle having a complex control system.
  • Alternative embodiments may be suitable for use on vehicles that are powered by internal combustion engines, especially vehicles that are provided with complex traction control systems, which may use hydraulic braking to selectively reduce the overall amount of torque applied at individual wheels.
  • acceleration is considered to include any change in velocity with respect to time, in any direction. Accordingly, increases or reductions in the magnitude of the velocity of a vehicle or changes in the direction of travel of a vehicle are all considered to cause “acceleration" of the vehicle. It will be understood that the vehicle may operate in a normal mode when no error state has been detected, and that functionality when the vehicle is operating in the safe mode may be limited relative to the normal mode. Optionally the controller is configured to cause operation of at least one electric machine of the electric vehicle to be inhibited, thereby to initiate operation of the vehicle in said safe mode.
  • control means are operable to open a switch between a battery of the electric vehicle and the electric machine upon detection of said error state, thereby to initiate operation of the vehicle in said safe mode.
  • this allows the watchdog controller to prevent the electric machine from applying positive torque to the wheels of the vehicle.
  • control means are operable to send an override signal to a controller operable to control the electric machine upon detection of said error state, thereby to initiate operation of the vehicle in said safe mode.
  • said override signal causes the controller to substantially prevent the electric machine from producing positive torque.
  • the electric vehicle comprises a plurality of electric machines, said plurality of electric machines comprising a first group of one or more electric machines and a second group of one or more electric machines, wherein when the vehicle is operating in the safe mode operation of said first group of electric machines is inhibited and operation of said second group of electric machines is not inhibited.
  • a watchdog controller as defined above may be particularly useful on such an electric vehicle, as a conventional watchdog for such a vehicle may be very complex and therefore susceptible to software bugs.
  • the first group of electric machines are configured to deliver torque to one or more front wheels of the vehicle and the second group of electric machines are configured to deliver torque to one or more rear wheels of the vehicle.
  • the first group of electric machines are configured to deliver torque to one or more rear wheels of the vehicle and the second group of electric machines are configured to deliver torque to one or more front wheels of the vehicle. Inhibiting operation of only one group of electric machines may allow the vehicle to continue to be driven when an error condition has been detected.
  • the second input is indicative of a vehicle yaw rate.
  • the error state may be detected when the vehicle yaw rate exceeds a first threshold value.
  • said error state is detected when the vehicle yaw rate exceeds the first threshold value for a threshold time period.
  • the first threshold value may vary in dependence on a currently selected driving mode of the vehicle.
  • said first input comprises an input indicative of a current steering angle and the first threshold value varies in dependence on the current steering angle.
  • said first input comprises one or more inputs indicative of the current accelerator pedal position and the current brake pedal position
  • said second input comprises an input indicative of the vehicle acceleration, wherein the error state is detected when the vehicle acceleration is outside an expected range; and said expected range varies in dependence on the accelerator pedal position and the brake pedal position.
  • the vehicle comprises:
  • each of said electric machines being associated with a respective one of said wheels;
  • powertrain control means operable to receive a plurality of powertrain control signals indicative of a plurality of vehicle parameters including the at least one vehicle control input, the powertrain control means being operable to provide individual torque request signals to each of said electric machines, said individual torque request signals being calculated in dependence on said powertrain control signals.
  • said powertrain control means is operable to provide individual regenerative breaking request signals to each of said electric machines, said individual regenerative breaking request signals being calculated in dependence on said powertrain control signals.
  • a plurality of vehicle systems are sequentially disabled, and a vehicle response to disabling of each of the systems is monitored by at least one selected from said powertrain control means, said watchdog controller, and another control means.
  • said watchdog controller may allow the watchdog controller to identify the source of the error. Under certain circumstances this may allow the vehicle to continue to operate safely despite the error state.
  • the watchdog controller is further configured to monitor the communication status of one or more subsystem controllers of the vehicle.
  • the watchdog controller may be operable to initiate operation of the vehicle in the safe mode upon detection of a loss of communication with one of said subsystem controllers.
  • the vehicle may comprise one or more accelerometers communicably coupled to the watchdog controller. Said accelerometers may be configured to produce said second input.
  • a method of controlling an electrically powered vehicle comprising:
  • the vehicle dynamic parameter may be a vehicle acceleration or a vehicle angular velocity.
  • the method comprises:
  • the vehicle comprises:
  • each of said electric machines being associated with a respective one of said wheels;
  • powertrain control means operable to receive a plurality of powertrain control signals indicative of a plurality of vehicle parameters including the at least one vehicle control input, wherein the method comprises providing individual torque request signals to each of said electric machines, said individual torque request signals being calculated in dependence on said powertrain control signals.
  • a computer program product executable on a processor so as to implement a method as described above.
  • a non-transitory computer readable medium carrying computer readable code which when executed by a computer causes a vehicle to carry out a method as described above.
  • a processor arranged to implement a method or a computer program product as described above.
  • watchdog controller is understood to include both a single control means or controller and a plurality of control means or controllers collectively operating to provide the stated control functionality for a watchdog controller.
  • Figure 1 shows a schematic diagram of known vehicle incorporating a watchdog controller
  • FIG. 2 shows a schematic diagram of a vehicle incorporating a dynamic watchdog controller in an embodiment of the present invention
  • Figure 3 shows a vehicle that may incorporate a dynamic watchdog controller in an embodiment of the present invention
  • Figure 4 shows a flow chart illustrating the operation of a dynamic vehicle controller in an embodiment of the present invention.
  • Figure 1 shows a schematic diagram of a prior art vehicle 100 having four wheels 102A-D, of which two wheels 102C, 102D are powered by an AC electric motor 104 via a differential 106. Power is provided to the motor 104 from a battery 108 via controller 1 12 and inverter 1 10. Controller 1 12 controls the electrical supply to inverter 1 10 in dependence on various inputs including the positions of accelerator pedal 1 14 and brake pedal 1 16. Watchdog controller 1 18 is also configured to receive inputs indicative of the positions of the accelerator pedal 1 14 and the brake pedal 1 16, and is also configured to receive an input indicative of the current flowing to inverter 1 10.
  • Watchdog controller 1 18 is configured to calculate an expected range for the current flowing to the inverter 1 10 and to determine whether or not the observed current flowing to the inverter 1 10 falls within the expected range. If the observed current does fall within the expected range then the watchdog controller 1 18 takes no action. However, if the observed current is outside the expected range then the watchdog controller 1 18 determines that an error has occurred and controls a switch (not shown) between the inverter 1 10 and the battery 104 to open, thereby stopping the motor from delivering power to the wheels 102C, 102D.
  • the arrangement shown in figure 1 is effective provided the watchdog controller 1 18 is able to calculate an expected range for the current flowing to the inverter 1 10 that is narrow enough to ensure that a malfunction of the controller 1 12 is detected rapidly but accurate enough that the current is always within the expected range during normal operation.
  • the watchdog controller 1 18 does not simply duplicate the control logic implemented on the controller 1 12, as this could lead to a situation in which a common error occurs on both the watchdog controller 1 18 and the controller 1 12, and is therefore not recognised as an error.
  • Figure 2 shows a vehicle 200 having four wheels 202A-D, each of which is powered by a separate electric motor 204A-D. Power from battery 206 is delivered to the motors 204A-D via controller 208. The power may be supplied to each of the motors 204A-D via an inverter associated with each of the motors (not shown), or the motors 204A-D may be DC motors.
  • the arrangement shown in figure 2 has the advantage that the power provided to each of the wheels 202A-D can be varied substantially independently by controller 208 without applying braking torque to any of the wheels. This may allow the stability and dynamic performance of the vehicle to be improved compared to prior art vehicles in which have more limited control over the power delivered to each of the wheels.
  • the torque to be provided to each of the wheels is calculated by the controller 208 in dependence on the positions of the accelerator pedal 214 and the brake pedal 216, and also on a number of other parameters which may include one or more parameters relating to the available surface traction, one or more wheel parameters relating to wheel slip, a steering wheel position, a vehicle yaw rate and a vehicle speed.
  • the calculation of the torque required at each wheel may be relatively complex, and there may be significant variations between the torque required at each of the wheels, which variations may depend on parameters other than the positions of the brake pedal and the accelerator pedal.
  • the controller 208 may receive inputs indicative of the current rotational velocity at each of the wheels, and may be configured to calculate slip values at each of the wheels in dependence on the rotational velocities of the wheels and an estimate of the velocity of the vehicle, which estimate may be made based on accelerometer readings or other known methods.
  • the controller 208 is operable to estimate the available traction at each of the wheels in dependence on the slip values and the torque provided to each of the wheels by the motors 204A-D. In dependence on the estimates of the available traction the controller may alter the current provided to each of the motors 204A-D so as to provide more torque to the wheels that have relatively high available traction and less torque to wheels that have relatively low available traction.
  • the controller 208 may alter the current provided to each of the motors 202A-D to reduce or prevent wheel slip and to control the vehicle yaw rate to substantially match a target yaw rate which may be calculated in dependence on a user steering input.
  • the torque required at each wheel and therefore the current supplied to each of the motors 204A-D for a given position of the accelerator pedal 214 and brake pedal 216 can therefore vary significantly and in a relatively complex manner. Accordingly, a watchdog controller operable to calculate an expected range of the current supplied to each of the motors 204A- D would need to account for other inputs besides the positions of the accelerator and brake pedals.
  • the watchdog controller would also have to perform a similarly complex calculation to be able to calculate an expected range that was narrow enough to reliably detect errors when they occur, and it may be necessary for the watchdog controller to duplicate a significant amount of the functionality of the controller 208. This introduces a risk that a common fault could occur in both the watchdog controller and the controller 208, which would result in the fault not being detected. Accordingly, one or more watchdog controllers comparing the actual current supplied to the motors 202A-D with an expected range may not provide sufficient protection against potential error states.
  • the controller 208 is provided with a dynamic watchdog controller 218.
  • Dynamic watchdog controller 218 is operable to detect an error state in the controller 208 (or in one of the motors 204A-D that are controlled by the controller 208), and to open switch 210 to inhibit the controller 208 from controlling the motors 204A-D upon detection of the error state.
  • the operation of dynamic watchdog controller 218 will be described in more detail below.
  • Dynamic watchdog controller 218 is operable to receive inputs indicative of the vehicle acceleration and rotation about three mutually perpendicular axes (X, Y, Z) from six degree of freedom accelerometer 220 and inputs indicative of the position of the accelerator pedal 214, the position of the brake pedal 216 and the current vehicle speed.
  • the dynamic watchdog controller may be further configured to receive an input indicative of a current steering input such as the position of a steering wheel of the vehicle and/or the torque applied to the steering wheel by a driver of the vehicle.
  • Figure 3 shows a vehicle 200 along with a coordinate system showing the directions of axes X, Y, Z.
  • axis X is aligned with the direction of travel of the vehicle
  • axis Y is transverse to the direction of travel and is horizontal when the vehicle is located on level ground
  • axis Z is vertical when the vehicle is located on level ground.
  • the accelerometer 220 is also operable to produce an output indicative of the angular velocity about each of the axes X, Y and Z.
  • rotation about axis X is conventionally referred to as "roll”
  • rotation about axis Y is conventionally referred to as "pitch”
  • rotation about axis Z is conventionally referred to as "yaw”.
  • Alternative coordinate systems to the one shown in figure 3 would also be possible, although the system showed in figure 3 generally simplifies the calculations that are performed by the system.
  • Dynamic watchdog controller 218 is operable to calculate an expected range of vehicle dynamic behaviour in dependence on the positions of the accelerator pedal 214, the brake pedal 216 and the steering wheel.
  • the expected range may comprise upper and lower thresholds on acceleration in the 'X' direction and yaw rate (i.e. rotational velocity about the 'X' axis), which limits may vary in dependence on the driver inputs to the accelerator pedal 214, the brake pedal 216 and the steering wheel.
  • the limits may also vary in dependence on one or more features of the terrain that the vehicle is currently driving on, for example the surface topology or the available surface traction.
  • the limits may also vary in dependence on the currently selected driving mode. For example, the limits may be range of expected dynamic behaviour may be wider if a "sport" or "race” driving mode is selected.
  • the watchdog controller 218 may have access to an electronic memory having a look up table relating the driver inputs to the accelerator pedal, the brake pedal and the steering wheel to the upper and lower limits for acceleration in the X direction and yaw rate.
  • the upper and lower limits stored in the lookup table may be determined empirically during vehicle calibration based upon the observed range of vehicle dynamic behaviour for given sets of inputs. In the event that the observed dynamic behaviour falls outside the expected range of dynamic behaviour the watchdog controller 218 may be configured to determine that an error state has occurred. Accordingly, watchdog controller 218 may initiate operation of the vehicle in a safe mode thereof, for example by controlling switch 210 to open, thereby electrically disconnecting the battery 206 from the controller 208.
  • watchdog controller 218 may also implement absolute limits on vehicle dynamic performance. If an observed dynamic parameter exceeds one of the absolute limits then an error state may be considered to have occurred irrespective of what control inputs are provided by the driver. Accordingly, operation in the safe mode may be initiated whenever a vehicle dynamic parameter exceeds an absolute limit on vehicle dynamic performance.
  • Watchdog control routine 300 begins at step 302 and immediately proceeds to step 304, in which the watchdog controller 218 receives inputs indicative of the accelerator and brake pedal positions, a current steering input and the current vehicle speed.
  • step 306 in which the expected ranges of vehicle dynamic performance are calculated in dependence on the inputs received in step 304.
  • expected ranges of yaw rate and acceleration in the X direction are calculated, although it will be understood that expected ranges for other dynamic parameters may be calculated in addition or instead in other embodiments.
  • step 306 the control routine proceeds to step 308, in which the watchdog controller 218 receives inputs indicative of the current dynamic behaviour of the vehicle from accelerometer 220.
  • step 310 the watchdog controller 218 determines whether or not the observed acceleration and/or yaw rate are within the expected ranges calculated in step 306. If the observed acceleration and/or yaw rate are not within the expected ranges then the watchdog controller 218 determines that an error condition has occurred and the control routine proceeds to step 316 in which the watchdog controller 218 initiates operation of the vehicle 200 in a safe mode thereof.
  • the watchdog controller 218 may wait for a predetermined amount of time (eg one second, two seconds or five seconds) after a determination that a vehicle dynamic parameter is outside the expected range has been made. If the dynamic parameter returns to the expected range within the predetermined time then the watchdog 218 may not determine that an error state has occurred and accordingly the control routine may proceed to step 312 rather than step 316. If the dynamic parameter does not return to the expected range within the predetermined time then the watchdog controller determines that an error has occurred and proceeds to step 316 in which operation in the safe mode is initiated. Operation in the safe mode will be described in greater detail below. If the observed acceleration and yaw rate are determined to be within the expected ranges then the control routine proceeds to step 312.
  • a predetermined amount of time eg one second, two seconds or five seconds
  • step 312 the watchdog controller 218 determines whether or not any of the observed dynamic parameters are outside predetermined absolute limits on vehicle dynamic performance. If any of the dynamic parameters are within the absolute limits on dynamic performance then the control routine proceeds to step 316. Otherwise the control routine proceeds to step 314.
  • step 314 the watchdog controller 218 determines whether or not communications with one or more other subsystem controllers (not shown in figure 2) are normal.
  • the other subsystem controllers may be arranged to control a steering system of the vehicle, one or more friction brakes of the vehicle or any other system. It will be understood that some of the other subsystem controllers may be associated with safety-critical systems whilst others may be associated with non-safety-critical subsystems.
  • the other subsystem controllers are all be arranged to send a signal indicating that they are working normally to the watchdog controller 218 at predetermined time intervals. If the watchdog controller has received all of the expected signals from the other subsystem controllers then the watchdog controller 218 determines that no error states have occurred, and the control routine returns to step 304. If the watchdog controller does not receive a signal from signal from one or more of the other subsystem controllers within the predetermined time interval then the watchdog controller 218 may determine that communications with that subsystem controller have been lost and therefore an error state has occurred. Accordingly, the control routine proceeds to step 316 in which the vehicle enters the safe mode.
  • the watchdog controller 218 initiates operation of the vehicle 200 in a safe mode thereof.
  • the vehicle 200 operates in the safe mode functionality of the vehicle is limited compared to when the vehicle is operating normally.
  • the watchdog controller 218 may be operable to control the switch 210 to open whenever an error state is detected, thereby preventing the electric machines 204A-D from providing positive torque to the wheels 202A-D. The driver is then able to bring the vehicle 200 to rest at a safe location using the brakes and steering.
  • the action that is taken when the vehicle enters the safe mode may vary in dependence on the error state that caused the watchdog controller 218 to initiate operation in the safe mode.
  • the watchdog controller may be configured to output a warning and inhibit operation of the subsystem with which communication has been lost when the safe mode is entered.
  • the watchdog controller 218 may be configured to send override signals to disable one or more components of the vehicle 200 when an error state has been detected. For example, if the observed vehicle dynamic behaviour is outside the range of expected vehicle dynamic behaviour then the watchdog controller 218 may be configured to send an override signal to controller 208, which override signal causes the controller 208 to control some or all of the electric machines 204A-D to provide substantially zero positive drive torque.
  • the watchdog controller 218 may be configured to initially send a first override signal that causes zero torque to be produced by motors 204A and 204B, which are associated with the front wheels 202A, 202B.
  • the watchdog controller (or another controller) determines that the error state has been corrected by inhibiting motors 204A, 204B from operating then the first override signal is maintained and continued operation of the vehicle using motors 204C, 204D is performed. If the first override signal does not cause the error state to be resolved within a predetermined time limit (for example five seconds) then the watchdog controller 218 may stop sending the first override signal and may instead send a second override signal, which signal causes the controller 208 to control electric machines 204C, 204D to produce substantially zero torque.
  • a predetermined time limit for example five seconds
  • the watchdog controller determines that the error state has been corrected by inhibiting motors 204C, 204D from operating then the first override signal is maintained and continued operation of the vehicle using motors 204A, 204B is performed. Otherwise a third override signal that causes all four electric machines 204A-D to produce substantially zero positive drive torque is sent to controller 208 by watchdog controller 218.
  • the watchdog controller may be configured to control switch 210 to open only if the third override signal does not correct the error state. It will be understood that the order in which the operation of the front and rear electric machines are disabled by the first and second override signals may be reversed in some embodiments.
  • the watchdog controller 218 may cause a warning to be displayed to the driver indicating that functionality of the vehicle is limited whenever operation in the safe mode is initiated. Furthermore, depending on the action that is taken by the controller to initiate operation in the safe mode, the controller may also be configured to cause an external warning to be issued to warn other road users that performance of the vehicle 200 is limited. Such an external warning may comprise initiating flashing of the hazard warning lights of the vehicle 200. It will be understood that the order of the steps in control routine 300 is merely an example, and could be changed. Furthermore, some of the steps may be performed simultaneously with other steps, or may be omitted.
  • the determination of whether the acceleration and yaw rates are within the expected ranges in step 310 may be performed simultaneously with the determination of whether any of the dynamic parameters are outside the absolute limits in step 312 and/or the determination of whether communications with any of the other ECUs have been lost in step 314.
  • Any such software may be stored in the form of volatile or non-volatile storage such as, for example, a storage device like a ROM, whether erasable or rewritable or not, or in the form of memory such as, for example, RAM, memory chips, device or integrated circuits or on an optically or magnetically readable medium such as, for example, a CD, DVD, magnetic disk or magnetic tape.
  • volatile or non-volatile storage such as, for example, a storage device like a ROM, whether erasable or rewritable or not
  • memory such as, for example, RAM, memory chips, device or integrated circuits or on an optically or magnetically readable medium such as, for example, a CD, DVD, magnetic disk or magnetic tape.
  • the storage devices and storage media are embodiments of machine-readable storage that are suitable for storing a program or programs that, when executed, implement embodiments of the present invention. Accordingly, embodiments provide a program comprising code for implementing a system or method as claimed in any preceding

Landscapes

  • Engineering & Computer Science (AREA)
  • Transportation (AREA)
  • Mechanical Engineering (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Sustainable Development (AREA)
  • Sustainable Energy (AREA)
  • Power Engineering (AREA)
  • Automation & Control Theory (AREA)
  • Human Computer Interaction (AREA)
  • Electric Propulsion And Braking For Vehicles (AREA)

Abstract

Embodiments of the present invention provide watchdog controllers for electric vehicles. The watchdog controllers are operable to compare an observed vehicle dynamic response to an expected range of vehicle dynamic responses calculated based on one or more vehicle control inputs. In the event that the observed dynamic response is not within expected range of dynamic responses the controller is operable to cause the vehicle to operate in a safe mode in which functionality of the vehicle is at least partially limited.

Description

WATCHDOG CONTROLLER FOR AN ELECTRIC VEHICLE
TECHNICAL FIELD
The present disclosure relates to a watchdog and particularly, but not exclusively, to a watchdog controller for a vehicle. Aspects of the invention relate to a controller, to a method, to a non-transitory computer-readable medium, to a computer program product, to a processor, and to a vehicle.
BACKGROUND
In modern motor vehicles critical components such as engines, brakes or steering actuators are often controlled by controllers that implement functions that determine what output is required from the component in the current operating conditions. Such functions may use inputs indicative of several parameters including driver inputs and vehicle operating parameters to calculate the required output. Accordingly, the functions may have a high level of complexity and may require significant processing power.
Provision of complex functions to calculate the required output from components can significantly improve vehicle performance, as the output from the components can be optimised in the current operating conditions. However, the complexity of the functions also increases a risk that they will produce an undesired output under an unforeseen set of operating conditions, and also increases the risk that the processor implementing the function will be overloaded, for example because of an undetected bug in the software.
Although automotive manufacturers make every effort to ensure that bugs and unexpected conditions are eliminated, watchdogs have been provided to monitor the output of the controllers and to ensure that unsafe conditions do not occur as a result of controller malfunctions. Watchdogs are controllers that typically perform a simple calculation to determine a range in which the output of the controller that they are monitoring is expected to fall based on at least some of the inputs that are provided to the controller that they are monitoring. If the watchdog determines that the output of the controller does not fall within the expected range then it may command appropriate corrective action, for example resetting of the controller or inhibiting control of the component by the controller.
It is important that the calculation performed by a watchdog is independent of that performed by the controller that it is watching, as otherwise a bug may be duplicated on both the controller and its watchdog. Accordingly, watchdogs of the type described above are only generally effective if a good estimate of the range within which a controller output will fall can be estimated by a relatively simple function. This has led to difficulties in implementing watchdogs for certain types of component.
It is an object of embodiments of the invention to at least mitigate one or more of the problems of the prior art.
SUMMARY OF THE INVENTION
Aspects and embodiments of the invention provide a watchdog controller, a method, a computer program product, a non-transitory computer readable medium, a processor and a vehicle as claimed in the appended claims.
According to an aspect of the invention, there is provided a watchdog controller for a vehicle, the controller comprising:
input means configured to receive a first input indicative of at least one vehicle control input and a second input indicative of at least one vehicle dynamic parameter; and control means communicably coupled to said input means,
wherein the control means are operable to initiate operation of the vehicle in a safe mode thereof upon detection of an error state, said error state being detected in dependence on the first and second inputs,
wherein functionality of the vehicle is at least partially limited when the vehicle is operating in said safe mode. Such a controller is operable to determine when an error state has occurred without duplicating the potentially complex functionality of the controllers that determine what current should be provided to the prime mover, of the electrically powered vehicle, which may be an electric machine. The vehicle dynamic parameter may be a vehicle acceleration or a vehicle angular velocity. Optionally, the watchdog controller may be a watchdog controller for use on an electrically powered vehicle, for example an electrically powered vehicle having a complex control system. Alternative embodiments may be suitable for use on vehicles that are powered by internal combustion engines, especially vehicles that are provided with complex traction control systems, which may use hydraulic braking to selectively reduce the overall amount of torque applied at individual wheels.
It will be understood that within the scope of the present application the term "acceleration" is considered to include any change in velocity with respect to time, in any direction. Accordingly, increases or reductions in the magnitude of the velocity of a vehicle or changes in the direction of travel of a vehicle are all considered to cause "acceleration" of the vehicle. It will be understood that the vehicle may operate in a normal mode when no error state has been detected, and that functionality when the vehicle is operating in the safe mode may be limited relative to the normal mode. Optionally the controller is configured to cause operation of at least one electric machine of the electric vehicle to be inhibited, thereby to initiate operation of the vehicle in said safe mode.
Further optionally the control means are operable to open a switch between a battery of the electric vehicle and the electric machine upon detection of said error state, thereby to initiate operation of the vehicle in said safe mode. Advantageously, this allows the watchdog controller to prevent the electric machine from applying positive torque to the wheels of the vehicle. Optionally, the control means are operable to send an override signal to a controller operable to control the electric machine upon detection of said error state, thereby to initiate operation of the vehicle in said safe mode. Optionally said override signal causes the controller to substantially prevent the electric machine from producing positive torque. In an embodiment the electric vehicle comprises a plurality of electric machines, said plurality of electric machines comprising a first group of one or more electric machines and a second group of one or more electric machines, wherein when the vehicle is operating in the safe mode operation of said first group of electric machines is inhibited and operation of said second group of electric machines is not inhibited. A watchdog controller as defined above may be particularly useful on such an electric vehicle, as a conventional watchdog for such a vehicle may be very complex and therefore susceptible to software bugs.
Optionally, the first group of electric machines are configured to deliver torque to one or more front wheels of the vehicle and the second group of electric machines are configured to deliver torque to one or more rear wheels of the vehicle. In an embodiment the first group of electric machines are configured to deliver torque to one or more rear wheels of the vehicle and the second group of electric machines are configured to deliver torque to one or more front wheels of the vehicle. Inhibiting operation of only one group of electric machines may allow the vehicle to continue to be driven when an error condition has been detected.
Optionally the second input is indicative of a vehicle yaw rate. The error state may be detected when the vehicle yaw rate exceeds a first threshold value. Optionally, said error state is detected when the vehicle yaw rate exceeds the first threshold value for a threshold time period. The first threshold value may vary in dependence on a currently selected driving mode of the vehicle. Optionally, said first input comprises an input indicative of a current steering angle and the first threshold value varies in dependence on the current steering angle.
In an embodiment said first input comprises one or more inputs indicative of the current accelerator pedal position and the current brake pedal position;
said second input comprises an input indicative of the vehicle acceleration, wherein the error state is detected when the vehicle acceleration is outside an expected range; and said expected range varies in dependence on the accelerator pedal position and the brake pedal position. According to another aspect of the present invention for which protection is sought there is provided an electrically powered vehicle comprising a watchdog controller as described above.
Optionally, the vehicle comprises:
a plurality of wheels;
a plurality of electric machines, each of said electric machines being associated with a respective one of said wheels; and
powertrain control means operable to receive a plurality of powertrain control signals indicative of a plurality of vehicle parameters including the at least one vehicle control input, the powertrain control means being operable to provide individual torque request signals to each of said electric machines, said individual torque request signals being calculated in dependence on said powertrain control signals.
Optionally, said powertrain control means is operable to provide individual regenerative breaking request signals to each of said electric machines, said individual regenerative breaking request signals being calculated in dependence on said powertrain control signals.
In an embodiment, when said vehicle operates in said safe mode a plurality of vehicle systems are sequentially disabled, and a vehicle response to disabling of each of the systems is monitored by at least one selected from said powertrain control means, said watchdog controller, and another control means. Advantageously this may allow the watchdog controller to identify the source of the error. Under certain circumstances this may allow the vehicle to continue to operate safely despite the error state.
Optionally, the watchdog controller is further configured to monitor the communication status of one or more subsystem controllers of the vehicle. The watchdog controller may be operable to initiate operation of the vehicle in the safe mode upon detection of a loss of communication with one of said subsystem controllers.
In an embodiment the vehicle may comprise one or more accelerometers communicably coupled to the watchdog controller. Said accelerometers may be configured to produce said second input.
According to another aspect of the present invention for which protection is sought there is provided a method of controlling an electrically powered vehicle comprising:
receiving a first input indicative of at least one vehicle control input and a second input indicative of at least one vehicle dynamic parameter; and
initiating operation of the vehicle in a safe mode thereof upon detection of an error state, said error state being detected in dependence on the first and second inputs,
wherein functionality of the vehicle is at least partially limited when the vehicle is operating in said safe mode. The vehicle dynamic parameter may be a vehicle acceleration or a vehicle angular velocity.
Optionally the method comprises:
causing operation of at least one electric machine of the electric vehicle to be inhibited upon detection of said error state, thereby to initiate operation of the vehicle in the safe mode.
Optionally the vehicle comprises:
a plurality of wheels;
a plurality of electric machines, each of said electric machines being associated with a respective one of said wheels; and
powertrain control means operable to receive a plurality of powertrain control signals indicative of a plurality of vehicle parameters including the at least one vehicle control input, wherein the method comprises providing individual torque request signals to each of said electric machines, said individual torque request signals being calculated in dependence on said powertrain control signals. According to another aspect of the present invention for which protection is sought there is provided a computer program product executable on a processor so as to implement a method as described above. According to another aspect of the present invention for which protection is sought there is provided a non-transitory computer readable medium carrying computer readable code which when executed by a computer causes a vehicle to carry out a method as described above. According to another aspect of the present invention for which protection is sought there is provided a processor arranged to implement a method or a computer program product as described above.
As used herein the term "watchdog controller" is understood to include both a single control means or controller and a plurality of control means or controllers collectively operating to provide the stated control functionality for a watchdog controller.
Within the scope of this application it is expressly intended that the various aspects, embodiments, examples and alternatives set out in the preceding paragraphs, in the claims and/or in the following description and drawings, and in particular the individual features thereof, may be taken independently or in any combination. That is, all embodiments and/or features of any embodiment can be combined in any way and/or combination, unless such features are incompatible. The applicant reserves the right to change any originally filed claim or file any new claim accordingly, including the right to amend any originally filed claim to depend from and/or incorporate any feature of any other claim although not originally claimed in that manner.
BRIEF DESCRIPTION OF THE DRAWINGS
One or more embodiments of the invention will now be described by way of example only, with reference to the accompanying drawings, in which:
Figure 1 shows a schematic diagram of known vehicle incorporating a watchdog controller;
Figure 2 shows a schematic diagram of a vehicle incorporating a dynamic watchdog controller in an embodiment of the present invention; Figure 3 shows a vehicle that may incorporate a dynamic watchdog controller in an embodiment of the present invention; and
Figure 4 shows a flow chart illustrating the operation of a dynamic vehicle controller in an embodiment of the present invention.
DETAILED DESCRIPTION
Figure 1 shows a schematic diagram of a prior art vehicle 100 having four wheels 102A-D, of which two wheels 102C, 102D are powered by an AC electric motor 104 via a differential 106. Power is provided to the motor 104 from a battery 108 via controller 1 12 and inverter 1 10. Controller 1 12 controls the electrical supply to inverter 1 10 in dependence on various inputs including the positions of accelerator pedal 1 14 and brake pedal 1 16. Watchdog controller 1 18 is also configured to receive inputs indicative of the positions of the accelerator pedal 1 14 and the brake pedal 1 16, and is also configured to receive an input indicative of the current flowing to inverter 1 10. Watchdog controller 1 18 is configured to calculate an expected range for the current flowing to the inverter 1 10 and to determine whether or not the observed current flowing to the inverter 1 10 falls within the expected range. If the observed current does fall within the expected range then the watchdog controller 1 18 takes no action. However, if the observed current is outside the expected range then the watchdog controller 1 18 determines that an error has occurred and controls a switch (not shown) between the inverter 1 10 and the battery 104 to open, thereby stopping the motor from delivering power to the wheels 102C, 102D.
The arrangement shown in figure 1 is effective provided the watchdog controller 1 18 is able to calculate an expected range for the current flowing to the inverter 1 10 that is narrow enough to ensure that a malfunction of the controller 1 12 is detected rapidly but accurate enough that the current is always within the expected range during normal operation. However, it is important that the watchdog controller 1 18 does not simply duplicate the control logic implemented on the controller 1 12, as this could lead to a situation in which a common error occurs on both the watchdog controller 1 18 and the controller 1 12, and is therefore not recognised as an error.
Figure 2 shows a vehicle 200 having four wheels 202A-D, each of which is powered by a separate electric motor 204A-D. Power from battery 206 is delivered to the motors 204A-D via controller 208. The power may be supplied to each of the motors 204A-D via an inverter associated with each of the motors (not shown), or the motors 204A-D may be DC motors. The arrangement shown in figure 2 has the advantage that the power provided to each of the wheels 202A-D can be varied substantially independently by controller 208 without applying braking torque to any of the wheels. This may allow the stability and dynamic performance of the vehicle to be improved compared to prior art vehicles in which have more limited control over the power delivered to each of the wheels. The torque to be provided to each of the wheels is calculated by the controller 208 in dependence on the positions of the accelerator pedal 214 and the brake pedal 216, and also on a number of other parameters which may include one or more parameters relating to the available surface traction, one or more wheel parameters relating to wheel slip, a steering wheel position, a vehicle yaw rate and a vehicle speed. The calculation of the torque required at each wheel may be relatively complex, and there may be significant variations between the torque required at each of the wheels, which variations may depend on parameters other than the positions of the brake pedal and the accelerator pedal. In an embodiment the controller 208 may receive inputs indicative of the current rotational velocity at each of the wheels, and may be configured to calculate slip values at each of the wheels in dependence on the rotational velocities of the wheels and an estimate of the velocity of the vehicle, which estimate may be made based on accelerometer readings or other known methods. The controller 208 is operable to estimate the available traction at each of the wheels in dependence on the slip values and the torque provided to each of the wheels by the motors 204A-D. In dependence on the estimates of the available traction the controller may alter the current provided to each of the motors 204A-D so as to provide more torque to the wheels that have relatively high available traction and less torque to wheels that have relatively low available traction. This may improve the dynamic performance of the vehicle in situations where limited traction is available. Similarly, when the vehicle 200 is turning the controller 208 may alter the current provided to each of the motors 202A-D to reduce or prevent wheel slip and to control the vehicle yaw rate to substantially match a target yaw rate which may be calculated in dependence on a user steering input. The torque required at each wheel and therefore the current supplied to each of the motors 204A-D for a given position of the accelerator pedal 214 and brake pedal 216 can therefore vary significantly and in a relatively complex manner. Accordingly, a watchdog controller operable to calculate an expected range of the current supplied to each of the motors 204A- D would need to account for other inputs besides the positions of the accelerator and brake pedals. The watchdog controller would also have to perform a similarly complex calculation to be able to calculate an expected range that was narrow enough to reliably detect errors when they occur, and it may be necessary for the watchdog controller to duplicate a significant amount of the functionality of the controller 208. This introduces a risk that a common fault could occur in both the watchdog controller and the controller 208, which would result in the fault not being detected. Accordingly, one or more watchdog controllers comparing the actual current supplied to the motors 202A-D with an expected range may not provide sufficient protection against potential error states.
As shown in figure 2, the controller 208 is provided with a dynamic watchdog controller 218. Dynamic watchdog controller 218 is operable to detect an error state in the controller 208 (or in one of the motors 204A-D that are controlled by the controller 208), and to open switch 210 to inhibit the controller 208 from controlling the motors 204A-D upon detection of the error state. The operation of dynamic watchdog controller 218 will be described in more detail below.
Dynamic watchdog controller 218 is operable to receive inputs indicative of the vehicle acceleration and rotation about three mutually perpendicular axes (X, Y, Z) from six degree of freedom accelerometer 220 and inputs indicative of the position of the accelerator pedal 214, the position of the brake pedal 216 and the current vehicle speed. The dynamic watchdog controller may be further configured to receive an input indicative of a current steering input such as the position of a steering wheel of the vehicle and/or the torque applied to the steering wheel by a driver of the vehicle.
Figure 3 shows a vehicle 200 along with a coordinate system showing the directions of axes X, Y, Z. As can be seen in figure 3, axis X is aligned with the direction of travel of the vehicle, axis Y is transverse to the direction of travel and is horizontal when the vehicle is located on level ground, and axis Z is vertical when the vehicle is located on level ground. The accelerometer 220 is also operable to produce an output indicative of the angular velocity about each of the axes X, Y and Z. It will be understood that rotation about axis X is conventionally referred to as "roll", rotation about axis Y is conventionally referred to as "pitch" and rotation about axis Z is conventionally referred to as "yaw". Alternative coordinate systems to the one shown in figure 3 would also be possible, although the system showed in figure 3 generally simplifies the calculations that are performed by the system.
Dynamic watchdog controller 218 is operable to calculate an expected range of vehicle dynamic behaviour in dependence on the positions of the accelerator pedal 214, the brake pedal 216 and the steering wheel. The expected range may comprise upper and lower thresholds on acceleration in the 'X' direction and yaw rate (i.e. rotational velocity about the 'X' axis), which limits may vary in dependence on the driver inputs to the accelerator pedal 214, the brake pedal 216 and the steering wheel. The limits may also vary in dependence on one or more features of the terrain that the vehicle is currently driving on, for example the surface topology or the available surface traction. The limits may also vary in dependence on the currently selected driving mode. For example, the limits may be range of expected dynamic behaviour may be wider if a "sport" or "race" driving mode is selected.
The watchdog controller 218 may have access to an electronic memory having a look up table relating the driver inputs to the accelerator pedal, the brake pedal and the steering wheel to the upper and lower limits for acceleration in the X direction and yaw rate. The upper and lower limits stored in the lookup table may be determined empirically during vehicle calibration based upon the observed range of vehicle dynamic behaviour for given sets of inputs. In the event that the observed dynamic behaviour falls outside the expected range of dynamic behaviour the watchdog controller 218 may be configured to determine that an error state has occurred. Accordingly, watchdog controller 218 may initiate operation of the vehicle in a safe mode thereof, for example by controlling switch 210 to open, thereby electrically disconnecting the battery 206 from the controller 208.
In addition to limits that are calculated in dependence on the control inputs provided by the driver, watchdog controller 218 may also implement absolute limits on vehicle dynamic performance. If an observed dynamic parameter exceeds one of the absolute limits then an error state may be considered to have occurred irrespective of what control inputs are provided by the driver. Accordingly, operation in the safe mode may be initiated whenever a vehicle dynamic parameter exceeds an absolute limit on vehicle dynamic performance. The operation of a watchdog controller 218 in a particular embodiment of the present invention will now be described in more detail with respect to figure 4. Watchdog control routine 300 begins at step 302 and immediately proceeds to step 304, in which the watchdog controller 218 receives inputs indicative of the accelerator and brake pedal positions, a current steering input and the current vehicle speed. The method then proceeds to step 306, in which the expected ranges of vehicle dynamic performance are calculated in dependence on the inputs received in step 304. In the present embodiment only expected ranges of yaw rate and acceleration in the X direction are calculated, although it will be understood that expected ranges for other dynamic parameters may be calculated in addition or instead in other embodiments.
After step 306 the control routine proceeds to step 308, in which the watchdog controller 218 receives inputs indicative of the current dynamic behaviour of the vehicle from accelerometer 220. Next, the control routine proceeds to step 310, in which the watchdog controller 218 determines whether or not the observed acceleration and/or yaw rate are within the expected ranges calculated in step 306. If the observed acceleration and/or yaw rate are not within the expected ranges then the watchdog controller 218 determines that an error condition has occurred and the control routine proceeds to step 316 in which the watchdog controller 218 initiates operation of the vehicle 200 in a safe mode thereof. In some embodiments the watchdog controller 218 may wait for a predetermined amount of time (eg one second, two seconds or five seconds) after a determination that a vehicle dynamic parameter is outside the expected range has been made. If the dynamic parameter returns to the expected range within the predetermined time then the watchdog 218 may not determine that an error state has occurred and accordingly the control routine may proceed to step 312 rather than step 316. If the dynamic parameter does not return to the expected range within the predetermined time then the watchdog controller determines that an error has occurred and proceeds to step 316 in which operation in the safe mode is initiated. Operation in the safe mode will be described in greater detail below. If the observed acceleration and yaw rate are determined to be within the expected ranges then the control routine proceeds to step 312.
In step 312 the watchdog controller 218 determines whether or not any of the observed dynamic parameters are outside predetermined absolute limits on vehicle dynamic performance. If any of the dynamic parameters are within the absolute limits on dynamic performance then the control routine proceeds to step 316. Otherwise the control routine proceeds to step 314. In step 314 the watchdog controller 218 determines whether or not communications with one or more other subsystem controllers (not shown in figure 2) are normal. The other subsystem controllers may be arranged to control a steering system of the vehicle, one or more friction brakes of the vehicle or any other system. It will be understood that some of the other subsystem controllers may be associated with safety-critical systems whilst others may be associated with non-safety-critical subsystems. In the illustrated embodiment the other subsystem controllers are all be arranged to send a signal indicating that they are working normally to the watchdog controller 218 at predetermined time intervals. If the watchdog controller has received all of the expected signals from the other subsystem controllers then the watchdog controller 218 determines that no error states have occurred, and the control routine returns to step 304. If the watchdog controller does not receive a signal from signal from one or more of the other subsystem controllers within the predetermined time interval then the watchdog controller 218 may determine that communications with that subsystem controller have been lost and therefore an error state has occurred. Accordingly, the control routine proceeds to step 316 in which the vehicle enters the safe mode.
When the control routine 300 proceeds to step 316 the watchdog controller 218 initiates operation of the vehicle 200 in a safe mode thereof. When the vehicle 200 operates in the safe mode functionality of the vehicle is limited compared to when the vehicle is operating normally. In some embodiments the watchdog controller 218 may be operable to control the switch 210 to open whenever an error state is detected, thereby preventing the electric machines 204A-D from providing positive torque to the wheels 202A-D. The driver is then able to bring the vehicle 200 to rest at a safe location using the brakes and steering. However, in other embodiments the action that is taken when the vehicle enters the safe mode may vary in dependence on the error state that caused the watchdog controller 218 to initiate operation in the safe mode. For example, if the error state that caused operation in the safe mode was loss of communication with a non-safety-critical vehicle subsystem then the watchdog controller may be configured to output a warning and inhibit operation of the subsystem with which communication has been lost when the safe mode is entered.
In some embodiments the watchdog controller 218 may be configured to send override signals to disable one or more components of the vehicle 200 when an error state has been detected. For example, if the observed vehicle dynamic behaviour is outside the range of expected vehicle dynamic behaviour then the watchdog controller 218 may be configured to send an override signal to controller 208, which override signal causes the controller 208 to control some or all of the electric machines 204A-D to provide substantially zero positive drive torque. The watchdog controller 218 may be configured to initially send a first override signal that causes zero torque to be produced by motors 204A and 204B, which are associated with the front wheels 202A, 202B. If the watchdog controller (or another controller) determines that the error state has been corrected by inhibiting motors 204A, 204B from operating then the first override signal is maintained and continued operation of the vehicle using motors 204C, 204D is performed. If the first override signal does not cause the error state to be resolved within a predetermined time limit (for example five seconds) then the watchdog controller 218 may stop sending the first override signal and may instead send a second override signal, which signal causes the controller 208 to control electric machines 204C, 204D to produce substantially zero torque. If the watchdog controller (or another controller) determines that the error state has been corrected by inhibiting motors 204C, 204D from operating then the first override signal is maintained and continued operation of the vehicle using motors 204A, 204B is performed. Otherwise a third override signal that causes all four electric machines 204A-D to produce substantially zero positive drive torque is sent to controller 208 by watchdog controller 218. In some embodiments the watchdog controller may be configured to control switch 210 to open only if the third override signal does not correct the error state. It will be understood that the order in which the operation of the front and rear electric machines are disabled by the first and second override signals may be reversed in some embodiments.
The watchdog controller 218 may cause a warning to be displayed to the driver indicating that functionality of the vehicle is limited whenever operation in the safe mode is initiated. Furthermore, depending on the action that is taken by the controller to initiate operation in the safe mode, the controller may also be configured to cause an external warning to be issued to warn other road users that performance of the vehicle 200 is limited. Such an external warning may comprise initiating flashing of the hazard warning lights of the vehicle 200. It will be understood that the order of the steps in control routine 300 is merely an example, and could be changed. Furthermore, some of the steps may be performed simultaneously with other steps, or may be omitted. In one embodiment the determination of whether the acceleration and yaw rates are within the expected ranges in step 310 may be performed simultaneously with the determination of whether any of the dynamic parameters are outside the absolute limits in step 312 and/or the determination of whether communications with any of the other ECUs have been lost in step 314.
Although the present invention has been described with regard to an electric vehicle having individual electric machines associated with each wheel, it will be understood that embodiments of the invention would also be applicable to electric vehicles having one electric machine configured to power all of the wheels. Furthermore, some embodiments may be applicable to hybrid vehicles that are partially powered by a combustion engine or vehicles that are powered solely by a combustion engine. It will be appreciated that embodiments of the present invention can be realised in the form of hardware, software or a combination of hardware and software. Any such software may be stored in the form of volatile or non-volatile storage such as, for example, a storage device like a ROM, whether erasable or rewritable or not, or in the form of memory such as, for example, RAM, memory chips, device or integrated circuits or on an optically or magnetically readable medium such as, for example, a CD, DVD, magnetic disk or magnetic tape. It will be appreciated that the storage devices and storage media are embodiments of machine-readable storage that are suitable for storing a program or programs that, when executed, implement embodiments of the present invention. Accordingly, embodiments provide a program comprising code for implementing a system or method as claimed in any preceding claim and a machine readable storage storing such a program. Still further, embodiments of the present invention may be conveyed electronically via any medium such as a communication signal carried over a wired or wireless connection and embodiments suitably encompass the same.
All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/or steps are mutually exclusive.
Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Thus, unless expressly stated otherwise, each feature disclosed is one example only of a generic series of equivalent or similar features.
The invention is not restricted to the details of any foregoing embodiments. The invention extends to any novel one, or any novel combination, of the features disclosed in this specification (including any accompanying claims, abstract and drawings), or to any novel one, or any novel combination, of the steps of any method or process so disclosed. The claims should not be construed to cover merely the foregoing embodiments, but also any embodiments which fall within the scope of the claims.

Claims

1 . A watchdog controller for an electrically powered vehicle, the controller comprising: input means configured to receive a first input indicative of at least one vehicle control input and a second input indicative of at least one of a vehicle acceleration and a vehicle rotational velocity; and
control means communicably coupled to said input means,
wherein the control means are operable to initiate operation of the vehicle in a safe mode thereof upon detection of an error state, said error state being detected in dependence on the first and second inputs,
wherein functionality of the vehicle is at least partially limited when the vehicle is operating in said safe mode.
2. A controller as claimed in claim 1 , wherein the controller is configured to cause operation of at least one electric machine of the electric vehicle to be inhibited, thereby to initiate operation of the vehicle in said safe mode.
3. A controller as claimed in claim 2, wherein the control means are operable to open a switch between a battery of the electric vehicle and the electric machine upon detection of said error state, thereby to initiate operation of the vehicle in said safe mode.
4. A controller as claimed in claim 2, wherein the control means are operable to send an override signal to a controller operable to control the electric machine upon detection of said error state, thereby to initiate operation of the vehicle in said safe mode.
5. A controller as claimed in claim 4, wherein said override signal causes the controller to substantially prevent the electric machine from producing positive torque.
6. A controller as claimed in any one of claims 2-5, wherein the electric vehicle comprises a plurality of electric machines, said plurality of electric machines comprising a first group of one or more electric machines and a second group of one or more electric machines, wherein when the vehicle is operating in the safe mode operation of said first group of electric machines is inhibited and operation of said second group of electric machines is not inhibited.
7. A controller as claimed in claim 6, wherein the first group of electric machines are configured to deliver torque to one or more front wheels of the vehicle and the second group of electric machines are configured to deliver torque to one or more rear wheels of the vehicle.
8. A controller as claimed in claim 6, wherein the first group of electric machines are configured to deliver torque to one or more rear wheels of the vehicle and the second group of electric machines are configured to deliver torque to one or more front wheels of the vehicle.
9. A controller as claimed in any preceding claim, wherein the second input is indicative of a vehicle yaw rate.
10. A controller as claimed in claim 9, wherein said error state is detected when the vehicle yaw rate exceeds a first threshold value.
1 1 . A controller as claimed in claim 10, wherein said error state is detected when the vehicle yaw rate exceeds the first threshold value for a threshold time period.
12. A controller as claimed in claim 10 or claim 11 , wherein the first threshold value varies in dependence on a currently selected driving mode of the vehicle.
13. A controller as claimed in any one of claims 10-12, wherein:
said first input comprises an input indicative of a current steering angle; and the first threshold value varies in dependence on the current steering angle.
14. A controller as claimed in any preceding claim, wherein:
said first input comprises one or more inputs indicative of the current accelerator pedal position and the current brake pedal position;
said second input comprises an input indicative of the vehicle acceleration, wherein the error state is detected when the vehicle acceleration is outside an expected range; and said expected range varies in dependence on the accelerator pedal position and the brake pedal position.
15. An electrically powered vehicle comprising a watchdog controller as claimed in any preceding claim.
16. A vehicle as claimed in claim 15 and comprising:
a plurality of wheels;
a plurality of electric machines, each of said electric machines being associated with a respective one of said wheels; and
powertrain control means operable to receive a plurality of powertrain control signals indicative of a plurality of vehicle parameters including the at least one vehicle control input, the powertrain control means being operable to provide individual torque request signals to each of said electric machines, said individual torque request signals being calculated in dependence on said powertrain control signals.
17. A vehicle as claimed in claim 16, wherein said powertrain control means is operable to provide individual regenerative breaking request signals to each of said electric machines, said individual regenerative breaking request signals being calculated in dependence on said powertrain control signals.
18. A vehicle as claimed in claim 16 or claim 17, wherein, when said vehicle operates in said safe mode a plurality of vehicle systems are sequentially disabled, and a vehicle response to disabling of each of the systems is monitored by at least one selected from said powertrain control means, said watchdog controller, and another control means.
19. A vehicle as claimed in any one of claims 15-18, wherein the watchdog controller is further configured to monitor the communication status of one or more subsystem controllers of the vehicle.
20. A vehicle as claimed in claim 19, wherein the watchdog controller is operable to initiate operation of the vehicle in the safe mode upon detection of a loss of communication with one of said subsystem controllers.
21 . A vehicle as claimed in any one of claims 15-20 and comprising one or more accelerometers communicably coupled to the watchdog controller.
22. A method of controlling an electrically powered vehicle comprising:
receiving a first input indicative of at least one vehicle control input and a second input indicative of at least one of a vehicle acceleration and a vehicle rotational velocity; and initiating operation of the vehicle in a safe mode thereof upon detection of an error state, said error state being detected in dependence on the first and second inputs, wherein functionality of the vehicle is at least partially limited when the vehicle is operating in said safe mode.
23. A method as claimed in claim 22 and comprising:
causing operation of at least one electric machine of the electric vehicle to be inhibited upon detection of said error state, thereby to initiate operation of the vehicle in the safe mode.
24. A method as claimed in claim 22 or claim 23, wherein the vehicle comprises:
a plurality of wheels;
a plurality of electric machines, each of said electric machines being associated with a respective one of said wheels; and
powertrain control means operable to receive a plurality of powertrain control signals indicative of a plurality of vehicle parameters including the at least one vehicle control input, wherein the method comprises providing individual torque request signals to each of said electric machines, said individual torque request signals being calculated in dependence on said powertrain control signals.
25. A computer program product executable on a processor so as to implement a method as claimed in any one of claims 22-24.
26. A non-transitory computer readable medium carrying computer readable code which when executed by a computer causes a vehicle to carry out the method of any one of claims 22-24.
27. A processor arranged to implement the method of any one of claims 22-24 or the computer program product of claim 25.
28. A watchdog controller, a computer program product, a non-transitory computer readable medium, a processor , a method or a vehicle substantially as described herein with reference to the accompanying figures 2-4.
PCT/EP2017/071057 2016-08-24 2017-08-21 Watchdog controller for an electric vehicle Ceased WO2018036977A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
DE112017004195.3T DE112017004195T5 (en) 2016-08-24 2017-08-21 WATCHDOG CONTROL UNIT

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB1614410.7A GB2553121B (en) 2016-08-24 2016-08-24 Watchdog controller
GB1614410.7 2016-08-24

Publications (1)

Publication Number Publication Date
WO2018036977A1 true WO2018036977A1 (en) 2018-03-01

Family

ID=57045559

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2017/071057 Ceased WO2018036977A1 (en) 2016-08-24 2017-08-21 Watchdog controller for an electric vehicle

Country Status (3)

Country Link
DE (1) DE112017004195T5 (en)
GB (1) GB2553121B (en)
WO (1) WO2018036977A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102022125539A1 (en) 2022-10-04 2024-04-04 Audi Aktiengesellschaft Method for operating a vehicle with X-by-wire device using a fleet watchdog and vehicle
GB2634775A (en) * 2023-10-20 2025-04-23 Jaguar Land Rover Ltd Control system for a torque-limited vehicle

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2404176A (en) * 2003-07-23 2005-01-26 Ford Global Tech Llc Hybrid electric vehicle hill hold control
US20140156127A1 (en) * 2011-04-07 2014-06-05 Klaus Ebert Method for operating a vehicle
WO2015032994A1 (en) * 2013-09-09 2015-03-12 Jaguar Land Rover Limited Vehicle control system and method
EP3040233A1 (en) * 2013-08-30 2016-07-06 Hitachi Automotive Systems, Ltd. Electric vehicle control system
GB2534886A (en) * 2015-02-03 2016-08-10 Jaguar Land Rover Ltd Control system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE602005019499D1 (en) * 2004-07-15 2010-04-08 Hitachi Ltd Vehicle control system
US8847535B2 (en) * 2011-11-08 2014-09-30 Autoliv Asp, Inc. System and method to determine the operating status of an electrical system having a system controller and an actuator controller
KR101558359B1 (en) * 2013-12-18 2015-10-08 현대자동차 주식회사 Method for monitoring torque in hybrid elecric vehicle
KR101646210B1 (en) * 2014-09-23 2016-08-05 국민대학교산학협력단 Motor control system for considering functional safety

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2404176A (en) * 2003-07-23 2005-01-26 Ford Global Tech Llc Hybrid electric vehicle hill hold control
US20140156127A1 (en) * 2011-04-07 2014-06-05 Klaus Ebert Method for operating a vehicle
EP3040233A1 (en) * 2013-08-30 2016-07-06 Hitachi Automotive Systems, Ltd. Electric vehicle control system
WO2015032994A1 (en) * 2013-09-09 2015-03-12 Jaguar Land Rover Limited Vehicle control system and method
GB2534886A (en) * 2015-02-03 2016-08-10 Jaguar Land Rover Ltd Control system

Also Published As

Publication number Publication date
GB2553121A (en) 2018-02-28
GB201614410D0 (en) 2016-10-05
DE112017004195T5 (en) 2019-05-29
GB2553121B (en) 2019-02-06

Similar Documents

Publication Publication Date Title
US10036341B2 (en) Method and device for operating a drive system for a motor vehicle including an acceleration monitoring system
US9688284B2 (en) Method and device for monitoring a drive of a motor vehicle
US7245995B2 (en) Fault-tolerant vehicle stability control
JP5229341B2 (en) Accelerator pedal misoperation device and program for accelerator pedal misoperation device
JP6235609B2 (en) System and method for monitoring an estimated wheel speed of a vehicle using a transmission output shaft sensor
US10458356B2 (en) Vehicle control apparatus
US20160133064A1 (en) Method and device for determining whether an error condition is present in a motor vehicle
JP6407732B2 (en) Vehicle control device
GB2545463A (en) Method for controlling a vehicle
JP6779379B2 (en) Vehicle control unit
KR20150115667A (en) Method and device for avoiding an unintended acceleration of a motor vehicle
CN106379314B (en) Maintain the method and system of vehicle stabilization
JP2011161956A (en) Central control unit
KR101888454B1 (en) Apparatus and method for controlling fail-safe of intergrated electronic unit
WO2018036977A1 (en) Watchdog controller for an electric vehicle
KR102496881B1 (en) Method and Apparatus for Determining Whether an Fault Condition Exists in a Motor Vehicle
CN106458211B (en) Control device for vehicle
US12187255B2 (en) Vehicle control device
CN111479744A (en) Method for supervising the operation of a power steering system
CN104816723B (en) Method for monitoring a drive
CN113492690B (en) Motor torque control method, device, equipment and automobile
EP3889004B1 (en) Auxiliary control system and method for a vehicle
KR102741710B1 (en) Operating system of main brake for breakdown of autonomous driving function
JP7287011B2 (en) Wheel control system and wheel control method
KR20230051281A (en) Activate yaw rate control

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17758480

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 17758480

Country of ref document: EP

Kind code of ref document: A1