(11) EP 3 623 228 A1

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication:
18.03.2020 Bulletin 2020/12

(21) Application number: 18194195.6

(22) Date of filing: 13.09.2018

(51) Int. Cl.:
B60R 21/01 (2006.01)

(84) Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
Designated Extension States:
BA ME
Designated Validation States:
KH MA MD TN

(71) Applicant: Veoneer Sweden AB
447 83 Vårgårda (SE)

(72) Inventors:
  • Caclard, Laurent
    27440 Touffreville (FR)
  • Patel, Bankim
    Canton, MI 48187 (US)
  • Wantuck, Ron
    Ann Arbor, MI 48108 (US)

(74) Representative: Rusby-Gale, Daniel Matthew
Forresters IP LLP Skygarden Erika-Mann-Strasse 11
80636 München (DE)

(54) A VEHICLE SAFETY SYSTEM AND A METHOD OF CONTROLLING A VEHICLE SAFETY SYSTEM


(57) A vehicle safety system (1) comprising a master control module (2) which is configured to be coupled to a data bus (6) and a slave module (3) which is configured to be coupled to the data bus, wherein the slave module (3) comprises a deployment driver module (16) which is configured to activate a safety device (17) in response to a crash signal, the slave module (3) being configured to receive arming state data from the master control module (2) via the data bus (6) and process the arming state data to determine whether the arming state data provides a confirmation of a crash situation, wherein if the deployment driver module receives a crash signal and the arming state data provides a confirmation of a crash situation, the deployment driver module (16) is configured to output a deployment signal to activate a safety device (17).




Description


[0001] The present invention relates to a vehicle safety system and a method of controlling a vehicle safety system. The present invention more particularly relates to a vehicle safety system which communicates via a data bus and a method of controlling such a vehicle safety system.

[0002] A conventional vehicle safety system typically comprises an electronic control unit which is connected to a safety device and a crash sensor. The control unit is configured to provide an activation signal to the safety device to activate the safety device in the event that the crash sensor senses a crash situation.

[0003] Some safety devices, such as an air-bag, are single use devices that must be replaced after activation. It can be difficult and costly to replace a safety device so it is desirable to minimise or prevent accidental activation of the safety device.

[0004] In order to minimise or prevent accidental activation of a safety device, a conventional vehicle safety system typically uses one or more arming state signals in conjunction with an activation signal to control the deployment of the safety device. In use, the safety device is only activated if the arming state signal confirms the validity of the activation signal.

[0005] The arming state signal is generated by a safing generator which is coupled via dedicated electrical wiring to a safety device. The safing generator is typically housed within the housing of the vehicle's electronic control unit. In some configurations, the safing engine is provided on the same printed circuit board as the vehicle's electronic control unit. The safing engine is coupled to electrical connectors that are provided on the housing of the vehicle's electronic control unit. Dedicated wiring is connected between the electrical connectors and each safety device to communicate arming state signals from the safing engine to each safety device.

[0006] A problem can occur if the electrical wiring between the connectors on the housing of the vehicle's electronic control unit and a safety device or the connectors themselves become damaged such that it is not possible to communicate an arming state signal to the safety device. If this happens then the safety device can no longer use the arming state signal to confirm whether or not to activate the safety device. To minimise the risk of damage to the safety system during a crash situation, it is desirable to minimise the number of connectors on the housing of a vehicle's electronic control unit and each safety device and to minimise the amount of dedicated wiring between the housing of a vehicle's electronic control unit and each safety device.

[0007] It is also desirable to minimise the number of connectors and the amount of dedicated wiring in a vehicle safety system to reduce the cost and complexity of the vehicle safety system.

[0008] The present invention seeks to provide an improved vehicle safety system and an improved method of controlling a vehicle safety system.

[0009] According to one aspect of the present invention, there is provided a vehicle safety system comprising: a master control module which is configured to be coupled to a data bus; and a slave module which is configured to be coupled to the data bus, wherein the slave module comprises a deployment driver module which is configured to activate a safety device in response to a crash signal, the slave module being configured to receive arming state data from the master control module via the data bus and process the arming state data to determine whether the arming state data provides a confirmation of a crash situation, wherein if the deployment driver module receives a crash signal and the arming state data provides a confirmation of a crash situation, the deployment driver module is configured to output a deployment signal to activate a safety device.

[0010] Preferably, the system further comprises: a data bus which is coupled to the master control module and the slave module to communicate data between the master control module and the slave module.

[0011] Conveniently, the data bus is a serial peripheral interface bus and the master control module and the slave module each incorporate a respective serial peripheral interface which is coupled to the serial peripheral interface bus.

[0012] Advantageously, the master control module comprises a safing module which is configured to generate the arming state data.

[0013] Preferably, the deployment driver module is coupled to a safety device and configured to activate the safety device in response to a crash signal and the slave module determining that the arming state data provides a confirmation of a crash situation.

[0014] Conveniently, the safety device is a vehicle safety device selected from a group including an air-bag, a seat belt tensioner or a bonnet lifter, a pyrotechnic actuator or fuse or an electrically activated roll bar.

[0015] Advantageously, the master control module comprises a master data register which is configured to store the arming state data.

[0016] Preferably, the slave module comprises a slave data register which is configured to store arming state data received by the slave module. Conveniently, the system comprises a plurality of slave modules which are configured to be coupled to the data bus to receive arming state data from the master control module, wherein each slave module is identified by a unique identifier.

[0017] Advantageously, the master control module is configured to transmit arming state data comprising at least one of the identifiers and each slave module is configured to only activate a safety device if the slave module detects that the arming state data comprises an identifier that matches the identifier of the slave module.

[0018] According to another aspect of the present invention, there is provided a method of controlling a vehicle safety system, the method comprising: transmitting arming state data from a master control module to a slave module via a data bus, wherein the slave module comprises a deployment driver module which is configured to activate a safety device in response to a crash signal; processing the arming state data at the slave module to determine whether the arming state data provides a confirmation of a crash situation; and if the deployment driver module receives a crash signal and the arming state data provides a confirmation of a crash situation, outputting a deployment signal from the deployment driver to activate a safety device.

[0019] Preferably, the data bus is a serial peripheral interface bus and the master control module and the slave module each incorporate a respective serial peripheral interface which is coupled to the serial peripheral interface bus.

[0020] Conveniently, the method further comprises: storing the arming state data in a master data register at the master control module; and storing the arming state data in a slave data register at the slave module.

[0021] Advantageously, the method further comprises: transmitting the arming state data from the master control module to a plurality of slave modules via the data bus, wherein each slave module is identified by a unique identifier.

[0022] Preferably, the method further comprises: transmitting arming state data comprising at least one of the identifiers from the master control module to the slave modules; processing the arming state data at each of the slave modules to identify an identifier; and if the arming state data provides a confirmation of a crash situation, only outputting a deployment signal from the deployment driver to activate a safety device if the slave module detects that the arming state data comprises an identifier that matches the identifier of the slave module.

[0023] So that the present invention may be more readily understood, embodiments of the present invention will now be described, by way of example, with reference to the accompanying drawings, in which:

Figure 1 is a schematic diagram of part of a vehicle safety system of some embodiments,

Figure 2 is a schematic diagram of part of a vehicle safety system of some embodiments,

Figure 3 is a schematic diagram of part of a vehicle safety system of some embodiments, and

Figure 4 is a flow diagram showing the operation of a vehicle safety system of some embodiments.



[0024] Referring initially to figure 1 of the accompanying drawings, a vehicle safety system 1 of some embodiments comprises a master control module 2 and at least one slave module 3-5. In this embodiment, the vehicle safety system 1 comprises three slave modules 3-5 but it is to be appreciated that other embodiments may incorporate a greater or fewer number of slave modules. In some embodiments, the master control module 2 and/or each of the slave modules 3-5 are implemented in a microcontroller.

[0025] The master control module 2 and the slave modules 3-5 are each configured to be coupled to a data bus 6. In this embodiment, the data bus 6 is a serial peripheral interface (SPI) data bus. The SPI data bus is a four-wire serial bus and the master control module 2 and the slave modules 3-5 each comprise electrical connectors which connect to each of the four wires of the SPI data bus.

[0026] The vehicle safety system 1 further comprises a data bus controller 7. In this embodiment, the data bus controller 7 is an SPI controller which is configured to manage data communicated via the data bus 6. In this embodiment, the data bus controller 7 is the master controller of the data bus 6 in the sense that it controls the data communicated via the data bus 6. The master control module 2, on the other hand, is a master controller in the sense of the vehicle safety system in that it is configured to control the slave modules 3-5.

[0027] The master control module 2 further comprises a safing module 8 which is configured to generate arming state data for transmission to one or more of the slave modules 3-5. The safing module 8 generates the arming state data based on signals from one or more sensors (not shown) which are indicative of the operation of the vehicle.

[0028] In some embodiments, the safing module 8 receives signals from one or more crash sensors within a vehicle which are configured to sense whether the vehicle is involved in a crash situation. The safing module 8 generates arming state data based on the crash sensor data such that the arming state data can confirm whether or not it is appropriate to activate a safety device.

[0029] The master control module 2 further comprises a master data register 9 which is configured to store arming state data generated by the safing module 8. In this embodiment, the master data register 9 is a shift register which receives and stores the arming state data sequentially from the safing module 8.

[0030] The master control module 2 further comprises an SPI interface 10 which is coupled to the master data register 9. The SPI interface 10 is configured to be connected to and communicate with the data bus 6. The SPI interface 10 is configured to receive data from the master data register 9 and to transmit the data to the data bus 6. The SPI interface 10 is also configured to receive data from the data bus 6 and to transmit the received data to the master data register 9 as indicated generally by arrow 11 in figure 1.

[0031] Each of the slave modules 3-5 comprises a slave module SPI interface 12-14 which is configured to communicate with the data bus 6. Each slave module SPI interface 12-14 is coupled for communication with the data bus 6.

[0032] Each slave module 3-5 comprises a slave data register. Figure 1 only shows the slave data register 15 of the first slave module 3 but it is to be appreciated that the other slave modules 4-5 also comprise slave data registers. The slave data registers of each of the slave modules 3-5 are coupled for communication with the SPI interfaces of each slave module 3-5. The slave data registers store data sequentially that is received from the data bus 6 and also output data to the data bus 6 via the SPI interfaces 12-14.

[0033] Each slave module 3-5 further comprises a deployment driver module. In figure 1, a deployment driver module 16 is only visible for the first slave module 3 but it is to be appreciated that the other slave modules 4-5 also comprise deployment driver modules. Each deployment driver module is coupled for communication with a respective one of the slave data registers to receive arming state data from the slave data register. Each deployment driver module is configured to receive a crash signal from a crash sensor (not shown) or another component that is configured to output a crash signal in the event that the vehicle is involved in a crash situation or an anticipated crash situation.

[0034] Each deployment driver module is configured to output a deployment signal to activate a safety device if it is appropriate to activate the safety device. In figure 1, a safety device 17 is shown coupled to the deployment driver module 16 of the first slave module 3. The safety device 17 may be any kind of vehicle safety device, such as, but not limited to, an air-bag, a seat belt tensioner, a hood or bonnet lifter, a pyrotechnic actuator or fuse or an electrically activated roll bar.

[0035] When the vehicle safety system 1 is in operation, the master control module 2 transmits arming state data via the data bus 6 to each of the slave modules 3-5. In this embodiment, the same arming state data is received by each of the slave modules 3-5. The arming state data is stored in the slave module data registers of each slave module 3-5. The arming state data is then processed by each slave module 3-5 to determine whether the arming state data provides a confirmation of a crash situation. If the arming state data provides a confirmation of a crash situation then the slave module communicates a confirmation signal to the deployment driver module. The deployment driver module uses the confirmation signal together with a crash signal to confirm that the deployment driver module should output a deployment signal to activate a safety device.

[0036] In this embodiment, each of the slave modules 3-5 is identified by a unique identifier which is encoded or stored in the arming state data. The master control module 2 transmits arming state data comprising at least one of the identifiers via the data bus 6. Each slave module 3-5 receives the arming state data via the data bus 6 and detects whether the arming state data comprises an identifier that matches the identifier of the slave module. If the slave module detects that the arming state data comprises an identifier that matches the slave module's identifier, the slave module processes the arming state data to determine whether or not the arming state data provides a confirmation of a crash situation. If the deployment driver module receives a crash signal and the arming state data provides a confirmation of a crash situation, the deployment driver module outputs a deployment signal to activate a safety device.

[0037] If, on the other hand, a slave module does not detect an identifier in the arming state data which matches the slave module's identifier, the slave module does not process the arming state data. In this instance, the slave module does not provide a confirmation signal to the deployment driver module or the slave module provides a confirmation signal to the deployment driver module to confirm that there is no crash situation. Consequently, the deployment driver module does not output a deployment signal and the safety device is not activated.

[0038] Referring now to figure 2 of the accompanying drawings, the four-wire SPI data bus 6 of the vehicle safety system 1 is shown in further detail. The four wires of the data bus 6 are identified respectively as Master Output Slave Input (MOSI), Master Input Slave Output (MISO), Serial Clock (CLK) and Chip Select (CS_Master). The four wires of the data bus are connected to the master control module 2, each of the slave modules 3-5 and the data bus controller 7.

[0039] In this embodiment, an Auxiliary Chip Select (CS_AUX) wire is provided between the data bus controller 7 and each of the slave modules 3-5. The CS_AUX wire notifies the slave modules 3-5 which SPI frame in the data transmitted from the master control unit 2 carries the arming state data. This removes the need for the slave modules 3-5 to inspect every SPI frame received via the data bus 6 and improves the reliability of the system since the slave modules 3-5 are notified directly of the relevant SPI frame.

[0040] The SPI interfaces 10, 12 of the master control module 2 and each of the slave modules 3-5 are configured to transmit and receive data via the SPI data bus 6 using SPI synchronous serial communication. The master control module 2 transmits the arming state data sequentially via the MISO wire to the data bus controller 7 and to each of the slave modules 3-5.

[0041] Each of the slave modules 3-5 monitors data communicated via the MISO and the MOSI connections when the slave module detects a chip select high signal provided via the CS_Master or CS_AUX wires.

[0042] The vehicle safety system of this embodiment provides a robust system for activating a safety device while minimising the risk of accidental activation. The use of the data bus to carry the arming state data minimises the number of electrical pins on each slave module since it removes the need for dedicated pins to be provided to receive arming signals. This also serves to reduce the wiring on the printed circuit board within each slave module as compared with conventional approaches which rely on dedicated electrical connection to carry arming signals.

[0043] The vehicle safety system of this embodiment is also more robust than conventional systems because the arming state data can carry parity check data and the unique identifier for each slave module. The same arming information is available to all slave modules since all slave modules are connected to the same data bus. The system also enables additional data, such as system or device state data, to be communicated to each slave module via the data bus in addition to the arming state data.
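
The slave-side gating described in paragraphs [0035] to [0037] and [0043], written out as an added example that is not taken from the patent. The 16-bit frame layout, the ARM_CONFIRM and ARM_SAFE patterns and every function name are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 16-bit arming frame (constructed; the patent defines no layout):
 *   bits 15..12 slave identifier, bits 11..4 arming pattern,
 *   bits 3..1 reserved (must be 0), bit 0 parity bit that makes the
 *   number of 1 bits in the frame even. */
#define ARM_CONFIRM 0xA5u /* hypothetical "crash confirmed" pattern */
#define ARM_SAFE    0x5Au /* hypothetical "no crash" pattern */

typedef enum {
    FRAME_IGNORED,    /* CS_AUX inactive: not the arming frame */
    FRAME_BAD_PARITY, /* parity catches odd numbers of bit errors only */
    FRAME_BAD_FORMAT, /* reserved bits set or unknown pattern */
    FRAME_NOT_FOR_ME, /* identifier does not match this slave */
    FRAME_SAFE,
    FRAME_CONFIRMED
} frame_result_t;

typedef struct {
    uint8_t  id;            /* unique identifier of this slave module */
    uint16_t data_register; /* slave data register: last arming frame */
    bool     confirmed;     /* confirmation signal to deployment driver */
} slave_t;

static unsigned ones(uint16_t v)
{
    unsigned n = 0;
    for (; v != 0; v &= (uint16_t)(v - 1)) n++;
    return n;
}

/* Master side: pack identifier and pattern, then set the parity bit. */
uint16_t master_build_frame(uint8_t slave_id, uint8_t pattern)
{
    uint16_t f = (uint16_t)(((slave_id & 0xFu) << 12) | ((unsigned)pattern << 4));
    if (ones(f) & 1u) f |= 1u;
    return f;
}

/* Slave side: called for every SPI frame seen on the bus. cs_aux marks the
 * frame that carries arming state data. Any marked frame that fails a check
 * withdraws the confirmation, so the driver fails towards "do not deploy". */
frame_result_t slave_on_frame(slave_t *s, uint16_t frame, bool cs_aux)
{
    if (!cs_aux) return FRAME_IGNORED; /* other traffic leaves state alone */

    s->data_register = frame;
    s->confirmed = false;

    if (ones(frame) & 1u) return FRAME_BAD_PARITY;
    if (frame & 0x000Eu) return FRAME_BAD_FORMAT;
    if (((frame >> 12) & 0xFu) != s->id) return FRAME_NOT_FOR_ME;

    switch ((frame >> 4) & 0xFFu) {
    case ARM_CONFIRM: s->confirmed = true; return FRAME_CONFIRMED;
    case ARM_SAFE:    return FRAME_SAFE;
    default:          return FRAME_BAD_FORMAT;
    }
}

/* Deployment driver: crash signal AND bus confirmation must both hold. */
bool deployment_driver(const slave_t *s, bool crash_signal)
{
    return crash_signal && s->confirmed;
}

int main(void)
{
    slave_t s = { .id = 3 };
    uint16_t frames[] = { master_build_frame(3, ARM_CONFIRM),          /* valid */
                          master_build_frame(3, ARM_CONFIRM) ^ 0x0100, /* bit flip */
                          master_build_frame(4, ARM_CONFIRM) };        /* other slave */
    for (int i = 0; i < 3; i++) {
        int r = (int)slave_on_frame(&s, frames[i], true);
        printf("frame 0x%04X result=%d deploy=%d\n",
               (unsigned)frames[i], r, deployment_driver(&s, true));
    }
    return 0;
}
```

A single parity bit leaves even numbers of bit errors undetected, so a frame damaged in two positions can still pass the parity check in this sketch.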

[0044] Referring now to figure 3 of the accompanying drawings, a vehicle safety system 18 of a further embodiment comprises two master control modules 19, 20 and three slave modules 21-23. The master control modules 19, 20 are coupled for communication with a global SPI data bus to permit synchronous operation of the two master control modules 19, 20. The vehicle safety system 18 further comprises a sensor data bus which is a separate SPI data bus from the global data bus in order to reduce the SPI bandwidth on the global data bus. In this embodiment, both the global data bus and the sensor data bus are controlled by an SPI controller 24.

[0045] The master control modules 19, 20 and each of the slave modules 21-23 comprise a global data bus connection G_SPI which is connected to the global data bus and an S_SPI connection which is connected to the sensor data bus.

[0046] Referring now to figure 4 of the accompanying drawings, each of the master control modules 19, 20 is configured to monitor arming state data provided by the other master control module 19, 20 via the global data bus. Each master control module 19, 20 is configured to process the arming state data and to output arming state data to each slave module 21-23 that is connected to the master control module 19, 20. Each slave module 21-23 processes the arming state data to determine whether the arming state data provides a confirmation of a crash situation in the manner described above.

[0047] When used in this specification and claims, the terms "comprises" and "comprising" and variations thereof mean that the specified features, steps or integers are included. The terms are not to be interpreted to exclude the presence of other features, steps or components.

[0048] The features disclosed in the foregoing description, or the following claims, or the accompanying drawings, expressed in their specific forms or in terms of a means for performing the disclosed function, or a method or process for attaining the disclosed result, as appropriate, may, separately, or in any combination of such features, be utilised for realising the invention in diverse forms thereof.


Claims

1. A vehicle safety system comprising:

a master control module which is configured to be coupled to a data bus; and

a slave module which is configured to be coupled to the data bus, wherein the slave module comprises a deployment driver module which is configured to activate a safety device in response to a crash signal, the slave module being configured to receive arming state data from the master control module via the data bus and process the arming state data to determine whether the arming state data provides a confirmation of a crash situation, wherein if the deployment driver module receives a crash signal and the arming state data provides a confirmation of a crash situation, the deployment driver module is configured to output a deployment signal to activate a safety device.


 
2. The system of claim 1, wherein the system further comprises:

a data bus which is coupled to the master control module and the slave module to communicate data between the master control module and the slave module.


 
3. The system of claim 2, wherein the data bus is a serial peripheral interface bus and the master control module and the slave module each incorporate a respective serial peripheral interface which is coupled to the serial peripheral interface bus.
 
4. The system of any one of the preceding claims, wherein the master control module comprises a safing module which is configured to generate the arming state data.
 
5. The system of any one of the preceding claims, wherein the deployment driver module is coupled to a safety device and configured to activate the safety device in response to a crash signal and the slave module determining that the arming state data provides a confirmation of a crash situation.
 
6. The system of claim 5, wherein the safety device is a vehicle safety device selected from a group including an air-bag, a seat belt tensioner or a bonnet lifter, a pyrotechnic actuator or fuse or an electrically activated roll bar.
 
7. The system of any one of the preceding claims, wherein the master control module comprises a master data register which is configured to store the arming state data.
 
8. The system of any one of the preceding claims, wherein the slave module comprises a slave data register which is configured to store arming state data received by the slave module.
 
9. The system of any one of the preceding claims, wherein the system comprises a plurality of slave modules which are configured to be coupled to the data bus to receive arming state data from the master control module, wherein each slave module is identified by a unique identifier.
 
10. The system of claim 9, wherein the master control module is configured to transmit arming state data comprising at least one of the identifiers and each slave module is configured to only activate a safety device if the slave module detects that the arming state data comprises an identifier that matches the identifier of the slave module.
 
11. A method of controlling a vehicle safety system, the method comprising:

transmitting arming state data from a master control module to a slave module via a data bus, wherein the slave module comprises a deployment driver module which is configured to activate a safety device in response to a crash signal;

processing the arming state data at the slave module to determine whether the arming state data provides a confirmation of a crash situation; and

if the deployment driver module receives a crash signal and the arming state data provides a confirmation of a crash situation, outputting a deployment signal from the deployment driver to activate a safety device.


 
12. The method of claim 11, wherein the data bus is a serial peripheral interface bus and the master control module and the slave module each incorporate a respective serial peripheral interface which is coupled to the serial peripheral interface bus.
 
13. The method of claim 11 or claim 12, wherein the method further comprises:

storing the arming state data in a master data register at the master control module; and

storing the arming state data in a slave data register at the slave module.


 
14. The method of any one of claims 11 to 13, wherein the method further comprises:

transmitting the arming state data from the master control module to a plurality of slave modules via the data bus, wherein each slave module is identified by a unique identifier.


 
15. The method of claim 14, wherein the method further comprises:

transmitting arming state data comprising at least one of the identifiers from the master control module to the slave modules;

processing the arming state data at each of the slave modules to identify an identifier; and

if the arming state data provides a confirmation of a crash situation, only outputting a deployment signal from the deployment driver to activate a safety device if the slave module detects that the arming state data comprises an identifier that matches the identifier of the slave module.


 



