Vehicle collision/control systems that detect a collision event and activate safety devices such as airbags by igniting bridgewire or semiconductor squibs are known in the art. These systems are required to operate reliably in the event of a major vehicle impact, but must also be relied upon to not operate in the event of a minor vehicle impact or no vehicle impact. One type of collision/control system is located adjacent to the safety device and acts independently of other such systems. The criteria for activating the safety device by these systems is based on the level of acceleration detected by an associated acceleration sensor. These independent systems do not take into consideration such factors as vehicle speed, acceleration direction, seat position occupancy, etc., and have no means of detecting component failures or communicating these failures to the vehicle operator.

They may or may not employ a microprocessor to control the activation of the associated safety device by firing the associated squib or actuating an electromechanical device. Another type of collision/control system uses a central control unit, usually having an embedded microprocessor, that reads acceleration sensor data and decides whether or not to

activate all of the vehicle safety devices, such as airbags and seat belt tensioners, by igniting the associated squibs or electromechanical devices. These vehicle safety devices are controlled directly from the central control unit. These systems usually have limited means of component failure detection, and do not use data from other vehicle systems such as vehicle speed, acceleration direction, seat position occupancy, etc., in order to decide which safety devices to selectively activate. Yet another problem of activating the vehicle safety devices directly from the central control unit in this configuration is that the safety device activation signals are hardwired directly to the central control unit. In this configuration, cable short circuits of the activation signal to battery voltage or ground could accidentally actuate the safety device. Induced transients and other electromagnetic interference could also have detrimental effects on safety device operation in these configurations. Yet another disadvantage of these systems is that additional components must be added to the central control unit as additional safety devices are added to accommodate different vehicle configurations, such as the number of passenger seats.

This adds to the space required for the central control unit in the vehicle to accommodate the maximum configuration of safety devices.

BRIEF DESCRIPTION OF THE DRAWINGS Fig. 1 shows a block diagram of a vehicle safety system with a plurality of safety device controllers for controlling safety devices, that communicate with an electronic control unit over a communication bus; Fig, 2 shows a block diagram of a vehicle safety system with a plurality of safety device controllers for controlling safety devices, that communicate with an electronic control unit over a point-to-point communication bus; Fig. 3 shows a block diagram of a vehicle safety system with a plurality of safety device controllers for controlling safety devices, that communicate with an electronic control unit over a daisy-chained communication bus; Fig. 4 shows a block diagram of a safety device controller where the vehicle battery provides power to charge the energy storage capacitor directly; Fig. 5 shows a block diagram of a safety device controller where the vehicle battery provides power to a power converter that charges the energy storage capacitor; and Fig. 6 shows a block diagram of a safety device controller where the vehicle battery provides power to a power converter that charges the energy storage capacitor, and a safing sensor is interposed between the energy storage capacitor and the safety device activation means.

DETAILED DESCRIPTION OF THE INVENTION Turning now to Fig. 1, an embodiment of the vehicle safety system 100 is shown in accordance with the present inventive concepts. The vehicle safety system 100 comprises a plurality of safety device controllers 200, each of the safety device controllers controlling a safety device activation and is typically located in close proximity to the associated safety device. Typical safety devices depicted in Fig. 1 include, but are not limited to, a driver airbag assembly 410, a passenger airbag assembly 420, a seat belt tensioner assembly 430, a fuel cutoff switch assembly 440, a battery disconnect switch assembly 450, an emergency notification assembly 460, and a location notification assembly 470. Each of the safety device controllers 200 communicates with an electronic control unit (ECU) 300 over a communication bus 500.

Referring to Fig. 1, the ECU 300 comprises an ECU communication interface 320, an ECU external data interface 330, an ECU diagnostic port interface 350, an ECU acceleration sensor 340, an ECU memory 360, and an ECU control circuit 310. The ECU communication interface 320 is connected to the ECU control circuit 310 for control and data interchange. The ECU communication interface 320 comprises a device for sending safety device activation commands and integrity data commands to the safety device controllers 200 over the communication bus 500. The ECU communication interface 320 also comprises a device for receiving integrity data and fault warning messages from the safety device controllers 200 over the communication bus 500, and manages the communication protocol used for sending and receiving

data onto the communication bus 500. The safety device activation commands and the integrity data commands are comprised of a binary coded address part for selecting a particular safety device controller 200, and a binary coded command part that specifies the action to be performed by the selected safety device controller 200. The ECU external data interface 330 is connected to the ECU control circuit 310 for control and data interchange. The ECU external data interface 330 sends and receives data from other systems in the vehicle, including but not limited to velocity data from an antilock brake system, rollover data from an active suspension system, rollover data from a steering system, and passenger seat occupancy data from a passenger seat occupancy system. The ECU diagnostic port interface 350 is connected to the ECU control circuit 310 for control and data interchange. The ECU diagnostic port interface 350 comprises a device for an external device to perform service diagnostic tests on the vehicle safety system 100. This includes reading the contents of the ECU memory 360, performing diagnostic tests on the ECU 300, causing the safety device controllers 200 to perform diagnostic tests on themselves by collecting integrity data and generating fault warning messages, and accessing integrity data and fault warning messages from the safety device controllers 200. A version of the vehicle safety system 100 comprises an ECU diagnostic port interface 350 that complies with International Standards Organization standard 9141. The ECU acceleration sensor 340 is connected to the ECU control circuit 310 for control and data interchange.

The ECU acceleration sensor 340 is firmly attached to the vehicle and measures acceleration magnitude and

direction along one or more axes of vehicle motion and provides this data to the ECU control circuit 310.

The data from the ECU acceleration sensor 340 provides data relating to the severity and direction of impact resulting from a vehicle crash. The ECU memory 360 is connected to the ECU control circuit 310 for control and data interchange. The ECU memory 360 comprises a device for storing vehicle crash parameters, passenger configuration parameters, data from the ECU acceleration sensor 340, system integrity data and fault warning messages from ECU 300 and the safety device controllers 200, vehicle crash algorithms, and safety device activation logic. The ECU memory 360 is a nonvolatile memory in that the content is not lost when power is removed. The ECU control circuit 310 comprises a device for controlling and interchanging data with the ECU communication interface 320, with the ECU external data interface 330, with the ECU diagnostic port interface 350, with the ECU acceleration sensor 340, and with the ECU memory 360, and for performing control algorithms. Performing the control algorithms by the ECU control circuit 310 in order to decide whether to activate a safety device comprises performing vehicle crash algorithms in response to vehicle crash parameters and data from the ECU acceleration sensor 340, and performing safety device activation logic in response to passenger seat configuration parameters and the vehicle crash algorithms. The ECU control circuit 310 also performs system diagnostic tests and may provide fault notification to vehicle driver through the ECU external data interface 330. An example of a function performed by the crash algorithms is to determine if a vehicle crash is severe enough to warrant activation of safety devices based on vehicle velocity and

acceleration. A further improvement would be to utilize roll-over data from a vehicle suspension system or a vehicle steering system as input to the crash algorithms to determine safety device activation. The ECU control circuit 310 can also utilize vehicle harness type data from the ECU external data interface 330 to determine vehicle type and configuration, and use this data as input data to the crash control algorithms and safety device activation logic. The vehicle velocity is typically derived from a vehicle antilock brake system. An example of a function performed by the safety device activation logic is to selectively enable activation of a safety device only where a passenger is located based on passenger seat occupancy data. The preferred embodiment of the ECU control circuit 310 comprises a microprocessor for performing the functions of the ECU control circuit 310 including controlling and interchanging data with the ECU communication interface 320, the ECU external data interface 330, controlling the ECU diagnostic port interface 350, controlling the ECU acceleration sensor 340, and controlling the ECU memory.

A generic communication bus 500 is depicted in Fig. 1. Fig. 2 depicts the same vehicle safety system 100 of Fig. 1, but with a point-to point communication bus 510 configuration. Fig. 3 depicts the same vehicle safety system 100 of Fig. 1, but with a daisy-chain communication bus 520 configuration.

The point-to-point communication bus 510 configuration depicted in Fig. 2 is relatively complex and more expensive than the daisy-chain communication bus 520 configuration depicted in Fig. 3, since every safety device controller 200 shown in Fig. 2 requires a separate cable to be connected to the ECU 300. The

daisy-chain communication bus 520 configuration depicted in Fig. 3 requires less cable and is easier to install than the point-to-point communication bus 510 configuration shown in Fig. 2. However, the communication bus configuration shown in Fig. 2 is more reliable the that shown in Fig. 3, since a broken cable in the Fig. 2 configuration will only disable one safety device controller, while a broken cable in the Fig. 3 configuration could, conceivably, disable all safety device controllers. In practice, a combination of both point-to-point and daisy-chain bus configurations would be utilized in a vehicle safety system. The preferred embodiment of the bus configurations shown in Fig. 1, Fig. 2, and Fig. 3 is a high speed, digital electronic bi-directional serial communication bus. Alternative embodiments include a high speed, digital electronic bi-directional parallel communication bus, and a high speed, digital fiber- optic bi-directional serial communication bus. A version of the high speed, digital electronic bi- directional serial communication bus is implemented using two electrical conductor cable. This two electrical conductor cable may be used to carry electrical energy to power the safety device controllers 200, as well as safety device activation commands, integrity data commands, safety device controller integrity data and fault warning messages.

The safety device controllers 200 are typically located in close proximity to the associated safety device, and usually activate a squib or an electromechanical device such as a latching relay, which then cause the safety device to be activated.

The safety device controllers 200 are typically installed in and activate a wide variety of safety device assemblies including, but not limited to,

driver airbag assemblies 410, passenger airbag assemblies 420, seat belt tensioner assemblies 430, fuel cutoff switch assemblies 440, battery disconnect switch assemblies 450, emergency notification assemblies 460, and location notification assemblies 470.

Turning now to Fig. 4, a block diagram of a safety device controller (SDC) 200 for controlling activation of a safety device 400 in a vehicle safety system, is depicted. The SDC 200 is normally located in close proximity to an associated safety device 400, and is connected to a source of power, such as a vehicle positive battery voltage 610 and a vehicle negative battery voltage 620, and a communication bus 500. The SDCs 200 are typically installed in and activate a wide variety of safety device assemblies including, but not limited to driver airbag assemblies, passenger airbag assemblies, seat belt tensioner assemblies, fuel cutoff switch assemblies, battery disconnect switch assemblies, emergency notification assemblies, and location notification assemblies. The SDC 200 may activate the safety device 400 directly, may ignite a squib that causes the safety device 400 to activate, or may actuate an electromechanical device, such as a latching relay, that causes the safety device 400 to activate. The SDC 200 comprises an SDC power converter 260 that receives its power from the vehicle positive battery voltage 610 and the vehicle negative battery voltage 620, and provides power to an SDC energy storage capacitor 240. The SDC energy storage capacitor 240 is connected to an SDC safing sensor 270, which is connected to an SDC safety device activation circuit 230. The SDC 200 also comprises an SDC communication interface 220 which connects to the communication bus 500 and an SDC control circuit 210.

The SDC control circuit 210 is also connected to an SDC diagnostic circuit 250 and the SDC safety device activation circuit 230. The SDC safety device activation circuit 230 is also connected to the safety device 400.

The SDC energy storage capacitor 240 shown in Fig. 4 stores safety device activation energy, and is charged to a voltage level supplied by the SDC power converter 260 which receives its power from the vehicle positive battery voltage 610 and the vehicle negative battery voltage 620. The voltage difference between the vehicle positive battery voltage 610 and the vehicle negative battery voltage 620 is typically twelve volts. The voltage supplied to the SDC energy storage capacitor 240 by the SDC power converter 260 is typically twenty five volts. The SDC power converter 260 is typically a DC-to-DC converter. In an alternate configuration of the safety device controller 200, the SDC power converter 260 also supplies regulated voltages to the electronic circuits that comprise the safety device controller. In another variation of the described embodiment of the safety device controller 200, the SDC power converter 260 derives power from a two electrical conductor cable used to implement a serial communication bus rather than from separate vehicle battery connections. The SDC energy storage capacitor 240 is also connected to the SDC safety device activation circuit 230 through the SDC safing sensor 270. The SDC safing sensor 270 is an electromechanical acceleration sensor that protects against inadvertent or false activation of the safety device 400. The safety device controller (SDC) 200 also comprises the SDC communication interface 220 for receiving safety device activation commands and

integrity data commands from the communication bus 500, which are forwarded to the SDC control circuit. These commands typically comprise a binary coded address part that selects a particular safety device controller 200, and a binary coded command part that determines the action to be taken. The SDC communication interface 220 also manages communication bus protocol, and sends safety device controller integrity data and fault warning messages onto the communication bus 500 from the SDC control circuit 210 in response to an integrity data command. The communication bus 500 may comprise one of several variations: a high speed, digital electronic bi- directional serial communication bus in the preferred embodiment; a high speed, digital electronic bi- directional parallel communication in an alternate embodiment; or a high speed, digital fiber-optic bi- directional serial communication bus in another alternate embodiment. The SDC communication interface 220 is connected to the SDC control circuit 210 for control and data interchange.

The safety device controller (SDC) 200 of Fig. 4 also comprises the SDC control circuit 210 which is a microprocessor in the preferred embodiment, for controlling the SDC communication interface 220, the SDC diagnostic circuit 250 and the SDC safety device controller 230. The SDC control circuit 210 generates an SDC safety device activation signal 280 which is sent to the SDC safety device activation circuit 230 in response to a safety device activation command from the SDC communication interface 220 and safety device controller integrity data from an SDC diagnostic circuit 250 that does not indicate a malfunction. The SDC diagnostic circuit 250, which typically comprises a multiplexer and an analog-to-digital converter,

comprises a device for reading the safety device controller integrity data, which includes integrity data for the SDC safing sensor 270, for the safety device 400, for the SDC energy storage capacitor 240, and for the SDC safety device activation circuit 230, and for reading functionality data of the SDC power converter 260. This data is provided to the SDC control circuit 210. Also, when the SDC control circuit 210 receives an integrity data command from the SDC communication interface, it reads the safety device controller integrity data from the SDC diagnostic circuit 250, compares the safety device integrity data with predetermined limit values, and generates fault warning messages if the predetermined limit values are exceeded. Then the safety device integrity data and any generated fault warning messages are sent to the communication bus 500 by the SDC communication interface 220. Upon receipt of the SDC safety device activation signal 280 from the SDC control circuit 210, the SDC safety device activation circuit 230 couples the energy stored on the SDC energy storage capacitor 240 to the safety device 400 in response to the safety device activation signal 280, if the SDC safing sensor 270 is activated.

This results in discharging the SDC energy storage capacitor 240 through the safety device 400, causing the safety device 400 to activate. The SDC safety device activation circuit 230 is typically comprised of current switches.

Fig. 4 depicts a safety device controller 200 that has the features described above. However, there are a number of variations to the safety device controller 200 that can be made without exceeding the scope of the present embodiment description. In one example depicted in Fig. 5, the SDC safing sensor 270 has been eliminated from the depiction of Fig. 4.

Another example depicted in Fig. 6, both the SDC safing sensor 270 and the SDC power converter have been eliminated from the depiction of Fig. 4.