METHOD AND SYSTEM FOR A SAFETY CONCEPT FOR AN AC BATTERY

Abstract

A method for a safety concept for an AC battery, in which the AC battery includes a central controller, a plurality of battery modules which respectively have a power board with a plurality of switching states, a plurality of contactors, a plurality of current sensors, a fault loop and a high-speed bus and is connected to a traction machine. The central controller has a hardware-programmable processor unit with at least one microprocessor core on which a control program is configured to control the battery modules, the plurality of contactors and the fault loop. A state machine is implemented by the control program. The battery modules are connected, starting from the central controller, via the high-speed bus and the fault loop. If an abort fault occurs, the AC battery is changed to a safe operating state. The safe state is achieved at least by emergency disconnection of the central controller.

Claims

1. A method for a safety concept for an AC battery connected to a traction machine, in which the AC battery comprises (i) a central controller, (ii) a plurality of battery modules which are arranged in at least one string and respectively have a power board with a plurality of switching states, (iii) a plurality of contactors, (iv) a plurality of current sensors, (v) a fault loop and (vi) a high-speed bus, wherein the central controller has a hardware-programmable processor unit with at least one microprocessor core on which a control program is configured to control the battery modules, the plurality of contactors and the fault loop, wherein a state machine is implemented by the control program, wherein the battery modules are connected, starting from the central controller, via the high-speed bus and the fault loop, said method comprising the steps of: upon detecting an abort fault, changing the AC battery to a safe operating state by the central controller by virtue of each battery module being requested by the central controller via the high-speed bus to assume a “bypass” switching state by virtue of each contactor assuming a respective safety switching position and by virtue of the central controller finally being disconnected.

2. The method as claimed in claim 1, in which the abort fault is obtained if an event from the following list is present: a wire break, a fault loop carries a trigger, or a CAN bus connected to the central controller specifies an incorrect operating state.

3. The method as claimed in claim 1, in which a current sensor and a module controller with a microprocessor are arranged in each battery module, and the method comprises the module controller passing the trigger to the fault loop if the abort fault is detected.

4. The method as claimed in claim 1, in which the AC battery has at least one peripheral unit comprising a low-voltage DC/DC converter, a current sensor for a respective phase current of the traction machine, and/or a charging plug, and wherein the at least one peripheral unit is connected to the fault loop, and the at least one peripheral unit passes the trigger to the fault loop if the abort fault is detected.

5. The method as claimed in claim 1, in which an FPGA is selected as the hardware-programmable processor unit, and the state machine is implemented by the control program on the at least one microprocessor core.

6. A system for a safety concept for an AC battery connected to a traction machine, in which the AC battery comprises a central controller, a plurality of battery modules which are arranged in at least one string and respectively have a power board with a plurality of switching states, a plurality of contactors, a plurality of current sensors, a fault loop and a high-speed bus, wherein the central controller has a hardware-programmable processor unit with at least one microprocessor core on which a control program is configured to control the battery modules, the plurality of contactors and the fault loop, wherein a state machine is implemented by the control program, wherein the battery modules are connected, starting from the central controller, via the high-speed bus and the fault loop, wherein, if an abort fault is detected, the central controller is configured to change the AC battery to a safe operating state, which comprises requesting each battery module via the high-speed bus to assume a “bypass” switching state, ordering a respective safety switching position in each contactor and finally disconnecting the central controller.

7. The system as claimed in claim 6, in which the abort fault is present in the case of an event from the following list: a wire break, a fault loop carries a trigger, or a CAN bus connected to the central controller specifies an incorrect operating state.

8. The system as claimed in claim 6, in which a current sensor and a module controller with a microprocessor are arranged in each battery module, and wherein the module controller is configured to pass the trigger to the fault loop if the abort fault is detected.

9. The system as claimed in claim 6, in which the AC battery has at least one peripheral unit comprising a low-voltage DC/DC converter and/or a current sensor for a respective phase current of the traction machine, wherein the at least one peripheral unit is connected to the fault loop and the at least one peripheral unit is configured to pass the trigger to the fault loop if an abort fault is detected.

10. The system as claimed in claim 6, in which the hardware-programmable processor unit is an FPGA, and the state machine is implemented by the control program on the at least one microprocessor core.

Description

BRIEF DESCRIPTION OF THE DRAWING FIGURES

[0060] FIG. 1 shows a block diagram of a central controller for handling an abort fault in one configuration of the system according to aspects of the invention.

[0061] FIG. 2 shows a block diagram of a module controller for handling an abort fault in a further configuration of the system according to aspects of the invention.

[0062] FIG. 3 shows a block diagram of the AC battery shown connected to a traction machine.

DETAILED DESCRIPTION OF THE INVENTION

[0063] FIG. 1 shows a block diagram of a central controller 100 for handling an abort fault in one configuration of the system according to aspects of the invention, wherein processes 101, 102 take place on the central controller, indicated by an arrow with reference sign 103, and signals are transmitted 134, 143 to a control board, indicated by an arrow with reference sign 104. The processes 101 on at least one dedicated microprocessor of the central controller 100 are formed by monitoring devices, such as on-chip temperature monitoring 110, a current sensor check 111, error line conductor interruption detection 112, and HSB_Data timeout monitoring 113, that is to say monitoring for when a signal transmission time is exceeded in a high-speed bus for transmitting data, and report an abort fault to a traction system state machine 114. A fatal error IRQ 115, which was triggered by an HSB_CMD block 127, can also be reported to the traction system state machine 114. For its part, the traction system state machine 114 in turn reports an abort fault to the HSB_CMD block 127. The processes on a hardware-programmable processor unit 102, here an FPGA, take place by means of blocks with an analog/digital converter such as Sync. ADC 120 and “ADC_RAW within predefined range” 121 and also take place in blocks such as a scaler 122, a resolver/decoder 123, a permanent magnet synchronous motor controller 124, a delta-sigma modulator 125 and a scheduler which report an abort fault to the HSB_CMD block 127. The HSB_CMD block 127 also directly receives such an abort fault message from the “ADC_RAW signal is within the predefined range” block 121, the zero-sequence current/resolver 128 and the saturation/power limit block 129. The HSB_CMD block 127 transmits commands as HSB_CMD 134 to a control board, to which all battery modules are connected, for example, and monitors a fault loop 143 which is connected to the control board.

[0064] FIG. 2 shows a block diagram of a module controller 200 for handling an abort fault in a further configuration of the system according to aspects of the invention, wherein processes 201, 202 take place on the module controller, indicated by an arrow with reference sign 203, and signals are transmitted 234, 243 to the control board or to electrical connections to this control board, indicated by an arrow with reference sign 204. The processes 201 on at least one dedicated microprocessor of the module controller 200 are formed by monitoring devices, such as on-chip temperature monitoring 210, current sensor conductor interruption detection 211 and a “current sensor threshold value reaches signal” block 212, and report an abort fault to a module state machine 213. For its part, the module state machine 213 in turn reports an abort fault to the HSB_CMD block 221 in the battery module. In a process on a hardware-programmable processor unit 202 of the module controller 200, also an FPGA here for example, an abort fault is reported to the HSB_CMD block 221 in the battery module by an “undervoltage/overvoltage detection” module. The HSB_CMD block 221 in the battery module receives commands as HSB_CMD 234 and is connected to a fault loop 243.

[0065] The AC battery connected to a traction machine is shown in FIG. 3.

LIST OF REFERENCE SIGNS

[0066] 200 Control board fault handling [0067] 201 Processes on the microprocessor of the module controller [0068] 202 Processes on the FPGA module controller [0069] 203 Processes on the central controller [0070] 204 From the module controller to the control board [0071] 210 On-chip temperature monitoring [0072] 211 Current sensor conductor interruption detection [0073] 212 Current sensor threshold value reaches signal [0074] 213 Module state machine [0075] 220 Undervoltage/overvoltage detection module [0076] 221 HSB_CMD [0077] 234 HSB_CMD from control board [0078] 243 Error line to control board [0079] 100 Central controller [0080] 101 Processes on the microprocessor of the central controller [0081] 102 Processes on the FPGA central controller [0082] 103 Processes on the central controller [0083] 104 From the central controller to the control board [0084] 110 On-chip temperature monitoring [0085] 111 Current sensor check [0086] 112 Error line conductor interruption detection [0087] 113 HSB_Data timeout monitoring [0088] 114 Traction system state machine [0089] 115 Fatal error IRQ [0090] 120 Sync. ADC [0091] 121 ADC_RAW in range [0092] 122 Scaler [0093] 123 Resolver/decoder [0094] 124 Permanent magnet synchronous motor controller [0095] 125 Delta-sigma modulator [0096] 126 Scheduler [0097] 127 HSB_CMD block [0098] 128 Zero-sequence current/resolver [0099] 129 Saturation/power limit [0100] 134 HSB_CMD to control board [0101] 143 Fault loop of control board