Method and device for the plausibility check of safety-relevant variables

Abstract

A method for a plausibility check of safety-relevant variables, wherein a first safety-relevant variable and a further safety-relevant variable are dependent on one another and are each provided to be raised from a lower safety level to a higher safety level. The plausibility check of the first safety-relevant variable is performed in a first time interval of a cycle of a clock by implementing a first plausibility rule, and upon a successful plausibility check during the first time interval, is raised from the lower safety level to the higher safety level for the safety-relevant variable. The plausibility check of the further safety-relevant variable is performed in a second time interval of the cycle of the clock by implementing a further plausibility rule, and upon a successful plausibility check during the second time interval, is raised from the lower safety level to the higher safety level for the further safety-relevant variable.

Claims

1. A method for raising plausibility of interdependent safety-relevant electrical variables of an electrical DC-DC converter, the safety-relevant variables being selected from the group consisting of DC current and DC voltage from a high voltage side and a low voltage side of the electrical converter, the method comprising: providing a first safety-relevant variable and at least one further safety-relevant variable measured on the electrical DC-DC converter to an input of a data processing unit controlling the electrical DC-DC converter and are each and configured to raise the first safety-relevant variable and at least one further safety-relevant variable from a lower safety-level to a higher safety level; performing with the data processing unit a first plausibility check of the first safety-relevant variable in a first time interval of a cycle of a clock by implementing a first plausibility rule, wherein the first safety-relevant variable is raised from the lower safety level to the higher safety level for the first safety-relevant variable upon a successful first plausibility check during the first time interval of the cycle of the clock; performing with the data processing unit a second plausibility check of the further safety-relevant variable in a second time interval of a cycle of a clock by implementing a further plausibility rule, wherein the further safety-relevant variable is raised from the lower safety level to the higher safety level for the further safety-relevant variable upon a successful second plausibility check during the second time interval of the cycle of the clock; and with the data processing unit controlling electrical variables of the electrical DC-DC converter commensurate with the safety-relevant variable and the further safety-relevant variable being raised from the lower safety level to the higher safety level.

2. The method of claim 1, wherein the plausibility rules each have a calculation function configured to perform the plausibility checks of the safety-relevant variables at the higher safety level.

3. The method of claim 2, wherein in addition to the safety-relevant variables, at least one additional calculation variable is included in the calculation function of the plausibility rules.

4. The method of claim 1, wherein a cycle duration of the cycle of the clock, within which the plausibility checks of the first safety-relevant variable and the further safety-relevant variable and the raising from the lower safety level to the higher safety level is performed, does not exceed a latency time for a safety event to be monitored, wherein the latency time is that time required to monitor an exceeding of the variable.

5. The method of claim 4, wherein the first time interval of the cycle of the clock and the second time interval of the cycle of the clock have a same duration.

6. The method of claim 4, wherein the first time interval of the cycle of the clock and the second time interval of the cycle of the clock do not have a same duration.

7. The method of claim 1, wherein the first plausibility rule and/or the further plausibility rule includes a comparison operation for determining success of the plausibility check, configured to compare the safety-relevant variables, which are to be raised from the lower safety level to the higher safety level, with the safety-relevant variables which are provided but not yet plausibility checked by the plausibility rules.

8. The method of claim 1, wherein the method is repeatedly performed by repeating the clock cycle.

9. A data processing unit controlling an electrical DC-DC converter, comprising: a first input for receiving a first safety-relevant variable measured on the DC-DC converter; at least one further input for receiving at least one further safety-relevant variable, the first safety-relevant variable and the further safety-relevant variable being selected from the group consisting of DC current and DC voltage from a high voltage side and a low voltage side of an electric converter, wherein the first safety-relevant variable and the further safety-relevant variable are dependent on one another; at least one additional input for receiving at least one additional calculation variable; a first output for outputting the first safety-relevant variable, said first output being plausibility checked with a first plausibility rule during a first part of a clock cycle and raised to a higher safety level when a deviation between the first safety-relevant variable and the plausibility-raised first safety-relevant variable is acceptable within previously defined tolerances; and at least one further output for outputting the further safety-relevant variable, said at least one further output being plausibility checked with a second plausibility rule during a second part of a clock cycle and raised to the higher safety level when the deviation between the further safety-relevant variable and the plausibility-raised further safety-relevant variable is acceptable within previously defined tolerances, said data processing unit configured to control electrical variables of the electrical DC-DC converter commensurate with the safety-relevant variable and the further safety-relevant variable being raised from the lower safety level to the higher safety level.

10. An electrical DC-DC converter for an electric or hybrid vehicle, said electrical DC-DC converter comprising a a data processing unit which controls the electrical DC-DC converter and includes a first input for receiving a first safety-relevant variable, at least one further input for receiving at least one further safety-relevant variable, the first safety-relevant variable and the further safety-relevant variable being selected from the group consisting of DC current and DC voltage from a high voltage side and a low voltage side of an electric converter, wherein the first safety-relevant variable and the further safety-relevant variable are dependent on one another, at least one additional input for receiving at least one additional calculation variable, a first output for outputting the first safety-relevant variable, said first output being plausibility checked with a first plausibility rule during a first part of a clock cycle and raised to a higher safety level when a deviation between the first safety-relevant variable and the plausibility-raised first safety-relevant variable is acceptable within previously defined tolerances; and at least one further output for outputting the further safety-relevant variable, said at least one further output being plausibility checked with a second plausibility rule during a second part of a clock cycle and raised to the higher safety level when the deviation between the further safety-relevant variable and the plausibility-raised further safety-relevant variable is acceptable within previously defined tolerances, said electrical DC-DC converter configured to convert high-voltage DC current to low-voltage DC current commensurate with the safety-relevant variable and the further safety-relevant variable received from the data processing unit that have been raised from the lower safety level to the higher safety level.

11. The electrical converter of claim 10, wherein the electrical converter comprises a traction converter for operating an electrical machine.

Description

BRIEF DESCRIPTION OF THE DRAWING

(1) Other features and advantages of the present invention will be more readily apparent upon reading the following description of currently preferred exemplified embodiments of the invention with reference to the accompanying drawing, in which:

(2) FIG. 1 shows a schematic representation of a DC voltage converter of the present invention, electrically connected between a high-voltage DC voltage circuit and a low-voltage DC voltage circuit with safety-relevant variables selected by way of example;

(3) FIG. 2 shows a schematic representation of the method of the present invention, by means of which selected safety-relevant variables are plausibility checked at a higher safety level;

(4) FIG. 3 shows a schematic representation of a data processing unit for performing the method of the present invention;

(5) FIG. 4 shows a first schematic representation of an electric or hybrid vehicle having an electrical converter, which is a DC voltage converter according to FIG. 1 and a data processing unit according to FIG. 3; and

(6) FIG. 5 shows a further schematic representation of an electric or hybrid vehicle having an electrical converter, which is a traction converter and has a DC voltage converter according to FIG. 1 and a data processing unit according to FIG. 3.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

(7) Throughout all the figures, same or corresponding elements may generally be indicated by same reference numerals. These depicted embodiments are to be understood as illustrative of the invention and not as limiting in any way. It should also be understood that the figures are not necessarily to scale and that the embodiments are sometimes illustrated by graphic symbols, phantom lines, diagrammatic representations and fragmentary views. In certain instances, details which are not necessary for an understanding of the present invention or which render other details difficult to perceive may have been omitted.

(8) Turning now to the drawing, and in particular to FIG. 1, there is shown a schematic representation of a DC voltage converter 22 electrically connected between a high-voltage DC voltage circuit 13 on the high-voltage side energy store 25 and a low-voltage DC voltage circuit 14 on the low-voltage side energy store 26. FIG. 1 is a suitable example of showing electrical variables which physically characterize a safety-relevant component or system and can be identified and evaluated as safety-relevant variables for safety functions according to the ASIL method.

(9) By way of example, at least the high-voltage side DC current I-HV and the low-voltage side DC current I-LV were identified here as safety-relevant variables in FIG. 1, wherein if applicable the high-voltage side DC voltage U-HV and the low-voltage side DC voltage U-LV can also be evaluated in this sense. In application, these values are, among other things, determined for safe control and regulation functions of an electrical converter 20, in other words the DC voltage converter 22 shown here, via calculation algorithms or measurements.

(10) The DC currents I-HV, L-HV identified as safety-relevant variables have an electrical, in other words, physical dependency. Indeed, if at least one of the DC currents I-HV, L-HV was, if applicable, already determined via measurement or preceding calculation, both DC currents I-HV, I-LV are however not yet plausibility checked for a higher safety level.

(11) With the aid of additionally known variables, such as the high-voltage side DC voltage U-HV, the low-voltage side DC voltage U-LV and the electrical efficiency level of the DC voltage converter 22 and further calculation variables, such as the high-voltage side power P-HV (here power draw of the DC-DC converter 22) and the low-voltage side power P-LV (here output power of the DC voltage converter 22), this dependency can be mathematically described as follows:
P-HV=U-HV*I-HV
P-LV=P-HV*
I-LV=P-LV/U-LV

(12) The indicated dependency of the two DC currents I-HV, I-LV identified by way of example as safety-relevant variables can thus basically be used, by means of the known variables U-HV, U-LV, q, which are if necessary safety-relevant and already plausibility checked at a higher safety level, to determine the safety-relevant variables of the DC currents I-HV, I-LV, to plausibility check the same and thus likewise to raise them to a higher safety level.

(13) The schematic representation in FIG. 2 is now described in detail as to how, by means of the method of the present invention, a plausibility check 5, 5a, 5b of the DC currents I-HV, I-LV already identified as safety relevant variables 1, 2 in FIG. 1 in the example of the DC voltage converter 20, which are to be plausibility checked in each case from a lower safety level 3 to a higher safety level 4, is performed.

(14) FIG. 2 visualizes that a clock 7 is predetermined, which alternately assumes a state with an upper clock level T_HIGH and a lower clock level T_LOW.

(15) Together the two clock levels T_HIGH, T_LOW correspond in time to a cycle 6, wherein a first time interval 9 runs in the presence of the upper clock level T_HIGH and a second time interval 11 of cycle 6 runs in the presence of the lower clock level T_LOW. Both time intervals 9, 11 together produce the cycle duration 12 of the cycle 6 of the clock 7.

(16) If the inventive method starts with the present upper clock level T_HIGH of the clock 7 for instance, in the first time interval 9 of the cycle 6, a first safety-relevant variable 1 previously assigned to the lower safety level 3 is plausibility checked by a first plausibility rule 8. The first plausibility rule 8 in most cases takes place in the form of a calculation, such as was indicated for instance in the description relating to FIG. 1. Additional calculation variables 28 can also be included in the calculation function.

(17) For improved understanding, the entire event of the plausibility check 5 is graphically divided once again into the plausibility check 5a of the first safety-relevant variable 1 and into the plausibility check 5b of a further safety-relevant variable 2.

(18) If the first safety-relevant variable 1 is present as a measured value of a measurement, for example, before the start of the plausibility check 5a, this originally measured value can be compared with the first safety-relevant variable 1 calculated during performance of the first plausibility rule 8. Upon a successful comparison, these are then raised to the higher safety level 4 as a safety-relevant variable 1.

(19) The comparison is generally successful if there is no deviation greater than a predetermined tolerance range between the values of the first safety relevant variable 1 to be compared.

(20) The plausibility check 5a must be concluded for the first safety-relevant variable 1 within the first time interval 9 of the cycle 6 of the clock 7 (upper clock level T_HIGH).

(21) As with the plausibility check 5a of the first safety-relevant variable 1 at the higher safety level 4, the plausibility check 5b of the further safety-relevant variable 2, which is still disposed on the lower safety level 3, can now be performed once the lower clock level T_LOW of the clock 7 is present. In the second time interval 11 of the cycle 6 of the clock 7, the further safety-relevant variable 2 is plausibility checked at the higher safety level 4 by means of a further plausibility rule 10. Similar to the plausibility check 5a of the first safety-relevant variable 1, this also in most cases takes place in the form of a calculation, as shown by way of example in the description of FIG. 1. Additional calculation variables 28 can also be included here in the calculation function.

(22) It is possible to compare the further safety-relevant variable 2 already determined before the plausibility check 5b but still not at the lower safety level 3 and accordingly still not plausibility checked with the further safety-relevant variable 2 which is calculated during the further plausibility rule 10 and then, with a successful comparison, to raise this to the higher safety level 4 as a further safety-relevant variable 2.

(23) The comparison is generally successful, as previously described, if there is no deviation greater than a predetermined tolerance range between the values of the further safety relevant variable 2 to be compared.

(24) The plausibility check 5b of the further safety-relevant variable 2 must therefore be concluded within the second time interval 11 of the cycle 6 of the clock 7 (lower clock level T_LOW).

(25) If both the first and also the further safety-relevant variable 1, 2, which were raised to a higher safety level 4 within a cycle 6 of a clock 7, are required in order to validate or check the plausibility of a safety function of a safety event within a latency time 27, the plausibility check 5a, 5b of the respective safety-relevant variable 1, 2 must be concluded within the cycle duration 12 of the cycle 6 of the clock 7. Similarly, the safety function to be checked by including the plausibility-checked safety-relevant variables 1, 2 must then be evaluated.

(26) There is thus a requirement that the cycle duration 12 for the two safety-relevant variables 1, 2 to be plausibility checked is not permitted to exceed the latency time 27 of the safety function associated with the safety event.

(27) A data processing unit 19 which executes the inventive method, in other words the plausibility check 5, 5a, 5b of safety-relevant variables 1, 2, by plausibility rules 8, 10, is shown schematically in FIG. 3.

(28) A data processing unit 19 has a first input 15 for receiving a first safety-relevant variable 1 still disposed at a lower safety level 3, a second input 16 for receiving a further safety-relevant variable 2 still disposed at the lower safety level 3, and an additional input 29 for receiving at least one additional calculation variable 28.

(29) Furthermore, the data processing unit 19 has a first output 17 for outputting the first safety-relevant variable 1 disposed at a higher safety level 4 and a second output for outputting the further safety-relevant variable 2 disposed at the higher safety level 4.

(30) A first schematic representation of an electric or hybrid vehicle 21 with an electrical converter 20 is shown in FIG. 4, wherein the electrical converter 20 has a DC voltage converter 22 according to FIG. 1 and a data processing unit 19 according to FIG. 3.

(31) DC voltage converters 22 are often used repeatedly in electric or hybrid vehicles 21 and are required for a conversion of different DC voltage planes. As previously described, they are in most cases also part of safety-relevant components or systems or themselves represent a safety-relevant component or system of this type. The DC voltage converter 22 is provided in FIG. 4 to perform the conversion of DC voltages U-HV, U-LV between a high-voltage DC voltage circuit 13 and a low-voltage DC voltage circuit 14.

(32) A further schematic representation of an electric or hybrid vehicle 21 is shown in FIG. 5 with an electrical converter 20, wherein this electrical converter 20 is embodied as a traction converter 23, by means of which an electric machine 24 can be operated. The traction converter 23 has a DC voltage converter 22 according to FIG. 1 and a data processing unit 19 according to FIG. 3. The DC voltage converter 22 is provided within the traction converter 23 to perform a conversion of DC voltages U-HV, U-LV between a high-voltage DC voltage circuit 13 and a low-voltage DC voltage circuit 14.

(33) In the exemplary embodiment in FIG. 5, the data processing unit 19 is provided as an autonomous safety-relevant component within the traction converter 23 and in this case has an additional connection for a data exchange of the required safety-relevant variables or the additional calculation variables with the DC voltage converter 22. An integration of the data processing unit 19 into the DC voltage converter 22 is entirely meaningful and possible here, as already shown in FIG. 4.

(34) While the invention has been illustrated and described in connection with currently preferred embodiments shown and described in detail, it is not intended to be limited to the details shown since various modifications and structural changes may be made without departing in any way from the spirit and scope of the present invention. The embodiments were chosen and described in order to explain the principles of the invention and practical application to thereby enable a person skilled in the art to best utilize the invention and various embodiments with various modifications as are suited to the particular use contemplated.