Power supply system for safety-relevant systems in a motor vehicle

Abstract

A power supply system for safety-relevant systems in a motor vehicle is provided that includes a first supply path and a second supply path. The first supply path includes a first connection point for a first voltage source, one or more first supply points for a safety-relevant load, and a first fuse between the first connection point and the first supply point. The second supply path is electrically coupled to the first supply path and includes a second connection point for a second voltage source, one or more second supply points for the safety-relevant load, and an electronic second fuse coupled between the second connection point and the second supply point. The safety-relevant load is capable of being electrically coupled to both the first and second supply point. Disconnecting elements are provided to isolate a fault in conformity with ASIL B.

Claims

1. A power supply system for safety-relevant systems in a motor vehicle comprising: a first supply path having a first connection point coupled to a first voltage source, at least one first supply point operable to be coupled to a safety-relevant load, and a first fuse between the first connection point and the first supply point; and a second supply path electrically coupled to the first supply path, the second supply path having a second connection point coupled to a second voltage source, at least one second supply point operable to be coupled to the safety-relevant load, and an electronic second fuse between the second connection point and the second supply point, wherein at least one of the first fuse and the second fuse is a disconnecting element operable to isolate a fault and arranged between the first supply point and the second supply path and between the second supply point and the first supply path.

2. The power supply system according to claim 1, wherein the at least one disconnecting element includes at least one MOSFET and a control device.

3. The power supply system according to claim 2, wherein the at least one MOSFET is a self-locking n-channel MOSFET.

4. The power supply system according to claim 2, wherein the MOSFET is a DMOSFET.

5. The power supply system according to claim 1 further comprising a second disconnecting element configured to act in two directions and arranged between the first supply path and the second supply path.

6. The power supply system according to claim 5, wherein the second disconnecting element is an anti-serial MOSFET switch.

7. The power supply system according to claim 1, wherein a first disconnecting element is arranged between a second disconnecting element and the first supply path and in series to the second disconnecting element.

8. The power supply system according to claim 1, wherein the first fuse is an electronic fuse and is the disconnecting element is arranged between the first supply point and the second supply path.

9. The power supply system according to claim 8, wherein the first electronic fuse is configured differently than the electronic second fuse.

10. The power supply system according to claim 1, wherein the first voltage source is at least one of a first battery and a generator with a first nominal voltage.

11. The power supply system according to claim 10, wherein the second voltage source is a second battery with a second nominal voltage different from the first nominal voltage, wherein the second voltage source is electrically coupled to the second connection point via a DC/DC converter.

12. The power supply system according to claim 11, wherein the DC/DC converter includes at least a first and a second partial converter, wherein the first partial converter is coupled to the first supply path and the second partial converter is coupled to the second supply path, wherein a phase switch-off of the first and second partial converters represents a particular disconnecting element.

13. The power supply system according to claim 12, wherein the first partial converter is coupled to the first supply path via a first disconnecting element.

14. The power supply system according to claim 1, wherein the second supply path is coupled to a backup battery having the first nominal voltage.

15. The power supply system according to claim 14, wherein the backup battery is a lithium-titanate battery.

16. The power supply system according to claim 1 further comprising a plurality of disconnecting elements.

17. The power supply system according to claim 1 further comprising a plurality of equivalent disconnecting elements arranged in parallel and operable to protect a plurality of safety-relevant loads, and a control device configured to actuate a plurality of MOSFETs of the parallel-arranged disconnecting elements.

18. The power supply system according to claim 1 further comprising a plurality of first supply points and a plurality of second supply points.

19. The power supply system according to claim 1, wherein the fault is isolated in conformity with ASIL B.

20. A motor vehicle including the power supply system according to claim 1.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) In order that the disclosure may be well understood, there will now be described various forms thereof, given by way of example, reference being made to the accompanying drawings, in which:

(2) FIG. 1 shows a schematic drawing of a power supply system for one or more safety-relevant loads according to the prior art;

(3) FIG. 2 shows a schematic drawing of a power supply system for one or more safety-relevant loads, with two supply paths coupled through a bidirectional and a unidirectional fuse according to the teachings of the present disclosure;

(4) FIG. 3 shows a schematic drawing of a power supply system with two supply paths coupled through a bidirectional fuse, in which one or more safety-relevant load(s) is/are coupled via an electronic fuse;

(5) FIG. 4 shows a schematic drawing of a power supply system according to the form in FIG. 2, with a five-phase DC/DC converter; and

(6) FIG. 5 shows a schematic drawing of a power supply system for one or more safety-relevant loads, with a DC/DC converter divided up into partial converters.

(7) The drawings described herein are for illustration purposes only and are not intended to limit the scope of the present disclosure in any way.

DETAILED DESCRIPTION

(8) The following description is merely exemplary in nature and is not intended to limit the present disclosure, application, or uses. It should be understood that throughout the drawings, corresponding reference numerals indicate like or corresponding parts and features.

(9) FIG. 1 shows a schematic drawing of a power supply system 100 for one or more safety-relevant loads 102 according to the prior art. A starter battery 104 and a generator 106 are arranged in parallel to feed a first supply path Rim A. An auxiliary heater is electrically connected as a load 112, via a first current distributor 108 having a plurality of fusible cut-outs 110. The first current distributor 108 is coupled to a second current distributor 108, which is coupled to the safety-relevant load 102 through a first supply point 114. A second supply path Rim B is arranged adjacent thereto and is fed by a backup battery 116. A second supply point 118 is coupled through a current distributor 108 and a fusible cut-out 110 of the current distributor 108, and the safety-relevant load 102 is coupled through the second supply point as the redundant supply. The first supply path Rim A and the second supply path Rim B are coupled via a DC/DC converter 122.

(10) For illustration purposes, three faults 120 are shown as octagons with an associated jagged arrow and with a digit inside the form. A short circuit cannot be isolated without disturbances, as will be explained in greater detail below.

(11) In other words, FIG. 1 shows an example of the concept of a dual supply structure as implemented in accordance with a conventional layout. The function 102 (functional safety) according to ASIL D (such as steering), which is important to availability, is internally structured in two channels with two actuators (not shown), to be able to offer the required ASIL safety level. Corresponding to the internal, dual-channel structure, two supply terminals (114, 118) are provided for the external supply. For a redundant supply, they are to be fed from two independent sources. This arrangement has two disadvantages:

(12) First, the independence of the two supply paths Rim A, Rim B is essential for the redundant supply. The DC/DC converter 122 between the two paths thus has to be configured in accordance with ASIL D, which entails considerably effort and expense.

(13) Second, protection against overload is provided in both supply paths Rim A, Rim B solely with fusible cut-outs 110. These fuses have the systemic limitation that they can only disconnect a load very sluggishly. The current required to blow the fuse is so high that so much voltage drops across the impedances of the on-board electrical system (internal resistance of battery, resistance of fuses, cables and chassis ground feedback) that the other consumers 102, 112 in the on-board electrical system move into overvoltage reset.

(14) As a result, a short circuit 120 (1) in the auxiliary heater 112 causes a voltage dip on the upper supply line Rim A. The functional safety function 102 (steering) can then feed itself with stabilized voltage via the lower supply terminal 118, provided that the DC/DC converter 122 reliably disconnects the second supply path Rim B. The technical safety requirement of stable-voltage supply with ASIL D is thus transferred 1 to 1 onto the necessary performance of the converter.

(15) A short circuit 120 at point 3 is important. Due to the sluggishness of the fuse 110, the small backup battery 116 and the DC/DC converter 122 are unable to hold the voltage. All sensors 1 to n 112.sub.1, 112.sub.2, 112.sub.n fail simultaneously, leading to blindness of the autonomous driving function.

(16) An issue with the two inputs 114, 118 of the safety-relevant load 102 (functional safety function) may also lead to a complete failure of both supply paths Rim A and Rim B. For example, the failure of the brake would simultaneously cause failure of the steering. Here it becomes clear that the layout of the supply lines A and B lacks diversity.

(17) FIG. 2 shows a schematic drawing of a power supply system 200 for one or more safety-relevant loads 102, comprising two supply paths Rim A, Rim B coupled via a bidirectional fuse M2 and a unidirectional fuse M1, in a first form of the present disclosure. The fuses M1, M2 are also referred to as disconnecting elements M1, M2. The first supply path Rim A largely corresponds to the form shown in FIG. 1.

(18) The first supply path Rim A is coupled through a first connection point 230 to a first voltage source 104. The second supply path Rim B is fed via a DC/DC converter 222 and the second connection point 232. A current distributor 208 in the second supply path Rim B has electronic fuses M3, M4 as disconnecting elements M3, M4. One electronic fuse M4 is coupled to the second supply point 118 to feed the safety-relevant load 102. A second safety-relevant load 202 is connected via a coupling element 234. The coupling element 234 has an additional first supply point 214 that is electrically connected to a fusible cut-out 110 of a current distributor 108 of the first supply path Rim A, and an additional second supply point 218 that is electrically connected to the electronic fuse M3 of the second supply path Rim B. An outlet of the coupling element 234 is electrically connected to the safety-relevant load 202. The two additional supply points 214, 218 are electrically connected via diodes 236 to the output of the coupling element 234. A safety-relevant load 202 can be fed via the coupling element 234, which has only one supply terminal in this form.

(19) The upper supply path (Rim A) is a conventional feed branch with fusible cut-outs 110. It can be part of the conventional on-board electrical system that is also used in vehicles without an autonomous driving function. The lower supply path Rim B is the part of the on-board electrical system that has been added to power the functional safety functions 102, 202. It uses an electronic safeguard 208 to avoid a disturbance in the form of a voltage dip upon overload on the Rim B and A.

(20) A short circuit 120 in the normal on-board electrical system function of auxiliary heater 112 causes a voltage drop on the upper supply path Rim A. It is isolated from the lower supply path Rim B via two independent ASIL B instances. First of all, M1 closes, then M2, which as an anti-serial MOSFET switch can close in both directions.

(21) A short circuit 120 labeled 3 on the lower supply, i.e., via the second supply path Rim B and the second supply point 118, is isolated disturbance-free by the disconnecting element M4. There is another, additional fallback level that exists to provide that the disconnecting element M4 is not the only instance to be given the safety level ASIL D. This additional level constitutes isolation by disconnecting element M2 in the event that disconnecting element M4 fails and cannot disconnect. Thus, the upper supply path Rim A is isolated from the short circuit 120 designated as 3 by disconnecting element M4 and as needed by disconnecting element M2. The important thing is that a specific electronic safeguard M3, M4 is provided in the lower/second supply path Rim B for each functional safety-relevant load 102, 202.

(22) The disconnecting elements M1, M2 and M3, M4 are independent, but they are also advantageously integrated into a module 238. A complete failure of the upper functional safety function 102 with short circuits at (2.) and (3.) does not result in complete failure of the supply, since the second supply path Rim B is isolated via the disconnecting element M4 and therefore the second supply path Rim B can supply the other functional safety functions 202. Therefore, diversity in the supply is given.

(23) As already indicated above, the safety-relevant load 102 is fed via the first supply point 114, which is coupled to the first supply path Rim A with starter battery 104, i.e. a first power source 104; and it is fed via the second supply point 118, which is coupled to the second supply path Rim B with high-voltage battery or 48-V battery 216, i.e. a second power source 216. Both the two power sources 104, 216 and the supply paths Rim A, Rim B connected to them are independent of one another. The first supply path Rim A and the first supply point 114 coupled to it are protected by fusible cut-outs 110. The second supply path Rim B and the second supply point 118 coupled to it are protected by unidirectional electronic fuses M3, M4. Here the inhomogeneity in the redundancy of the protection becomes clear at first glance, implemented here by a classic fuse 110 as opposed to a semiconductor fuse M3, M4 or MOSFET 240.

(24) To achieve a comparable inhomogeneity of the redundancy in the form described below and illustrated in FIG. 3, the electronic fuses M5, M6 should be designed differently from the electronic fuses M3, M4. This refers to the selection of the electronic components used within the electronic fuses M3, M4, M5, M6, and to the design tool used during development.

(25) The disconnecting elements M1 and M2 can advantageously be controlled via the battery voltage. A short circuit 120 on the upper/first supply path Rim A, i.e., for example, the short circuits 120 designated as 1 or 2, leads to a voltage dip in the battery 104. A short circuit 120 on the lower/second supply path Rim B, i.e., for example, a short circuit 120 designated as 3, also leads to a voltage drop in the battery 104, if it has not been disconnected via the disconnecting elements M3 or M4. Thus, opening the disconnecting elements M1 and M2 when the battery voltage drops to below 11 V, for example, results in the isolation of a voltage drop, either on the first supply path Rim A or the second supply path Rim B.

(26) Optionally, as shown in FIG. 1, for instance in vehicles with internal combustion engines, a generator may be provided, which is arranged parallel to the starter battery 104 and which, on the one hand, supplies the first supply path Rim A with power and, on the other hand, charges the starter battery 104. An optional charging device (not shown here either) fed via an external voltage source is provided here for electric vehicles or plug-in hybrid vehicles.

(27) The disconnecting elements M1, M2, M3, M4 each include a MOSFET 240 and a control device 242. The control device 242 is connected to gate G, also referred to as gate terminal G, of the MOSFET 240. The MOSFET 240 is a self-locking n-channel MOSFET 240.

(28) The disconnecting element M2 includes at least two MOSFETs 240, which is configured as an anti-serial MOSFET switch due to their arrangement. A second disconnecting element M2 acting in two directions is the result. For this purpose, the two sources S of the two MOSFETs 240 of the second disconnecting element M2 are directly electrically interconnected.

(29) The power path of the MOSFET switch 240 of the two disconnecting elements M1, M2 lies between the two supply paths Rim A, Rim B. Thus, source S of the MOSFET 240 of the first disconnecting element M1 is coupled to the first supply path Rim A, drain D of the same MOSFET 240 is electrically connected to drain D of one of the MOSFETs 240 of the second disconnecting element M2. Drain D of the second MOSFET 240 of the second disconnecting element M2 is coupled to the second supply path Rim B.

(30) The MOSFETs 240 of the electric fuses M3, M4 are arranged in such a manner that source S points toward the load(s) 102, 112, 202 and drain D points toward the voltage supply accordingly, i.e. in this case high-voltage or 48-V battery 216.

(31) In the remaining Figures, to facilitate legibility, the reference numbers 240, 242 will be omitted.

(32) FIG. 3 shows a schematic drawing of a power supply system 200 with two supply paths Rim A, Rim B coupled via a bidirectional fuse M2, in which the one or more safety-relevant loads 102, 202 is/are each coupled on via an electronic fuse M3, M4 in accordance with one form of the present disclosure. The form shown in FIG. 3 corresponds to the form shown in FIG. 2, with the difference that the current distributor 108 with fusible cut-outs 110 as shown in FIG. 2 has been replaced with current distributor 108 with electronic fuses M5, M6, M7, M8. Thus, the unidirectional electronic fuse M1 can be omitted, since the electronic fuses M5, M6, M7, M8 can assume the task of a disconnecting element M5, M6, M7, M8. The electronic fuses M5, M6, M7, M8 are unidirectional.

(33) One special feature of the two electronic fuses M7, M8, both of which have a MOSFET, is that one control unit is configured to actuate both MOSFETs. Thus, one control unit is connected to GATE of both MOSFETs.

(34) The two supply paths Rim A and Rim B shown in the form represented in FIG. 3 have an inhomogeneous redundancy. The electronic fuses M5, M6 in the first supply path Rim A differ from the electronic fuses M3, M4 in the second supply path Rim B. Thus, MOSFETs and actuators that are not equivalent are used on both supply paths Rim A and Rim B for the electronic fuses in order to achieve the desired decomposition of an ASIL D classification.

(35) In other words, FIG. 3 shows a variant that works exclusively with electronic protection M1, M2, M3, M4, M5, M6, M7, M8. A short circuit 120 and the accompanying voltage drop is isolated (first instance in ASIL B) in each case by the electronic fuse M3, M4, M5, M6, M7, M8 specific to the particular path. As a second instance (ASIL B) the switch M2 can disconnect the respective other supply path Rim A, Rim B to inhibit spreading of the voltage drop.

(36) FIG. 4 shows a schematic diagram of a power supply system 200 according to the form shown in FIG. 2, with a five-phase DC/DC converter 422 according to another form of the present disclosure. The drawing is a slightly reduced version of the drawing of the form from FIG. 2, with the DC/DC converter 422 being configured as a five-phase DC/DC converter.

(37) In other words, FIG. 4 shows an integrated DC/DC converter 422 that includes the intelligent protection and switching functions according to FIG. 2. Thus, as a singular unit the converter is a suitable addition to a conventional on-board electrical system to enhance the on-board power supply network for availability-relevant functional safety functions 102. The adequate independence of the modules shown is provided in the structural concept.

(38) FIG. 5 shows a schematic drawing of a power supply system 200 for one or more safety-relevant loads 102, with a DC/DC converter 522 subdivided into partial converters 550, 552, in accordance with another form of the present disclosure. FIG. 5 shows an integrated DC/DC converter 522 subdivided into two partial converters 550, 552 to supply both paths Rim A, Rim B. Since only a portion of the converter capacity here (phase 4 and phase 5) is available for supplying the redundant path Rim B, a backup battery 554 (here a lithium-titanate battery 554) may be kept available, depending on the maximum power request. In this arrangement, there are again two disconnecting elements each M1, M3, M4, 550, 552, that are capable of interrupting a fault on a supply path Rim A, Rim B, these being for the upper/first supply path Rim A the electronic fuse M1 and the phases (switch-off) 1 to 3 of the first partial converter 550, and for the lower/second supply path Rim B the particular electronic fuses M3, M4, and the phase switch-off for phases 4 and 5 of the second partial converter 552.

(39) The description of the disclosure is merely exemplary in nature and, thus, variations that do not depart from the substance of the disclosure are intended to be within the scope of the disclosure. Such variations are not to be regarded as a departure from the spirit and scope of the disclosure.