CONTROL UNIT FOR A VEHICLE

Abstract

A control unit for a vehicle. The control unit includes: interfaces for the connection to two independently redundant communication networks, messages to and from the control unit being transferrable via a second communication network, and vice versa, in the event of a failure of a first communication network; and interfaces for the electrical supply of the control unit via two independently redundant low-voltage networks. it being possible to electrically supply the control unit via a second low-voltage network, and vice versa, in the event of an error in a first low-voltage network.

Claims

1-14. (canceled)

15. A control unit for a vehicle, comprising: interfaces for connection to two independently redundant communication networks, messages to and from the control unit being transferrable via a second communication network of the redundant communication networks, and vice versa, following a failure of a first communication network of the redundant communication networks; and interfaces for electrical supply of the control unit via two independently redundant low-voltage networks, it being possible to electrically supply the control unit via a second low-voltage network of the redundant low-voltage networks, and vice versa, in the event of an error in a first low-voltage network redundant low-voltage networks.

16. A control system for a vehicle, comprising: two independently redundant high-voltage networks configured to provide electrical energy; two independently redundant low-voltage networks configured to provide electrical control voltage; two independently redundant communication networks configured to transfer messages between control units connected to the communication networks; and a degradation device configured to diagnose errors in the high-voltage, low-voltage, and communication networks and to selectively degrade the control units connected to the high-voltage, low-voltage, and communication networks, the control system offering a sufficient functionality for a driving operation of the vehicle.

17. The control system as recited in claim 16, wherein the degradation device includes a diagnostic module configured to carry out the diagnosis, and a battery management device configured to selectively degrade the control units.

18. The control system as recited in claim 17, wherein a preventive and/or actual diagnosis of lines connected to the high-voltage, low-voltage, and communication networks and a selective shut-off of control units connected to the high-voltage, low-voltage, and communication networks may be initiated and carried out using the diagnostic module.

19. The control system as recited in claim 16, wherein, in the event of an error of a high-voltage network of the high-voltage networks, a DC/DC converter is shut off, and a rechargeable battery for an electrical supply of one of the low-voltage networks is connected.

20. The control system as recited in claim 16, wherein the diagnostic module and the battery management devices are configured to be mutually monitorable.

21. The control system as recited in claim 16, wherein a state of the high-voltage, low-voltage, and communication networks is ascertainable using the battery management devices, corresponding data being transferrable via communication interfaces.

22. A method for operating a vehicle, comprising the following steps: diagnosing, in each case, independently redundantly configured electrical high-voltage, electrical low-voltage, and electrical communication networks of a control system of the vehicle, which are functionally connected to one another; transferring the diagnosis result to independently redundant battery management devices of the control system, an error in a first battery management device not impairing a functionality of a second battery management device, and vice versa; and selectively degrading control devices connected to the electrical high-voltage, electrical low voltage, and electrical communication networks as a function of the diagnosis result in such a way that control units connected to the electrical energy supply, electrical low voltage, and electrical communication networks are still sufficiently functional for a safe driving operation of the vehicle.

23. The method as recited in claim 22, wherein a selective shut-off of electrical consumers is delayed or carried out using predefined degradation control signals.

24. The method as recited in claim 22, wherein a selective shut-off of electrical devices which are not necessary for fulfilling necessary driving functions of the vehicle is carried out.

25. The method as recited in claim 24, wherein the control units includes a braking control unit, a steering control unit, a control unit for driver assistance systems, and a control unit for engine management, and wherein at least one of the control units is kept operational for a driving operation of the vehicle.

26. The method as recited in claim 22, wherein one of the high-voltage networks is connectable to the other high-voltage network via a coupling switch.

27. The method as recited in claim 22, wherein a selective shut-off of electrical consumers connected to the networks, which is carried out based on a diagnosis, results in soft switchovers, during which the vehicle does not carry out any abrupt movements.

28. A non-transitory computer-readable data medium on which is stored a computer program including program code for operating a vehicle, the program code, when executed by a computer, causing the computer to perform the following steps: diagnosing, in each case, independently redundantly configured electrical high-voltage, electrical low-voltage, and electrical communication networks of a control system of the vehicle, which are functionally connected to one another; transferring the diagnosis result to independently redundant battery management devices of the control system, an error in a first battery management device not impairing a functionality of a second battery management device, and vice versa; and selectively degrading control devices connected to the electrical high-voltage, electrical low voltage, and electrical communication networks as a function of the diagnosis result in such a way that control units connected to the electrical energy supply, electrical low voltage, and electrical communication networks are still sufficiently functional for a safe driving operation of the vehicle.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0035] FIG. 1 shows a block diagram of one specific embodiment of a control system for a vehicle, in accordance with the present invention.

[0036] FIG. 2 shows a schematic block diagram of a control unit, in accordance with an example embodiment of the present invention.

[0037] FIG. 3 shows a schematic representation of a method for operating a control system for a vehicle, in accordance with an example embodiment of the present invention.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

[0038] Hereafter, the term ‘automated vehicle’ is used synonymously in the meanings of fully automated vehicle, semi-automated vehicle, fully autonomous vehicle and semi-autonomous vehicle (synonymously: SAE Level 2/3, 4/5).

[0039] Most errors that jeopardize a safe vehicle guidance of an automated vehicle are based, among other things, on cascades in which, e.g., an error in a high-voltage battery results in shut-offs, which via a DC/DC converter may affect a 12 V battery. When the 12 V voltage supply or a communication to a control electronics of an electric motor (inverter) is interrupted, the control electronics may open battery contactors and reduce energy of the high-voltage network via windings of the electric motor. Due to various predefined high-voltage rules, the following shut-off cascades must be implemented, which result in a high-voltage shut-off: [0040] failure of terminal 15, fuse triggered, high-voltage enable line, wire break [0041] failure of communication to inverter, battery management systems, control unit for recording a driver request (VCU), etc. [0042] HV interlock (fuse function as protection against high-voltage influencing) [0043] inverter error, high-voltage battery error, errors of other consumers (e.g., radiator/fan, etc.) [0044] critical EMC influences [0045] erroneous states (such as e.g., erroneous crash detection)

[0046] All described errors, before they result in the active shut-off, may cause massive pulsations in the high-voltage and low-voltage networks of the vehicle, which, generally speaking, are tolerated by the inertia of the shut-off elements (e.g., fuse, thresholds in the software, etc.). The pulsations undesirably apply a load onto the 12 V battery and may massively reduce its service life. Many of the 12 V consumers, such as for example radiator fan motor, EPS motor, ESP motor or actuator, etc., also have the potential to feed electrical energy into the vehicle electrical system in certain situations, which may further intensify the pulsations in the vehicle electrical system. Furthermore, the vehicle may become destabilized due to vibrations in the drive train and/or the driver may become massively confused by the behavior of the pedals or of the steering wheel.

[0047] Since such errors may occur in all consumers and in the interposed lines, a selective shut-off of elements or devices of a control system for a vehicle is provided. In the process, a cause of the malfunction is recognized or preventatively diagnosed and, as a consequence, a selective shut-off of elements or devices of the control system is carried out in such a way that a fundamental driving function of the vehicle is still provided.

[0048] This is achieved in that a piece of malfunction information diagnosed by a diagnostic module is transferred to a battery management system which, in combination with the diagnostic module, shuts off the affected electrical circuits, and switches an energy supply of the low-voltage network over to available DC/DC energy sources or other electrical energy sources. This is achieved in that the diagnostic module acts as a selective shut-off or switch-over device.

[0049] FIG. 1 shows an electrical/electronic architecture (E/E architecture) of a described control system 100 for a vehicle, which may provide a described functionality. Two independently redundant high-voltage batteries 1a, 1b (having, e.g., 400 V DC voltage) are apparent, which each feed a high-voltage network HN1, HN2 and are each connected to or disconnected from high-voltage network HN1, HN2 via an assigned battery management device 2a, 2b. Furthermore, a switch S for the defined switching (e.g., charging, equalizing charging energy, connecting in series, etc.) of high-voltage batteries 1a, 1b may be activated with the aid of battery management devices 2a, 2b. An electric motor M1, M2 of high-voltage networks HN1, HN2 is activated in each case via a respective power electronics 11a, 11b.

[0050] Furthermore, a first low-voltage network NV1 and a second low-voltage network NV2 are apparent in control system 100, which are each supplied with electrical 12 V energy (electrical control voltage) by a DC/DC converter 3a, 3b. Advantageously, a 12 V rechargeable battery 4 may be connected to one of low-voltage networks NV1 in the event of an error, which is particularly useful, for example, when, due to a failure of high-voltage batteries 1a, 1b, subsequently also DC/DC converters 3a, 3b no longer provide any 12 V supply voltage for low-voltage networks NN1, NN2. Furthermore, instead of DC/DC converter 3b, a charger 12 may also be connected to low-voltage network NN2. 12 V rechargeable battery 4 may be charged with the aid of charger 12.

[0051] Furthermore, a first communication network KN1 and a second communication network KN2 are provided in control system 100, which may be designed, for example, as a CAN bus, Ethernet, etc. Central communication interfaces 9a, 9b (gateways) and a braking control device 8 (e.g., integrated power brake (IPB)) for locally controlling a braking by wire or deceleration of the vehicle are connected to communication networks KN1, KN2. Messages for activating electronic control units of control system 100 are transferred via the described communication networks KN1, KN2. In the process, a steering control device 5, a control unit for recording a driver request 6, a control unit for automated driving 7, and a braking control device 8 may be provided as electronic control units. In addition, further electronic control units not illustrated in FIG. 1 are also possible. A so-called “degradability” of networks and consumers of control system 100 is, in particular, controlled by a diagnostic module 10 which, in cooperation with battery management systems 2a, 2b, carries out a preventive diagnosis (e.g., ascertainment of changes in resistance due to line breakage, aging effects, vibrations, temperature effects, short-term critical electrical voltage demands, etc.) of all lines of all networks, HN1, HN2, NN1, NN2, KN1, KN2, and thereby causes a selective switching of the consumers and producers or control units connected to control system 100 in such a way that fundamental driving functions (e.g., steering, braking, controlling, navigating, etc.) of the vehicle are still provided even when the defect is present.

[0052] Using the described control system 100 for a vehicle, in this way the following advantageous functions, which hereafter are only mentioned by way of example, are possible:

[0053] The electrical control voltage of 12 V low-voltage networks NN1, NN2 is assigned to the communication level including communication networks KN1, KN2 and the available redundancies. This means that, due to the existence of the two independently redundant low-voltage networks NN1, NN2 and the two independently redundant communication networks KN1, KN2, the electronic control units are in each case connected to the same strand (low-voltage and communication network) since otherwise the availability is reduced in the event of a failure of the 12 V supply and the communication. Even though an electronic control unit may fail completely, e.g., when using the described method, the remaining available control units are able to maintain the nominal function (usually at reduced performance) of the failed control unit, or provide a degraded function of the failed function. Due to the independent redundancy, it is advantageously possible in this way that an error in one of networks NN1, NN2, KN1, KN2, HN1, HN2 cannot impair a functionality of a respective other network NN1, NN2, KN1, KN2, HN1, HN2 assigned to the respective network NN1, NN2, KN1, KN2, HN1, HN2.

[0054] Essential systems of the vehicle for safeguarding the driving operation up to a safe standstill or state (fail state or fail operational state), such as brake and steering, are each connected to the two communication networks KN1, KN2 and to the two 12 V low-voltage networks NN1, NN2, which are each galvanically or “sufficiently safely” isolated from one another.

[0055] All high-voltage consumers are preferably connected to the two high-voltage networks HN1, HN2, so that high-voltage shut-offs only affect one strand (including high-voltage, low-voltage and communication networks), and a high-voltage consumer is thus even still functional in the event of a complete shut-off of a high-voltage network. The respective strand should preferably be assigned once to the first and once to the second low-voltage and communication network, so that errors in the high-voltage network as well as high-voltage operational shut-offs cannot result in errors in other networks.

[0056] Diagnostic module 10 is, in particular, provided for preventive diagnoses of the lines of all networks, including detection and/or simulation of electrical line resistances and of electrical currents, and may provide appropriate pieces of information to the consumers connected to the networks, so that defined consumers may be preventatively shut-off or evacuated from the assigned network before an error occurs.

[0057] The degradable consumers include, for example, a control unit 7 for driver assistance systems, which is preferably connected to a different low-voltage network NN1, NN2 than a control unit 6 for a motor and thermal management. Advantageously, this supports the fact that a failure or shut-off of control unit 7 for driver assistance systems may be at least partially compensated for by control unit 6 for a motor and thermal management, and vice versa.

[0058] It is thus apparent that control units, energy systems, drives and networks are situated and functionally connected to one another in the described control system 100 in such a way that, in the event of an error of the vehicle (e.g., due to an accident), never is it the case that all control units, energy systems, drives and networks are damaged or may fail simultaneously.

[0059] The line diagnosis by diagnostic module 10 should thus not only implement the diagnosis of high-voltage networks HV1, HV2, but additionally also a diagnosis of low-voltage networks NV1, NV2, and should consolidate this into a potential degradation. Using diagnostic module 10, a switching and shut-off of all devices connected to the networks may be carried out anticipatorily (predictive maintenance).

[0060] The pieces of diagnostic information regarding the low-voltage and high-voltage networks are provided to battery management devices 2a, 2b in real time, to the extent possible, so that these pieces of diagnostic information are detected together with battery states of high-voltage batteries 1a, 1b. In this way, battery management devices 2a, 2b may selectively disconnect or shut off the corresponding high-voltage networks HN1, HN2 with the aid of contactors and/or power switches 12a, 12b to avoid error propagation. Battery management devices 2a, 2b are control units which are connected to other control units via different hard-wired signals, and also via bus systems (e.g., CAN bus, etc.). Errors in the high-voltage networks, in the connections, in the communication, in the cooling water, etc., often result in requirements that battery management device 2a, 2b thereby opens contactors, and thus disconnects circuits.

[0061] In addition, a so-called “degradation manager” (not shown) may be provided for controlling the described selective degradation.

[0062] Critical consumers in low-voltage networks NN1, NN2 may be identified and selectively shut off by the described monitoring system, as long as no availability of an essential vehicle guidance function is jeopardized thereby. Since all vehicle guidance functions even today have redundant 12 V power supplies, critical circuits may be shut off with the aid of battery management devices 2a, 2b, as is required for an emergency operation of the automated vehicle.

[0063] Furthermore, battery management devices 2a, 2b may thus also switch off critical circuits, as is necessary for an emergency operation of control system 100. With the aid of the battery management devices, the 12 V supply may be maintained via DC/DC converters 3a, 3b, as long as high-voltage batteries 1a, 1b are able to maintain the electrical energy supply at a low level.

[0064] Furthermore, battery management devices 2a, 2b may also initiate the selective shut-off of high-voltage networks HN1, HN2 and of low-voltage networks NN1, NN2, depending on the cause of the errors.

[0065] Using the described control system 100, a degradation of the networks and of the devices connected to the networks may be carried out in such a way that a vehicle equipped with control system 100 is transferrable into a safe state.

[0066] For this purpose, it is provided that messages transferred to the control devices are checked for consistency and plausibility regarding the functionality of driving functions of the vehicle.

[0067] FIG. 2 shows a schematic block diagram of a control unit or of a control device, in this case a steering control unit 5 of the vehicle. Two inputs 5a, 5b for connecting to the two communication networks KN1, KN2 and two inputs 5c, 5d for connecting to low-voltage networks NN1, NN2 for providing a 12 V power supply are apparent. Interfaces 5a, 5b and 5c, 5d are each independently redundantly configured, which means that a failure of a connected network KN1, KN2, NN1, NN2 cannot disadvantageously impair a function of the control unit. A galvanic isolation of inputs 5a, 5c from inputs 5b, 5d, which supports a functional independence of the described inputs, is graphically illustrated by separating lines in FIG. 2. In this way, it is ensured that both the transferred messages via communication networks KN1, KN2 and the electrical supply via low-voltage networks NN1, NN2 are ensured at all times, i.e., also in the event of an error of the vehicle.

[0068] FIG. 3 shows a schematic sequence of one specific embodiment of the described method.

[0069] In a step 200, a diagnosis is made of in each case independently redundantly configured electrical high-voltage, low-voltage and electrical communication networks HN1, HN2, NN1, NN2, KN1, KN2 of a control system 100 of the vehicle, which are functionally connected to one another.

[0070] In a step 210, a transfer is made the diagnosis result to independently redundant battery management devices 2a, 2b of control system 100, an error in a first battery management device not impairing a functionality of a second battery management device, and vice versa.

[0071] In a step 220, a selective degrading of devices of the electrical high-voltage, electrical control voltage and electrical communication networks HN1, HN2, NN1, NN2, KN1, KN2 as a function of the diagnosis result takes place in such a way that devices connected to the electrical energy supply, electrical control voltage and electrical communication networks HN1, HN2, NN1, NN2, KN1, KN2 are still sufficiently functional.

[0072] Advantageously, the described method may be implemented in the form of a software program including suitable program code, which runs on diagnostic module 10 and battery management devices 2a, 2b. This enables an easy adaptability of the method.

[0073] As a result, a system made up of mutually interconnected control units may thus be implemented, which for a defined functionality provides at least one control unit, which provides assigned pieces of information or data via a communication network, and an assigned control unit which receives the pieces of information via the communication network and converts them into actuation for the vehicle.

[0074] A typical application scenario of the present invention could be an automated vehicle including functions higher than SAE Level 2, in which, during the driving operation, the driver is replaced by a machine system for a defined period of time.

[0075] Those skilled in the art will suitably modify the features of the present invention and/or combine them with one another, without departing from the core of the present invention, in view of the disclosure herein.