Fuel cell stacks constitute a promising future alternative for supplying power to vehicles in road traffic since by using fuel cell stacks it is possible to drastically reduce the environmental load, in particular by exhaust gases.
Such a fuel cell stack constitutes a complex technical system on which open-loop and/or closed-loop control has to be performed using suitable control apparatuses, and a large variety of control apparatuses for vehicles are known from the prior art.
For example, publication DE 10336743 A1 discloses an open-loop control system with a plurality of modules for a drive train of a vehicle, wherein the drive train optionally also comprises a fuel cell. In this open-loop control system it is proposed to provide a first module for integrating a drive train open-loop control and a second module for controlling the power generation and/or transmission, wherein the two modules can be programmed independently of one another.
Document DE 10 2004 008 869 A1 discloses a control unit and a computer program for controlling a drive unit of a vehicle. The control unit comprises a hardware platform on which the computer program runs, wherein a plurality of modules for implementing open-loop control functions, safety functions and/or monitoring functions for the drive unit of the vehicle are implemented in the computer program.
In one embodiment, the invention is based on the object of providing a control apparatus of the type mentioned at the beginning which assists reliable operation of a fuel cell stack in a vehicle.
This object is achieved by means of a control apparatus having an operations control module configured in terms of program technology and/or circuit technology, to control a plurality of normal-operation-related sensor systems or actuator systems, wherein the normal-operation-related sensor systems or actuator systems relate to the operating state of the fuel cell stack during normal operation, and a safety control module, wherein the safety control module is configured in terms of program technology and/or circuit technology to control safety-related sensor systems or actuator systems, wherein the safety-related sensor systems or actuator systems relate to the safety functions of the fuel cell stack, wherein the safety control module is provided as an assembly which operates in an autonomous fashion with respect to the operations control module. Preferred and/or advantageous embodiments are disclosed by the subclaims, the following description and/or the appended FIGURE.
The control apparatus according to the invention is designed and/or suitable for a fuel cell stack, preferably for use in a vehicle, and comprises at least one operations control module and at least one safety control module, wherein both control modules are respectively designed to control sensor systems/actuator systems in terms of program technology and/or circuit technology. The control of a sensor system/actuator system is effected, for example, if measurement signals in digital and/or analog form are transmitted to the control module via one or more sensor systems, the measurement signals are processed in the control module on the basis of an open-loop or closed-loop control, and an actuation signal is transmitted to the assigned actuator system, likewise in digital and/or analog form, as a result of the open-loop or closed-loop control.
For a clear architecture of the control apparatus, the controlled sensor systems/actuator systems are preferably divided into normal-operation-related sensor systems/actuator systems and into safety-related sensor systems/actuator systems. The normal-operation-related sensor systems/actuator systems relate here to the closed-loop or open-loop control of the fuel cell stack within the normal operating mode so that power generation which corresponds to the request, for example, is carried out by means of these sensor systems/actuator systems. These sensor systems/actuator systems ensure, for example, that a sufficient quantity of fuel and oxidant is supplied to the fuel cells, and that the temperature of the individual components of the fuel cell or of the fuel cell stack is optimized for the respective operating state.
The safety-related sensor systems/actuator systems ensure, in contrast, that the fuel cell stack does not go into an unacceptable operating state. An unacceptable operating state occurs, in particular, if there is a risk of damage to the fuel cells or to the fuel cell stack or to components which are connected to the fuel cell stack. Examples of such unacceptable operating states are pressures or temperatures in the fuel cell stack or components thereof which exceed a predefined safety limiting value.
According to certain embodiments of the invention, the safety control module is embodied as an assembly which operates in an autonomous fashion with respect to the operations control module.
In this embodiment according to the invention, the safety control module is capable of communicating with safety-related sensor systems/actuator systems and controlling them independently of the operations control module.
For this purpose, the safety control module may be embodied as hardware which is independent of the operations control module and which has, in particular, separate logic circuits and/or one or more separate processing units, in particular microprocessors, DSPs, ASICs, FPGAs or the like. In particular, the safety control module may be embodied as an embedded system with an operating system which runs only on the safety control module.
In certain embodiments, the invention is based on the idea of concentrating safety-related functions of the fuel cell stack in an electronic assembly which can carry out the safety-related functions independently of other functional assemblies or control modules. The safety control module is preferably embodied as a stand-alone system.
This ensures that in the case of disrupted or faulty communication with other control modules, the safety control module can implement the safety functions autonomously and/or independently.
A further advantage of certain embodiments of the invention is that the safety control module is relieved of the control, in particular of the closed-loop or open-loop control, of sensor systems/actuator systems which relate to the normal operating mode of the fuel cell stack. Since the control complexity for a fuel cell stack is enormous, owing to the large number of components necessary to operate a fuel cell stack, separating the safety functions in the safety control module also improves the reaction time and the speed when implementing the safety functions.
It is preferred that the safety control module is designed to control most or all of the safety-related sensor systems/actuator systems of the fuel cell stack. In this context, a gradual implementation of the invention occurs, with preferably all the safety functions being implemented in the safety control module. In less preferred embodiments, a small proportion of the safety functions can also be implemented in the operations control module. Within the scope of the invention it is also possible for a plurality of safety control modules to be used, in which case each safety control module is embodied as an autonomously operating assembly.
It is advantageous if the safety control module is designed to implement the safety functions even when the communication with other control modules, in particular with the operations control module, is disrupted or faulty. In one particularly preferred embodiment, the safety control module has a memory in which all the programs, data and/or parameters which are necessary for initialization are stored, so that when the safety control module starts there is no need for communication with other control modules. In alternative embodiments, the aforesaid programs, data and/or parameters are transferred from other control modules when the safety control module starts, in which case, after initialization, further communication with the other control modules is no longer necessary to operate the safety control module.
In one advantageous embodiment, the safety control module is an electronic safety system. The safety control module preferably comprises a watchdog system, an autonomous power supply system and/or an emergency power supply system and/or permits autonomous system-starting.
The safety control module preferably has interfaces for connecting the sensors and actuators of the safety-related sensor systems/actuator systems. It is possible for these interfaces to be embodied as a BUS interface, for example for a CAN bus. In this case, the safety control module is preferably embodied at the same time as a gateway, so that the BUS system for the sensors and actuators is designed to be independent of a further BUS system with which the safety control module communicates with other functional units or control modules.
Alternatively or additionally there is provision that the sensors and/or actuators are connected individually to the safety control module. The last-mentioned embodiment has the advantage that if one of the data lines between the safety control module and sensor system/actuator system fails, at least the remaining sensor systems/actuator systems can still be driven.
In one embodiment of the invention, the safety control module and the operations control module are embodied as part of a hierarchical control architecture.
In one embodiment, the uppermost hierarchy is formed by a central control unit which is designed to perform open-loop control of a mobile apparatus, in particular of a vehicle.
This central control unit is connected via a BUS system to, among other things, the operations control module. The central control unit and operations control module preferably form a master/slave combination, with the central control unit being embodied as the master. The BUS is, for example, implemented as a CAN BUS or SAE J 1850-BUS or BM-LAN.
The safety control module is either arranged at the master level or at the slave level, in which case at the master level it receives data, in particular operating parameters, from the central control unit, and transfers data, for example in the form of warning instructions, to the central control unit.
As an alternative to this embodiment, the safety control module may be arranged at the slave level, in which case it receives operating instructions from the central control unit.
In order to communicate and pass on data, in particular warning instructions, the safety control module is optionally provisioned to communicate, in particular, via a BUS system with the operations control module and/or the central control unit. As already mentioned above, it is, however, advantageous if the communication with the safety-related sensor systems/actuator systems occurs independently of the BUS system or the BUS systems between the safety control module and the operations control module and/or the central control unit.
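The separation described above, in which the safety decision depends only on locally held limits and individually connected sensors while warnings travel over the BUS when it is available, can be sketched as follows. This is an added example, not code from the publication; the type and function names, the limit values and the policy of skipping a channel whose data line has failed are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical channel model: one individually connected safety sensor. */
typedef struct {
    double value;    /* latest measurement on this channel */
    double limit;    /* predefined safety limiting value, held in local memory */
    bool   line_ok;  /* false if this sensor's own data line has failed */
} safety_channel;

typedef struct {
    bool   shutdown;        /* command to the safety-related actuator system */
    bool   warning_sent;    /* warning passed on over the BUS */
    bool   warning_queued;  /* warning held back because the BUS is disrupted */
    size_t lines_failed;    /* channels skipped because their line is down */
} safety_result;

/* One evaluation cycle of the (hypothetical) safety control module.
 * bus_ok is read only AFTER the shutdown decision has been made, so a
 * disrupted BUS cannot delay or suppress the safety function. */
safety_result safety_step(const safety_channel *ch, size_t n, bool bus_ok)
{
    safety_result r = { false, false, false, 0 };
    for (size_t i = 0; i < n; i++) {
        if (!ch[i].line_ok) {       /* assumption: skip the failed line, */
            r.lines_failed++;       /* keep evaluating the remaining ones */
            continue;
        }
        if (ch[i].value > ch[i].limit)
            r.shutdown = true;      /* unacceptable operating state */
    }
    if (r.shutdown) {               /* reporting is best-effort only */
        if (bus_ok) r.warning_sent = true;
        else        r.warning_queued = true;
    }
    return r;
}

int main(void)
{
    /* Constructed sample: pressure within limit, temperature over limit,
     * and a third sensor whose data line has failed. */
    safety_channel ch[] = {
        { 2.1,  3.0,  true  },
        { 95.0, 90.0, true  },
        { 0.0,  3.0,  false },
    };
    safety_result r = safety_step(ch, 3, false);  /* BUS disrupted */
    printf("shutdown=%d queued=%d failed_lines=%zu\n",
           r.shutdown, r.warning_queued, r.lines_failed);
    return 0;
}
```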