Vehicle electrical systems are used to supply a plurality of electrical consumers or loads with electric energy. Semiconductor switches, for example, can be used as high-side switches for switching these loads, which selectively supply the respective consumers with electric energy or shut the loads down.
Excess electric currents can occur in a vehicle electrical system as electrical malfunctions, which are caused by an overload or an electric short circuit, for example. With respect to the short circuits, for example, an undesirable electrical connection between a voltage-conducting electrical line and ground, or an undesirable electrical connection between two electrical lines conducting a voltage, may occur sporadically or permanently and to varying degrees. Protecting the vehicle electrical system against undesirable excess electric currents and/or short circuits is necessary for the functional reliability of a vehicle and to ensure protection against thermal overload.
When protection against thermal overload is a safety objective for functional reliability, the residual error probability that this safety objective is not achieved by the device should not be greater than a predefined metric (for example, 100 FIT, failures in time). Diagnostic coverage of at least 90%, for example, is part of the safety concept for this purpose. This means that 90% of latent faults, which could prevent the thermal overload from being detected and shut down, must be detected before damage occurs, for example as a result of a short circuit. If the diagnosis detects that the short circuit detection does not function, for example, then a latent fault is present. The fault is latent because a short circuit must occur in addition to the failure of short circuit detection for damage to occur. If the diagnosis detects a (latent) fault, the device must be brought into a predefined, safe state. The safe state OFF (load path is shut down) is an example of the safe state for the safety objective involving the protection against thermal overload.
Typically, to satisfy vehicle safety requirements, numerous vehicle functions need to switch into a type of “emergency off” as the safe state when an electrical malfunction exists. For example, an anti-lock braking system in which an electrical malfunction exists is shut down for driving safety, and the driver is notified. In the event of a fault, the forced shutdown of the respective vehicle function is thus a common safe state for vehicle functions.
In connection with more extensive vehicle functions, as implemented for autonomous driving and/or so-called drive-by-wire systems of a vehicle, for example, the availability-relevant supply of safety-critical functions is added as a new safety objective. Diagnostic coverage must also be implemented for this safety objective. The diagnosis detects whether the availability-relevant supply is jeopardized by latent faults in the system. If such latent faults are detected, the safe state must be assumed, for example ON, or at least ON until the vehicle can be shut down safely and the availability-relevant function can be shut down.
For a device that protects an electrical system component, the challenge is to satisfy the two safety objectives of protection against thermal overload and availability-relevant supply of safety-critical functions at the same time. If the diagnosis associated with the safety objective involving the protection against thermal overload detects a latent fault (for example, a fault in the short circuit detection), the system would have to be brought into the safe OFF state (even if no short circuit is present yet). The safe OFF state of the first safety objective, however, is also the unsafe state of the second safety objective involving the availability-relevant supply of safety-critical functions and thus results in violation of the second safety objective.
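The following added example (not from the application text) models the two checks described above: the diagnostic coverage and residual failure rate of the latent faults in the short-circuit detection against the 90% and 100 FIT figures, and the safe state each safety objective demands once a latent fault is detected. The fault list and its FIT rates are constructed sample values, and coverage is assumed to be weighted by failure rate.

```python
from dataclasses import dataclass

FIT_LIMIT = 100.0   # residual failure-rate metric named in the text (failures in time)
DC_TARGET = 0.90    # required diagnostic coverage of latent faults


@dataclass(frozen=True)
class LatentFault:
    name: str
    rate_fit: float   # failure rate of this fault in FIT (constructed sample value)
    detected: bool    # True if the diagnosis detects this fault before damage occurs


# Constructed latent faults of the short-circuit detection path (hypothetical names).
SAMPLE_FAULTS = [
    LatentFault("comparator_stuck", 40.0, True),
    LatentFault("current_sense_offset", 30.0, True),
    LatentFault("reference_drift", 20.0, True),
    LatentFault("diagnostic_timer_fault", 10.0, False),   # not covered by the diagnosis
]


def diagnostic_coverage(faults):
    """Fraction of the latent-fault failure rate that the diagnosis detects."""
    total = sum(f.rate_fit for f in faults)
    return sum(f.rate_fit for f in faults if f.detected) / total if total else 1.0


def residual_fit(faults):
    """Undetected latent-fault rate, i.e. what remains against the FIT metric."""
    return sum(f.rate_fit for f in faults if not f.detected)


def meets_safety_metric(faults):
    """True if both the coverage target and the residual FIT limit are satisfied."""
    return diagnostic_coverage(faults) >= DC_TARGET and residual_fit(faults) <= FIT_LIMIT


def safe_state_demands(latent_fault_detected, availability_relevant):
    """Safe state demanded by each objective and whether the two demands collide.

    Objective 1 (thermal overload protection) demands OFF as soon as a latent
    fault is detected, even with no short circuit present yet.  Objective 2
    (availability-relevant supply) demands ON for a safety-critical load, at
    least until the vehicle can be shut down safely.  Returns
    (objective_1_state, objective_2_state or None, conflict).
    """
    obj1 = "OFF" if latent_fault_detected else "ON"
    obj2 = "ON" if availability_relevant else None
    return obj1, obj2, availability_relevant and obj1 == "OFF"
```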
During autonomous driving, for example, it is understandable that a forced shutdown of a safety-relevant vehicle function for driving based on the detection of a latent fault as part of a diagnosis is not desirable. Rather, it is desirable in the case of such vehicle functions that an availability-relevant supply of the vehicle function, for example of an electrical consumer or an electrical load, with electric energy continues to take place reliably. In the case of such vehicle functions, a common safe state is thus to maintain the energy supply so as to prevent the shutdown.
This results in a conflict of objectives with respect to the two opposing safe states, namely between shutting down and maintaining the energy supply. A desire therefore exists to solve this conflict of objectives.