The safety functions that battery controllers need to implement are often relatively simple checks on threshold value breaches by safety-related parameters such as voltage, current and/or temperature. Such functions can easily be implemented in hardware (for example comparators). The standard safety concept for battery controllers therefore usually comprises two redundant paths—monitoring by means of hardware and monitoring by means of software. This diversified redundancy can be used to achieve an adequate measure of safety.
In contrast to battery controllers, it is known practice to provide a so-called three-level concept for motor controllers for monitoring safety-oriented functions on a microcontroller. In this case, level 1 is the function level, level 2 is the function monitoring level and level 3 is the computer monitoring level. This concept can be used to achieve safety integrity of up to ASIL-B (ASIL=Automotive Safety Integrity Level). The three-level concept is based on a 1oo1D system (cf. FIG. 1). In such a system 100, measured variables are captured by sensors 110 which are monitored by a function computer 120. The reliability of the function computer 120 is in turn monitored by a diagnosis unit 130. The measured variables are taken as a basis for controlling actuators 140.
In general, an MooN system is an evaluation logic unit which compares N measured values, at least M of which need to satisfy prescribed criteria (M out of N).
An MooND system is an MooN system with a self-check.
Besides 1oo1D systems, there are also 1oo2D systems 200, which, by way of example, additionally involve reciprocal monitoring 150 of two function computers 120, 121 (cf. FIG. 2).
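The following is an added example, not code from the patent: a software model of the MooN, MooND and 1oo2D evaluation logic defined above, in the sense of the three-level concept where the self-check plays the role of the diagnosis unit. The cell-voltage window, the known-answer self-check, the "stuck-at-safe" fault model and the rule that a disagreement between the two function computers counts as a detected fault are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Sequence

Criterion = Callable[[float], bool]


@dataclass(frozen=True)
class Verdict:
    safe: bool          # True only if the vote passed and the diagnosis is clean
    passing: int        # how many of the N measured values met the criterion
    diagnosis_ok: bool  # self-check or reciprocal-check result (plain MooN: always True)


def moon(values: Sequence[float], criterion: Criterion, m: int) -> Verdict:
    """MooN evaluation logic: N measured values, of which at least M must satisfy
    the criterion for the result to count as satisfied."""
    n = len(values)
    if not 1 <= m <= n:
        raise ValueError(f"M={m} must lie in 1..N={n}")
    passing = sum(1 for v in values if criterion(v))
    return Verdict(safe=passing >= m, passing=passing, diagnosis_ok=True)


def known_answer_self_check(criterion: Criterion, good: float, bad: float) -> bool:
    """Constructed self-check (the 'D' part): feed the evaluation logic one value known
    to pass and one known to fail; a wrong answer on either means the logic is faulty."""
    return criterion(good) and not criterion(bad)


def moond(values: Sequence[float], criterion: Criterion, m: int,
          self_check: Callable[[], bool]) -> Verdict:
    """MooND: MooN plus a self-check. A failed self-check forces the unsafe verdict,
    since the evaluation logic itself can no longer be trusted (fail-safe)."""
    base = moon(values, criterion, m)
    ok = self_check()
    return Verdict(safe=base.safe and ok, passing=base.passing, diagnosis_ok=ok)


def stuck_at_safe_computer(values, criterion, m) -> Verdict:
    """Constructed fault model: a function computer whose output is stuck at
    'everything passes' regardless of the measured values."""
    return Verdict(safe=True, passing=len(values), diagnosis_ok=True)


def one_oo_two_d(values, criterion, m, computer_a, computer_b) -> Verdict:
    """1oo2D as modelled here: two function computers evaluate the same measured values
    independently and monitor each other reciprocally. Either computer demanding the
    safe state wins (1 out of 2); a disagreement is reported as a detected fault."""
    va = computer_a(values, criterion, m)
    vb = computer_b(values, criterion, m)
    agree = (va.safe == vb.safe) and (va.passing == vb.passing)
    return Verdict(safe=va.safe and vb.safe and agree,
                   passing=min(va.passing, vb.passing),
                   diagnosis_ok=agree)


def within_cell_window(v: float) -> bool:
    """Constructed criterion: cell voltage inside a 2.5 V .. 4.2 V operating window."""
    return 2.5 <= v <= 4.2


if __name__ == "__main__":
    cells = [3.70, 3.65, 4.35]   # constructed sample: the third cell is over-voltage
    print(moon(cells, within_cell_window, 3))
    print(one_oo_two_d(cells, within_cell_window, 3, moon, stuck_at_safe_computer))
```

With the sample input, plain 3oo3 voting flags the over-voltage cell, and the 1oo2D pairing of a healthy computer with the stuck-at-safe one reports both the unsafe state and the disagreement. Note that the reciprocal check cannot expose the stuck computer while all cells are in range, which is exactly why a separate self-check is still needed.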
New safety standards (such as ISO 26262) place stringent requirements on controllers on which safety-oriented functions are carried out. The classification is provided using the “ASIL”, on levels ASIL-A to ASIL-D, where ASIL-D places the greatest requirements. A high rating results in a high level of procedural outlay. In addition, more stringent requirements are placed on the verification of compliance with the standard.
The conventional safety concept for battery controllers having a hardware path and a software path for the redundant monitoring of the safety-oriented variables has the following disadvantages:
Costs of the Hardware Path:
Since high voltage battery systems for automotive applications usually comprise a large number of cells (for example 400 V is attained by one hundred 4 V cells connected in series), implementation of the hardware path is costly. The reason is that the safety-oriented parameters need to be monitored individually for each cell (or each module of six cells, for example). This means that each cell (each module) requires the relevant hardware elements (for example comparators) to be installed.
Restricted Complexity of the Monitoring Functions:
Hardware elements can usually provide only simple monitoring functions (for example threshold value monitoring operations). More complex functions, for example the processing of multiple and/or dynamic signals, can be implemented only with a high level of outlay.
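As an added illustration of the two disadvantages just listed (not code from the patent), the following software monitoring path checks every cell of a module against static thresholds, as a comparator would, and additionally evaluates a dynamic signal, the rate of change of each cell voltage, which a simple comparator cannot do because it has no memory of the previous sample. All limit values, the sample readings and the fault categories are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Limits:
    """Constructed limits; real values come from the cell data sheet and safety concept."""
    v_min: float = 2.5       # cell under-voltage threshold [V]
    v_max: float = 4.2       # cell over-voltage threshold [V]
    t_max: float = 60.0      # cell temperature limit [degrees C]
    i_max: float = 200.0     # pack current limit, absolute value [A]
    dv_dt_max: float = 0.5   # largest plausible |dV/dt| of a single cell [V/s]


@dataclass(frozen=True)
class Fault:
    kind: str              # e.g. "overvoltage", "overcurrent", "voltage_rate"
    index: Optional[int]   # cell index, or None for a pack-level quantity
    value: float           # the measured value (or rate) that breached the limit


class CellMonitor:
    """Software monitoring path for one module: static threshold checks per cell
    (what a comparator does) plus a dynamic rate-of-change check, which needs the
    previous sample and is therefore awkward to build in discrete hardware."""

    def __init__(self, limits: Limits) -> None:
        self.limits = limits
        self._prev_v: Optional[List[float]] = None
        self._prev_t: Optional[float] = None

    def check(self, t: float, voltages: Sequence[float], temps: Sequence[float],
              current: float) -> List[Fault]:
        if len(voltages) != len(temps):
            raise ValueError("one temperature reading per cell is expected")
        lim = self.limits
        faults: List[Fault] = []

        # Static checks, one per cell: the same function as the hardware comparator
        # path, but adding a cell costs a loop iteration rather than another comparator.
        for i, v in enumerate(voltages):
            if v < lim.v_min:
                faults.append(Fault("undervoltage", i, v))
            elif v > lim.v_max:
                faults.append(Fault("overvoltage", i, v))
        for i, temp in enumerate(temps):
            if temp > lim.t_max:
                faults.append(Fault("overtemperature", i, temp))
        if abs(current) > lim.i_max:
            faults.append(Fault("overcurrent", None, current))

        # Dynamic check: an implausibly fast voltage change points at a broken sense
        # line or a measurement fault rather than at the cell itself.
        prev_ok = (self._prev_v is not None and self._prev_t is not None
                   and len(self._prev_v) == len(voltages))
        if prev_ok:
            dt = t - self._prev_t
            if dt > 0:
                for i, (v, pv) in enumerate(zip(voltages, self._prev_v)):
                    rate = abs(v - pv) / dt
                    if rate > lim.dv_dt_max:
                        faults.append(Fault("voltage_rate", i, rate))

        self._prev_v = list(voltages)
        self._prev_t = t
        return faults


if __name__ == "__main__":
    mon = CellMonitor(Limits())
    # constructed samples: a clean frame, then a frame with one cell over-voltage and
    # over-temperature, an over-current, and a 0.6 V jump on that cell within 1 s
    print(mon.check(0.0, [3.70, 3.70, 3.70], [25.0, 25.0, 25.0], 50.0))
    print(mon.check(1.0, [3.70, 3.70, 4.30], [25.0, 25.0, 65.0], 250.0))
```

The second frame produces four faults, three of them static threshold breaches and one from the rate check; only the first three could be reproduced by per-cell comparators, and each of those would be a further hardware element per cell.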
The publication DE 11 2004 001 276 T5 discloses a battery set charge/discharge controller in which an apparent charge state value is calculated by a controller. However, this solution has no provision for reduction of the hardware outlay for the implementation of the requisite safety functions.