Safety engineering is a growing field in which engineers use redundancy techniques to mitigate the adverse consequences of an error. For example, space vehicles and aircraft include redundant systems so that if an engine control component fails during flight, another engine control component can be activated to allow the aircraft to land safely.
In a similar regard, timed input/output (I/O) signals in safety-conscious systems can be generated and then subsequently checked to ensure that they were actually delivered correctly. This can be useful in any number of applications. For example, in an automotive system, if an output drive signal (e.g., a sparkplug signal from an engine controller) is provided to an automobile's engine, a feedback signal (derived from the output drive signal that was actually delivered to the engine) can be compared with the original output drive signal to determine whether the output drive signal was, in fact, delivered correctly. Thus, if there is a "bad" connection between the engine controller and the engine itself (or if some other error event occurs), a comparison of the original drive signal and the feedback signal can detect this error, allowing a control system to notify the driver, for example, by illuminating a "check engine" light on the dashboard. In this way, the driver can be informed that an engine problem (e.g., a sparkplug misfire) has occurred and can have the vehicle serviced to remedy the corresponding problem.
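The drive-versus-feedback comparison described above can be illustrated with a small sample-based checker. The following C program is an added example and is not code from the original document; the function name drv_check, the fault codes, the sample arrays and the assumption that the feedback lags the drive signal by at most a few samples are all illustrative choices. The checker distinguishes a feedback line that is stuck low or high (typical of a broken or shorted connection) from a signal that is present but does not match the commanded pulse pattern, while tolerating a bounded propagation delay so that ordinary driver latency is not reported as a fault.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Result of comparing the commanded drive signal with its feedback. */
typedef enum {
    DRV_OK = 0,        /* feedback matches drive within the allowed delay */
    DRV_STUCK_LOW,     /* drive toggled but feedback never went high     */
    DRV_STUCK_HIGH,    /* drive had low phases but feedback never went low */
    DRV_MISMATCH       /* feedback present but pulse pattern differs     */
} drv_fault_t;

/*
 * drive[]   : commanded output, one sample per tick (0/1)
 * fb[]      : feedback sampled from the delivered signal, same tick base
 * n         : number of samples in both arrays
 * max_delay : feedback may lag drive by 0..max_delay samples (assumed bound)
 * tolerance : number of mismatched samples accepted (edge jitter)
 * mismatches: out parameter, best-case mismatch count over all delays
 */
drv_fault_t drv_check(const uint8_t *drive, const uint8_t *fb, size_t n,
                      size_t max_delay, size_t tolerance, size_t *mismatches)
{
    size_t drive_ones = 0, drive_zeros = 0, fb_ones = 0;
    for (size_t i = 0; i < n; i++) {
        if (drive[i]) drive_ones++; else drive_zeros++;
        if (fb[i]) fb_ones++;
    }

    /* A feedback line that never moves is a wiring/driver fault, not jitter. */
    if (drive_ones > 0 && fb_ones == 0) { *mismatches = drive_ones; return DRV_STUCK_LOW; }
    if (drive_zeros > 0 && fb_ones == n) { *mismatches = drive_zeros; return DRV_STUCK_HIGH; }

    /* Align feedback against drive for each permitted delay and keep the best. */
    size_t best = n + 1;
    for (size_t d = 0; d <= max_delay && d < n; d++) {
        size_t mm = 0;
        for (size_t i = d; i < n; i++)
            if ((drive[i - d] != 0) != (fb[i] != 0)) mm++;
        if (mm < best) best = mm;
    }
    *mismatches = best;
    return (best <= tolerance) ? DRV_OK : DRV_MISMATCH;
}

/* Constructed sample waveforms: two drive pulses, 16 ticks. */
static const uint8_t DRIVE[16]       = {0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0};
static const uint8_t FB_DELAYED[16]  = {0,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0}; /* good, 1 tick late */
static const uint8_t FB_STUCK_LOW[16]= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}; /* open connection  */
static const uint8_t FB_LOST_PULSE[16]={0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0}; /* second pulse lost */

/* Convenience wrappers so each scenario can be checked by name. */
drv_fault_t check_good(void)       { size_t m; return drv_check(DRIVE, FB_DELAYED, 16, 2, 0, &m); }
drv_fault_t check_stuck_low(void)  { size_t m; return drv_check(DRIVE, FB_STUCK_LOW, 16, 2, 0, &m); }
drv_fault_t check_lost_pulse(void) { size_t m; return drv_check(DRIVE, FB_LOST_PULSE, 16, 2, 0, &m); }

int main(void)
{
    size_t m;
    static const char *names[] = {"OK", "STUCK_LOW", "STUCK_HIGH", "MISMATCH"};
    printf("delayed feedback : %s (%zu mismatches)\n",
           names[drv_check(DRIVE, FB_DELAYED, 16, 2, 0, &m)], m);
    printf("stuck-low feedback: %s (%zu mismatches)\n",
           names[drv_check(DRIVE, FB_STUCK_LOW, 16, 2, 0, &m)], m);
    printf("lost pulse       : %s (%zu mismatches)\n",
           names[drv_check(DRIVE, FB_LOST_PULSE, 16, 2, 0, &m)], m);
    return 0;
}
```

The delay search is what keeps a healthy driver from being flagged: with max_delay set to the worst-case propagation time of the driver and harness, a feedback waveform that is merely late is accepted, while a missing pulse still shows up as residual mismatches at every candidate alignment. In a real controller the stuck-low and stuck-high cases would typically be routed to a different reaction (e.g., disable the stage) than a transient mismatch, which is why they are reported as distinct codes.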
In safety-critical power systems with power switches (e.g., metal-oxide-semiconductor field-effect transistors (MOSFETs) or insulated gate bipolar transistors (IGBTs)), there is a need to analyze the functional blocks of the power system before starting operation of the system, to avoid damage in case some functional block malfunctions. Furthermore, diagnostic capability is needed during runtime to detect aging effects or to analyze sudden failures.
A standard output of a normal control device is not capable of directly driving the control input (gate) of a power switch. Therefore, a gate driver component with its own power supply is needed to amplify the control signals and adapt them to the requirements of the power switch. To avoid losses and to ensure correct switching behavior, the gate driver components are normally located close to the power switch.
In some cases, the gate driver component introduces a galvanic isolation barrier between the control device and the power switch, since the two do not share the same reference potential. Here, the gate driver comprises a "low-voltage" primary side, which is connected to the "low-power" control device, and a "high-voltage" secondary side, which is connected to the power switch, the primary side and the secondary side being separated by the galvanic isolation barrier. As a consequence, the diagnostic capability of the complete system is reduced, since it is rather expensive to transfer analog values across the barrier under these conditions.
Especially when performing a Failure Mode and Effects Analysis (FMEA), run-time tests, in particular sanity-check mechanisms, are very helpful for implementing a safety concept that specifies that a device must react in a defined way even if, for example, pin connections fail.
In addition, some applications require a so-called "limp home" functionality: even if a component fails, other parts of the system have to continue working so that a minimum level of functionality is maintained for a certain time (for example, a 3-phase motor can run on two phases, but with lower performance). Depending on the root cause of the failure, different limp home strategies have to be applied. Therefore, detailed knowledge about the cause of an error, i.e., diagnostic capability, is needed.
There therefore exists a need for an apparatus and method offering a sanity check mechanism for driver units for switches, in particular power switches, which is both flexible and cost effective.