The present invention relates to a method for checking the plausibility of safety-relevant variables, a data processing unit for performing the method and to an electrical converter for an electric or hybrid vehicle with the data processing unit.
The following discussion of related art is provided to assist the reader in understanding the advantages of the invention, and is not to be construed as an admission that this related art is prior art to this invention.
Products which are manufactured for industrial applications, but also for end consumers, must be technically and functionally designed such that their use does not put the safety of persons or the environment at risk. For the vehicles offered by the automotive industry, for instance, safe use, with or without restrictions, must in most cases be maintained in the event of malfunctions; at the very least a safe shutdown must be ensured. To this end, safety-relevant components and systems which have to fulfil special safety requirements are identified in the motor vehicle.
Faulty functions, inadequate availability or a complete failure of these safety-relevant components or systems can endanger persons, dependent components and systems, and also processes, so that a potential risk arises which has to be examined more closely.
A method known from the industrial environment, the Safety Integrity Level (SIL), is applied in order to determine the potential risks to which persons, dependent components and systems, and processes are exposed in the event of malfunctions of industrial products, for example, and the degree of risk reduction that a safety function must therefore provide.
The basis for the specification, design and operation of potentially high-risk components or systems in products or industrial plants is formed by the International Electrotechnical Commission (IEC) standard IEC 61508.
Particularly for the automotive industry, and thus also for the development and use of electric or hybrid vehicles, the automotive standard ISO 26262 was introduced, which replaces the SIL specifications of the industrial environment with the more suitable Automotive Safety Integrity Level (ASIL). The basic idea of the ASIL method is to evaluate the functions of components or systems with respect to their potential risks and to classify them accordingly. ASIL thus evaluates in particular the risks of potentially safety-relevant functions which arise in the event of a malfunction in the vehicle and which may affect the safety of the driver and of other road users.
The ASIL method has four levels of risk, labelled with the letters A, B, C and D. In the usual rule of thumb, each level represents a risk potential ten times higher than that of the previous level, so that while ASIL-A has the lowest level of risk, ASIL-D corresponds to a risk potential roughly ten thousand times higher than ASIL-A. (The standard itself derives the ASIL qualitatively from the severity, exposure and controllability of the hazard rather than from a numerical risk factor.)
The safety-relevant functions which are identified and evaluated for electric or hybrid vehicles by means of the ASIL method, and which are implemented for instance in the form of control functions in the converter of the electric drive system, in most cases require a plurality of external and internal parameters for their implementation, comprising both measured and calculated variables.
These measured or calculated variables, which the safety-relevant functions process or generate, are therefore themselves safety-relevant variables and must likewise be evaluated by means of the ASIL method. It is irrelevant in this context whether the safety-relevant variable has a physical basis or some other basis, for example an exclusively mathematical one.
Decisive for the use of safety-relevant variables in conjunction with safety-relevant functions classified by ASIL is that the safety-relevant variables must be evaluated and verifiably checked, in other words plausibility checked, for the correspondingly specified or required ASIL level of risk, also referred to below as the safety level or ASIL level.
If, for instance, a safety-relevant variable is required that has to meet the requirements of ASIL level D but so far only fulfils those of ASIL level A, measures must be taken to ensure that this safety-relevant variable meets the requirements of the higher ASIL level. Only a safety-relevant variable assigned to the higher ASIL level may then be used for safety-relevant functions whose potential failure is associated with the correspondingly higher potential risk.
To ensure that a safety-relevant variable can be raised from a lower safety level to a higher safety level, a plausibility check of the safety-relevant variable is therefore generally performed, to which specific plausibility rules are applied.
A plausibility rule may mean that, instead of one measurement, at least two or more independent measurements of the safety-relevant variable have to be performed for the higher safety level. Known evaluation methods then yield a valid statement as to whether the safety-relevant variable meets the requirements of the higher safety level. With three independent measurements, for instance, the known "two out of three" (2oo3) evaluation method can be applied, so that the requirements of the higher safety level are still fulfilled for the safety-relevant variable even if one measurement fails.
Nevertheless, the technical and administrative outlay cannot be ignored if several measurements have to be maintained for a single safety-relevant variable; the use of a plurality of suitable measuring points also evidently increases the need for maintenance measures.
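As an added illustration of the "two out of three" evaluation just described (example code written for this page, not taken from the patent), the following C routine votes over three independent measurement channels of one safety-relevant variable. The tolerance band, the channel values and the handling of a channel that reports itself as faulty are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed example, not from the patent: two-out-of-three (2oo3) voting
 * over three independent measurement channels of one safety-relevant
 * variable. Tolerance band and sample readings are assumed for illustration. */

typedef struct {
    double value;
    bool   valid;   /* false when the channel itself reports a fault or out-of-range */
} channel_t;

typedef enum { VOTE_OK, VOTE_DEGRADED, VOTE_FAIL } vote_status_t;

typedef struct {
    vote_status_t status;
    double        value;  /* voted value; only meaningful if status != VOTE_FAIL */
} vote_result_t;

static double absdiff(double a, double b) { return a > b ? a - b : b - a; }

/* Median of three by comparison, so the result is exactly one of the inputs. */
static double median3(double a, double b, double c)
{
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* 2oo3 vote: at least two valid channels must agree within 'tol'.
 *  all three agree            -> VOTE_OK, median of the three
 *  exactly two agree          -> VOTE_DEGRADED, mean of the pair (one channel
 *                                lost, the higher safety level is still met)
 *  a~b and b~c but not a~c    -> VOTE_DEGRADED, the middle value
 *  no agreeing pair           -> VOTE_FAIL, the variable must not be used */
vote_result_t vote_2oo3(const channel_t ch[3], double tol)
{
    vote_result_t r = { VOTE_FAIL, 0.0 };
    bool agree[3] = { false, false, false };
    int pairs = 0;

    for (int i = 0; i < 3; i++)
        for (int j = i + 1; j < 3; j++)
            if (ch[i].valid && ch[j].valid &&
                absdiff(ch[i].value, ch[j].value) <= tol) {
                pairs++;
                agree[i] = agree[j] = true;
            }

    double v[3];
    int n = 0;
    for (int i = 0; i < 3; i++)
        if (agree[i]) v[n++] = ch[i].value;

    if (n == 0) return r;
    if (n == 2) {
        r.status = VOTE_DEGRADED;
        r.value  = (v[0] + v[1]) / 2.0;
        return r;
    }
    r.value  = median3(v[0], v[1], v[2]);
    r.status = (pairs == 3) ? VOTE_OK : VOTE_DEGRADED;
    return r;
}

/* Helper for building a case: bit i of valid_mask marks channel i as valid. */
vote_result_t vote_case(double a, double b, double c, unsigned valid_mask, double tol)
{
    channel_t ch[3] = {
        { a, (valid_mask & 1u) != 0 },
        { b, (valid_mask & 2u) != 0 },
        { c, (valid_mask & 4u) != 0 },
    };
    return vote_2oo3(ch, tol);
}

int main(void)
{
    /* Constructed sample: channel 2 reads far off, the other two agree. */
    vote_result_t r = vote_case(100.0, 100.5, 150.0, 7u, 1.0);
    printf("status=%d value=%.2f\n", (int)r.status, r.value);
    return 0;
}
```

The degraded status is the point of the rule: one lost or outlying channel still leaves a result that satisfies the higher level, but it should be reported so that the fault can be diagnosed before a second channel is lost. The case where the channels agree only as a chain (a with b and b with c, but not a with c) is treated as degraded as well, since the tolerance band has been stretched to twice its width.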
A further possibility for determining and plausibility checking a safety-relevant variable is to calculate it from one or more additional safety-relevant variables which already fulfil the requirements of a higher safety level. These additional safety-relevant variables stand in a physical or mathematical dependency relation to the safety-relevant variable still to be plausibility checked, and this technical relation allows the variable to be transformed to the higher safety level.
If a safety-relevant variable is plausibility checked for a higher safety level in accordance with this known procedure, however, this is possible during operation only by continuously checking this one safety-relevant variable by means of the transformation. If several safety-relevant variables which lie one below another in the dependency chain mentioned above are to be plausibility checked as simultaneously as possible and raised to a higher safety level, the plausibility check is carried out by a corresponding number of transformations running in parallel, the software functions or corresponding hardware functions designed for this purpose being invoked and executed at the same time. These continuously running, parallel plausibility functions, implemented as software, frequently generate a permanently high computing load, and the outlay for suitable hardware must also be taken into account.
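The transformation-based check and its chained, cyclically repeated form described in the two paragraphs above, as an added C example written for this page rather than code from the patent: a lower-level measured variable is compared each cycle with the value implied by higher-level variables, inherits their level while the relation holds, and is demoted after a run of misses. The converter relations used (motor power from DC-link voltage and current, torque from power and angular speed), the tolerance bands, the debounce count and all sample values are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed example, not from the patent: plausibility check of a
 * lower-level variable by transformation from variables that already fulfil
 * a higher level, run cyclically and chained. The relations p = u_dc * i_dc
 * and torque = p / omega are assumed for illustration only. */

typedef enum { ASIL_QM = 0, ASIL_A, ASIL_B, ASIL_C, ASIL_D } asil_t;

typedef struct {
    const char *name;
    double      value;   /* current sample of the variable */
    asil_t      level;   /* safety level the variable fulfils right now */
} variable_t;

typedef struct {
    variable_t       *target;                 /* variable still to be plausibility checked */
    const variable_t *in[2];                  /* variables it depends on */
    double          (*expected)(const variable_t *a, const variable_t *b);
    double            rel_tol;                /* relative band of the relation */
    double            abs_tol;                /* floor so the band never collapses to zero */
    int               max_misses;             /* consecutive misses tolerated (debounce, assumed) */
    int               misses;                 /* running counter */
    bool              faulted;                /* latched once max_misses is exceeded */
} rule_t;

static double absd(double x) { return x < 0 ? -x : x; }
static asil_t min_level(asil_t a, asil_t b) { return a < b ? a : b; }

/* One cycle of a time-continuous check. On a hit the target inherits the
 * weaker of its input levels; after too many consecutive misses it is latched
 * at QM, since a persistently implausible value must not be trusted at any
 * level until the fault is cleared explicitly. Returns true while plausible. */
bool rule_cycle(rule_t *r)
{
    double exp = r->expected(r->in[0], r->in[1]);
    if (absd(r->target->value - exp) <= r->rel_tol * absd(exp) + r->abs_tol) {
        r->misses = 0;
        if (!r->faulted) {
            asil_t c = min_level(r->in[0]->level, r->in[1]->level);
            if (c > r->target->level) r->target->level = c;
        }
        return !r->faulted;
    }
    if (++r->misses > r->max_misses) {
        r->faulted = true;
        r->target->level = ASIL_QM;
    }
    return !r->faulted;   /* a transient miss is tolerated, level unchanged */
}

/* Assumed converter relations used by the two rules below. */
static double dc_power(const variable_t *u, const variable_t *i) { return u->value * i->value; }
static double torque_from_power(const variable_t *p, const variable_t *w) { return p->value / w->value; }

/* Runs the chain p_motor <- (u_dc, i_dc), torque <- (p_motor, omega) over a
 * constructed sequence: 4 good cycles, 'bad_cycles' cycles in which the
 * measured motor power is 25 % off, then 4 good cycles. Rules are evaluated
 * in dependency order so a demotion propagates down the chain. */
void run_chain_demo(int bad_cycles, asil_t out_levels[2])
{
    variable_t u_dc  = { "u_dc",    400.0,   ASIL_D };
    variable_t i_dc  = { "i_dc",     50.0,   ASIL_D };
    variable_t omega = { "omega",   100.0,   ASIL_D };
    variable_t p_mot = { "p_motor", 19500.0, ASIL_A };  /* 2.5 % below u_dc*i_dc */
    variable_t torq  = { "torque",    193.0, ASIL_A };  /* ~1 % below p_motor/omega */

    rule_t rules[2] = {
        { &p_mot, { &u_dc,  &i_dc  }, dc_power,          0.05, 1.0, 2, 0, false },
        { &torq,  { &p_mot, &omega }, torque_from_power, 0.05, 0.1, 2, 0, false },
    };

    for (int cycle = 0; cycle < 4 + bad_cycles + 4; cycle++) {
        bool bad = cycle >= 4 && cycle < 4 + bad_cycles;
        p_mot.value = bad ? 25000.0 : 19500.0;
        for (int k = 0; k < 2; k++) rule_cycle(&rules[k]);
    }
    out_levels[0] = p_mot.level;
    out_levels[1] = torq.level;
}

asil_t demo_power_level(int bad_cycles)  { asil_t l[2]; run_chain_demo(bad_cycles, l); return l[0]; }
asil_t demo_torque_level(int bad_cycles) { asil_t l[2]; run_chain_demo(bad_cycles, l); return l[1]; }

int main(void)
{
    printf("no fault:  p_motor=%d torque=%d\n", (int)demo_power_level(0), (int)demo_torque_level(0));
    printf("3 misses:  p_motor=%d torque=%d\n", (int)demo_power_level(3), (int)demo_torque_level(3));
    return 0;
}
```

Two points the code makes concrete: the level a rule can confer is bounded by the weaker of its inputs, so the torque check can only reach ASIL-D once the motor power it depends on has itself been raised in the same cycle, which is why the rules must run in dependency order; and every rule is evaluated on every cycle whether or not anything changed, which is exactly the permanent computing load the paragraph above describes.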
It would therefore be desirable and advantageous to provide an improved method for checking the plausibility of safety-relevant variables which obviates prior art shortcomings and is of simple and inexpensive structure while yet being reliable in operation.