EP4152293A1

EP4152293A1 - A system for monitoring a driving operation of a vehicle

Info

Publication number: EP4152293A1
Application number: EP21020467.3A
Authority: EP
Inventors: Mohammed AL-SAYED
Original assignee: 2go Solutions Ug Haftungbeschrankt
Current assignee: 2go Solutions Ug Haftungbeschrankt
Priority date: 2021-09-17
Filing date: 2021-09-17
Publication date: 2023-03-22

Abstract

The present invention relates to systems and methods for monitoring driving operations of vehicle travelling along a travel route in an operating area of the system. The system comprising a central data processing and control unit (CECU), a plurality of environmental sensors placed at a respective plurality of fixed locations distributed in the operating area at least along the travel route, and may further comprise a vehicle control unit (VECU), which is provided in the vehicles. The vehicles comprise a main vehicle control unit that is configured to automatedly control at least one driving operation of the vehicle based on vehicle sensory driving data obtained by at least one sensor of the vehicle while travelling along the travel route, the main vehicle control unit being configured to send vehicle driving data to be received by the CECU, the vehicle driving data comprising the vehicle sensory driving data and drive decision data generated by the main vehicle control unit, and to receive processed drive data (PDD) sent from the CECU. Each of the environmental sensors is configured to detect real-time environmental data for its respective fixed location on and along the travel route, the real-time environmental data including surrounding environmental data on a continuous basis, and wherein each of the environmental sensors is in data connection with the CECU and configured to send the environmental data to the CECU via the data connection. The CECU is located remotely from the plurality of environmental sensors and remotely from the at least one vehicle and comprises various data interfaces for communication with the vehicles and the environmental sensors, respectively.

Description

The present invention relates to systems and methods for monitoring at least one driving operation of at least one vehicle. The system comprises a plurality of environmental sensors that collect real-time environmental sensor surrounding environment data that is sent to a central data processing unit. Vehicle driving data of vehicles in connection with the central data processing unit are also sent to the central processing unit and are combined with the environmental sensor data. The system is thus able to draw a complete map that is used to generate driving operation signals for the vehicles, particularly to monitor driving operations, and in potentially dangerous situations take control by sending a brake control signal to increase safety on the road.

Background

The development of autonomous vehicles is not only filled with innovations, investment, and opportunity, but also with uncertainty, doubt, and risk. The technological advancements seen over the last period are huge, and undeniable, yet striking up a good balance between safety and commercial liability remains in question.
The current autonomous vehicle technology solutions that exist today or are being currently in the development phase have several challenges that can be deemed as "road-blockers". These road-blockers can be summarized as cyber security, and other threats, several regulatory and industrial and technological challenges, and issues related to ensuring safety for all stakeholders. Thus, a balance must be found between the amount of cost and effort needed to achieve an unclearly defined safety level and the risk of not achieving this level, which is very abstract at best. The industrial challenge that requires a solution at the moment is to find a way to achieve simultaneous data acquisition, manipulation, and processing in real time, and to provide output as drive instructions within a safety tolerance time interval.
This is currently not possible due to limited available state-of-the-art processing capabilities / technologies, environmental conditions requirements, or wireless connection requirements. In addition, there is a large amount of data processing needed to be carried out with limited technological capacity, and at the same time there is finite time needed for processing - given safety requirements related to a fault tolerance time interval. These can be summarized as technological and wireless network speed requirements. The existing solutions rely heavily on the vehicle itself to achieve everything, and within very short period of time. This, however, significantly increases system complexity, the need for computer power, which given the finite resources available in the vehicle becomes close to impossible to achieve with current technologies. And at the same time, this reduces the level of safety due to the lack of additional independent layers of protection.

Summary of the invention

It is therefore an object of the present invention to provide a system and method for monitoring at least one driving operation of at least one vehicle that addresses the aforementioned problems. More specifically, it is an object of the present invention to provide a system and method for monitoring a projected drive decision of at least one vehicle and to prevent a potentially dangerous situation by ensuring that a safe state of the vehicle is achieved, such as a stop by activating the brake system of the vehicle. A potentially dangerous situation is to be understood as any undesired event that could lead to undesired consequences on health, environment, assets, etc., such as damage, injuries, loss of life, etc.
For solving the object, systems and methods for monitoring at least one driving operation of at least one vehicle according to the independent claims are provided. Preferred embodiments and further developments are defined in the dependent claims.
According to an aspect, a system for monitoring at least one driving operation of at least one vehicle is provided. The system comprises a central data processing and control unit (CECU) and a plurality of environmental sensors placed at a respective plurality of fixed locations distributed in the operating area at least along the travel route and connected to the CECU, as well as a vehicle control unit (VECU) that provided in the at least one vehicle. The at least one vehicle comprises a main vehicle control unit that is configured to automatedly control at least one driving operation of the vehicle based on vehicle sensory driving data obtained by at least one sensor of the vehicle while the vehicle is travelling along the travel route. The main vehicle control unit is in data connection with the CECU to send vehicle driving data to the CECU, the vehicle driving data comprising the vehicle sensory driving data and drive decision data generated by the main vehicle control unit. The main vehicle control unit is further configured to receive processed drive data (PDD) from the CECU.
Each of the environmental sensors is configured to detect real-time environmental data for the respective fixed location, the real-time environmental data including surrounding environment data on a continuous basis, the environmental sensors each being in data connection with the CECU and configured to send the environmental data to the CECU via the respective data connection.
The CECU is located remotely from the plurality of environmental sensors and remotely from the at least one vehicle. The CECU comprises a first CECU data interface, configured to receive the environmental data via the data connection from the plurality of environmental sensors, a second CECU data interface, configured to receive the vehicle driving data sent from the at least one vehicle's main vehicle control unit, and a third CECU data interface, configured to send processed drive data (PDD) to the at least one vehicle's main vehicle control unit.
The CECU is configured to process the received data, including the environmental data and the vehicle driving data, to obtain the processed drive data (PDD) and a CECU drive decision (CDD), wherein the CECU is further configured to compare the drive decision received from the at least one vehicle's main vehicle control unit with the obtained CDD, to obtain a confirmation of the drive decision in case the comparison does not cause a conflict, or in case the comparison causes a conflict, to generate an emergency control signal and to send the emergency control signal to the VECU to cause the VECU to initiate an emergency action to prevent a potentially dangerous situation. The VECU is in direct data connection with the CECU to directly receive the emergency control signal from the CECU and is in further data connection to at least one drive control system of the vehicle to cause the drive control system to perform the emergency action.
According to another aspect, a method for monitoring at least one driving operation of at least one vehicle is provided. A system for monitoring at least one driving operation of at least one vehicle is provided, preferably the system described above, the system comprising a central data processing and control unit (CECU), a plurality of environmental sensors placed at a respective plurality of fixed locations distributed in the operating area at least along the travel route, and a vehicle control unit (VECU), which is provided in the at least one vehicle.
The at least one vehicle comprises a main vehicle control unit that automatedly controls at least one driving operation of the vehicle based on vehicle sensory driving data obtained by at least one sensor of the vehicle, the main vehicle control unit being in data connection with the CECU, the method comprising sending, by means of the main vehicle control unit, via the data connection, vehicle driving data to the CECU, the vehicle driving data comprising the vehicle sensory driving data and drive decision data generated by the main vehicle control unit, and receiving, by means of the main vehicle control unit, via the data connection, processed drive data (PDD) from the CECU.
The method then further comprises the following steps:

detecting, by means of the plurality of environmental sensors, real-time environmental data for the respective fixed location, the real-time environmental data including surrounding environment data on a continuous basis;
sending, by means of the plurality of environmental sensors, the environmental data to the CECU, the environmental sensors each being in data connection with the CECU;
receiving, by means of the CECU at a first CECU data interface, the environmental data via the data connection from the plurality of environmental sensors;
receiving, by means of the CECU at a second CECU data interface, the vehicle driving data sent from the at least one vehicle's main vehicle control unit;
sending, by means of the CECU at a third CECU data interface, processed drive data (PDD) to the at least one vehicle's main control unit;
processing, by means of the CECU, the received data, including the environmental data and the vehicle driving data, to obtain the processed drive data (PDD) and a CECU drive decision (CDD);
comparing, by means of the CECU, the drive decision received from the at least one vehicle's main vehicle control unit with the obtained CDD, and obtaining a confirmation of the drive decision in case the comparison does not cause a conflict, or in case the comparison causes a conflict, generating an emergency control signal and sending the emergency control signal to the VECU to cause the VECU to initiate an emergency action to prevent a potentially dangerous situation, wherein in this case, the method further comprises
directly receiving, by means of the VECU, via a direct data connection with the CECU, the emergency control signal from the CECU, wherein the VECU is in further data connection to at least one drive control system of the vehicle to cause the drive control system to perform the emergency action.

Preferably, the drive control system that is in data connection with the VECU is a brake system of the vehicle, wherein the emergency control signal is a brake control signal that causes the VECU to activate the brake system of the vehicle as the emergency action. Activating the brake system, thereby possibly bringing the vehicle to a full stop, is an effective way to prevent potentially dangerous situations, such as collision with another object.
According to one embodiment, the vehicle's main vehicle control unit is in data connection with the vehicle's VECU, such that the data connection between the main vehicle control unit and the CECU is provided via the VECU, wherein the VECU is configured to receive the vehicle driving data from the main vehicle control unit and forward the vehicle driving data to the CECU, wherein the VECU is further configured to receive the PDD from the CECU and forward the PDD to the main vehicle control unit.
According to another embodiment, the vehicle's main vehicle control unit is in data connection with the CECU, such that the data connection between the main vehicle control unit and the CECU is provided in a direct manner, wherein the main vehicle control unit is configured to directly send the vehicle driving data to the CECU and further to directly receive the PDD from the CECU.
The VECU may be configured as an independent component with respect to the main vehicle control unit, such that the emergency control signal that is sent by the CECU can be received directly by the VECU, which will initiate the emergency action to prevent a potentially dangerous situation unseen or unrecognized by the main vehicle control unit, or to avoid unsafe actions that the main vehicle control unit intends to take. Providing the VECU as an independent component particularly means that the VECU will have the independence to respond to the request of the CECU (e.g. power, etc.) and will also have a higher priority on the emergency action than the main vehicle control unit.
According to another aspect a system for monitoring at least one driving operation of at least one vehicle is provided. The system comprises a central data processing and control unit (CECU), and a plurality of environmental sensors placed at a respective plurality of fixed locations distributed in the operating area at least along the travel route. The at least one vehicle comprises a main vehicle control unit that is configured to automatedly control at least one driving operation of the vehicle based on vehicle sensory driving data obtained by at least one sensor of the vehicle, the main vehicle control unit being in data connection with the CECU to send vehicle driving data to the CECU, the vehicle driving data comprising the vehicle sensory driving data and drive decision data generated by the main vehicle control unit, and to receive processed drive data (PDD) from the CECU.
ad, wherein Each of the plurality of environmental sensors is configured to detect real-time environmental data for its respective fixed location, the real-time environmental data including surrounding environment data on a continuous basis, and wherein each of the environmental sensors is in data connection with the CECU configured to send the environmental data to the CECU.
The CECU is located remotely from the plurality of environmental sensors and remotely from the at least one vehicle. The CECU comprises a first CECU data interface, configured to receive the environmental data via the data connection from the plurality of environmental sensors, a second CECU data interface, configured to receive the vehicle driving data sent from the at least one vehicle's main vehicle control unit, and a third CECU data interface, configured to send processed drive data (PDD) to the at least one vehicle's main vehicle control unit. The CECU is configured to process the received data, including the environmental data and the vehicle driving data, to obtain the processed drive data (PDD) and a CECU drive decision (CDD), wherein the CECU is further configured to compare the drive decision received from the at least one vehicle's main vehicle control unit with the obtained CDD, to obtain a confirmation of the drive decision in case the comparison does not cause a conflict, or in case the comparison causes a conflict, generate an emergency control signal and send the emergency control signal to at least one drive control system of the vehicle to cause the drive control system to perform an emergency action to avoid collision of the vehicle with another object.
The drive control system comprises a drive control unit that may be configured as an independent vehicle control unit with respect to the main vehicle control unit of the respective vehicle, wherein the drive control unit is configured to receive a drive control signal from the main vehicle control unit to control at least one driving operation of the at least one vehicle, and/or further configured to receive the emergency control signal from the CECU to perform the emergency action as the driving operation.
According to still another aspect, a method for monitoring at least one driving operation of at least one vehicle is provided. A system for monitoring at least one driving operation of at least one vehicle is provided, preferably the system described above, the system comprising a central data processing and control unit (CECU), and a plurality of environmental sensors placed at a respective plurality of fixed locations distributed in the operating area at least along the travel route.
The at least one vehicle comprises a main vehicle control unit that automatedly controls at least one driving operation of the vehicle based on vehicle sensory driving data obtained by at least one sensor of the vehicle, the method comprising sending, by means of the main vehicle control unit, vehicle driving data to be received by the CECU, the vehicle driving data comprising the vehicle sensory driving data and drive decision data generated by the main vehicle control unit, and receiving, by means of the main vehicle control unit, processed drive data (PDD) sent from the CECU.
The method then further comprises the following steps:

detecting, by means of the plurality of environmental sensors that is placed at a plurality of fixed locations along at least one environmental road, real-time environmental data for the respective fixed location, the real-time environmental data including surrounding environment data on a continuous basis,
sending, by means of the plurality of environmental sensors, the environmental data to the CECU, the environmental sensors each being in data connection with the CECU;
receiving, by means of the CECU at a first CECU data interface, the environmental data via the data connection from the plurality of environmental sensors;
receiving, by means of the CECU at a second CECU data interface, the vehicle driving data sent from the at least one vehicle's main vehicle control unit;
sending, by means of the CECU at a third CECU data interface, processed drive data (PDD) to be received by the at least one vehicle's main control unit;
processing, by means of the CECU, the received data, including the environmental data and the vehicle driving data, to obtain the processed drive data (PDD) and a CECU drive decision (CDD);
comparing, by means of the CECU, the drive decision received from the at least one vehicle's main vehicle control unit with the obtained CDD, and obtaining, by means of the CECU, a confirmation of the drive decision in case the comparison does not cause a conflict, or in case the comparison causes a conflict, generating, by means of the CECU, an emergency control signal and sending the emergency control signal to at least one drive control system of the vehicle to cause the drive control system to perform an emergency action to prevent a potentially dangerous situation;

receiving, by the drive control unit, a drive control signal from the main vehicle control unit to control at least one driving operation of the at least one vehicle, or
receiving, by the drive control unit, the emergency control signal from the CECU to perform the emergency action as the driving operation.

Preferably, in the system according to this aspect, the drive control system is a brake system of the vehicle, wherein the emergency control signal is a brake control signal that activates the brake system of the vehicle as the emergency action.
The main vehicle control unit according to this aspect of the invention may either communicate directly with the CECU as described above or via the drive control unit."
In any one of the aforementioned systems, the CECU may be configured to generate the emergency control signal also in case the at least one vehicle's main vehicle control unit is not able to receive the CDD or is not responsive to the CECU sending the CDD.
The vehicle driving data may further comprise drive intention data including information about at least one of a destination, remaining distance and route choice, wherein the CECU may be configured to send the PDD based on the respective drive intention data to the at least one vehicle's main vehicle control unit to support the main vehicle control unit with generating its drive decision data.
The roadside data may include at least one of the environmental sensor's own location, surrounding environment data, the surrounding environment data including at least one of, preferably both of, fixed and time changing data from and around the road on a continuous basis. The surrounding environment data preferably includes real time environment data surrounding the respective environmental sensor, including at least one of a moving object's size, shape, movement speed, movement direction, and GPS coordinates.
In an embodiment, which may likewise apply to all above-described safety systems, the CECU may comprise a fourth CECU data interface, configured to receive at least one of a high-definition 3D life digital map, cloud points, and imaging data.
The CECU may be further configured to assemble all received data in real time and lay them as per its GPS coordinates on corresponding location maps, preferably high-definition 3D maps, and further to obtain the CDD related to vehicle driving data received from the at least one vehicle. The CECU may still further be configured to lay all data as per their GPS coordinates on at least one corresponding location map to create a real-time three-dimensional map, preferably as a high-definition digital map.
Preferably, the data connection between the environmental sensors and the CECU is a wired data connection, preferably a high-speed internet cable connection. Alternatively, a wireless data connection may be provided.
The present invention provides a system and method, particularly an independent system and method, respectively, for monitoring at least one driving operation of at least one vehicle that is capable of providing the needed information within the time needed, thereby enabling or at least increasing, more specifically significantly increasing safe autonomous driving. A vehicle is, however, capable of making its own drive decisions given the sensory data it receives from its own sensors, sending such data to the CECU and further able to receive processed drive data from the CECU, and process it to modify its drive decision. For instance, the system can take a vehicle to a safe state by activating the brake system of the vehicle should the vehicle's drive decision be deemed unsafe by the CECU. Therefore, the system and method according to the invention are referred to as "safety system" and safety method, respectively, throughout this disclosure for the sake of simplicity.
The systems and methods of the present invention are capable of effectively preventing dangerous situations for each vehicle connected. Examples of dangerous situations may include collision with an object, including moving objects (such as other vehicles, persons on the road, animals etc.) and non-moving objects (such as buildings, walls, trees, street infrastructure, or also holes in the road, etc.). Potentially dangerous situations in the sense of the present disclosure may also be referred to as "undesired events or consequences", which generally may include for instance potential loss of life, property, environment, asset, reputation, etc.
The environmental sensors may be arranged along a travel route in various ways. It may be advantageous to use existing infrastructure where the sensors are attached to, such as street-lamps, street signs, buildings, etc. They may, however, also be constructed separately. They are placed at fixed locations along a travel route, such as a road, where it is preferably to choose a distance between the sensors that is suitable to create a complete image without gaps. Apart from that, it will be appreciated that the present disclosure is not limited by referring to a "travel route". The travel road may be a single road but may also comprise one road or a plurality of roads (i.e. "at least one road"). It is further to be understood that term like "travel route" or "road" are to be understood in a general sense that includes any travel path that may be accessible by a vehicle to travel there along. This particularly shall include any routes in any type of traffic or transportation network, including paved and unpaved routes, such as roads, streets, pathways, highways, freeways, other travel routes, etc. The term "environmental" may especially refer to a "roadside" but is to be understood accordingly in a general sense, i.e. not limited to a "side of a road", but may refer to any location along the respective travel route, which is also not limited to a "side" location but shall also comprise any sensor location which is suitable to allow the environmental sensors to detect "real-time environmental data", including e.g. positions above the respective travel route.
The invention will be of great benefit to the automotive industry and in particular the autonomous driving technology. The system and method according to the present invention will achieve the following advantages. It will increase safety by adding redundancy of the safety system sensory, communication, and processing units; It will reduce the required computational load as well as power placed on the autonomic vehicle safety system; and it will reduce the residual risk of cyber security threats.
The features described above and below for the systems equally apply for the respective method.

Brief description of the drawings

Preferred embodiments of the present invention are described in more detail below with reference to the drawings. In the drawings:

Fig. 1: shows a schematic illustration of an embodiment of a system according to the invention.
Fig. 2: shows a schematic representation of components of a system and their connection according to a first embodiment.
Fig. 3: shows a schematic representation of components of a system and their connection according to a second embodiment.
Fig. 4: shows a schematic representation of the components of a system and their connection according to a third embodiment.

Detailed description of the invention

For the sake of better understanding of the invention, various aspects and topics in this technical field are discussed in detail below. Other proposed, developed or even currently tested techniques are compared with the achievements of the present invention. It will be appreciated that all details described above and below for the safety system are also valid for the corresponding method of the present invention. Further below, the invention is discussed with respect to preferred embodiments, which are not intended to be limiting but are described by way of example and illustrated in the drawings.
The following commonly known terms are used in the description: V2V technologies refer to technologies with only vehicle-to-vehicle communication. V21 technologies refer to vehicle-to-infrastructure communication technologies, and technologies implementing both, i.e. vehicle-to-vehicle and vehicle-to-infrastructure are referred to as V2X technologies.

V2V Technologies

V2V (vehicle-to-vehicle) technologies are currently known. Amongst the proposed autonomous technologies is to follow the strategic line of thought that autonomous-driven vehicles will be connected wirelessly, and exchange information and communicate with one another and with the infrastructure also wirelessly. These wireless devices, that may include e.g. WiFi, global navigation satellite systems, information and entertainment systems ("infotainment systems"), cameras, or automated emergency alert system are typically owned and operated by other (third party) companies and built to different codes in different countries. There are several issues with this approach that has to send, receive, and process data that is neither produced by the same technology, up to the same standard, has the same levels of security, or that even meets the same requirements, i.e. such solutions may require to combine systems that may not be totally compatible. V2V or V2I approaches may be very technically challenging from a legal, technical and data protection laws aspects.
There are many advantages associated with this overall system, which will be discussed over the next points in details.
The advantages may include the reduction to computational power needed in the vehicle, the independence of the safety system, the secure network cable connection in comparison to high risk cyber security threats from the various points of interactions with the current technology of an automated vehicle, the ability to have plenty of time to respond to potentially life threatening situations, the elimination of moral legal questions, as probability of such situations will be in essence negligible. Contrary to existing solutions, according to the present invention vehicles are not connected to each other directly. The proposed solution is an independent system to the vehicle, but shared between all vehicles, that will receive data and information from other vehicles via highspeed wireless network connections, and over network cables from infrastructure elements.
The reduction of computation power needed in the vehicle will be achieved because roadside data and other vehicles driving data will not be received or processed in the at least one connected vehicle, but the vehicle will only process its sensory drive data. The vehicle driving data are sent to the CECU and are centrally processed there. The CECU also receives environmental data from the environmental sensors, which particularly include information about moving objects. This may then be combined with static 3D high-definition maps. After data processing at the CECU, the CECU's drive decision is sent to the vehicles, wherein the VECU can be directly connected to stop the vehicle in case a drive decision from the main vehicle control unit would not be safe. This would achieve an independent safety system. The invention allows plenty of time to respond to potentially life-threatening situations because in the current or suggested autonomic technology, the viewing range of the vehicle is limited and, thus, its reaction time may be too short, whereas the CECU has a complete image of the surrounding environment, due to its direct and real-time interface with the environmental sensors that provide environmental data, i.e. a real-time image of full range.
In addition, having one interface for the vehicle to the CECU instead of many interfaces to other vehicles or infrastructures as defined in the method and system significantly reduces cyber security threats.
In the current autonomic technologies, legal, moral and ethical questions may arise in situations where the auto-nomic drive system must decide between two lives. Given the advance warning provided via the environmental sensors and the central data processing and control unit CECU in the proposed invention, such situations will be eliminated. The discussions and legal debates about such situations will also be eliminated allowing the industry to move forward.
The main benefit of the present invention compared to V2V technologies is the improved data and privacy protection, as well as the avoidance of regulatory and standard issues related to V2V connection. Processing of other vehicle's data and all its computational power is reduced because this is done centrally in the CECU. The cyber security threats related to V2V are reduced.
Compared to V21 technologies, the present invention reduces cyber security threats to vehicles, and also the computation power needed is reduced.
The present invention eliminates all regulatory, compliance, privacy, and technical risks and complications related to V2V or V2X by eliminating V2V and V21 or V2X communication. Of course, there is the road speeds, road signs, traffic lights, and so on that the vehicle's sensory system or maps interacts with, but that is not actively sending environmental data signals, but rather a reflection of an image or road information.

Wireless Technology Standards

One of the complications related to V2V is the lack of a standard that governs wireless equipment use in the Autonomous vehicle technology. To this effect three levels of requirements need to be met, country (Radio Equipment Directive), industry-specific, and cellular requirements. This is combined with radio and telecommunications testing under the IECEE's CB scheme. However, it would be better if the issue can be removed entirely.
The safety system according to the present invention will receive wired information from the infrastructure. There will be no exchange of information between vehicles directly, or between active infrastructure and vehicles. All the information generated by all vehicles connected to the system will be sent in parallel to the CECU and plotted on a high-definition live map. A similar map will also be drawn independently by the vehicle auto pilot and sensory systems given its capabilities and on-board computational powers in each of the connected vehicles. The main vehicle control system can be based on the information in the vehicle to motorically control the vehicle. The safety system according to the present invention will not interfere, so long as the data and drive decisions are similar. However, as soon as differences arise either in the data or in the decisions made, the safety system will react by activating the controlled safe stop (emergency control signal sent from the CECU to the VECU) before the vehicle reaches point of interest of difference between the two systems (control and safety).
This wired concept, removes the need and complexity of having different wireless security standards spreading over geographically different regions. The vehicles will be made to the same requirements, but infrastructure requirements need to match the country of origin.
However, it may add a layer of complications relating to highspeed network cables. Therefore, it is foreseen that the present invention will also connect to infrastructure elements wirelessly, where wired connection is not available. The system will have such capability, and it is within the invention patent to include wired and wireless connections. Of course, the benefits of a wired connection outweigh the cost of potential risk, but as risk acceptance levels vary from one region in the world to another, so does the safety system to fit the regional needs.

Data Protection and Privacy Laws

The current industry practice of V2V solution suggests data exchange between vehicles contrary to existing privacy rules. New data privacy legal requirements e.g. in Germany make things a bit clearer and define what type of data to be released and when such data is allowed to be released. However, it would be better if the risk can be removed entirely.
The safety system according to the present invention does not recommend connecting vehicles to each other. On the contrary, the subject vehicle will sense the presence of other vehicles in its vicinity and make drive maneuvers accordingly. Sensory information that the subject vehicle and other vehicles' sense will be sent to the central data base (CECU), where vehicle actions will be accepted or rejected. An example is change of lane where a first vehicle is approaching with a clear path, and a second vehicle wants to change lane due to an obstacle on the path. The obstacle is not visible to the first vehicle. In this case, the first vehicle's motoric action to speed up will be contrary to the driving action calculated by the CECU of the present invention to slow down and allow the other vehicle to go through. It will further prevent changing the lane to where the obstacle is. It will further notify the first vehicle of the obstacle in the lane of the second vehicle.
The CECU will act as the receiver point of all information coming from all vehicles, infrastructure sensors, point references, and maps. Drive information, destinations, point of departure, arrival, etc. are all information that will be filtered out to reduce the clutter of information needed for safe driving, and speedy response and processing times. On the other hand, information on drive situations and sensory signals received, road conditions, congestion, traffic, etc. will be shared to the system and redistributed on a need-to-drive basis. In particular, the CECU will receive drive data via interface 3, roadside data via interface 2, and static data like 3D HD digital maps via interface 4, and will send back to the vehicle main control unit processed data via interface 5.
The advantages of the invention are manifold. First of all, data privacy laws are too complex and are too difficult to get around. In the absence of the need for such an exchange of data, autonomous solutions can find their way more quickly to the market. Furthermore, it is possible that one vehicle sends corrupt or misinformation to another vehicle prompting unsafe action, either deliberately, or due to cyber-attacks. Second, the need to share data with other vehicles, and breakdown privacy rules and regulations will all be removed. Third, it is not recommendable connecting the vehicles directly to each other or to the infrastructure where information can be directly shared before it is validated. This could lead to cyber security threats.

Cyber Security Threats

A major issue related to current or emerging vehicle technology is cyber security and the potential to send vehicles manipulated sensory data prompting sudden reaction or planned wrong actions. An example is giving instructions of a turn on the road, when there is no turn on the road, but rather a mall entrance. In spite of current legal framework that surrounds vehicle approval and testing regimes, it remains a risk that one cannot live with. One can imagine how easily such cyber security attacks motivated by infinite resources, hate, terrorism, and geopolitical risks can suddenly manifest themselves in the everyday lives of people. Such a risk is called a societal risk, which is defined as a single event that could lead to multiple fatalities. Such a risk that has been previously argued (reference safety case for autonomous driving) as one that cannot be borne by the vehicle manufacturer alone. In the presence of infinite resources and all other factors, such threats should no longer be treated as highly unlikely events. Current industry practice is heading towards the management system approach, which allows companies to reduce the risk by evaluating their entire management system against cyber security threats. This is combined with rigorous testing requirements. However, it would be better if the risk can be removed entirely.
The present invention provides an independent system (wired or wireless) connected to infrastructure that is able to validate the life stream of information coming from the vehicle and mandates a motoric safe state total stop from the vehicle in the event of a mismatch. It relies on sensorics information mapped and provided by the hardwired safety system to validate vehicle sensory data and give it the authorization to drive ahead. It provides high integrity data about road conditions, and any active or projected movement in the projected drive direction of the vehicle with more time to response. The motoric actions of the vehicle will be planned and calculated to ensure a safe, uninterrupted and comfortable ride to the passengers and the road users alike.
Strategic cyber security does not only evaluate the vehicle systems and the companies and the supplier's security systems, but also, it addresses the fundamental questions regarding exchange of information with the outside environment, and their need, timing, security, and redundancy, and safety measures, and safe state.
Although the management approach to deal with cyber security threats combined with rigorous testing may reduce the risk, the risk reduction would not be sufficient. The potential to feed in false signals to multiple automated vehicles simultaneously wirelessly requires a high degree of organized effort possibly using AI. This needs to be synchronized with a potential high-risk area to outline the risk picture. However, with the present invention, this risk is eliminated as the data will be validated via the hard-wired infrastructure-based sensory data. It is also defined what data will be exchanged when, and by whom. This overview will aim at closing the door completely to cyber-attacks in hazardous driving situations. It is not foreseen as a likely situation that countries without high-speed internet cables would experience such a risk.

Level of Integrity or Risk

The level of integrity that the safety systems, which are designed for autonomous vehicles, need to meet is currently not clear. This is already a huge concern to governing and certification bodies. It is argued in "CoMapping: Multi-robot Sharing and Generation of 3D-Maps applied to rural and urban scenarios" by Luis Contreras-Samame et al. (https://hal.archives-ouver-tes.fr/hal-01867743) as well as above, that Cyber Security Threats to vehicle safety could potentially lead to societal risks that cannot be addressed via ISO 26262, the highest Integrity level of which is (ASIL D). Societal risks are single events, the occurrence of which could lead to multiple fatalities. The current ISO 26262 addresses at its highest level of integrity individual risks, those that can at worst case lead to a single fatality, or single household fatalities in the case of a single vehicle containing a family. However, societal risks as is the case with cyber security threats, a single event as described above has the potential to lead to multiple fatalities even if all vehicle functions work as intended. With autonomous vehicles, a single cyber security attack leading to an incident, has the potential to cause everything from multiple fatalities - a category unknown in vehicle automotive safety to country-wide disturbances.
Furthermore, current safety level relies heavily on the driver's reaction to control hazardous situations. In absence of that, the controllability part of the ASIL allocation is dropped, requiring all the current vehicle systems to be at a higher level of integrity.
Furthermore, a large percentage of current accidents data can be traced back to driver error. The driver needs to pay a fine, or even serve time in prison with third degree murder or in some cases first degree murder. In the case of an autonomous vehicle error leading to a fatality, the outrage that such an accident would cause will exponentially increase the risk to intolerable, or unacceptable. That is because, responsibility cannot be so easily traced back to a single driver. Of course, taking into account that autonomous vehicles will maintain road rules, and be one or two orders of magnitude safer than current vehicles. The increase of risk due to outrage is much higher, so the net increase in risk, can be expected to be two to three orders of magnitude higher than current levels.
This means that the safety level of vehicles even if it achieves an ASIL D is not going to be enough. However, by adding the infrastructure safety system with a SIL 4, It would reduce the risk to much lower levels.
This is also on an individual risk level. Cyber security threats for autonomous vehicles can be classified as societal risks, and using the F-N curve tolerance threshold can be shown to be much higher than the current risk level.
The present invention combines the life stream of information coming from road network, i.e. the environmental data, which is wired and the life stream of information coming from the vehicle(s), i.e. the vehicle drive data, which is wireless. The invention including the environmental sensors, the CECU and the interfaces to the vehicle may meet IEC 61508 SIL 4 requirements. The vehicle part of the system which may include the VECU, and the interfaces to the vehicle main control unit, also acts as a second sensor, logic and final element will need to meet the ISO 26262 requirements. The combined level of integrity that this solution will have will equivalent to an ASIL D and a SIL 2-4 depending on the region. In effect 10-7 * 10-8 which would result in a level of integrity of 10-15, which would be significantly safer than current solutions. In fact, other industries have already plenty of such high integrity (SIL 4) safety systems in operation protecting millions of lives across many industries starting with nuclear to air-travel and energy.
Using ISO 26262 in combination with IEC 61508 allows the invention to have two redundant safety systems made up of two sensory parts (in vehicles, and in infrastructure (environmental sensors)), two communication channels (wired and wireless), two logic systems (one in the vehicles, one in the central control center (CECU)), and two final elements activations (one normal vehicle brake system (i.e. via the main vehicle control unit), and one brake activation path (via the VECU)) will afford an unprecedented level of safety and control for the autonomous vehicle technology. However, it may occur that it does not completely eliminate the risk. Further passive infrastructure safety systems can also be implemented.

Level of Complexity

The levels of complexity associated with the current proposed solutions driven by the lack of a strategic overview of the safety case for autonomous vehicles needs desperately to be addressed. Currently, the ADAS as well as V2V and V21 or V2X are all combined to provide information to the vehicle OBC unit(s) (i.e. the On-Board Control Units or the vehicle main control unit as per the invention terminology) responsible for driving. This information is not only subject to network speed, but also to processing speed. Assuming various layers of protection exist event-though they will not be independent, the complexity to merge all the data and make sense of it all lends itself to imagery learning as the only option to solve the problem. This is because it is simply too much for an On-Board-Control until to handle. However, what if this complexity can be taken out of the vehicle, and even functions within the vehicle be distributed? This would make testing easier, reduce the computational load and speed processing time.
According to the present invention, the safety system logic and control until is located in a central location (CECU), which could be country specific. All life-feed information from both vehicles (vehicle drive data via interface 3), and infrastructure elements (environmental data via interface 2) will be sent there, where they will be handled and processed in combination with live updates to high-definition maps (via interface 4) producing life maps and decisions (i.e. the PDD produced in the CECU sent to vehicles via interface 5). These drive decisions (CDD) will act like traffic lights to vehicle proposed actions - actions proposed by the vehicle in drive situations based on its life-stream feed of data. When the feed of vehicle data matches infrastructure data, the actions will be the same, and a conformation ("green light") will be given, but when data streams are not the same after allowing for tolerances and blind spots, both data and drive decisions will not be identical. In case of conflict, an emergency signal will be sent to the VECU to activate the emergency control action (brakes), taking the car to a safe stop.
The way the invention is expected to work is like an independent source of sensory data that the vehicle (any vehicle, more specifically at least one connected vehicle) will have access to, and be able to react to, ahead of time. It is the ability to see behind the curve and adjust driving accordingly. There will be no surprises and no need for short-time response.
To address the high level of complexity associated with even lower levels of autonomy, and the infinite number of situations that may be encountered, high-definition maps and drive decisions are derived from object identification, process, and classification outside of the vehicle in the central system (CECU) using hardwired technology that implements robust cyber security system to its signals and protection to its data.
With the present invention, all the high computer power required, and complexity will be removed from the automated vehicle requirements. In addition, since the infrastructure (environmental data sensors) will provide actual (i.e. live environmental data) and projected data streams, there will be plenty of time for the vehicle to respond and plan its path.
Using the present invention, one stays clear from using the camera and imaging which is very dependent on weather conditions, reflections, and is susceptible for corruption and manipulation.

Independence of Safety System

The current autonomous vehicle technologies use multiple safety systems, but as is the case in most vehicle systems, the hardware is shared as well as the central control unite. Cyber security threats targeted at the vehicle could potentially lead to undesired consequences or dangerous situations. The levels of safety achieved are not fit for the risk described and proposed above. When safety systems are described as independent, this must be understood on multiple folds including: use of difference technology, use of different sensorics inputs, use of redundant signal transmission lines / methods, use of different logic elements, use of redundant final element - brake systems.
According to the present invention, all information received to the central system (CECU) will be verified many times over from the hard-wired (or wireless) infrastructure sensory elements (particularly environmental sensors, which may be added to existing infrastructure, such as streetlamps), from other vehicles on road wirelessly, and from other point source data and maps (fixed data), using wired, secure, tried and proved, highspeed network cables. This adds a second independent layer of safety to the wireless technologies. This means that V2V and V2I communication is significantly reduced, which will significantly reduce the cyber security threats, and radio technology regulatory and standard requirements.
The physical independence of the safety system clears the problem that all safety can be targeted by targeting one vehicle. The safety system of the present invention has two redundant sensory parts (in the vehicles, and in the infrastructure), which may use two different technologies (e.g. lidar and radio frequencies), two different communication channels (wired and wireless), two logic systems (one in the vehicle, one in the CECU), and two final elements activations (one normal vehicle brake system, and one brake system provided by the present invention). The VECU will be independent from the main vehicle control unit to receive the emergency signal from the CECU and activate the control signal accordingly. This second system fulfils impendence requirements and will allow for the level of safety described above to be achieved.
Furthermore, the safety system of the present invention will have a security threat management strategy forbidding its systems (e.g. the main vehicle control unit) from receiving on-drive information that may allow for drive-system manipulations. This is achieved by ensuring that only brake information can be received from the central system (CECU) to the vehicle on-board control unit (main vehicle control unit). Only the vehicle (by means of the main vehicle control unit) can give drive actions based solely on the information it has gathered from its own sensory systems. The data received from the safety system (i.e. the PDD and CDD) will be the "green light" or the allowance to drive or the "red light" and the "brake activation". This is key, as manipulated drive information can also be sent wirelessly contradicting the vehicle sensory system. The argument here is that hacking both independent systems simultaneously will have a remote (highly unlikely) probability of occurrence.
Having an independent safety system shared between all the vehicles using numerous sensors and providing planned actions in the form of CDD in case of mismatch between the inputs (vehicle drive data) received from the sensors located in the vehicle and those (PDD) received from the infrastructure as well as other vehicles' drive data will afford the level of safety required.

Infrastructure Restrictions

The current V2I works on sending information wirelessly directly to the vehicle so it is combined to create a life-picture of the external environment in the vehicle, based on which drive decisions can be made. The V2I is not intended to act as a safety system or interfere in the motoric operation of the vehicle. The information is compiled using High-Definition maps, and point source data, and map generation and layering algorithms that allows images obtained from the vehicle sensory system to be better interpreted based on the geographic location of the point reference on an actual map. It also allows for a recalibration of the car actual location on the GPS system. All of this happens within the vehicle's On-Board Control Unit (main vehicle control unit).
A major component of the safety system of the present invention are the environmental sensors, preferably configured as radio sensors that will be located in street-lamps, and connected via high-speed hardware cables to the central control unit (CECU) of the safety system according to the present invention, which will be located external to the vehicle in a physical location that is local, regional, or national, or international depending on the jurisdiction in question. The safety system of the present invention in contrary to the current technologies, will combine information received from the infrastructure radio sensors collected via highspeed wired network cables (or wirelessly if wired is not available), with the up-to-date high-definition maps and point data systems, as well as the sensory data received from the vehicle sensory system wirelessly. All of this data will be used to: first validate the wireless data received from the vehicles, and second act as an intendent safety system to control vehicle motoric movement in case of a discrepancy between the two sets of data received wirelessly and over wired cables. When the data does not match, and this would have an impact on the drive decision of the vehicle, the drive decision would also be different. This will be an equivalent to a "red light", and the safety system will request the vehicle to come to a safe stop by activating the brake system.
The safety system will not be located in the vehicle but will communicate with the vehicle to send the stop request in case of a potential safety breach, and/or a safety risk. In case the stop request is not executed, safety system will activate the brakes, via the redundant channel (VECU) which will have superiority over the On-Board Control Unit (the vehicle main control unit), as it will have a higher integrity level SIL 4, which is a higher level of integrity than an ASIL D, which is comparable to a SIL 3.
The advantages of the safety system of the present invention can be quickly described as a redundant sensory system (comprising the environmental sensors) that is hard-wired to a redundant logic and processing unite (CECU) that is external to the vehicle, but has access to the vehicle brake activation system (VECU), far exceed its cost of implementation. However, in this particular case, in comparison to existing technology, where V2I is suggested, the safety system will be superior as it will reduce the risk of cyber security threats - falsified data received from the sensors of the infrastructure prompting unsafe vehicle actions, which is one example of a cyber security threat. It will also reduce the computing load demands on the vehicle On-Board Control Unite. The response time is increased, i.e. the time between detection of obstacles and maneuver to avoid collision and safety risk. This is achieved as the life-stream of data to the safety system will be possible to manage without the limitations of mobile technology. The safety system will achieve better sensory data as it will be independent of weather or light conditions. Last but not least, the safety system will achieve a high safety level due to the redundant sensory elements used across its sensory, communication, logic, and final elements
Referring now to Fig. 1, an exemplary overview is illustrated of how a safety system according to an embodiment of the invention is expected to work. The system can be applied on vehicles that contain some level of autonomy already. This is illustrated in the depicted vehicle that contains at least one sensor (three are shown in the drawing) and the main drive control unit, which already exists within most vehicles that contain ADAC systems.
Data interfaces with the CECU to send vehicle driving data (b) are depicted in the arrow leaving the vehicle from the antenna which depicted as the data interface with the CECU. The vehicle driving data compromising the vehicle sensory driving data and drive decision data generated by the main vehicle control unit. The vehicle sensory data includes information about at least one of a destination, remaining distance, route choice, and information from its sensors including the GPS position of the vehicle depicted also on the drawing in the centre of the vehicle. The at least one connected vehicle also receives PDD and CDD from the CECU. The PDD comprises the processed driving data which is compiled from the environmental sensors data and other vehicles driving data. The CDD comprises the CECU drive decision. This is depicted with microwaves leaving the building (e) where the CECU is located. The vehicle would receive the PDD and CECU with the depicted antenna.
Furthermore, examples of the endless possibilities of objects that can be seen in the environment are depicted, as well as major component of the safety system which is the environmental sensor, which in this example located in the streetlamps is illustrated as (c). The at least one sensor (c) connected to the CECU via the hardwired connection of the streetlamp to the main "building" is illustrated with (a), where the environmental data will be transferred as depicted in (d). The environmental data includes at least one of the environmental sensor's own location (illustrated with the GPS symbol on the drawing, surrounding environment data, which includes at least one , preferably both of fixed and time changing data from and around the road on a continuous basis, wherein the surrounding environment data preferably includes real time environment data surrounding the respective environmental sensor including at least one of the moving object's size, shape, movement speed and movement direction.
Fig. 2 illustrates a first example embodiment of the invention, particularly the interrelationships between the components of the system, including the central data processing unit (CECU), the roadside components and the components in a vehicle that is connected to the system.
Fig. 2 shows the following objects:

A. The External Environment
B. The Static High Definition Maps and cloud points that make up the external environment as data input in digital maps in data source
C. The environmental data including fixed and time changing surrounding environment data that surrounds the environmental sensors.
D. The environmental sensors which get input from the external environment - Part of invention
E. An example environmental sensor with interface to external environment and interface to CECU - Part of invention
F. An example vehicle that is connected to the CECU
G. Vehicle driving data sent via an interface to the CECU -― Part of invention
H. Other vehicles
I. Example vehicle sensory / actuator system
J. Sensors in the vehicle
K. Actuator 1 (electric motor)
L. Actuator 2 (Steering)
M. Actuator 3 (Brakes)
N. Vehicle Main Control Unit
O. Drive control system 1 (Electrical drive control unit)
P. Drive control system 2 (Steering control unit)
Q. Drive control system 3 (brake control unit)
R. VECU - Vehicle Electric control unit - Part of invention
S. CECU - Central Electrical Control Unit - Part of invention
T. CECU - Part 1 Data Receival and processing unit - part of invention
U. CECU - Part 2 Data control and sending unit - Part of invention
V. CECU - interface between part 1 and part 2 data exchange.

Fug. 2 also shows the following interfaces for data communication:

1. Interface between environmental sensors and CECU to send roadside data from environmental sensors (D and E) to CECU (S part 1 or T)
2. Interface between environmental sensors and CECU to receive roadside data from environmental sensors (D and E) to CECU (S part 1 or T)
3. Interface between Vehicle main control unit (N) and CECU (S) to receive vehicle driving data from example vehicle (F) as well as other connected vehicles (H) main control unit (N) by CECU (S part 1 or T)
4. Interface between Static high definition maps and cloud points data source (B) located based on external environment (A) and CECU to receive preferably Static high definition maps and cloud points data from data source (B) in environment (A) to CECU (S part 1 or T).
5. Interface between CECU (S part 2 or U) and the vehicle main control unit (N) to send from CECU Processed Drive Data (PDD) to vehicle main control unit.
6. Interface between CECU (S part 2 or U) and the VECU (R) to send emergency control action (brake signal) from CECU (S part 2 or U) to VECU (R).
7. Interface between the Vehicle's main control unit (N) and the CECU (S part 1 or T) to send vehicle driving data from example vehicle (F) as well as other connected vehicles (H) main control unit (N) to CECU (S part 1 or T)
8. Interface between the CECU (S part 2 or U) and main control unit (N) to receive PDD sent from CECU (S Part 2 or U) to vehicle main control unit (N).
9. Interface between VECU (R) and drive control system Actuator 3 (Brakes) (M) to send brake signal from VECU (R) to Actuator 3 (Brakes) (M)
10. Interface between VECU (R) and CECU (S part 2 or U) to receive safety signal sent from CECU (S part 2 or U) to VECU (R).

Fig. 3 illustrates a second example embodiment of the invention similar to that of Fig. 2 where like parts are denoted with like reference signs as in Fig. 2. Insofar it is referred to the description above in connection with Fig. 2. Unlike in the embodiment of Fig. 2, in the embodiment shown in Fig. 3 the CECU only communicates with the VECU, not with the main control unit of the vehicle.
Fig. 3 shows the following objects:

A. The External Environment
B. The Static High Defition Maps and cloud points that make up the external environment as data input in digital maps in data source
C. The environemtnal data including fixed and time changing surrounding environment data that surrounds the environmental sensors.
D. The environmental sensors which get input from the external environment - Part of invention
E. An example environmental sensor with interface to external environment and interface to CECU - Part of invention
F. An example vehicle that is connected to the CECU
G. Vehicle driving data sent via an interface to the CECU - Part of invention
H. Other vehicles
I. Example vehicle sensory / actuator system
J. Sensors in the vehicle
K. Actuator 1 (electric motor)
L. Actuator 2 (Steering)
M. Actuator 3 (Brakes)
N. Vehicle Main Control Unit
O. Drive control system 1 (Electrical drive control unit)
P. Drive control system 2 (Steering control unit)
Q. Drive control system 3 (brake control unit)
R. VECU - Vehicle Electric control unit - Part of invention
S. CECU - Central Electrical Control Unit - Part of invention
T. CECU - Part 1 Data receiving and processing unit - part of invention
U. CECU - Part 2 Data control and sending unit - Part of invention
V. CECU - interface between part 1 and part 2 data exchange.

Fig. 3 also shows the following interfaces:

1. Interface between environmental sensors and CECU to send roadside data from environmental sensors (D and E) to CECU (S part 1 or T)
2. Interface between environmental sensors and CECU to receive roadside data from environmental sensors (D and E) to CECU (S part 1 or T)
3. Interface between VECU (R) and CECU (S) to receive vehicle driving data from example vehicle (F) as well as other connected vehicles (H) VECU (R) by CECU (S part 1 or T)
4. Interface between Static high definition maps and cloud points data source (B) located based on external environment (A) and and CECU to receive preferably Static high definition maps and cloud points data from data source (B) in environment (A) to CECU (S part 1 or T).
5. Interface between CECU (S part 2 or U) and the vehicle main control unit (N) to send from CECU Processed Drive Data (PDD) to vehicle main control unit.
6. Interface between CECU (S part 2 or U) and the VECU (R) to send emergency control action (brake signal) from CECU (S part 2 or U) to VECU (R).
7. Interface between the VECU (R) and CECU (S part 1 or T) to send vehicle driving data from example vehicle (F) as well as other connected vehicles (H) main control unit (N) to CECU (S part 1 or T) via this VECU (R)
7'. Interface between Vehicle Main Control Unit (N) and VECU (R) to send vehicle driving data to CECU (S part 1 or T) via VECU (R).
8. Interface between the CECU (S part 2 or U) and VECU (R) to receive PDD sent from CECU (S Part 2 or U) to vehicle main control unit (N) via VECU (R).
8'. Interface between the VECU (R) and the Vehicle main control unit (N) to receive PDD sent from CECU (S part 2 or U) to Vehicle main control unit (N) via VECU (R).
9. Interface between VECU (R) and drive control system Actuator 3 (Brakes) (M) to send brake signal from VECU (R) to Actuator 3 (Brakes) (M)
10. Interface between VECU (R) and CECU (S part 2 or U) to receive safety signal sent from CECU (S part 2 or U) to VECU (R).

Fig. 4 illustrates a third example embodiment of the invention different to those of Fig. 2 and Fig. 3 described above.
Fig. 4 contains the following objects:

A. The External Environment
B. The Static High Definition Maps and cloud points that make up the external environment as data input in digital maps in data source
C. The environemtnal data including fixed and time changing surrounding environment data that surrounds the environmental sensors.
D. The environmental sensors which get input from the external environment - Part of invention
E. An example environmental sensor with interface to external environment and interface to CECU - Part of invention
F. An example vehicle that is connected to the CECU
G. Vehicle driving data sent via an interface to the CECU -― Part of invention
H. Other vehicles
I. Example vehicle sensory / actuator system
J. Sensors in the vehicle
K. Actuator 1 (electric motor)
L. Actuator 2 (Steering)
M. Actuator 3 (Brakes)
N. Vehicle Main Control Unit
O. Drive control system 1 (Electrical drive control unit)
P. Drive control system 2 (Steering control unit)
Q. N/A
R. Drive control System 3 (braking Control unit) ― which in this case also serves as VECU.
S. CECU - Central Electrical Control Unit - Part of invention
T. CECU - Part 1 Data Receival and processing unit - part of invention
U. CECU - Part 2 Data control and sending unit - Part of invention
V. CECU - interface between part 1 and part 2 data exchange.

Fig. 4 also shows the following interfaces:

Claims

A system for monitoring at least one driving operation of at least one vehicle travelling along a travel route in an operating area of the system, the system comprising a central data processing and control unit (CECU), a plurality of environmental sensors placed at a respective plurality of fixed locations distributed in the operating area at least along the travel route, and a vehicle control unit (VECU), which is provided in the at least one vehicle;
wherein the at least one vehicle comprises a main vehicle control unit that is configured to automatedly control at least one driving operation of the vehicle based on vehicle sensory driving data obtained by at least one sensor of the vehicle while travelling along the travel route, the main vehicle control unit being configured to send vehicle driving data to be received by the CECU, the vehicle driving data comprising the vehicle sensory driving data and drive decision data generated by the main vehicle control unit, and to receive processed drive data (PDD) sent from the CECU;

wherein each of the environmental sensors is configured to detect real-time environmental data for its respective fixed location along the travel route, the real-time environmental data including surrounding environmental data on a continuous basis, and wherein each of the environmental sensors is in data connection with the CECU and configured to send the environmental data to the CECU via the data connection;

wherein the CECU is located remotely from the plurality of environmental sensors and remotely from the at least one vehicle and comprises:
- a first CECU data interface, configured to receive the environmental data via the data connection from the plurality of environmental sensors;

- a second CECU data interface, configured to receive the vehicle driving data sent from the at least one vehicle's main vehicle control unit; and

- a third CECU data interface, configured to send processed drive data (PDD) to be received by the at least one vehicle's main vehicle control unit;

wherein the CECU is configured to process the received data, including the environmental data and the vehicle driving data, to obtain the processed drive data (PDD) and a CECU drive decision (CDD), wherein the CECU is further configured to compare the drive decision received from the at least one vehicle's main vehicle control unit with the obtained CDD, and, in case the comparison does not cause a conflict, to obtain a confirmation of the drive decision, or, in case the comparison causes a conflict, to generate an emergency control signal and to send the emergency control signal to the VECU to cause the VECU to initiate an emergency action to prevent a potentially dangerous situation, wherein the VECU is in direct data connection with the CECU to directly receive the emergency control signal from the CECU and is in further data connection to at least one drive control system of the vehicle to cause the drive control system to perform the emergency action.
The system of claim 1, wherein the drive control system that is in data connection with the VECU is a brake system of the vehicle, and wherein the emergency control signal is a brake control signal that causes the VECU to activate the brake system of the vehicle as the emergency action.
The system of claim 1 or 2, wherein the vehicle's main vehicle control unit is in data connection with the vehicle's VECU, such that a data connection between the main vehicle control unit and the CECU is provided via the VECU, wherein the VECU is configured to receive the vehicle driving data from the main vehicle control unit via the data connection, and forward the vehicle driving data to the CECU, wherein the VECU is further configured to receive the PDD from the CECU via the data connection and forward the PDD to the main vehicle control unit.
The system of claim 1 or 2, wherein the vehicle's main vehicle control unit is in data connection with the CECU, such that the data connection between the main vehicle control unit and the CECU is provided in a direct manner, wherein the main vehicle control unit is configured to directly send the vehicle driving data to the CECU via the data connection, and further to directly receive the PDD from the CECU via the data connection.
The system of claim 4, wherein the VECU is configured as an independent component with respect to the main vehicle control unit, such that the emergency control signal that is sent by the CECU can be received directly by the VECU, which will initiate the emergency action to prevent a potentially dangerous situation unseen or unrecognized by the main vehicle control unit, or to avoid unsafe actions that the main vehicle control unit intends to take.
A system for monitoring at least one driving operation of at least one vehicle travelling along a travel route in an operating area of the system, the system comprising a central data processing and control unit (CECU), and a plurality of environmental sensors placed at a respective plurality of fixed locations distributed in the operating area at least along the travel route;
wherein the at least one vehicle comprises a main vehicle control unit that is configured to automatedly control at least one driving operation of the vehicle based on vehicle sensory driving data obtained by at least one sensor of the vehicle, the main vehicle control unit being configured to send vehicle driving data to be received by the CECU, the vehicle driving data comprising the vehicle sensory driving data and drive decision data generated by the main vehicle control unit, and to receive processed drive data (PDD) sent from the CECU;

wherein each of the environmental sensors is configured to detect real-time environmental data for its respective fixed location along the travel route, the real-time environmental data including surrounding environment data on a continuous basis, and wherein each of the environmental sensors is in data connection with the CECU and configured to send the environmental data to the CECU via the data connection;

wherein the CECU is located remotely from the plurality of environmental sensors and remotely from the at least one vehicle and comprises:
- a first CECU data interface, configured to receive the environmental data via the data connection from the plurality of environmental sensors;

- a second CECU data interface, configured to receive the vehicle driving data sent from the at least one vehicle's main vehicle control unit;

- a third CECU data interface, configured to send processed drive data (PDD) to be received by the at least one vehicle's main vehicle control unit;

wherein the CECU is configured to process the received data, including the environmental data and the vehicle driving data, to obtain the processed drive data (PDD) and a CECU drive decision (CDD), wherein the CECU is further configured to compare the drive decision received from the at least one vehicle's main vehicle control unit with the obtained CDD, to obtain a confirmation of the drive decision in case the comparison does not cause a conflict, or in case the comparison causes a conflict, to generate an emergency control signal and to send the emergency control signal to at least one drive control system of the vehicle to cause the drive control system to perform an emergency action to prevent a potentially dangerous situation;

wherein the drive control system comprises a drive control unit that is configured as an independent vehicle control unit with respect to the main vehicle control unit of the respective vehicle, wherein the drive control unit is configured to receive a drive control signal from the main vehicle control unit to control at least one driving operation of the at least one vehicle, and further configured to receive the emergency control signal from the CECU to perform the emergency action as the driving operation.
The system of claim 6, wherein the drive control system is a brake system of the vehicle, and wherein the emergency control signal is a brake control signal that activates the brake system of the vehicle as the emergency action.
The system of any one of the preceding claims, wherein the CECU is configured to generate the emergency control signal also in case the at least one vehicle's main vehicle control unit is not able to receive the CDD or is not responsive to the CDD.
The system of any one of the preceding claims, wherein the vehicle driving data further comprise drive intention data including information about at least one of a destination, remaining distance and route choice, wherein the CECU is configured to send the PDD based on the respective drive intention data to the at least one vehicle's main vehicle control unit to support the main vehicle control unit with further refining and modifying its drive decision data.
The system of any one of the preceding claims, wherein the environmental data includes at least one of the environmental sensor's own location, surrounding environment data, the surrounding environment data including at least one of, preferably both of, fixed and time changing data from and around the environmental on a continuous basis, wherein the surrounding environment data preferably includes real time environment data surrounding the respective environmental sensor, including at least one of a moving object's size, shape, movement speed, movement direction, and GPS coordinates.
The system of any one of the preceding claims, wherein the CECU comprises a fourth CECU data interface, configured to receive at least one of a high-definition 3D life digital map, cloud points, and imaging data.
The system of any one of the preceding claims, wherein the CECU is further configured to assemble all received data in real time and lay them as per its GPS coordinates on corresponding location maps, preferably high-definition 3D maps, and further to obtain the CDD related to vehicle driving data received from the at least one vehicle.
The system of claim 12, wherein the CECU is further configured to lay all data as per their GPS coordinates on at least one corresponding location map to create a real-time three-dimensional map, preferably as a high-definition digital map.
The system of any one of the preceding claims, wherein data connection between the environmental sensors and the CECU is a wired data connection, preferably a high-speed internet cable connection, or a wireless data connection.
A method for monitoring at least one driving operation of at least one vehicle, comprising
- providing a system for monitoring at least one driving operation of at least one vehicle, preferably the system of claim 1, the system comprising a central data processing and control unit (CECU), a plurality of environmental sensors placed at a respective plurality of fixed locations distributed in the operating area at least along the travel route, and a vehicle control unit (VECU), which is provided in the at least one vehicle;
wherein the at least one vehicle comprises a main vehicle control unit that automatedly controls at least one driving operation of the vehicle based on vehicle sensory driving data obtained by at least one sensor of the vehicle, the method comprising sending, by means of the main vehicle control unit, vehicle driving data to be received by the CECU, the vehicle driving data comprising the vehicle sensory driving data and drive decision data generated by the main vehicle control unit, and receiving, by means of the main vehicle control unit, processed drive data (PDD) sent from the CECU;

- detecting, by means of the plurality of environmental sensors, real-time environmental data for the respective fixed location, the real-time environmental data including surrounding environment data on a continuous basis;

- sending, by means of the plurality of environmental sensors, the environmental data to the CECU, the environmental sensors each being in data connection with the CECU;

- receiving, by means of the CECU at a first CECU data interface, the environmental data via the data connection from the plurality of environmental sensors;

- receiving, by means of the CECU at a second CECU data interface, the vehicle driving data sent from the at least one vehicle's main vehicle control unit;

- sending, by means of the CECU at a third CECU data interface, processed drive data (PDD) to be received by the at least one vehicle's main control unit;

- processing, by means of the CECU, the received data, including the environmental data and the vehicle driving data, to obtain the processed drive data (PDD) and a CECU drive decision (CDD);

- comparing, by means of the CECU, the drive decision received from the at least one vehicle's main vehicle control unit with the obtained CDD, and, in case the comparison does not cause a conflict, obtaining a confirmation of the drive decision, or, in case the comparison causes a conflict, generating, by means of the CECU, an emergency control signal and sending the emergency control signal to the VECU to cause the VECU to initiate an emergency action to prevent a potentially dangerous situation, wherein in this case, the method further comprises

- directly receiving, by means of the VECU, via a direct data connection with the CECU, the emergency control signal from the CECU, wherein the VECU is in further data connection to at least one drive control system of the vehicle to cause the drive control system to perform the emergency action.
A method for monitoring at least one driving operation of at least one vehicle, comprising
- providing a system for monitoring at least one driving operation of at least one vehicle, preferably the system of claim 6, the system comprising a central data processing and control unit (CECU), and a plurality of environmental sensors placed at a respective plurality of fixed locations distributed in the operating area at least along the travel route;
wherein the at least one vehicle comprises a main vehicle control unit that automatedly controls at least one driving operation of the vehicle based on vehicle sensory driving data obtained by at least one sensor of the vehicle, the method comprising sending, by means of the main vehicle control unit, vehicle driving data to be received by the CECU, the vehicle driving data comprising the vehicle sensory driving data and drive decision data generated by the main vehicle control unit, and receiving, by means of the main vehicle control unit, processed drive data (PDD) sent from the CECU;

- detecting, by means of the plurality of environmental sensors, real-time environmental data for the respective fixed location, the real-time environmental data including surrounding environment data on a continuous basis,

- sending, by means of the plurality of environmental sensors, the environmental data to the CECU, the environmental sensors each being in data connection with the CECU;

- receiving, by means of the CECU at a first CECU data interface, the environmental data via the data connection from the plurality of environmental sensors;

- receiving, by means of the CECU at a second CECU data interface, the vehicle driving data sent from the at least one vehicle's main vehicle control unit;

- sending, by means of the CECU at a third CECU data interface, processed drive data (PDD) to be received by the at least one vehicle's main control unit;

- processing, by means of the CECU, the received data, including the environmental data and the vehicle driving data, to obtain the processed drive data (PDD) and a CECU drive decision (CDD);

- comparing, by means of the CECU, the drive decision received from the at least one vehicle's main vehicle control unit with the obtained CDD, and obtaining, by means of the CECU, a confirmation of the drive decision in case the comparison does not cause a conflict, or in case the comparison causes a conflict, generating, by means of the CECU, an emergency control signal and sending the emergency control signal to at least one drive control system of the vehicle to cause the drive control system to perform an emergency action to prevent a potentially dangerous situation;
wherein the drive control system comprises a drive control unit that is configured as an independent vehicle control unit with respect to the main vehicle control unit of the respective vehicle, wherein the method further comprises:
- receiving, by the drive control unit, a drive control signal from the main vehicle control unit to control at least one driving operation of the at least one vehicle, or

- receiving, by the drive control unit, the emergency control signal from the CECU to perform the emergency action as the driving operation.