EP3642717A1 - Device and method for controlling a vehicle module - Google Patents
- Publication number: EP3642717A1 (EP18726393.4A)
- Authority: EP (European Patent Office)
- Prior art keywords: information, core, plausibility check, processor, plausibility
- Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- B60W50/045—Monitoring control system parameters
- G06F11/1641—Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
- B60W50/0098—Details of control systems ensuring comfort, safety or stability not otherwise provided for
- G01S13/865—Combination of radar systems with lidar systems
- G01S13/867—Combination of radar systems with cameras
- G01S13/931—Radar or analogous systems specially adapted for specific applications for anti-collision purposes of land vehicles
- G01S17/931—Lidar systems specially adapted for specific applications for anti-collision purposes of land vehicles
- G01S7/40—Means for monitoring or calibrating (under G01S7/02, systems according to group G01S13/00)
- G01S7/497—Means for monitoring or calibrating (under G01S7/48, systems according to group G01S17/00)
- G06F11/0757—Error or fault detection not based on redundancy by exceeding limits by exceeding a time limit, i.e. time-out, e.g. watchdogs
- G06F11/186—Passive fault masking when reading multiple copies of the same data
- G06N3/04—Architecture, e.g. interconnection topology (under G06N3/02, Neural networks)
- B60W2420/403—Image sensing, e.g. optical camera
- B60W2420/408—Radar; Laser, e.g. lidar
- B60W2556/35—Data fusion
- G06F11/0739—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment in functional embedded systems, i.e. in a data processing system designed as a combination of hardware and software dedicated to performing a certain function in a data processing system embedded in automotive or aircraft systems
- G06F11/188—Voting techniques where exact match is not required
Definitions
- The invention relates to a device for driving a vehicle module according to claim 1, a control device for a vehicle module according to claim 8 and a driver assistance method according to claim 16.
- Control units, also called electronic control units, abbreviated ECUs, are electronic components for controlling and regulating.
- ECUs are used in several electronic areas to control and regulate vehicle functions.
- The ECUs known in the prior art each control and regulate one vehicle function. For example, a function for ejecting a CD from a CD player of a car radio is controlled and regulated by one ECU, and the function of setting a radio station by another ECU.
- An ECU consumes energy in the form of computing power; the energy consumption increases with each function to be controlled and regulated.
- The aim is not to control and regulate each individual function with its own ECU, but to merge several interrelated functions in one ECU, on the one hand to reduce energy consumption and, on the other hand, to evaluate information more efficiently.
- Vehicle areas that form a functional unit have functions that are related to each other. Such vehicle areas are called vehicle domains.
- Vehicle domains are the infotainment system, the chassis, the drive, the interior or safety.
- Functions for the infotainment system include, for example, operating a radio, a CD player, establishing a telephone connection, connecting to a hands-free unit, etc.
- If a music CD is playing, for example, the music is stopped when a telephone connection is made.
- ECUs which control and regulate vehicle domains, and thus several interrelated functions, are called domain ECUs.
- ECUs for vehicles must provide the required functionality reliably and safely and be available, especially in the chassis, drive and safety domains.
- Reliability means that the vehicle should bring occupants without failure from a starting point to a destination point, provided that the vehicle functions properly at the starting point.
- Safety means that the vehicle does not pose any danger to humans.
- Availability means that the vehicle is ready for use at any time and is not, for example, continuously standing defective in the workshop.
- The automotive functional safety standard ISO 26262 also requires that, in the event of a malfunction of an ECU, in particular an electrical malfunction, e.g. failure of the ECU due to a voltage dip, countermeasures in the form of security measures ensure that unjustifiable injury risks are avoided. An error caused by a voltage dip can be avoided, for example, by a redundant power supply.
- Domain ECUs for driver assistance systems, also known as advanced driver assistance systems, abbreviated ADAS
- ADAS systems capture the environment of a vehicle by means of environment detection sensors such as a camera, evaluate it, and relay corresponding information to vehicle modules to assist the driver in a safe journey.
- A domain ECU for an ADAS system is called an ADAS domain ECU.
- Functions that are controlled and regulated by an ADAS domain ECU are, for example, recognition of lane markings, vehicles, traffic signs, pedestrians, etc. These functions are centrally controlled and regulated by the ADAS domain ECU.
- ADAS domain ECUs which process data from environment detection sensors
- A camera as an electronic system may be in good condition, but still misinterpret a detected object.
- The object of the invention is to improve the security of the domain ECUs known from the prior art, in particular of ADAS domain ECUs.
- The device for driving a vehicle module comprises a security processor having at least one information interface at an input of the security processor and a control interface at an output of the security processor, the security processor including at least a first core, a second core, and a third core.
- The first core is designed to execute a first plausibility check of at least one first piece of information passed to the security processor via the information interface against at least one second piece of information passed to the security processor via the information interface. The second core is designed to perform a second plausibility check of the first information against the second information. The third core is designed to compare the result of the first plausibility check performed on the first core with the result of the second plausibility check performed on the second core, both results being forwarded to the third core, and to forward to the control interface the information for which plausibility has been determined in both the first plausibility check and the second plausibility check. The vehicle module is controlled via the control interface with the information found to be plausible.
- A vehicle module is a component of a vehicle.
- A steering wheel of a vehicle is a vehicle module.
- Electrical/electronic systems, abbreviated E/E systems, are also vehicle modules.
- A processor is an electronic circuit that receives and processes commands. As a result of processing instructions, the processor can control and regulate other electrical circuits, thereby advancing a process.
- A core is a part of a processor which forms a computing unit and which itself is capable of executing one or more instructions.
- The security processor is thus a multi-core processor in which a plurality of cores are arranged on a single chip, that is, a semiconductor device. Multi-core processors achieve higher computing power and are more cost effective to implement in a single chip than multiple cores.
- The security processor is also called a multicore micro control unit, abbreviated multicore MCU.
- An interface is a device between at least two functional units at which an exchange of logical quantities, for example data, or physical quantities, for example electrical signals, takes place, either unidirectionally or bidirectionally.
- The exchange can be analog or digital.
- An interface may exist between software and software, hardware and hardware, software and hardware, and hardware and software.
- A plausibility check is a method by which a value, or generally a result, is roughly checked to see whether it is at all plausible, i.e. acceptable, reasonable and/or comprehensible, or not. Plausibility checks can be carried out both in hardware and in software. Plausibility checks are, in particular, the monitoring of signals that may only occur in certain combinations and sequences. For example, measured values can be checked for their plausible value range and their time course.
- The plausibility check of a variable is a plausibility check.
- Two or more sensors which detect different information are compared with each other during operation in order to detect disturbances, such as deviations or failure.
- Short circuits and/or ground contacts can be detected by means of plausibility checks.
- The first information is a subset of knowledge that a sender can convey to a receiver through a particular medium.
- The first information is preferably different from the second information.
- Objects in a digital camera image, which the camera transmits electrically to a processor for further processing, are, for example, first image information. Spatial distances of the objects to the camera form the second information.
- First information is plausible to second information if the content of the first information is acceptable in terms of the content of the second information. If the first information matches in content with the content of the second information, then the first information is plausible to the second information.
- The first plausibility check and the second plausibility check may differ in their respective procedures.
- The hardware and software with which the plausibility checks are carried out can be checked for errors.
- Measured values can be checked as integers in a first plausibility check and as floating point numbers in a second plausibility check.
- The device according to the invention has the advantage that the vehicle module is not directly controlled with processed information. Processing information itself can be compliant with ISO 26262. However, the information may pose further security risks that cannot be mapped with ISO 26262. For example, environment information may incorrectly reflect the environment. In order to avoid these additional security risks, the information in the security processor is first checked for plausibility.
- The plausibility checks determine whether the hardware and software are functioning without errors and which information is correct for the safe control of the vehicle module. If a piece of information is detected as faulty in the plausibility check, it is not forwarded to the control interface. The vehicle module is thus controlled only with plausible information. The vehicle module, which is controlled with the information found to be plausible, is then in a safe state. Driving with information also means that when there are several pieces of information, the information is first merged and the vehicle module is driven with the information resulting from the merger. In particular, the invention thus provides a security architecture for ADAS domain ECUs.
- A secure state for the vehicle module is thus acceptable, in particular in the event that an environment is detected incorrectly, since in this case the vehicle module is controlled with plausible information. Due to the redundant signal conditioning of the different sensor signals such as camera, radar or lidar, it is possible to carry out a plausibility check. Thus, it is possible to detect the faulty signal in the event of an error. In the event of a fault, damage is minimized by controlling with plausible information.
- The device is thus fail-safe.
- The fact that the first plausibility check is executed on the first core and the second plausibility check on the second core, where the second plausibility check may differ in procedure from the first plausibility check, has the advantage that both hardware and software errors are detected.
- The first core calculates the same as the second core, preferably with a different approach. If, in the comparison on the third core, the result obtained with the first core deviates from the result obtained with the second core, there is a hardware and/or software error.
- The first core is designed to execute the first plausibility check for the first information, the second information and at least one third piece of information supplied to the security processor via the information interface, wherein the first information, the second information and the third information can each be checked against one another for plausibility. This makes it possible to detect incorrect information comparatively easily. For example, if the first information is plausible with the second information and with the third information, and the second information is plausible with the third information, no information is erroneous. If, for example, the first information is not plausible with the second information and not plausible with the third information, but the second information is plausible with the third information, then the first information is erroneous.
- The second core is designed to execute the second plausibility check for the first information, the second information and at least one third piece of information supplied to the security processor via the information interface, wherein the first information, the second information and the third information can each be checked against one another for plausibility.
- Three pieces of information can be compared on the third core.
- The result of the first plausibility check carried out on the first core and/or the result of the second plausibility check carried out on the second core is a majority selection of the information with a majority plausibility.
- The information which is not plausible with most of the other information is faulty.
- The majority selection is also known as voting. If three pieces of information are checked for plausibility, and if one of the three pieces of information is detected as being defective, only two of the three pieces of information are forwarded to the control interface for activating the vehicle module. This majority voting is also known as 2oo3 voting, that is, two out of three.
- The security processor, in particular each of the first core, the second core and the third core, preferably has a redundant power supply. Redundancy is the additional presence of functionally identical or comparable resources of a technical system that are normally not required for trouble-free operation. If a power supply fails due to an error, the device is in a manageable state due to the additional redundant power supply. With a voltage dip in a single power supply to the security processor, the entire security processor would fail with the first, second, and third cores. Such a multi-component failure that occurs as a result of a single failure cause or a single event is called a common cause failure. The redundant power supply thus prevents a common cause failure caused by a voltage dip in a power supply.
- The security processor, in particular each of the first core, the second core and the third core, preferably has a monitoring device.
- The monitoring device, also known as a watchdog, is a component of a system that monitors the functions of other components, in this case the security processor, in particular the first, the second and the third core. If a possible malfunction is detected, this is either signaled according to the security agreement or a suitable jump instruction is initiated, which corrects the pending problem.
- The term watchdog includes both hardware watchdogs and software watchdogs.
- The hardware watchdog is an electronic component with communication to the component being monitored.
- The software watchdog is checking software in the component to be checked, which checks whether all important program modules are executed correctly within a given time frame or whether a module takes an impermissibly long time.
- Watchdogs can be implemented in safety-critical applications and allow monitoring of E/E systems for compliance with ISO 26262.
- The information interface is preferably a redundant information interface. Thus, in the event that an information interface fails, an additional information interface is available, which keeps the device in a manageable state.
- The control device according to the invention for a vehicle has a device according to the invention and a power processor, the information interface of the device being arranged between the power processor and the security processor. The power processor has a detection device and an evaluation device. The detection device is designed to acquire at least a first signal and a second signal. The evaluation device is designed to generate at least first information from the first signal and second information from the second signal. By means of the information interface, at least the first information generated from the first signal and the second information generated from the second signal can be passed to the security processor for driving the vehicle module.
- The control device has the advantage that the information generated by the evaluation of the signals is not used directly for driving the vehicle module, but is first checked for plausibility by means of the device according to the invention. This ensures that the vehicle module is controlled only with plausible information and not with faulty information.
- The power processor has at least a first channel and a second channel separated from the first channel, wherein the first signal can be detected in the first channel and the first information can be generated from the detected first signal, and wherein the second signal can be detected in the second channel and the second information can be generated independently of the first information.
- The power processor, in particular each of the first channel and the second channel, or respectively the detection device and the evaluation device, preferably has a redundant power supply.
- The redundant power supply prevents a common cause failure caused by a voltage dip in a power supply.
- The power processor, in particular each of at least the first channel and the second channel, has a monitoring device, a so-called watchdog.
- The watchdog can be a hardware and/or software watchdog.
- the evaluation device on an artificial intelligence means recreating a human-like intelligence, that is, trying to build or program a computer that can handle problems on its own.
- Artificial intelligence can be realized in particular with artificial neural networks.
- An artificial neural network is an algorithm that is executed on an electronic circuit and programmed on the model of the neural network of the human brain.
- Functional units of an artificial neural network are artificial neurons whose output is generally evaluated as the value of an activation function over a weighted sum of the inputs plus a systematic error, the so-called bias.
- By testing multiple predetermined inputs with different weighting factors and activation functions artificial neural networks, similar to the human brain, are trained or trained.
- the training of artificial intelligence by means of predetermined inputs is called machine learning.
- a subset of machine learning is deep learning, in which a series of hierarchical layers of neurons, so-called hidden layer, is used to perform the process of machine learning.
- An evaluation device with an artificial intelligence can process signals more efficiently than a deterministic evaluation device.
- The algorithm underlying the artificial intelligence can be executed on a graphics processor, a so-called graphics processing unit, abbreviated GPU.
- A GPU has the advantage of being able to run several processes simultaneously, which increases the efficiency of the evaluation device.
- signals detected by the detection device are the signals of surroundings detection sensors, in particular camera signals, radar signals and / or lidar signals.
- Surround detection sensors provide input to driver assistance systems. For example, if the device of the present invention determines that the camera information is not plausible with the radar information but is plausible with the lidar information, and the radar information is not plausible with the lidar information, then the radar information is the erroneous information.
- the vehicle module is a vehicle domain, in particular infotainment, chassis, drive, interior and / or security.
- a driver assistance system comprising an inventive control device is also provided.
- In the driver assistance method, an inventive control unit is used.
- the driver assistance method according to the invention has the following steps:
- In the driver assistance method, it is ensured that only those information items are used to control the vehicle module which were classified as safe by means of the plausibility checks.
- FIG. 1 shows an embodiment of a device according to the invention.
- FIG. 2 shows an embodiment of a control device according to the invention.
- FIG. 3 shows an exemplary embodiment of a driver assistance method according to the invention.
- FIG. 1 shows a device 1 according to the invention for driving a vehicle module 2.
- the device 1 has an information interface 20, a safety processor 10 and a control interface 21.
- A first information 31, a second information 32 and a third information 33 are passed to the security processor 10.
- the security processor 10 has a first core 11, a second core 12 and a third core 13.
- Each individual core is connected to a redundant power supply 14.
- each core is controlled by a monitoring device 15.
- the first information 31, the second information 32 and the third information 33 each enter the device 1 as a two-channel object.
- the information 31, 32 and 33 are mutually checked for plausibility in a first plausibility check 30.
- the information 31, 32 and 33 are mutually checked for plausibility by means of a second plausibility check 40, which is different from the first plausibility check 30.
- the majority selection is based on the following scheme of majority scheme : 1: not plausible majority voter
- the device 1 recognizes that the lidar information 33 is faulty.
- The information 31, 32 and 33 determined to be mutually plausible in the first plausibility check 30 and in the second plausibility check 40 is passed on to the third core 13, in which a comparison 45 of the incoming information is made. If the information found to be mutually plausible in the first core 11 is also recognized as the plausible information in the second core 12, which is determined by the comparison 45, the vehicle module 2 is actuated via the control interface 21 with the mutually plausible information.
- the third core 13 will detect a hardware and / or software error.
- FIG. 2 shows an exemplary embodiment of a control device 3 according to the invention.
- In the control device 3, a power processor 50 is brought together with a security processor 10 via the information interface 20, which is arranged between the power processor 50 and the security processor 10.
- the power processor has a detection device 51 and an evaluation device 52.
- the detection device 51 has a redundant power supply 14.
- a first signal 53, a second signal 54 and a third signal 55 are collected.
- the signals 53, 54 and 55 may be, for example, signals from environment detection sensors.
- The first signal 53 may be a signal from a camera sensor.
- The second signal 54 may be a signal from a radar sensor.
- The third signal 55 may be a signal from a lidar sensor.
- the signals 53, 54 and 55 are detected and processed in separate channels of the power processor, namely a first channel 56, a second channel 57 and a third channel 58.
- Corresponding information 31, 32 and 33 is generated from the signals 53, 54 and 55 and arrives via the information interface 20 in the security processor 10.
- The information from, for example, a camera signal 53 is then a corresponding camera image.
- The camera image may be a front-field image, a rear-field image or a side-field image of a vehicle.
- the evaluation device 52 has an artificial intelligence.
- The artificial intelligence is an artificial neural network that is trained to recognize traffic situations.
- the function of the power processor 50 is controlled by a watchdog 15.
- FIG. 3 shows an exemplary embodiment of a driver assistance method 5 according to the invention that can be executed with a driver assistance system 4.
- the signals 53, 54 and 55 are first detected by means of the detection device 51 in the method step 60 of the detection. Subsequently, the evaluation 61 of the signals 53, 54 and 55 takes place in the evaluation device 52. The detection 60 and the evaluation 61 of the signals 53, 54 and 55 for the information 31, 32 and 33 takes place in the power processor 50.
- The evaluated information 31, 32 and 33 is sent via the information interface to the security processor 10 in the method step 62 of forwarding the information.
- the following method steps take place in the security processor 10:
- the execution of the first plausibility check 30 takes place in the first core 11.
- Execution 64 of the second plausibility check 40 is carried out in the second core 12.
- The results of the first plausibility check 30 carried out on the first core 11 and the results of the second plausibility check 40 carried out on the second core 12 are forwarded in the method step 65 to the third core 13 of the security processor.
- a comparison 66 of the results of the plausibility checks 30 and 40 is carried out in the third core 13 of the security processor 10.
- In the forwarding step 67, the information for which plausibility has been determined in the first plausibility check 30 and in the second plausibility check 40 is forwarded via the control interface 22 to the vehicle module 2, wherein the vehicle module 2 is controlled in the method step 68 of the control with the information determined to be plausible.
- the activation of a vehicle module can take place in such a way that the activation is perceptible in a haptic manner.
- For example, when a failure to keep a traffic lane is detected, a steering wheel can be controlled so that it vibrates, which the driver perceives with his sense of touch.
- the control can also be done visually or acoustically or via actuators, in particular mechatronic actuators.
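The mutual plausibility check, majority selection and third-core comparison described above can be sketched as follows. This is an added example, not code from the patent: the distance values, the two tolerance rules (`check_abs`, `check_rel`) and all function names are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: each information item is one object distance in metres. */
enum { CAMERA, RADAR, LIDAR, N_SRC };
#define NO_FAULT  (-1)  /* all three items mutually plausible */
#define UNDECIDED (-2)  /* no majority, no single item can be blamed */

typedef bool (*pair_check)(double a, double b);

static double absd(double x) { return x < 0 ? -x : x; }

/* First plausibility check (assumed): absolute tolerance of 1.5 m. */
static bool check_abs(double a, double b) { return absd(a - b) <= 1.5; }

/* Second, different check (assumed): relative tolerance of 5 %. */
static bool check_rel(double a, double b)
{
    double m = absd(a) > absd(b) ? absd(a) : absd(b);
    return m == 0.0 || absd(a - b) / m <= 0.05;
}

/* Majority vote: the item that is implausible against both others,
 * while those two agree with each other, is the erroneous one. */
static int vote(const double v[N_SRC], pair_check ok)
{
    bool cr = ok(v[CAMERA], v[RADAR]);
    bool cl = ok(v[CAMERA], v[LIDAR]);
    bool rl = ok(v[RADAR], v[LIDAR]);
    if (cr && cl && rl)   return NO_FAULT;
    if (cl && !cr && !rl) return RADAR;
    if (cr && !cl && !rl) return LIDAR;
    if (rl && !cr && !cl) return CAMERA;
    return UNDECIDED;
}

/* Comparison step: release a bit mask of trusted items only when both
 * checks reach the same verdict; otherwise release nothing. */
static bool compare_and_release(const double v[N_SRC], unsigned *trusted)
{
    int first = vote(v, check_abs);   /* would run on the first core  */
    int second = vote(v, check_rel);  /* would run on the second core */
    *trusted = 0;
    if (first != second || first == UNDECIDED)
        return false;                 /* disagreement or no majority */
    for (int i = 0; i < N_SRC; i++)
        if (i != first)
            *trusted |= 1u << i;
    return true;
}

int main(void)
{
    const double sample[N_SRC] = { 50.0, 62.0, 50.4 };  /* constructed */
    unsigned mask;
    bool ok = compare_and_release(sample, &mask);
    printf("released=%d trusted_mask=0x%x\n", ok, mask);
    return 0;
}
```

With the constructed sample, both checks single out the radar value, so only the camera and lidar bits are released; when the two checks reach different verdicts, nothing is passed to the control interface.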
Landscapes
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Radar, Positioning & Navigation (AREA)
- Remote Sensing (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Quality & Reliability (AREA)
- Computer Networks & Wireless Communication (AREA)
- Automation & Control Theory (AREA)
- Mechanical Engineering (AREA)
- Transportation (AREA)
- Human Computer Interaction (AREA)
- Electromagnetism (AREA)
- Biophysics (AREA)
- Mathematical Physics (AREA)
- Data Mining & Analysis (AREA)
- Evolutionary Computation (AREA)
- General Health & Medical Sciences (AREA)
- Molecular Biology (AREA)
- Computing Systems (AREA)
- Computational Linguistics (AREA)
- Software Systems (AREA)
- Biomedical Technology (AREA)
- Artificial Intelligence (AREA)
- Life Sciences & Earth Sciences (AREA)
- Health & Medical Sciences (AREA)
- Traffic Control Systems (AREA)
- Control Of Driving Devices And Active Controlling Of Vehicle (AREA)
- Debugging And Monitoring (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102017210156.3A DE102017210156B4 (de) | 2017-06-19 | 2017-06-19 | Vorrichtung und Verfahren zum Ansteuern eines Fahrzeugmoduls |
PCT/EP2018/062496 WO2018233934A1 (de) | 2017-06-19 | 2018-05-15 | Vorrichtung und verfahren zum ansteuern eines fahrzeugmoduls |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3642717A1 true EP3642717A1 (de) | 2020-04-29 |
Family
ID=62222629
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP18726393.4A Withdrawn EP3642717A1 (de) | 2017-06-19 | 2018-05-15 | Vorrichtung und verfahren zum ansteuern eines fahrzeugmoduls |
Country Status (6)
Country | Link |
---|---|
US (1) | US20210146939A1 (de) |
EP (1) | EP3642717A1 (de) |
JP (1) | JP7089026B2 (de) |
CN (1) | CN110770707A (de) |
DE (1) | DE102017210156B4 (de) |
WO (1) | WO2018233934A1 (de) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109101011A (zh) * | 2017-06-20 | 2018-12-28 | 百度在线网络技术(北京)有限公司 | 无人驾驶车辆的传感器监控方法、装置、设备及存储介质 |
DE102019202527A1 (de) * | 2019-02-25 | 2020-08-27 | Robert Bosch Gmbh | Sicherheitssystem und Verfahren zum Betreiben eines Sicherheitssystems |
JP7298323B2 (ja) * | 2019-06-14 | 2023-06-27 | マツダ株式会社 | 外部環境認識装置 |
DE102020123920B3 (de) | 2020-09-15 | 2021-08-19 | Dr. Ing. H.C. F. Porsche Aktiengesellschaft | Verfahren und System zum automatischen Labeling von Radardaten |
DE102021104917A1 (de) | 2021-03-02 | 2022-09-08 | Bayerische Motoren Werke Aktiengesellschaft | Fahrerüberwachungssystem für kraftfahrzeug |
DE102021204239A1 (de) | 2021-04-09 | 2022-10-13 | Continental Autonomous Mobility Germany GmbH | Verfahren zum Betrieb eines Assistenzsystems sowie Assistenzsystem |
EP4403881A1 (de) * | 2023-01-19 | 2024-07-24 | Leuze electronic GmbH + Co. KG | Sensoranordnung und verfahren zum betrieb einer sensoranordnung |
Family Cites Families (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE19527323A1 (de) * | 1995-07-26 | 1997-01-30 | Siemens Ag | Schaltungsanordnung zum Steuern einer Einrichtung in einem Kraftfahrzeug |
DE19829126A1 (de) * | 1997-11-22 | 1999-05-27 | Itt Mfg Enterprises Inc | Elektromechanisches Bremssystem |
DE10148348B4 (de) * | 2001-09-29 | 2004-04-15 | Daimlerchrysler Ag | Redundate Spannungsversorgung für dreikanaligen elektrischen Verbraucher |
US7421478B1 (en) * | 2002-03-07 | 2008-09-02 | Cisco Technology, Inc. | Method and apparatus for exchanging heartbeat messages and configuration information between nodes operating in a master-slave configuration |
DE102006062300B4 (de) * | 2006-12-18 | 2011-07-21 | Arnold, Roland, 72539 | Schaltung zur Steuerung eines Beschleunigungs-, Brems- und Lenksystems eines Fahrzeugs |
DE102010013349B4 (de) * | 2010-03-30 | 2013-06-13 | Eads Deutschland Gmbh | Computersystem und Verfahren zum Vergleichen von Ausgangssignalen |
DE102010013943B4 (de) * | 2010-04-06 | 2018-02-22 | Audi Ag | Verfahren und Vorrichtung für eine Funktionsprüfung einer Objekt-Erkennungseinrichtung eines Kraftwagens |
DE102013202253A1 (de) * | 2013-02-12 | 2014-08-14 | Paravan Gmbh | Schaltung zur Steuerung eines Beschleunigungs-, Brems- und Lenksystems eines Fahrzeugs |
DE102013218812A1 (de) * | 2013-09-19 | 2015-03-19 | Robert Bosch Gmbh | Fahrerassistenzsystem für ein Kraftfahrzeug |
DE102013021231A1 (de) * | 2013-12-13 | 2015-06-18 | Daimler Ag | Verfahren zum Betrieb eines Assistenzsystems eines Fahrzeugs und Fahrzeugsteuergerät |
JP5867495B2 (ja) * | 2013-12-20 | 2016-02-24 | 株式会社デンソー | 電子制御装置 |
DE102014217321A1 (de) * | 2014-08-29 | 2016-03-03 | Continental Teves Ag & Co. Ohg | Mikrocontrollersystem und Verfahren für sicherheitskritische Kraftfahrzeugsysteme sowie deren Verwendung |
FR3034882B1 (fr) * | 2015-04-07 | 2018-12-07 | Valeo Equipements Electriques Moteur | Procede d'implementation d'une fonction d'un vehicule automobile conforme a des niveaux asil standards, systeme correspondant et vehicule automobile comprenant un tel systeme |
WO2016163249A1 (ja) * | 2015-04-08 | 2016-10-13 | 日立オートモティブシステムズ株式会社 | パワーステアリング装置および車両搭載機器の制御装置 |
EP3085596B1 (de) * | 2015-04-20 | 2017-11-29 | Autoliv Development AB | Elektronisches fahrzeugsicherheitssteuerungssystem |
EP3357778B1 (de) * | 2015-09-30 | 2022-10-26 | Sony Group Corporation | Antriebssteuerungsvorrichtung, antriebssteuerungsverfahren und programm |
-
2017
- 2017-06-19 DE DE102017210156.3A patent/DE102017210156B4/de active Active
-
2018
- 2018-05-15 JP JP2020519835A patent/JP7089026B2/ja active Active
- 2018-05-15 EP EP18726393.4A patent/EP3642717A1/de not_active Withdrawn
- 2018-05-15 US US16/622,210 patent/US20210146939A1/en not_active Abandoned
- 2018-05-15 WO PCT/EP2018/062496 patent/WO2018233934A1/de unknown
- 2018-05-15 CN CN201880040724.5A patent/CN110770707A/zh active Pending
Also Published As
Publication number | Publication date |
---|---|
JP7089026B2 (ja) | 2022-06-21 |
DE102017210156A1 (de) | 2018-12-20 |
DE102017210156B4 (de) | 2021-07-22 |
WO2018233934A1 (de) | 2018-12-27 |
JP2020524352A (ja) | 2020-08-13 |
US20210146939A1 (en) | 2021-05-20 |
CN110770707A (zh) | 2020-02-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE102017210156B4 (de) | Vorrichtung und Verfahren zum Ansteuern eines Fahrzeugmoduls | |
WO2018233935A1 (de) | Vorrichtung und verfahren zur ansteuerung eines fahrzeugmoduls in abhängigkeit eines zustandssignals | |
EP2972607B1 (de) | Verfahren zur behandlung von fehlern in einem zentralen steuergerät sowie steuergerät | |
DE102014220781A1 (de) | Ausfallsichere E/E-Architektur für automatisiertes Fahren | |
DE102019201382A1 (de) | Vorrichtung und verfahren zum steuern eines fahrzeugs auf dergrundlage von redundanter architektur | |
DE102012024818A1 (de) | Verfahren zur Verbesserung der funktionalen Sicherheit und Steigerung der Verfügbarkeit eines elektronischen Regelungssystems sowie ein elektronisches Regelungssystem | |
DE102018002156A1 (de) | Ein verbessertes Steuerungssystem und ein verbessertes Steuerungsverfahren für das autonome Steuern eines Kraftfahrzeugs | |
DE112018006702T5 (de) | Bestimmung der zuverlässigkeit von fahrzeugsteuerbefehlen unter verwendung eines abstimmungsmechanismus | |
EP3709166B1 (de) | Verfahren und system zur sicheren signalmanipulation für den test integrierter sicherheitsfunktionalitäten | |
DE102017214531A1 (de) | Verfahren und Vorrichtung zum Betreiben eines Kraftfahrzeugs in einem automatisierten Fahrbetrieb sowie Kraftfahrzeug | |
DE102018114192B4 (de) | Steuersystem mit mehrstufiger wahlsteuerung und verfahren zum betreiben eines steuersystems zum ausgeben eines gewählten befehls an eine aktuatorvorrichtung | |
DE102017218438A1 (de) | Verfahren und System zum Betreiben eines Fahrzeugs | |
WO2022268270A1 (de) | Steuereinrichtung sowie assistenzsystem für ein fahrzeug | |
DE102013220526A1 (de) | Ausfallsicherere Sensorarchitektur für Fahrerassistenzsysteme | |
WO2017080942A1 (de) | Verfahren zum betreiben eines steuergeräts eines kraftfahrzeugs | |
EP4007891B1 (de) | Verfahren und vorrichtung zur lokalisierung eines fahrzeugs in einer umgebung | |
EP3341843B1 (de) | Verfahren und vorrichtung zum überwachen eines zustandes einer elektronischen schaltungseinheit eines fahrzeugs | |
DE102009012887B4 (de) | Verfahren zum Prüfen einer nicht korrekten Installation von Fahrzeugsensoren | |
DE102012221277A1 (de) | Fahrzeugsteuervorrichtung | |
DE102021208459B4 (de) | Verfahren zur authentischen Datenübertragung zwischen Steuergeräten eines Fahrzeugs, Anordnung mit Steuergeräten, Computerprogramm und Fahrzeug | |
DE102022212513A1 (de) | Fahrzeuglenkvorrichtung und fahrzeuglenkverfahren | |
DE102021206297A1 (de) | Verfahren und System zum Betreiben eines wenigstens teilweise automatisierten Fahrzeugs | |
DE102022108001A1 (de) | System und verfahren zur bestimmung eines status einer zweiten ecu unter verwendung eines gemeinsam genutzten sensors in einem system mit zwei ecus | |
DE102008043089A1 (de) | Verfahren zur Überwachung der Funktionsfähigkeit eines elektronischen Bausteins | |
DE102020203420B4 (de) | Verfahren und Vorrichtung zum Rekonfigurieren eines automatisiert fahrenden Fahrzeugs in einem Fehlerfall |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: UNKNOWN |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
17P | Request for examination filed |
Effective date: 20191126 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
AX | Request for extension of the european patent |
Extension state: BA ME |
|
DAV | Request for validation of the european patent (deleted) | ||
DAX | Request for extension of the european patent (deleted) | ||
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: GRANT OF PATENT IS INTENDED |
|
INTG | Intention to grant announced |
Effective date: 20201202 |
|
RIN1 | Information on inventor provided before grant (corrected) |
Inventor name: SARI, BUELENT |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20210413 |