EP4238336A1 - Method for operating a security system - Google Patents

Method for operating a security system

Info

Publication number
EP4238336A1
Authority
EP
European Patent Office
Prior art keywords
data
monitoring
received
backend
monitoring data
Prior art date
Legal status
Pending
Application number
EP21794836.3A
Other languages
German (de)
English (en)
Inventor
Hans-Leo ROSS
Kurt ECKERT
Current Assignee
Robert Bosch GmbH
Original Assignee
Robert Bosch GmbH
Priority date
2020-10-28
Filing date
2021-10-20
Publication date
2023-09-06

Classifications

    • H04W12/08 Access security (H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W12/033 Protecting confidentiality of the user plane, e.g. user's traffic (H04W12/03 Protecting confidentiality, e.g. by encryption)
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks (H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols)
    • H04W4/40 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] (H04W4/00 Services specially adapted for wireless communication networks; H04W4/30 Services specially adapted for particular environments, situations or purposes)
    • H04W8/005 Discovery of network devices, e.g. terminals (H04W8/00 Network data management)
    • H04W84/005 Moving wireless networks (H04W84/00 Network topologies)

Definitions

  • the invention relates to a method for operating a security system.
  • the invention also relates to a backend device or a communication device (e.g. car2car or car2infrastructure).
  • the invention also relates to a device.
  • the invention also relates to a security system.
  • the invention also relates to a computer program product.
  • Deterministic or semi-deterministic methods that can be carried out on known bus systems such as FlexRay, CAN, etc. are characterized by the fact that a clear data flow with known communication endpoints must be defined during development. The traffic environment, however, has to be monitored continuously, and new combinations of states, events and effects constantly reach the vehicle in very different ways; this requires continuous observation of the traffic environment and of the actors on the road (e.g. people, drivers, pedestrians, cyclists, occupants, other road users, etc.). These actors also behave very differently under heterogeneous boundary conditions, especially in stressful situations or in changing weather conditions.
  • WO 2017/053454 A1 discloses communication network architectures, systems and methods for connecting to a network of moving things.
  • a request from a mobile access point installed in a vehicle may be received via a network interface circuit of one or more computing devices.
  • the processing circuitry of the one or more computing devices may determine characteristics of a captive portal to be presented in response to the request based on the current location of the vehicle and the mobile access point.
  • a captive portal with the determined characteristics is then provided by the processing circuitry via the network interface circuitry in response to the request.
  • the object is achieved with a method for operating a security system, having the steps: providing data and monitoring data on a backend device;
  • a safety system or a system is advantageously provided that can meet defined requirements with regard to functional safety.
  • the monitoring data are either cyclic, which the receiver knows implicitly, or a preceding monitoring data packet signals when the next one is to be expected.
  • the availability of an autonomous driving function of an automated vehicle can advantageously be expanded by making autonomous driving available even in problematic traffic scenarios.
  • the mentioned driving function can advantageously be provided beyond the vehicle at least partially by means of an infrastructure on the route, whereby a determinism of a data flow for the automated vehicle is largely supported.
  • the monitoring data form a "heartbeat" of the system, which indicates whether the system is still functional via the air interface and is therefore able to transmit control data.
  • the system specifies a time frame in which the current communication function can be ensured.
  • the object is achieved with a backend device, having: a control device; a transmitter; a first data switch; and a first monitoring module; wherein user data and monitoring data can be transmitted on independent channels of a radio interface by means of the first data switching device and the first monitoring module.
  • This monitoring module also checks the technical requirements of the transmission device, which are necessary for the successful transmission of the relevant data.
  • the control device controls the timing of the transmission process within the framework of the specification.
  • In the case of the transmission module, the correct and timely control of the communication is monitored with the aid of the monitoring unit (control flow monitoring), and the correctness and timeliness of the content of the useful information is also monitored (data flow monitoring). This measure is implemented correspondingly on the receiver side. Independence can also be provided by underlying separate certificates and keys (CRC, hashes, etc.).
  • the object is achieved with a device unit, comprising: a receiving device; a detection device; a controller; a second data switching device; and a second monitoring module; wherein user data and monitoring data can be received on independent channels of a radio interface by means of the second data switching device and the second monitoring module, and/or it can be checked that they have been received in good time and at the correct time.
  • the object is achieved with a security system comprising: a proposed backend device; a proposed device unit; and a radio interface arranged between them; wherein a data transmission from the backend device to the device unit can be monitored via the radio interface.
  • the object is achieved with a computer program product with program code means that is set up to carry out the proposed method when it runs on a proposed security system or is stored on a computer-readable data carrier.
  • An advantageous development of the method provides that the user data is offered to a publication module of the backend device.
  • a sequence of the proposed method can be initiated by making available, for example, useful data from objects detected by sensors.
  • a further advantageous development of the method provides for the data to be encrypted on the backend device and to be transmitted in encrypted form over the air interface.
  • a high level of security for the proposed method is advantageously supported in this way, and time information is also sent as part of the information so that the receiving unit can check whether it has been received in time.
  • a further advantageous development of the method provides for the data to be received by a data switching device on the device unit and distributed to registered components of the device unit. This ensures that only registered components receive the intended data, whose reception is monitored by means of the monitoring data. This also advantageously supports a high level of security for the proposed method.
  • a further advantageous development of the method provides for the reception of the monitoring data to be checked cyclically by the device unit, with the device unit knowing the times at which the monitoring data are to be received. This makes it possible for the device unit to check in a simple manner whether monitoring data is received at an intended point in time, which advantageously supports determinism of the data transmission.
  • a further advantageous development of the method provides that, in the event that the monitoring data is not received by the device unit, a device operated with the device unit is placed in a safe state, or the function implemented on the basis of the data is adapted such that the device can continue to be operated safely. In this case, it can be provided, for example, that an autonomous vehicle operated by means of the device unit is put into a safe state, for example stopped, parked, etc., or that, for example, the maximum permissible speed is correspondingly reduced.
  • Disclosed method features result analogously from corresponding disclosed device features and vice versa. This means in particular that features, technical advantages and explanations relating to the method result in an analogous manner from corresponding explanations, features and advantages relating to the individual components of the safety system or the safety system and vice versa.
  • FIG. 1 is a block diagram of the proposed security system
  • FIG. 2 shows a communication diagram of a proposed information flow between backend device and device unit
  • FIG. 4 shows a representation of a transmission of monitoring data
  • FIG. 5 shows a basic sequence of a proposed method for operating a security system.
  • the term "automated vehicle" is used synonymously in the meanings of fully automated vehicle, partially automated vehicle, fully autonomous vehicle and partially autonomous vehicle.
  • a “safety system” is understood to mean a system that can provide defined requirements with regard to functional safety.
  • the safety-critical information and its control flow must be prioritized accordingly. It is proposed to separate a data flow from a monitoring data flow.
  • the data flow is optimized according to performance requirements, with appropriate templates being created for the protocol structure and coordinated between the sender and the respective recipients.
  • a redundant data stream can be transmitted wirelessly with maximum power via two independent channels.
  • data contents together with associated, defined security keys are transmitted in a first path and monitoring data, which control the transmission of the data, are transmitted in a second path.
  • this represents a handshake between control flow monitoring and data flow monitoring via the air interface.
  • transmission over independent physical paths is only one variant.
  • the monitoring data can also be transmitted on the same physical channel, although in any case they are logically separated from the user data.
  • a preferred embodiment of the proposed method uses the standardized CPM protocol for the proposed monitored data transmission, which provides different templates and formats for security-relevant objects in their context and their temporal assignment.
  • other suitable data transmission protocols are also conceivable for data transmission via the air interface. Permanently transferring this amount of data for all scenarios, situations and degradation scenarios would lead to an immense flood of data.
  • Security modules on a sender and receiver side therefore ensure that correct data is assembled at the right time with the correct security attributes and is made available for communication via the air interface. Furthermore, these security modules check the security integrity of the transmitted data.
  • a data switching device arranged on the transmitter and receiver side compiles the data according to the respective situation, the respective status, etc., and prepares them for communication via the air interface. If this is implemented correctly, taking into account all security requirements, certain security certificates are selected by the security module and made available to secure communication.
  • a final security authority in the form of a monitoring module monitors the entire process and issues a master security certificate for a certain period of time. This is communicated to the receivers in the devices with the highest priority.
  • This master security certificate also controls the data processing on the receiving end and ensures that the measures taken based on the transmitted information correspond to the data quality and transmission quality.
  • the data switching device can act as a server in a client-server communication with the various clients in the vehicles, or can also provide the various consumers in the vehicle with the necessary data, including the relevant safety certificates.
  • This master security certificate also ensures the basic function for communication when it is received correctly and on time and acts as the last final shutdown device, whereby this can also be designed dynamically or fault-tolerantly like a window watchdog.
  • FIG. 1 shows an embodiment of a proposed security system 100 for communicating infrastructure data to an at least partially automated device (e.g. a vehicle, not shown).
  • a backend device 10 and a device unit 20 can be seen, which can communicate with one another via an air interface 30 (e.g. mobile radio link, WLAN connection, etc.).
  • a communication chain from an infrastructure sensor system to a vehicle controlled by the device unit 20 is indicated.
  • a control device 1 and a transmission device 2 can be seen in a first level of detail L1 of the backend device 10.
  • a receiving device 11, a detection device 12 and a control device 13 for controlling the at least partially automated device can also be seen on the device unit 20.
  • Sensors S are provided for detecting an area surrounding the at least partially automated device.
  • Actuators A of the vehicle, such as steering, brakes, etc., are used to operate the at least partially automated device.
  • control device 1 has a detection module 1a and a publication module 1b, with the detection module 1a being responsible in particular for data fusion and the publication module 1b in particular for publishing or offering data from detected objects O1 ... On.
  • backend device 10 has a first data transmission device 3 and a first monitoring device 4 ("heartbeat module").
  • FIG. 2 shows flows of user data D and monitoring data SD from the backend device 10 to the device unit 20, which can be implemented with the security system 100 from FIG. 1.
  • objects O1, O2, for example in the form of a vehicle or a person, can be detected by a sensor system S of the backend device 10 (e.g. a camera in a parking garage, a camera at the side of the road, etc.) and transmitted as a data stream via an air interface 30 to the device unit 20 controlling the device.
  • the user data D and the monitoring data SD are transmitted on independent channels of the air interface 30, with the monitoring data SD being able to monitor correct functionality of the air interface 30.
  • FIG. 3 shows the processing of data packets through to the checking of security integrity and the handshakes required for this between individual components of the backend device 10 and the device unit 20.
  • a connection to a first data switching device 3 of the backend device 10 is set up, the establishment of which is confirmed in a step S3.
  • a connection is established on the device unit 20 between a subscription module 12a of the detection device 12 and a second data switching device 14 on the device unit 20, which is confirmed in a step S5 after it has been executed.
  • the subscription module 12a registers for desired data relating to objects O1 ... On.
  • Steps S1 ... S6 can be carried out once or several times at defined points in time on the part of the backend device 10 or the device unit 20.
  • in a step S7, new data relating to objects O1 ... On detected by sensors in the environment of the at least partially automated device is offered or published, followed by signing of said data and transmission of the signed data to the first data switching device 3.
  • the first data switching device 3 issues a command to a first communication module 2b to transmit the signed messages via the air interface 30.
  • in a step S11 carried out on the device unit 20, receipt of the data concerning the objects O1 ... On is confirmed.
  • the security information of the data is checked and confirmed in a step S13 to the second data switching device 14, which then transmits the received and checked data to the subscription module 12a in a step S14.
  • FIG. 3 thus illustrates a structuring of the data flow between the backend device 10 and the device unit 20 via the air interface 30.
  • the backend device 10 can, for example, have sensors and/or algorithms, etc., which are not available on the device unit 20 or cannot be executed there (e.g. due to a lack of computing power).
  • in steps S15, S16 a security status of the monitoring data SD is checked between the detection module 1a and the publication module 1b of the backend device 10.
  • the security module 2a checks the master security certificate issued by the backend device 10 for the user data D, which is confirmed to the first data switching device 3 in a step S18.
  • in a step S19 the monitoring data SD are transmitted via the air interface 30 by means of a first communication module 2b.
  • in a step S20 it is cyclically checked whether the monitoring data SD are available at the first data switching device 3.
  • in a step S21 the monitoring data SD received by a second communication module 11a of the receiving device 11 of the device unit 20 are forwarded to the second data switching device 14.
  • the received monitoring data SD are forwarded to the security module 11b of the receiving device 11 of the device unit 20.
  • in a step S23 it is checked whether the monitoring data SD have arrived at the second data switching device 14 at the expected times.
  • in steps S24, S25 it is confirmed that data communication over the air interface 30 is secure for a defined period of time (e.g. for n milliseconds).
  • FIG. 4 thus shows a transmission of the monitoring data SD between the backend device 10 and the device unit 20, which is used to check whether the air interface 30 is functional.
  • the monitoring data SD are preferably generated cyclically and transmitted via the air interface 30, as a result of which the device unit 20 always knows when the next data packet of the monitoring data SD must arrive.
  • FIG. 5 shows a basic sequence of a proposed method.
  • in a step 200, user data D and monitoring data SD are provided on a backend device 10.
  • in a step 210, the user data D is transmitted via a first channel and the monitoring data SD via a second channel of an air interface 30 to a device unit 20.
  • in a step 220, it is checked whether the monitoring data SD were received at the expected times. If this is the case, the user data D are transmitted to the device unit 20 in a step 230.
  • otherwise, in a step 240, the user data D are not transmitted to the device unit 20, in which case the device controlled by the device unit 20 is switched to a safe state, for example.
  • the proposed method can be used advantageously, for example, when parking a vehicle automatically and/or when operating an automated vehicle in an urban environment.
  • externally controlled operation of the at least partially automated vehicle at increased speed is conceivable.
  • applications for operating at least partially automated production machines in an industrial environment, such as real-time capable production robotics, etc., are also conceivable.
  • the proposed method can advantageously be implemented in the form of a software program with suitable program code means, which runs on a security system with the components explained above. A simple adaptability of the method is possible in this way.
  • the proposed method can advantageously be used for automated parking of a vehicle and/or for at least partially automated driving of a vehicle in an urban environment.
  • the number of channels of the security system can also be greater than two.
  • the number of channels can also be one if the data and control flow monitoring and the other security mechanisms are embedded in a common container together with the useful information.
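The receiver-side check of steps 220 to 240 (and S23 to S25 in FIG. 4), written out as an added example that is not part of the patent or of any Bosch implementation: a window watchdog on the device unit accepts a cyclic SD packet only inside its expected time window and with a fresh sender timestamp, confirms the air interface as secure for a defined period, releases user data D only while that period runs, and falls back to a degraded and then a latched safe state on consecutive misses. The packet fields (seq, sent_ms), the window and validity constants, the two-step degradation and the assumption of synchronized clocks are choices of this example, and the trace it runs is constructed.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Heartbeat:
    """One packet of monitoring data SD as it arrives at the device unit 20."""
    seq: int       # sequence number assigned by the backend (assumed field)
    sent_ms: int   # backend send time carried in the packet (assumed field)
    recv_ms: int   # local arrival time at the device unit (clocks assumed in sync)

@dataclass
class WatchdogConfig:
    period_ms: int = 100    # cyclic SD period, known to the device unit in advance
    early_ms: int = 20      # arrivals earlier than this before a slot are rejected
    late_ms: int = 30       # a slot whose window closes without SD counts as missed
    max_delay_ms: int = 50  # max accepted sent->received delay (timeliness of content)
    valid_ms: int = 150     # one accepted SD packet keeps the link "secure" this long

@dataclass
class DeviceState:
    mode: str = "NORMAL"       # NORMAL -> DEGRADED (one miss, e.g. reduced speed) -> SAFE_STOP
    next_expected_ms: int = 0  # nominal arrival time of the next SD packet
    expected_seq: int = 0
    secure_until_ms: int = -1  # user data D is released only while now <= this
    misses: int = 0
    events: List[str] = field(default_factory=list)

def _miss(state, cfg, reason):
    """Consume the current slot as missed and degrade; a second miss latches SAFE_STOP."""
    state.misses += 1
    state.mode = "DEGRADED" if state.misses == 1 else "SAFE_STOP"
    state.events.append(f"miss ({reason}) -> {state.mode}")
    state.next_expected_ms += cfg.period_ms
    state.expected_seq += 1

def check_deadline(state, now_ms, cfg):
    """Step S23, run on the device unit's own cycle so a silent backend is noticed."""
    while state.mode != "SAFE_STOP" and now_ms > state.next_expected_ms + cfg.late_ms:
        _miss(state, cfg, f"no SD for slot {state.next_expected_ms}")

def process_heartbeat(state, hb, cfg):
    """Window-watchdog check of one SD packet; returns True if it was accepted."""
    if state.mode == "SAFE_STOP":
        return False  # latched: only an explicit restart leaves the safe state
    if hb.seq != state.expected_seq:
        state.events.append(f"seq {hb.seq} != expected {state.expected_seq}: ignored")
        return False
    on_time = (state.next_expected_ms - cfg.early_ms <= hb.recv_ms
               <= state.next_expected_ms + cfg.late_ms)
    fresh = 0 <= hb.recv_ms - hb.sent_ms <= cfg.max_delay_ms  # sender time vs arrival
    if not (on_time and fresh):
        _miss(state, cfg, f"seq {hb.seq} at {hb.recv_ms} outside window or stale")
        return False
    # Steps S24/S25: the air interface is confirmed secure for a defined period
    state.misses, state.mode = 0, "NORMAL"
    state.secure_until_ms = hb.recv_ms + cfg.valid_ms
    state.next_expected_ms += cfg.period_ms
    state.expected_seq += 1
    state.events.append(f"ok seq {hb.seq} at {hb.recv_ms}")
    return True

def release_user_data(state, now_ms, payload, cfg):
    """Steps 220/230/240: forward user data D only while the SD heartbeat is current."""
    check_deadline(state, now_ms, cfg)
    if state.mode != "SAFE_STOP" and now_ms <= state.secure_until_ms:
        return payload
    state.events.append(f"D withheld at {now_ms} (mode {state.mode})")
    return None

def run_simulation(cfg=None):
    """Constructed trace: good heartbeats, one lost packet, recovery, then two lost packets."""
    cfg = cfg or WatchdogConfig()
    state, results = DeviceState(), []
    trace = [  # (local time in ms, kind, item); all values are constructed
        (2, "SD", Heartbeat(0, 0, 2)),
        (60, "D", "objects O1..On @60"),
        (105, "SD", Heartbeat(1, 100, 105)),
        (201, "SD", Heartbeat(2, 200, 201)),
        # SD seq 3 (slot 300) is lost: first miss, but the link is still "secure" until 351
        (340, "D", "objects O1..On @340"),
        (428, "SD", Heartbeat(4, 400, 428)),  # late but inside the window: recovery
        # SD seq 5 and 6 (slots 500, 600) are lost: the second consecutive miss latches
        (640, "D", "objects O1..On @640"),
        (705, "SD", Heartbeat(7, 700, 705)),  # rejected: device unit is in SAFE_STOP
    ]
    for now, kind, item in trace:
        check_deadline(state, now, cfg)
        if kind == "SD":
            results.append(("SD", item.seq, process_heartbeat(state, item, cfg)))
        else:
            results.append(("D", now, release_user_data(state, now, item, cfg), state.mode))
    return state, results
```

Calling `run_simulation()` returns the final state and the per-event outcomes; the `events` log shows the single miss being forgiven by the next good packet and the double miss latching the safe state.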

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Selective Calling Equipment (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to a method for operating a security system (100), comprising the steps of: providing user data (D) and monitoring data (SD) on a backend device (10); transmitting the user data (D) via a first channel and transmitting the monitoring data (SD) via a second channel of an air interface (30) to a device unit (20); wherein the user data (D) are transmitted to the device unit (20) only if the monitoring data (SD) are periodically received by the device unit (20).
EP21794836.3A 2020-10-28 2021-10-20 Method for operating a security system Pending EP4238336A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102020213522.3A DE102020213522A1 (de) 2020-10-28 2020-10-28 Method for operating a security system
PCT/EP2021/079039 WO2022090012A1 (fr) 2020-10-28 2021-10-20 Method for operating a security system

Publications (1)

Publication Number Publication Date
EP4238336A1 true EP4238336A1 (fr) 2023-09-06

Family

ID=78302779

Family Applications (1)

Application Number Title Priority Date Filing Date
EP21794836.3A Pending EP4238336A1 (fr) 2020-10-28 2021-10-20 Method for operating a security system

Country Status (5)

Country Link
US (1) US20230300609A1 (fr)
EP (1) EP4238336A1 (fr)
CN (1) CN116472783A (fr)
DE (1) DE102020213522A1 (fr)
WO (1) WO2022090012A1 (fr)

Also Published As

Publication number Publication date
US20230300609A1 (en) 2023-09-21
WO2022090012A1 (fr) 2022-05-05
DE102020213522A1 (de) 2022-04-28
CN116472783A (zh) 2023-07-21

Legal Events

Code Title Description
STAA Information on the status of an ep patent application or granted ep patent: STATUS: UNKNOWN
STAA Information on the status of an ep patent application or granted ep patent: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase: ORIGINAL CODE: 0009012
STAA Information on the status of an ep patent application or granted ep patent: STATUS: REQUEST FOR EXAMINATION WAS MADE
17P Request for examination filed: effective date 20230530
AK Designated contracting states: kind code of ref document A1; designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)