SE541390C2 - System and Method for Controlling a Motor Vehicle to Drive Autonomously - Google Patents

System and Method for Controlling a Motor Vehicle to Drive Autonomously

Info

Publication number
SE541390C2
SE541390C2 SE1751581A SE1751581A SE541390C2 SE 541390 C2 SE541390 C2 SE 541390C2 SE 1751581 A SE1751581 A SE 1751581A SE 1751581 A SE1751581 A SE 1751581A SE 541390 C2 SE541390 C2 SE 541390C2
Authority
SE
Sweden
Prior art keywords
motor vehicle
safety
unit
nominal
risk
Prior art date
Application number
SE1751581A
Other versions
SE1751581A1 (en
Inventor
Johan Svahn
Naveen Mohan
Per Roos
Original Assignee
Scania Cv Ab
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Scania Cv Ab
Priority to SE1751581A (SE541390C2)
Priority to DE112018005796.8T (DE112018005796B4)
Priority to PCT/SE2018/051260 (WO2019125269A1)
Publication of SE1751581A1
Publication of SE541390C2

Classifications

    • G05D1/0055 Control of position, course, altitude or attitude of land, water, air or space vehicles, e.g. using automatic pilots with safety arrangements
    • G01C21/26 Navigation; Navigational instruments not provided for in groups G01C1/00 - G01C19/00 specially adapted for navigation in a road network
    • B60W30/143 Speed control
    • B60W60/0016 Planning or execution of driving tasks specially adapted for safety of the vehicle or its occupants
    • B60W60/00186 Planning or execution of driving tasks specially adapted for safety by employing degraded modes, e.g. reducing speed, in response to suboptimal conditions related to the vehicle
    • G01C21/34 Route searching; Route guidance
    • G01C21/36 Input/output arrangements for on-board computers
    • G01C21/3617 Destination input or retrieval using user history, behaviour, conditions or preferences, e.g. predicted or inferred from previous use or current movement
    • G05D1/43 Control of position or course in two dimensions [2D]
    • G05D1/646 Following a predefined trajectory, e.g. a line marked on the floor or a flight path
    • G05D1/65 Following a desired speed profile
    • G05D1/69 Coordinated control of the position or course of two or more vehicles
    • G05D2109/10 Land vehicles

Landscapes

  • Engineering & Computer Science (AREA)
  • Remote Sensing (AREA)
  • Radar, Positioning & Navigation (AREA)
  • Automation & Control Theory (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Aviation & Aerospace Engineering (AREA)
  • Mechanical Engineering (AREA)
  • Transportation (AREA)
  • Human Computer Interaction (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Social Psychology (AREA)
  • Electric Propulsion And Braking For Vehicles (AREA)
  • Safety Devices In Control Systems (AREA)
  • Control Of Electric Motors In General (AREA)

Abstract

A motor vehicle (MV) is controlled to drive autonomously in agreement with a nominal path in response to nominal control signals (NCS) from a bank of control units (110). Safety policies (P) are provided via a first data-interface unit (163). The safety policies (P) describe mission-related rules to be followed during operation of the motor vehicle (MV). The safety policies (P) are based on a safety case (SC) stipulating how the motor vehicle (MV) shall be controlled to meet a functional safety standard. A watch unit (160) receives sensor signals (SS) from the motor vehicle (MV), and based thereon repeatedly generates commands ({cmd}) to update the boundary conditions ({bc}) aiming at confining the nominal path within limits that are given by the sensor signals (SS) and the at least one safety policy (P). The bank of control units reads out the set of boundary conditions ({bc}) and controls the motor vehicle (MV) to move in such a manner that the nominal path satisfies the boundary conditions ({bc}), and is thus considered to be safe.

Description

System and Method for Controlling a Motor Vehicle to Drive Autonomously
TECHNICAL FIELD
The invention relates generally to autonomous vehicles. In particular, the present invention concerns a system for controlling a motor vehicle to drive autonomously in agreement with a nominal path and a corresponding method. The invention also relates to a computer program and a non-volatile data carrier.
BACKGROUND
Today, there is a strong trend towards fully autonomous vehicles. Naturally, since there is no human driver involved, safety issues are very important. Functional safety standards, such as ISO 26262, stipulate the diagnosis functionality required with respect to safety. In general, these standards place significant overhead on diagnosis and the safe handling of functional failures. Moreover, the verification of the provability of functional safety is a very extensive process. Typically, the overhead increases dramatically with growing numbers of functions and the complexity of the functions involved. As a result, automated driving and functions related thereto provide one of the largest challenges in terms of complexity in the automotive domain so far.
US 2017/0277194 describes how an operation related control of a vehicle is facilitated. Here, a finite set of candidate trajectories of the vehicle is generated that begin at a location of the vehicle as of a given time. The candidate trajectories are based on a state of the vehicle and on possible behaviors of the vehicle and of the environment as of the location of the vehicle and the given time. A putative optimal trajectory is selected from among the candidate trajectories based on costs associated with the candidate trajectories. The costs include costs associated with violations of rules of operation of the vehicle. The selected putative optimal trajectory is used to facilitate the operation related to control of the vehicle.
EP 2 317 412 shows a safety management system for equipment adapted to operate autonomously in a real-time environment. A deterministic and a non-deterministic processor are provided for processing incoming alerts and generating control signals in response. The non-deterministic processor can deal with unrehearsed, complex and unpredictable situations by providing essentially open-ended procedures working in large search spaces with no guarantee of a solution. The deterministic processor monitors behavior of the non-deterministic processor and validates control signals produced by it against safety policies. The deterministic processor also provides an intelligent interface to the non-deterministic processor, which receives alerts only from the deterministic processor, and enforces time-critical delivery of responses.
US 2015/0057869 discloses apparatuses, methods and a storage medium associated with computerized assist or autonomous driving of vehicles. A computing device may receive a plurality of data associated with vehicles driving at various locations within a locality; and based thereon, generate one or more locality specific policies for computerized assisted or autonomous driving of vehicles at the locality.
Thus, there are known examples of solutions for controlling motor vehicles to drive autonomously in agreement with specific rules and policies while handling complex and unpredictable traffic situations.
Naturally, the safety regulations for autonomously driven motor vehicles are very rigorous. For example, the software that implements the autonomous driving functionality must undergo extensive testing before being authorized. Consequently, it is costly and very time-consuming to integrate any kind of new and/or updated functionality in an autonomously driven motor vehicle.
SUMMARY
One object of the present invention is therefore to facilitate updating of existing functions in an autonomous driving system. It is also an object of the invention to simplify the process of adding new functions to such a system.
According to one aspect of the invention, these objects are achieved by a system for controlling a motor vehicle to drive autonomously, where the system contains: a bank of control units, a watch unit, a data storage and a first data-interface unit. The bank of control units contains a number of auto control units (i.e. one or more) configured to produce nominal control signals adapted to cause the motor vehicle to move autonomously in agreement with a nominal path. The data storage contains a set of boundary conditions that the nominal path shall satisfy in order to be considered safe. The watch unit is configured to receive sensor signals from the motor vehicle, which sensor signals describe a current status of the motor vehicle. Based on the sensor signals, the watch unit is configured to generate commands that influence how the bank of control units produces the nominal control signals. More precisely, the watch unit is configured to generate the commands repeatedly to update the boundary conditions aiming at confining the nominal path within limits that are given by the sensor signals and the at least one safety policy. The first data-interface unit is configured to provide at least one safety policy describing a respective mission-related rule to be followed during operation of the motor vehicle. Specifically, the first data-interface unit is configured to provide the at least one safety policy based on a safety case stipulating how the motor vehicle shall be controlled to meet a functional safety standard. The bank of control units is configured to read out the set of boundary conditions from the data storage, and control the motor vehicle to move in such a manner that the nominal path satisfies the boundary conditions.
This system is advantageous because the proposed linking between safety policies and the safety case renders it possible to define substantial safety-critical parts of the design via the safety policies. Thus, functionality can be added and/or updated without requiring requalification of the auto control units as such. Of course, this is beneficial both with respect to costs and efforts.
According to embodiments of this aspect of the invention, the safety case stipulates a set of operation modes, in each of which the motor vehicle shall be controlled to operate depending on a current fault status of the motor vehicle. For example, the set of operation modes may include: a first operation mode in which the motor vehicle shall be controlled to operate if the current fault status is such that the motor vehicle’s capability is unimpeded; a second operation mode in which the motor vehicle shall be controlled to operate if the current fault status is such that the motor vehicle’s capability is limited; a third operation mode in which the motor vehicle shall be controlled to operate if the current fault status is such that the motor vehicle must be brought to a minimal-risk condition; and/or a fourth operation mode representing the minimal-risk condition. Thus, safe operation of the motor vehicle can be guaranteed based on clear and concise principles.
According to another embodiment of this aspect of the invention, the at least one safety policy relates to: a minimum distance that the motor vehicle shall keep to a followed vehicle, a speed limit that the motor vehicle shall keep, definitions of safe stop locations that the motor vehicle shall be capable of reaching in case of a fault in the motor vehicle (e.g. a number of safe stops that shall always be reachable and respective qualities thereof), and a set of actions to be taken in case one or more of a predefined set of faults occurs in the motor vehicle. This renders the design highly efficient, especially in terms of future updates and developments.
According to other embodiments of this aspect of the invention, the watch unit contains a system-health-supervision unit and a safety unit. The system-health-supervision unit is configured to receive the sensor signals, and based thereon derive vehicle-health data representing a functional status of the motor vehicle. The safety unit is configured to receive the vehicle-health data and the at least one safety policy, and based thereon generate the commands to the data storage.
Additionally, the watch unit may include a second data-interface unit configured to receive and store at least one regulatory requirement that shall be followed during operation of the motor vehicle. Here, the safety unit is configured to receive the at least one regulatory requirement and generate the commands on the further basis of the at least one regulatory requirement to the safety unit. This means that it becomes straightforward to ensure that the design fulfills various regulatory requirements, e.g. following specific traffic rules.
Moreover, the watch unit may contain a risk-assessment unit configured to dynamically assess a respective estimated risk that the motor vehicle collides with each of any other road user and/or obstacle located in proximity to the motor vehicle, which respective estimated risk is expressed by at least one signal. Here, the safety unit is configured to receive the at least one signal and generate the commands on the further basis of the at least one signal. As a result, collision avoidance functionality is resourcefully implemented.
According to yet another embodiment of this aspect of the invention, the risk-assessment unit is further configured to monitor an environment around the motor vehicle to determine if the motor vehicle is currently operating within a range of parameters under which it is designed to operate. Here, the at least one signal further reflects whether or not the motor vehicle is currently operating within said range of parameters. Thus, if the motor vehicle is found to be outside said range, adequate actions can be taken immediately.
According to still another embodiment of this aspect of the invention, the risk-assessment unit is further configured to determine an estimated risk that the motor vehicle and/or any other road user in proximity thereto violates a traffic rule. Here, the at least one signal further reflects said estimated risk. Thereby, the vehicle control implemented by the auto control units can be effected such that the overall risk of violations of the traffic regulations is reduced.
According to one embodiment of this aspect of the invention, the safety unit is further configured to determine if at least one received safety-related parameter describes at least one condition under which the motor vehicle is currently operated, which at least one condition is such that a risk that the motor vehicle cannot move autonomously in agreement with the nominal path exceeds a failure-risk threshold. If the failure-risk threshold is exceeded, the safety unit is configured to produce safety control signals adapted to cause the motor vehicle to move autonomously in agreement with a safe path. The safe path takes precedence over the nominal path represented by the nominal control signals. In other words, if the safety control signals are present, the motor vehicle is configured to ignore any received nominal control signals. Consequently, even in emergency situations, a safe vehicle handling is ensured.
Alternatively, or in addition thereto, the safety unit may be configured to generate a control signal indicating whether or not the failure-risk threshold is exceeded. Furthermore, the system includes a control switch arranged in communicative connection with the bank of control units. The control switch is arranged in communicative connection with the bank of control units and the safety unit, and the control switch is configured to: receive the control signal; receive the nominal control signals and any safety control signals respectively; and in response to the control signal, forward either the nominal control signals or the safety control signals to the motor vehicle. In such a case, the motor vehicle itself does not need to take any measures to ensure that the safe path takes precedence over the nominal path.
According to further embodiments of this aspect of the invention, either each of the auto control units is individually configured to generate a set of the nominal control signals adapted to cause the motor vehicle to move autonomously in agreement with a respective nominal path; or two or more of the auto control units are configured to generate a conjoint set of the nominal control signals adapted to cause the motor vehicle to move autonomously in agreement with the nominal path. This provides a high degree of freedom as how to implement the system.
According to yet another embodiment of this aspect of the invention, the system includes a platform interface configured to receive the sensor signals from the motor vehicle, and send out the nominal control signals to the motor vehicle. Hence, the communication between the system and the motor vehicle can be made efficient and flexible.
According to another aspect of the invention, the above objects are achieved by a method of controlling a motor vehicle to drive autonomously. The method involves producing nominal control signals via a bank of control units containing a number of auto control units. The nominal control signals are adapted to cause the motor vehicle to move autonomously in agreement with a nominal path. The method also involves receiving sensor signals from the motor vehicle in a watch unit. The sensor signals describe a current status of the motor vehicle. Additionally, the method involves: storing, in a data storage, a set of boundary conditions that the nominal path shall satisfy in order to be considered safe; and providing, via a first data-interface unit, at least one safety policy describing a respective mission-related rule to be followed during operation of the motor vehicle. The at least one safety policy is provided based on a safety case stipulating how the motor vehicle shall be controlled to meet a functional safety standard. The method further involves generating commands in the watch unit based on the sensor signals, which commands influence how the bank of control units produces the nominal control signals. Specifically, the commands are generated repeatedly by the watch unit to update the boundary conditions aiming at confining the nominal path within limits that are given by the sensor signals and the at least one safety policy. Moreover, the method involves: reading out the set of boundary conditions from the data storage into the bank of control units; and controlling the motor vehicle to move in such a manner that the nominal path satisfies the boundary conditions. The advantages of this method, as well as the preferred embodiments thereof, are apparent from the discussion above with reference to the proposed system.
According to a further aspect of the invention the objects are achieved by a computer program containing instructions which, when executed on at least one processor, cause the at least one processor to carry out the above-described method.
According to another aspect of the invention the objects are achieved by a non-volatile data carrier containing such a computer program.
Further advantages, beneficial features and applications of the present invention will be apparent from the following description and the dependent claims.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention is now to be explained more closely by means of preferred embodiments, which are disclosed as examples, and with reference to the attached drawings.
Figure 1 schematically depicts a system according to embodiments of the invention;
Figure 2 schematically shows a system according to other embodiments of the invention; and
Figure 3 illustrates, by means of a flow diagram, the general method according to the invention.
DETAILED DESCRIPTION
Referring to Figure 1, we will describe a system according to one embodiment of the invention for controlling a motor vehicle MV to drive autonomously. The system includes a bank of control units 110, a watch unit 160, a data storage 140 and a first data-interface unit 163.
The bank of control units 110 containing one or more auto control units ACU1, ..., ACUn is configured to produce nominal control signals NCS, which are adapted to cause the motor vehicle MV to move autonomously in agreement with a nominal path. Either each of the auto control units ACU1, ..., ACUn is configured to generate a set of the nominal control signals NCS, which set of the nominal control signals NCS is adapted to cause the motor vehicle MV to move autonomously in agreement with a respective nominal path; or two or more of the auto control units ACU1, ..., ACUn are configured to generate a conjoint set of the nominal control signals NCS, which conjoint set of the nominal control signals NCS is adapted to cause the motor vehicle MV to move autonomously in agreement with the nominal path. For instance, one auto control unit may be adapted to control the motor vehicle MV in a longitudinal direction, while another auto control unit is adapted to control the motor vehicle MV in a transverse direction. Alternatively, a first auto control unit ACU1 may implement a highway pilot, a second auto control unit may implement a traffic jam pilot, a third auto control unit may implement a platooning pilot, and so on, up to an n:th auto control unit ACUn that may for example be configured to operate the motor vehicle MV in a mining environment. Although, of course, the auto control units ACU1, ..., ACUn may be implemented in hardware, it is advantageous if they are realized in software. In such a case, there may either be a specific software module for each auto control unit in the bank of control units 110, or the entire bank of control units 110 may be represented by a common piece of software.
In any case, the bank of control units 110 is configured to read out a set of boundary conditions {bc} from the data storage 140, and control the motor vehicle MV to move in such a manner that the nominal path satisfies the boundary conditions {bc}.
The data storage 140 contains the set of boundary conditions {bc} to be satisfied by the nominal path in order to be considered safe.
The first data-interface unit 163 is configured to provide at least one safety policy P that describes a respective mission-related rule to be followed during operation of the motor vehicle MV. Specifically, the at least one safety policy P provided by the first data-interface unit 163 is based on a safety case SC stipulating how the motor vehicle MV shall be controlled to meet a functional safety standard, for example ISO 26262. Such a linking between the safety policies P and the safety case SC renders it possible to define substantial safety-critical parts of the design via the safety policies P. Consequently, functionality can be added to the system and/or the system can be updated without requalifying the auto control units ACU1, ..., ACUn as such in terms of safety compliance.
The safety policies P of the first data-interface unit 163 may relate to: a minimum distance that the motor vehicle MV shall keep to a followed vehicle (e.g. during platooning); a speed limit that the motor vehicle MV shall keep; a set of actions to be taken in case one or more of a predefined set of faults occurs in the motor vehicle MV; and/or definitions of safe stop locations that the motor vehicle MV shall be capable of reaching in case of a fault in the motor vehicle MV. The safe stops, in turn, may be further defined in terms of quantities and qualities, such as a minimum number of safe stop locations that shall be reachable by the motor vehicle MV at all times, and where the safe stops shall be located relative to the current location of the motor vehicle. For example, 1 to 20 safe stop locations may be required: a first subset thereof may be located in the same lane, a second subset thereof may be located in a rightmost lane, a third subset thereof may be located on a hard shoulder of the road, and a fourth subset thereof may be located in a parking spot on a highway. A fifth subset thereof may be represented by a predefined at an n:th exit from the highway, a sixth subset thereof may be located at an identified workshop, and a seventh subset thereof may be a final goal of a route being followed. Maximum and/or minimum times to reach a safe stop location may also be defined by the safety policy P. Apparently, considering other road users, a shortest possible time to the safety stop location is not always ideal. Typically, a strategy balancing the safety interests of multiple road users is optimal.
The watch unit 160 is configured to receive sensor signals SS from the motor vehicle MV. The sensor signals SS describe a current status of the motor vehicle MV. The sensor signals SS may be received from the motor vehicle MV via a platform interface 130. Preferably such a platform interface 130 is bi-directional, and is thus also configured to send out the nominal control signals NCS to the motor vehicle MV. Nevertheless, according to the invention, even if the platform interface 130 is included in the design, one or more of the sensor signals SS may be received through alternative channels and/or one or more of the nominal control signals NCS may be fed to the motor vehicle MV in other ways than via the platform interface 130.
The watch unit 160 is configured to generate commands {cmd} based on the sensor signals SS, which commands {cmd} influence how the bank of control units 110 produces the nominal control signals NCS. More precisely, the watch unit 160 is configured to generate the commands {cmd} repeatedly to update the boundary conditions {bc} aiming at confining the nominal path within limits that are given by the sensor signals SS and the at least one safety policy P.
According to one embodiment of the invention, the safety case SC also stipulates a set of operation modes in which the motor vehicle MV shall be controlled to operate depending on a current fault status of the motor vehicle MV.
For example, the set of operation modes may include first, second, third and fourth operation modes. Here, the motor vehicle MV may be controlled to operate in the first operation mode if a current fault status of the motor vehicle MV is such that the capability of the motor vehicle MV is unimpeded. Minor faults may be present; however, none of these impedes the capability of the motor vehicle MV. If the current fault status is such that the capability of the motor vehicle MV is limited, but not critically, the motor vehicle MV may be controlled to operate in the second operation mode. If, instead, the current fault status is such that the motor vehicle MV must be brought to a minimal-risk condition (say a stand-still), the motor vehicle MV may be controlled to operate in the third operation mode. The fourth operation mode may represent the minimal-risk condition, in which for example the motor vehicle MV should not be driven at all.
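An added illustration (not code from the patent or its applicant) of one cycle of the loop described above, together with the control switch from the summary: the safety unit maps vehicle-health data H to an operation mode, writes {cmd} into the data storage as {bc}, an auto control unit plans within {bc}, and the switch gives safety control signals precedence. The fault-level encoding, all numeric policy values, the threshold scale, the zero-speed stand-in for the safe path and the stale-{bc} check are assumptions made for this sketch.

```python
from dataclasses import dataclass
from enum import IntEnum


class Mode(IntEnum):
    UNIMPEDED = 1    # first operation mode: capability unimpeded
    LIMITED = 2      # second operation mode: capability limited
    TO_MIN_RISK = 3  # third operation mode: bring vehicle to minimal-risk condition
    MIN_RISK = 4     # fourth operation mode: the minimal-risk condition itself


@dataclass(frozen=True)
class Health:
    """Vehicle-health data H derived from sensor signals SS (encoding assumed)."""
    fault_level: int   # 0 = none/minor, 1 = limiting, 2 = critical
    speed_mps: float


# Safety policy P: per-mode speed limit and minimum distance to a followed
# vehicle. Every number here is a constructed sample value.
POLICY = {
    Mode.UNIMPEDED:   {"max_speed_mps": 25.0, "min_gap_m": 30.0},
    Mode.LIMITED:     {"max_speed_mps": 15.0, "min_gap_m": 50.0},
    Mode.TO_MIN_RISK: {"max_speed_mps": 5.0,  "min_gap_m": 80.0},
    Mode.MIN_RISK:    {"max_speed_mps": 0.0,  "min_gap_m": 80.0},
}
FAILURE_RISK_THRESHOLD = 0.5  # assumed 0..1 scale
MAX_BC_AGE_CYCLES = 1         # assumed freshness bound for {bc}


class DataStorage:
    """Holds the boundary conditions {bc}; only known keys are accepted."""
    def __init__(self):
        self.bc = {}
        self.cycle = -1

    def apply(self, commands, cycle):
        for key, value in commands:
            if key not in ("max_speed_mps", "min_gap_m"):
                raise ValueError(f"unknown boundary condition: {key}")
            self.bc[key] = value
        self.cycle = cycle


def select_mode(h: Health) -> Mode:
    if h.fault_level >= 2:
        return Mode.MIN_RISK if h.speed_mps == 0.0 else Mode.TO_MIN_RISK
    return Mode.LIMITED if h.fault_level == 1 else Mode.UNIMPEDED


def safety_unit(h: Health, failure_risk: float):
    """Return ({cmd}, safety control signal or None)."""
    commands = list(POLICY[select_mode(h)].items())
    safety = None
    if failure_risk > FAILURE_RISK_THRESHOLD:
        # Stand-in for a safe path: request a stop.
        safety = {"source": "safety", "target_speed_mps": 0.0}
    return commands, safety


def auto_control_unit(storage, now_cycle, desired_mps, gap_m, lead_mps):
    """Plan a nominal speed that satisfies {bc}; stop if {bc} is missing or stale."""
    if not storage.bc or now_cycle - storage.cycle > MAX_BC_AGE_CYCLES:
        target = 0.0
    else:
        target = min(desired_mps, storage.bc["max_speed_mps"])
        if gap_m < storage.bc["min_gap_m"]:
            # Drive slower than the followed vehicle so the gap reopens.
            target = max(0.0, min(target, lead_mps - 1.0))
    return {"source": "nominal", "target_speed_mps": target}


def control_switch(nominal, safety):
    """Safety control signals, when present, take precedence over nominal ones."""
    return safety if safety is not None else nominal


def run_cycle(storage, cycle, health, failure_risk, desired_mps, gap_m, lead_mps):
    commands, safety = safety_unit(health, failure_risk)
    storage.apply(commands, cycle)
    nominal = auto_control_unit(storage, cycle, desired_mps, gap_m, lead_mps)
    return control_switch(nominal, safety)
```

Because the limits live in `POLICY` and `DataStorage` rather than in `auto_control_unit`, changing a limit does not touch the planner, which is the separation the description attributes to linking the safety policies P to the safety case SC.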
Figure 2 schematically shows a system according to other embodiments of the invention. Here, all units, signals, commands and parameters that are also represented in Figure 1 denote the same units, signals, commands and parameters as described above with reference to Figure 1.
According to one of the embodiments of the invention exemplified in Figure 2, the watch unit 160 contains a system-health-supervision unit 150 and a safety unit 120. The system-health-supervision unit 150 is configured to receive the sensor signals SS, and based thereon derive vehicle-health data H representing a functional status of the motor vehicle MV. The safety unit 120 is configured to receive the vehicle-health data H and the at least one safety policy P; and based thereon generate the commands {cmd} to the data storage 140.
According to another embodiment of the invention, the watch unit 160 further contains a second data-interface unit 165, which is configured to receive and store at least one regulatory requirement R that shall be followed during operation of the motor vehicle MV. Here, the safety unit 120 is configured to receive the at least one regulatory requirement R and generate the commands {cmd} on the further basis of the at least one regulatory requirement R to the safety unit 120. Market-specific regulations enumerated at mission start time, for example relating to traffic rules (e.g. right/left hand traffic, local road laws and various street signs), are examples of the regulatory requirement R.
Analogous to the first data-interface unit 163, the second data-interface unit 165 is communicatively connected to the safety unit 120 so as to provide the at least one regulatory requirement R to the safety unit 120, and thus enable the safety unit 120 to generate the at least one command {cmd} based on the at least one regulatory requirement R.
According to one embodiment of the invention, the watch unit 160 contains a risk-assessment unit 167, which is configured to dynamically assess a respective estimated risk that the motor vehicle MV collides with each of any other road user and/or obstacle located in proximity to the motor vehicle MV. The respective estimated risk may be expressed by at least one signal Sj. Here, the safety unit 120 is configured to receive the at least one signal Sj, and generate the commands {cmd} on the further basis of the at least one signal Sj. The assessment may involve lane-markings monitoring, and if no sufficiently clearly detectable lane markings can be found, the at least one signal Sj reflects this in the form of an estimated risk of traffic-rule violation.
The risk-assessment unit 167 may be further configured to monitor an environment around the motor vehicle MV to determine if the motor vehicle MV is currently operating within a range of parameters under which it is designed to operate. Here, the at least one signal Sj also reflects whether or not the motor vehicle MV is currently operating within said range of parameters.
According to one embodiment of the invention, the safety unit 120 is further configured to determine if the set of safety-related parameters P, R, Sj and H describes one or more conditions under which the motor vehicle MV is currently operated, which condition(s) is(are) such that a risk that the motor vehicle MV cannot move autonomously in agreement with the nominal path exceeds a failure-risk threshold.
If this failure-risk threshold is exceeded, the safety unit 120 is configured to generate safety control signals SCS adapted to cause the motor vehicle MV to move autonomously in agreement with a safe path. The safe path constitutes an alternative to the nominal path, and the safe path shall be followed instead of the nominal path calculated by the bank of control units 110. In other words, the safe path takes precedence over the nominal path represented by the nominal control signals NCS.
In one embodiment shown in Figure 1, the motor vehicle MV itself effects said precedence by being configured to ignore any received nominal control signals NCS if the safety control signals SCS are received, for example via the platform interface 130 as illustrated in Figure 1. Consequently, even in emergency situations, a safe vehicle handling is ensured.
Figure 2 schematically shows a system according to another embodiment of the invention. Here, all units, signals, commands and parameters that are also represented in Figure 1 denote the same units, signals, commands and parameters as described above with reference to Figure 1.
In the system exemplified in Figure 2, the safety unit 120 is configured to generate a control signal Ctrl that indicates whether or not the failure-risk threshold is exceeded.
The system also includes a control switch 210, which is arranged in communicative connection with the bank of control units 110 and the safety unit 120. The control switch 210 is configured to: receive the control signal Ctrl; receive the nominal control signals NCS and any safety control signals SCS respectively.
The control switch 210 is configured to forward either the nominal control signals NCS or the safety control signals SCS to the motor vehicle MV. Specifically, if the safety unit 120 generates the safety control signals SCS, the safety unit 120 also generates the control signal Ctrl in such a manner that upon receipt thereof in the control switch 210, the control switch 210 prevents the nominal control signals NCS from being forwarded to the motor vehicle MV. Instead, the control signal Ctrl forwards the safety control signals SCS to the motor vehicle MV. This mitigates the requirements of the motor vehicle MV in terms of not being required to select between nominal control signals NCS and the safety control signals SCS; and analogous to the above, a safe handling of the motor vehicle MV is ensured even in emergency situations.
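The arbitration described above, sketched in C as an added example (not code from the patent or from the applicant). The fault encoding, the risk model, the threshold value, the signal frame and the straight-line-braking safe path are all assumptions made for illustration; only the unit names, the four operation modes and the rule that NCS is never forwarded once Ctrl is asserted come from the text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Operation modes stipulated by the safety case SC (first to fourth). */
typedef enum { MODE_FIRST = 1, MODE_SECOND, MODE_THIRD, MODE_FOURTH } op_mode_t;

/* Assumed encoding of the fault status carried by the health data H. */
typedef enum { FAULT_NONE_OR_MINOR, FAULT_LIMITING, FAULT_CRITICAL } fault_t;

/* Assumed control-signal frame; valid == false means "no frame present". */
typedef struct { bool valid; double steer_rad; double accel_mps2; } signals_t;

/* Inputs of safety unit 120, reduced to what this sketch needs. */
typedef struct {
    fault_t fault;           /* from H */
    double  collision_risk;  /* from Sj, in 0..1 */
    bool    in_design_range; /* from Sj: within the designed parameter range */
    bool    at_standstill;   /* from H */
} safety_inputs_t;

typedef struct { op_mode_t mode; bool ctrl; signals_t scs; } safety_out_t;

#define FAILURE_RISK_THRESHOLD 0.5 /* assumed value */

/* Assumed risk model: the worst single contributor decides. */
static double failure_risk(const safety_inputs_t *in)
{
    double r = in->collision_risk;
    if (in->fault == FAULT_LIMITING && r < 0.3)
        r = 0.3;
    if (in->fault == FAULT_CRITICAL || !in->in_design_range)
        r = 1.0;
    return r;
}

/* Safety unit 120: picks the operation mode, sets Ctrl, and produces SCS
 * only when the failure-risk threshold is exceeded. */
safety_out_t safety_unit(const safety_inputs_t *in)
{
    safety_out_t out = { MODE_FIRST, false, { false, 0.0, 0.0 } };

    if (in->fault == FAULT_LIMITING)
        out.mode = MODE_SECOND;
    else if (in->fault == FAULT_CRITICAL)
        out.mode = in->at_standstill ? MODE_FOURTH : MODE_THIRD;

    out.ctrl = failure_risk(in) > FAILURE_RISK_THRESHOLD;
    if (out.ctrl) {
        /* Placeholder safe path (assumed): brake in a straight line,
         * then hold still once stopped. */
        out.scs.valid = true;
        out.scs.accel_mps2 = in->at_standstill ? 0.0 : -3.0;
    }
    return out;
}

/* Control switch 210: forwards SCS when Ctrl is asserted, NCS otherwise.
 * With Ctrl asserted, NCS is never forwarded, even if no valid SCS frame
 * is present; in that case nothing is forwarded and false is returned. */
bool control_switch(bool ctrl, const signals_t *ncs, const signals_t *scs,
                    signals_t *to_mv)
{
    const signals_t *sel = ctrl ? scs : ncs;
    if (sel == NULL || !sel->valid)
        return false;
    *to_mv = *sel;
    return true;
}

/* One pass: the safety unit decides, the switch arbitrates. The returned
 * frame has valid == false when nothing reached the motor vehicle. */
signals_t arbitrate(const safety_inputs_t *in, const signals_t *ncs)
{
    safety_out_t so = safety_unit(in);
    signals_t to_mv = { false, 0.0, 0.0 };
    (void)control_switch(so.ctrl, ncs, &so.scs, &to_mv);
    return to_mv;
}

int main(void)
{
    /* Constructed inputs. */
    signals_t ncs = { true, 0.05, 1.0 };
    safety_inputs_t healthy  = { FAULT_NONE_OR_MINOR, 0.1, true, false };
    safety_inputs_t critical = { FAULT_CRITICAL, 0.1, true, false };

    printf("healthy:  accel %.1f\n", arbitrate(&healthy, &ncs).accel_mps2);
    printf("critical: accel %.1f\n", arbitrate(&critical, &ncs).accel_mps2);
    return 0;
}
```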
Analogous to the auto control units ACU1, ..., ACUn, the safety unit 120, the system-health-supervision unit 150, the first data interface 163, the second data interface 165, the risk-assessment unit 167 and/or the control switch 210 may be implemented partly or entirely in software. Such software, in turn, may be installed to run on one or more processors. Further, a common piece of software may implement two or more of said units and interfaces.
For example, the safety unit 120 may contain a processing unit with processing means including at least one processor, such as one or more general purpose processors. Further, this processing unit is preferably communicatively connected to a data carrier 125 in the form of a computer-readable storage medium, such as a Random Access Memory (RAM), a Flash memory, or the like. The data carrier 125 contains computer-executable instructions, i.e. a computer program 127, for causing the processing unit and the other units of the system to perform in accordance with the embodiments of the invention as described herein, when the computer-executable instructions are executed on the at least one processor of the processing unit.
In order to sum up, and with reference to the flow diagram in Figure 3, we will now describe the general method according to the invention for controlling a motor vehicle to drive autonomously.
In a first step 310, sensor signals are received from the motor vehicle. The sensor signals describe a current status of the motor vehicle. Then, in a step 320, a set of boundary conditions are read out from a data storage. In a subsequent step 330, at least one command is generated based on the sensor signals.
In a step 340 following step 330, nominal control signals are produced under influence of the at least one command. The nominal control signals are adapted to cause the motor vehicle to move autonomously in agreement with a nominal path that satisfies the set of boundary conditions, and thus is considered to be safe. Thereafter, in a step 350, the nominal control signals are sent out to the motor vehicle for controlling the motor vehicle to move in agreement with the nominal path.
In a step 360 thereafter, the boundary conditions are updated aiming at confining the nominal path within limits that are given by the sensor signals and at least one safety policy. The at least one safety policy describes a respective mission-related rule to be followed during operation of the motor vehicle. The at least one safety policy, in turn, is provided based on a safety case that stipulates how the motor vehicle shall be controlled to meet a functional safety standard.
In a step 370, the updated set of boundary conditions is stored in the data storage, and thereafter the procedure loops back to step 310.
Naturally, although the method according to the invention is performed in a general sequential order as shown in Figure 3, it should be pointed out that a subsequent step of the procedure may be initiated before a preceding step has ended. In fact, basically all steps are active all the time. For example, sensor signals are preferably received in step 310 with respect to a particular time interval while the boundary conditions are updated in step 360 in relation to a set of safety-related parameters referring to a time interval preceding said particular time interval, and so on.
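The loop of steps 310 to 370, written out in C as an added example (not code from the patent). The boundary-condition fields, the sensor fields, the brake-capability scaling and the constructed trace are assumptions; the sketch also assumes that a command reaches the control units only through the stored {bc}, so a tightened limit constrains the nominal control signals one pass after the sensor reading that caused it.

```c
#include <stdio.h>

/* Boundary conditions {bc} kept in the data storage (assumed fields). */
typedef struct { double max_speed_mps; double min_gap_m; } bc_t;

/* Safety policy P: a speed limit and a minimum distance to a followed
 * vehicle, two of the policy kinds the claims list. */
typedef struct { double speed_limit_mps; double min_gap_m; } policy_t;

/* Sensor signals SS (assumed fields); brake_capability is 0..1. */
typedef struct { double speed_mps; double gap_m; double brake_capability; } sensors_t;

static double min_d(double a, double b) { return a < b ? a : b; }

/* Steps 330 and 360: the watch unit turns SS and P into a command, here
 * the next {bc}. Assumed rule: the limits never get looser than P and
 * tighten linearly as brake capability drops. */
bc_t watch_unit_command(const sensors_t *ss, const policy_t *p)
{
    double cap = ss->brake_capability;
    bc_t next;

    if (cap < 0.0) cap = 0.0;   /* clamp implausible sensor values */
    if (cap > 1.0) cap = 1.0;
    next.max_speed_mps = p->speed_limit_mps * cap;
    next.min_gap_m = p->min_gap_m * (2.0 - cap);
    return next;
}

/* Steps 320 and 340: the control units produce a nominal control signal
 * (reduced to a target speed) that satisfies the {bc} they read out. */
double acu_nominal_speed(const bc_t *bc, const sensors_t *ss, double desired_mps)
{
    double target = min_d(desired_mps, bc->max_speed_mps);

    /* Too close to the followed vehicle: slow down in proportion. */
    if (bc->min_gap_m > 0.0 && ss->gap_m < bc->min_gap_m)
        target = min_d(target, ss->speed_mps * ss->gap_m / bc->min_gap_m);
    return target < 0.0 ? 0.0 : target;
}

/* One pass through the flow diagram. ss is the result of step 310. */
double run_cycle(bc_t *storage, const sensors_t *ss, const policy_t *p,
                 double desired_mps)
{
    bc_t bc = *storage;                                   /* step 320 */
    bc_t cmd = watch_unit_command(ss, p);                 /* step 330 */
    double ncs = acu_nominal_speed(&bc, ss, desired_mps); /* step 340 */
    /* step 350: ncs would be sent out to the motor vehicle here */
    *storage = cmd;                                       /* steps 360, 370 */
    return ncs;
}

/* Constructed trace: brake capability halves in pass 1, and the gap to
 * the followed vehicle closes in pass 3. */
static const sensors_t TRACE[] = {
    { 18.0, 60.0, 1.0 },
    { 20.0, 60.0, 0.5 },
    { 20.0, 60.0, 0.5 },
    { 10.0, 36.0, 0.5 },
};
#define TRACE_LEN 4

/* Replays the trace from a fresh store and returns the NCS of `pass`. */
double ncs_at_pass(int pass)
{
    const policy_t p = { 20.0, 30.0 };
    bc_t storage = { 20.0, 30.0 };   /* initial {bc} taken from P */
    double ncs = 0.0;

    for (int i = 0; i <= pass && i < TRACE_LEN; i++)
        ncs = run_cycle(&storage, &TRACE[i], &p, 25.0);
    return ncs;
}

int main(void)
{
    for (int i = 0; i < TRACE_LEN; i++)
        printf("pass %d: nominal target speed %.1f m/s\n", i, ncs_at_pass(i));
    return 0;
}
```

In the constructed trace the brake capability drops in pass 1, but the nominal target speed only falls in pass 2, once the control units read the updated {bc} back from the store.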
All of the process steps, as well as any sub-sequence of steps, described with reference to Figure 3 above may be controlled by means of at least one programmed processor. Moreover, although the embodiments of the invention described above with reference to the drawings comprise processor and processes performed in at least one processor, the invention thus also extends to computer programs, particularly computer programs on or in a carrier, adapted for putting the invention into practice. The program may be in the form of source code, object code, a code intermediate source and object code such as in partially compiled form, or in any other form suitable for use in the implementation of the process according to the invention. The program may either be a part of an operating system, or be a separate application. The carrier may be any entity or device capable of carrying the program. For example, the carrier may comprise a storage medium, such as a Flash memory, a ROM (Read Only Memory), for example a DVD (Digital Video/Versatile Disk), a CD (Compact Disc) or a semiconductor ROM, an EPROM (Erasable Programmable Read-Only Memory), an EEPROM (Electrically Erasable Programmable Read-Only Memory), or a magnetic recording medium, for example a floppy disc or hard disc. Further, the carrier may be a transmissible carrier such as an electrical or optical signal which may be conveyed via electrical or optical cable or by radio or by other means. When the program is embodied in a signal which may be conveyed directly by a cable or other device or means, the carrier may be constituted by such cable or device or means. Alternatively, the carrier may be an integrated circuit in which the program is embedded, the integrated circuit being adapted for performing, or for use in the performance of, the relevant processes.
The term "comprises/comprising" when used in this specification is taken to specify the presence of stated features, integers, steps or components. However, the term does not preclude the presence or addition of one or more additional features, integers, steps or components or groups thereof.
The invention is not restricted to the described embodiments in the figures, but may be varied freely within the scope of the claims.

Claims (26)

1. A system for controlling a motor vehicle (MV) to drive autonomously, the system comprising: a bank of control units (110) containing a number of auto control units (ACU1, ..., ACUn) configured to produce nominal control signals (NCS) adapted to cause the motor vehicle (MV) to move autonomously in agreement with a nominal path; and a watch unit (160) configured to receive, from the motor vehicle (MV), sensor signals (SS) describing a current status of the motor vehicle (MV), and based on the sensor signals (SS), generate commands ({cmd}) influencing how the bank of control units (110) produces the nominal control signals (NCS), characterized in that the system further comprises: a data storage (140) containing a set of boundary conditions ({bc}) that the nominal path shall satisfy in order to be considered safe; and a first data-interface unit (163) configured to provide at least one safety policy (P) describing a respective mission-related rule to be followed during operation of the motor vehicle (MV), the first data-interface unit (163) being configured to provide the at least one safety policy (P) based on a safety case (SC) stipulating how the motor vehicle (MV) shall be controlled to meet a functional safety standard, the watch unit (160) being configured to generate the commands ({cmd}) repeatedly to update the boundary conditions ({bc}) aiming at confining the nominal path within limits that are given by the sensor signals (SS) and the at least one safety policy (P), and the bank of control units (110) is configured to: read out the set of boundary conditions ({bc}) from the data storage (140), and control the motor vehicle (MV) to move in such a manner that the nominal path satisfies the boundary conditions ({bc}).
2. The system according to claim 1, wherein the safety case (SC) stipulates a set of operation modes each in which the motor vehicle (MV) shall be controlled to operate depending on a current fault status of the motor vehicle (MV).
3. The system according to claim 2, wherein the set of operation modes comprises at least one of: a first operation mode in which the motor vehicle (MV) shall be controlled to operate if the current fault status is such that the motor vehicle’s (MV) capability is unimpeded; a second operation mode in which the motor vehicle (MV) shall be controlled to operate if the current fault status is such that motor vehicle’s (MV) capability is limited; a third operation mode in which the motor vehicle (MV) shall be controlled to operate if the current fault status is such that motor vehicle (MV) must be brought to a minimal-risk condition; and a fourth operation mode representing the minimal-risk condition.
4. The system according to any one of the preceding claims, wherein the at least one safety policy (P) relates to at least one of: a minimum distance that the motor vehicle (MV) shall keep to a followed vehicle, a speed limit that the motor vehicle (MV) shall keep, definitions of safe stop locations that the motor vehicle (MV) shall be capable of reaching in case of a fault in the motor vehicle (MV), and a set of actions to be taken in case one or more of a predefined set of faults occurs in the motor vehicle (MV).
5. The system according to any one of the preceding claims, wherein the watch unit (160) comprises: a system-health-supervision unit (150) configured to receive the sensor signals (SS), and based thereon derive vehicle-health data (H) representing a functional status of the motor vehicle (MV), and a safety unit (120) configured to receive the vehicle-health data (H) and the at least one safety policy (P), and based thereon, generate the commands ({cmd}) to the data storage (140).
6. The system according to claim 5, wherein the watch unit (160) further comprises: a second data-interface unit (165) configured to receive and store at least one regulatory requirement (R) that shall be followed during operation of the motor vehicle (MV), and the safety unit (120) is configured to receive the at least one regulatory requirement (R) and generate the commands ({cmd}) on the further basis of the at least one regulatory requirement (R) to the safety unit (120).
7. The system according to any one of claims 5 or 6, wherein the watch unit (160) further comprises: a risk-assessment unit (167) configured to dynamically assess a respective estimated risk that the motor vehicle (MV) collides with each of any other road user and/or obstacle located in proximity to the motor vehicle (MV), the respective estimated risk being expressed by at least one signal (Sj), and the safety unit (120) is configured to receive the at least one signal (Sj), and generate the commands ({cmd}) on the further basis of the at least one signal (Sj).
8. The system according to claim 7, wherein the risk-assessment unit (167) is further configured to monitor an environment around the motor vehicle (MV) to determine if the motor vehicle (MV) is currently operating within a range of parameters under which it is designed to operate, and the at least one signal (Sj) further reflecting whether or not the motor vehicle (MV) is currently operating within said range of parameters.
9. The system according to any one of claims 7 or 8, wherein the risk-assessment unit (167) is further configured to determine an estimated risk that the motor vehicle (MV) and/or any other road user in proximity thereto violates a traffic rule, and the at least one signal (Sj) further reflecting said estimated risk.
10. The system according to any one of the claims 5 to 9, wherein the safety unit (120) is further configured to: determine if at least one received safety-related parameter (P, R, Sj, H) describes at least one condition under which the motor vehicle (MV) is currently operated, which at least one condition is such that a risk that the motor vehicle (MV) cannot move autonomously in agreement with the nominal path exceeds a failure-risk threshold, and if the failure-risk threshold is exceeded produce safety control signals (SCS) adapted to cause the motor vehicle (MV) to move autonomously in agreement with a safe path, which safe path takes precedence over the nominal path represented by the nominal control signals (NCS).
11. The system according to claim 10, wherein the safety unit (120) is configured to generate a control signal (Ctrl) indicating whether or not the failure-risk threshold is exceeded, and the system further comprises a control switch (210) arranged in communicative connection with the bank of control units (110) and the safety unit (120), and the control switch (210) is configured to: receive the control signal (Ctrl), receive the nominal control signals (NCS) and any safety control signals (SCS) respectively, and in response to the control signal (Ctrl), forward either the nominal control signals (NCS) or the safety control signals (SCS) to the motor vehicle (MV).
12. The system according to any one of the preceding claims, wherein each of the auto control units (ACU1, ..., ACUn) is configured to produce a set of the nominal control signals (NCS), which set of the nominal control signals (NCS) is adapted to cause the motor vehicle (MV) to move autonomously in agreement with a respective nominal path.
13. The system according to any one of claims 1 to 11, wherein two or more of the auto control units (ACU1, ..., ACUn) are configured to produce a conjoint set of the nominal control signals (NCS), which conjoint set of the nominal control signals (NCS) is adapted to cause the motor vehicle (MV) to move autonomously in agreement with the nominal path.
14. The system according to any one of the preceding claims, further comprising a platform interface (130) configured to: receive the sensor signals (SS) from the motor vehicle (MV); and send out the nominal control signals (NCS) to the motor vehicle (MV).
15. A method of controlling a motor vehicle (MV) to drive autonomously, the method comprising: producing, via a bank of control units (110) containing a number of auto control units (ACU1, ..., ACUn), nominal control signals (NCS) adapted to cause the motor vehicle (MV) to move autonomously in agreement with a nominal path; and receiving, in a watch unit (160), sensor signals (SS) from the motor vehicle (MV), the sensor signals (SS) describing a current status of the motor vehicle (MV), and based on the sensor signals (SS), generating, in the watch unit (160), commands ({cmd}) influencing how the bank of control units (110) produces the nominal control signals (NCS), characterized by: storing, in a data storage (140), a set of boundary conditions ({bc}) that the nominal path shall satisfy in order to be considered safe; and providing, via a first data-interface unit (163), at least one safety policy (P) describing a respective mission-related rule to be followed during operation of the motor vehicle (MV), the at least one safety policy (P) being provided based on a safety case (SC) stipulating how the motor vehicle (MV) shall be controlled to meet a functional safety standard, the commands ({cmd}) being generated repeatedly by the watch unit (160) to update the boundary conditions ({bc}) aiming at confining the nominal path within limits that are given by the sensor signals (SS) and the at least one safety policy (P), and the method further comprising: reading out the set of boundary conditions ({bc}) from the data storage (140) into the bank of control units (110), and controlling the motor vehicle (MV) to move in such a manner that the nominal path satisfies the boundary conditions ({bc}).
16. The method according to claim 15, wherein the safety case (SC) stipulates a set of operation modes each in which the motor vehicle (MV) shall be controlled to operate depending on a current fault status of the motor vehicle (MV).
17. The method according to claim 16, wherein the set of operation modes comprises at least one of: a first operation mode in which the motor vehicle (MV) is controlled to operate if the current fault status is such that the motor vehicle’s (MV) capability is unimpeded; a second operation mode in which the motor vehicle (MV) is controlled to operate if the current fault status is such that motor vehicle’s (MV) capability is limited; a third operation mode in which the motor vehicle (MV) is controlled to operate if the current fault status is such that motor vehicle (MV) must be brought to a minimal-risk condition; and a fourth operation mode representing the minimal-risk condition.
18. The method according to any one of the claims 15 to 17, wherein the at least one safety policy (P) relates to at least one of: a minimum distance that the motor vehicle (MV) shall keep to a followed vehicle, a speed limit that the motor vehicle (MV) shall keep, definitions of safe stop locations that the motor vehicle (MV) shall be capable of reaching in case of a fault in the motor vehicle (MV), and a set of actions to be taken in case one or more of a predefined set of faults occurs in the motor vehicle (MV).
19. The method according to any one of the claims 15 to 18, wherein the watch unit (160) comprises a system-health-supervision unit (150) and a safety unit (120), and the method comprises: receiving, in the system-health-supervision unit (150), the sensor signals (SS), and based thereon deriving vehicle-health data (H) representing a functional status of the motor vehicle (MV), and receiving, in the safety unit (120), the vehicle-health data (H) and the at least one safety policy (P), and based thereon, generating the commands ({cmd}) to the data storage (140).
20. The method according to claim 19, wherein the watch unit (160) further comprises a second data-interface unit (165), and the method comprises: receiving and storing, in the second data-interface unit (165), at least one regulatory requirement (R) that shall be followed during operation of the motor vehicle (MV), receiving, in the safety unit (120), the at least one regulatory requirement (R) and on the further basis of the at least one regulatory requirement (R) generating the commands ({cmd}) to the safety unit (120).
21. The method according to any one of claims 19 or 20, wherein the watch unit (160) further comprises a risk-assessment unit (167), and the method comprises: assessing, dynamically, in the risk-assessment unit (167), a respective estimated risk that the motor vehicle (MV) collides with each of any other road user and/or obstacle located in proximity to the motor vehicle (MV), the respective estimated risk being expressed by at least one signal (Sj), receiving, in the safety unit (120), the at least one signal (Sj), and on the further basis of the at least one signal (Sj) generating the commands ({cmd}).
22. The method according to claim 21, further comprising: monitoring, via the risk-assessment unit (167), an environment around the motor vehicle (MV) to determine if the motor vehicle (MV) is currently operating within a range of parameters under which it is designed to operate, and the at least one signal (Sj) further reflects whether or not the motor vehicle (MV) is currently operating within said range of parameters.
23. The method according to any one of claims 21 or 22, further comprising: determining, in the risk-assessment unit (167) an estimated risk that the motor vehicle (MV) and/or any other road user in proximity thereto violates a traffic rule, and the at least one signal (Sj) further reflects said estimated risk.
24. The method according to any one of the claims 19 to 23, further comprising: determining, in the safety unit (120), if at least one received safety-related parameter (P, R, Sj, H) describes at least one condition under which the motor vehicle (MV) is currently operated, which at least one condition is such that a risk that the motor vehicle (MV) cannot move autonomously in agreement with the nominal path exceeds a failure-risk threshold, and if the failure-risk threshold is exceeded generating, in the safety unit (120), safety control signals (SCS) adapted to cause the motor vehicle (MV) to move autonomously in agreement with a safe path, which safe path takes precedence over the nominal path represented by the nominal control signals (NCS).
25. A computer program (127) comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to any one of the claims 15 to 24.
26. A non-volatile data carrier (125) containing the computer program of claim 25.
SE1751581A 2017-12-20 2017-12-20 System and Method for Controlling a Motor Vehicle to Drive Autonomously SE541390C2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
SE1751581A SE541390C2 (en) 2017-12-20 2017-12-20 System and Method for Controlling a Motor Vehicle to Drive Autonomously
DE112018005796.8T DE112018005796B4 (en) 2017-12-20 2018-12-07 System and procedure for controlling a motor vehicle for autonomous driving
PCT/SE2018/051260 WO2019125269A1 (en) 2017-12-20 2018-12-07 System and Method for Controlling a Motor Vehicle to Drive Autonomously

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
SE1751581A SE541390C2 (en) 2017-12-20 2017-12-20 System and Method for Controlling a Motor Vehicle to Drive Autonomously

Publications (2)

Publication Number Publication Date
SE1751581A1 SE1751581A1 (en) 2019-06-21
SE541390C2 SE541390C2 (en) 2019-09-10

Family

ID=66995030

Family Applications (1)

Application Number Title Priority Date Filing Date
SE1751581A SE541390C2 (en) 2017-12-20 2017-12-20 System and Method for Controlling a Motor Vehicle to Drive Autonomously

Country Status (3)

Country Link
DE (1) DE112018005796B4 (en)
SE (1) SE541390C2 (en)
WO (1) WO2019125269A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115884911A (en) * 2021-07-30 2023-03-31 华为技术有限公司 Fault detection method, fault detection device, server and vehicle

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SE400977B (en) * 1973-01-31 1978-04-17 Richter Gedeon Vegyeszet INTERMEDIATE FOR USE IN THE PREPARATION OF 13 BETA-ETHYL-GONANE DERIVATIVES ACCORDING TO ITS PREPARATION
US20070021915A1 (en) * 1997-10-22 2007-01-25 Intelligent Technologies International, Inc. Collision Avoidance Methods and Systems
US20170197626A1 (en) * 2016-01-11 2017-07-13 Ford Global Technologies, Llc Management of autonomous vehicle lanes

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2317412A1 (en) 2009-10-23 2011-05-04 BAE SYSTEMS plc Safety management system
CN103998315B (en) 2012-03-14 2017-02-22 E-Aam 传动系统公司 Multi-level vehicle integrity and quality control mechanism
US9134731B2 (en) 2013-08-22 2015-09-15 Intel Corporation Locality adapted computerized assisted or autonomous driving of vehicles
EP3072023A4 (en) 2013-11-21 2017-08-16 Scania CV AB System configuration and method to make possible the autonomous operation of a vehicle
US9645577B1 (en) 2016-03-23 2017-05-09 nuTonomy Inc. Facilitating vehicle driving and self-driving

Also Published As

Publication number Publication date
DE112018005796T5 (en) 2020-08-13
SE1751581A1 (en) 2019-06-21
WO2019125269A1 (en) 2019-06-27
DE112018005796B4 (en) 2026-02-26
