TWI824778B - System and method with safety of the intended functionality scene collection and self-update mechanism - Google Patents

Publication number: TWI824778B
Application number: TW111139312A
Authority: TW (Taiwan)
Prior art keywords: self, driving, verification, dissociation, scene
Other languages: Chinese (zh)
Other versions: TW202417292A (en)
Inventor: 陳建安, 莊志偉
Original Assignee: 財團法人車輛研究測試中心
Application filed by 財團法人車輛研究測試中心
Priority to TW111139312A
Publication of TWI824778B
Publication of TW202417292A

Abstract

A method with Safety Of The Intended Functionality (SOTIF) scene collection and a self-update mechanism is proposed. The method is applied to a vehicle and includes performing a state judging step, a scene collecting step, a modifying step, a verifying step and an updating step. The state judging step includes configuring an autonomous driving system to judge whether sensing control data generated by a sensor and a controller belongs to one of unexpected intervention data and accident scene data to generate a state judgement result. The scene collecting step includes configuring the autonomous driving system to collect the sensing control data to establish a scene database according to the state judgement result. The modifying step includes configuring the autonomous driving system to modify an algorithm of the sensor and the controller according to the scene database. The verifying step includes configuring one of the autonomous driving system and a cloud platform to perform a parallel operation on the sensor and the controller modified in the modifying step to generate a verification output command and compare the verification output command with a driving intervention control command to generate a comparison result. The updating step includes configuring the one of the autonomous driving system and the cloud platform to update the algorithm of the sensor and the controller according to the comparison result, so that an updated output command generated by the updated algorithm corresponds to the driving intervention control command. Therefore, the method with SOTIF scene collection and self-update mechanism of the present disclosure can take the SOTIF scene into account and has a self-update mechanism.

Description

System and method with Safety Of The Intended Functionality scene collection and self-update mechanism

The present invention relates to a system and method with scene collection and self-update, and in particular to a system and method with Safety Of The Intended Functionality (SOTIF) scene collection and self-update.

Self-driving systems are generally divided into Autonomous Driving Systems (ADS) and Advanced Driver Assistance Systems (ADAS). Conventional self-driving systems have several limitations: they have only an online update mode; their algorithms are based on neural network technology, so inputs outside the learning samples may be misjudged; they take the driver as the monitoring target, which may lead to learning wrong tendencies; and they do not further analyze abnormal phenomena to identify whether the influencing factor is the sensor, the controller or human misoperation. The market therefore lacks a system and method with SOTIF scene collection and self-update that is suitable for self-driving systems, takes interventions and accident scenes into account, and has both offline and online update mechanisms, and practitioners in the field are seeking a solution.

Accordingly, an object of the present invention is to provide a system and method with SOTIF scene collection and self-update. The self-driving system of the vehicle collects the scene at the time of an unexpected intervention (human intervention or system intervention) or at the moment an accident occurs, in order to establish a scene database. The scenes are then compared and tested to distinguish functional safety from Safety Of The Intended Functionality (SOTIF), and suggestions on functional anomaly points are provided together with records of scene, controller and sensor data. A scene verifying step then confirms the sensing signals and the controller response, and finally a system operation confirmation checks the verification comparison result. This increases the reliability and range of application of the system and method and improves marketability. In addition, the present invention addresses the following problems of the conventional technology: multi-layer verification and network training are time-consuming; erroneous learning may be caused by a driver's malicious operation; functional limitations of the sensor cannot be resolved through a learning mechanism; offline updating is not possible; and online learning updates are relatively complex.

According to one embodiment of the method aspect of the present invention, a method with SOTIF scene collection and self-update is provided. The method is applied to a vehicle and includes a state judging step, a scene collecting step, a modifying step, a verifying step and an updating step. The state judging step includes configuring a self-driving system to judge whether sensing control data generated by a sensor and a controller belongs to one of unexpected intervention data and accident scene data, to generate a state judgement result. The scene collecting step includes configuring the self-driving system to collect the sensing control data according to the state judgement result to establish a scene database. The modifying step includes configuring the self-driving system to modify an algorithm of the sensor and the controller according to the scene database. The verifying step includes configuring one of the self-driving system and a cloud platform to perform a parallel operation on the modified sensor and controller to generate a verification output command, and to compare the verification output command with a driving intervention control command to generate a comparison result. The updating step includes configuring that one of the self-driving system and the cloud platform to update the algorithm of the sensor and the controller according to the comparison result, so that an updated output command generated by the updated sensor and controller corresponds to the driving intervention control command. When the state judging step judges that the sensing control data belongs to the accident scene data, the sensing control data collected in the scene collecting step belongs to a Safety Of The Intended Functionality (SOTIF) scene.

Thereby, the method with SOTIF scene collection and self-update of the present invention takes the SOTIF scene of an accident into account and provides offline or online self-update.

Other examples of the foregoing embodiment are as follows. The state judging step includes an accident state judging step, which includes configuring the self-driving system to judge whether the sensing control data belongs to accident actuation information, to generate an accident state judgement result, and to execute one of an accident confirming step and an intervention confirming step according to the accident state judgement result. When the accident state judgement result is yes, the self-driving system executes the accident confirming step; when the accident state judgement result is no, the self-driving system executes the intervention confirming step.

Other examples of the foregoing embodiment are as follows. The accident confirming step includes configuring the self-driving system to confirm whether the sensing control data belongs to the accident scene data, to generate an accident confirmation result; when the accident confirmation result is yes, the self-driving system executes the scene collecting step. The intervention confirming step includes configuring the self-driving system to confirm whether the sensing control data belongs to human intervention data or system intervention data, to generate an intervention confirmation result, and to execute one of a human unexpected intervention judging step and a system unexpected intervention judging step according to the intervention confirmation result. When the intervention confirmation result is that the sensing control data belongs to the human intervention data, the self-driving system executes the human unexpected intervention judging step; when the intervention confirmation result is that the sensing control data belongs to the system intervention data, the self-driving system executes the system unexpected intervention judging step.

Other examples of the foregoing embodiment are as follows. The human unexpected intervention judging step includes configuring the self-driving system to judge whether the sensing control data belongs to human unexpected intervention data, to generate a human unexpected intervention judgement result. The system unexpected intervention judging step includes configuring the self-driving system to judge whether the sensing control data belongs to system unexpected intervention data, to generate a system unexpected intervention judgement result. When one of the human unexpected intervention judgement result and the system unexpected intervention judgement result is yes, the self-driving system executes the scene collecting step.

Other examples of the foregoing embodiment are as follows. The accident actuation information includes at least one of airbag actuation information, acceleration sensor sensing information and sensor failure information. The human intervention data includes at least one of brake actuation information, accelerator (fuel or electric) activation information, steering wheel actuation information and emergency button actuation information. The system intervention data includes at least one of system notification information, system enforcement information and system failure information. The unexpected intervention data includes the human unexpected intervention data and the system unexpected intervention data.

Other examples of the foregoing embodiment are as follows. The accident scene data includes abnormal non-actuation data and false actuation data. The abnormal non-actuation data is data generated when the self-driving system should have actuated but did not. The false actuation data is data generated when the self-driving system should not have actuated but did.

Other examples of the foregoing embodiment are as follows. The verifying step includes configuring that one of the self-driving system and the cloud platform to perform one of an online verification and an offline verification, to generate the verification output command and the comparison result. The online verification includes an online system operation confirming step, which includes configuring that one of the self-driving system and the cloud platform to confirm, according to an online verification comparison result, whether to perform the updating step. The offline verification includes an offline system operation confirming step, which includes configuring the self-driving system to confirm, according to an offline verification comparison result, whether to perform the updating step. The comparison result is one of the online verification comparison result and the offline verification comparison result. The driving intervention control command corresponds to at least one of brake actuation information, accelerator (fuel or electric) activation information, steering wheel actuation information and emergency button actuation information.

Other examples of the foregoing embodiment are as follows. In the verifying step, the cloud platform stores a preset number and another scene database, and that one of the self-driving system and the cloud platform is configured to perform the online verification, which further includes an online modifying step and an online operation step. The online modifying step includes configuring that one of the self-driving system and the cloud platform to modify the algorithm of the sensor and the controller according to the scene database and the other scene database, and then to execute the algorithm to generate the verification output command. The online operation step includes configuring that one of the self-driving system and the cloud platform to perform the parallel operation on the sensor and the controller modified in the online modifying step to generate the online verification comparison result, wherein the parallel operation includes comparing the verification output command with the driving intervention control command.

Other examples of the foregoing embodiment are as follows. When the online verification comparison result of the online system operation confirming step is that the verification output command is the same as the driving intervention control command and the number of consecutive identical results is greater than the preset number, the updating step is performed. When the online verification comparison result is not that the verification output command is the same as the driving intervention control command with the number of consecutive identical results greater than the preset number, the online modifying step, the online operation step and the online system operation confirming step are repeated.

Other examples of the foregoing embodiment are as follows. When the online verification comparison result of the online system operation confirming step is that the verification output command differs from the driving intervention control command and the number of consecutive differing results is greater than the preset number, the online modifying step is repeated and then the updating step is performed. When the online verification comparison result is not that the verification output command differs from the driving intervention control command with the number of consecutive differing results greater than the preset number, the online modifying step, the online operation step and the online system operation confirming step are repeated.

Other examples of the foregoing embodiment are as follows. In the verifying step, the self-driving system stores a preset number and is configured to perform the offline verification, which further includes an offline operation step. The offline operation step includes configuring the self-driving system to execute the algorithm for the sensor and the controller modified in the modifying step to generate the verification output command, and then to perform the parallel operation to generate the offline verification comparison result, wherein the parallel operation includes comparing the verification output command with the driving intervention control command.

Other examples of the foregoing embodiment are as follows. When the offline verification comparison result of the offline system operation confirming step is that the verification output command is the same as the driving intervention control command and the number of consecutive identical results is greater than the preset number, the updating step is performed. When the offline verification comparison result is not that the verification output command is the same as the driving intervention control command with the number of consecutive identical results greater than the preset number, the modifying step and the verifying step are repeated.

Other examples of the foregoing embodiment are as follows. When the offline verification comparison result of the offline system operation confirming step is that the verification output command differs from the driving intervention control command and the number of consecutive differing results is greater than the preset number, the modifying step is repeated and then the updating step is performed. When the offline verification comparison result is not that the verification output command differs from the driving intervention control command with the number of consecutive differing results greater than the preset number, the modifying step and the verifying step are repeated.
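
The following is an added example, not code from the patent: a Python sketch of the offline verification gate in the identical-command case described above, where a modified algorithm is replayed against recorded scenes and released for update only once the run of consecutive matches exceeds the preset number. The toy brake controller, the `obstacle_m` field, the comparison tolerance, resetting the run on a mismatch and the `max_rounds` bound are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Command:
    kind: str     # e.g. "brake", "steering", "none"
    value: float  # normalised magnitude (unit assumed for this example)


@dataclass(frozen=True)
class Scene:
    sensing: Dict[str, float]  # sensing control data recorded at the intervention
    driver_command: Command    # driving intervention control command


Controller = Callable[[Dict[str, float]], Command]


def same_command(a: Command, b: Command, tol: float = 0.1) -> bool:
    # The text only requires the commands to be "the same"; the tolerance is assumed.
    return a.kind == b.kind and abs(a.value - b.value) <= tol


def offline_verify(candidate: Controller, scenes: List[Scene],
                   preset_count: int) -> Tuple[bool, int]:
    """Replay scenes through the candidate in parallel (its output is never actuated).

    Returns (approved, run). Approval needs a run of consecutive matches that is
    strictly greater than preset_count; a mismatch resets the run (assumption).
    """
    run = longest = 0
    for scene in scenes:
        output = candidate(scene.sensing)  # verification output command
        if same_command(output, scene.driver_command):
            run += 1
            longest = max(longest, run)
            if run > preset_count:
                return True, run
        else:
            run = 0
    return False, longest


def modify_and_verify(modify: Callable[[List[Scene], int], Controller],
                      scenes: List[Scene], preset_count: int,
                      max_rounds: int) -> Tuple[Optional[Controller], int]:
    """Repeat the modifying and verifying steps until the gate opens.

    Returns (controller to install, rounds used), or (None, max_rounds) when no
    candidate passed; in that case the running algorithm must stay in place.
    """
    for round_no in range(1, max_rounds + 1):
        candidate = modify(scenes, round_no)
        approved, _ = offline_verify(candidate, scenes, preset_count)
        if approved:
            return candidate, round_no
    return None, max_rounds


def make_brake_controller(trigger_m: float) -> Controller:
    """Toy controller: full brake when the obstacle is closer than trigger_m."""
    def controller(sensing: Dict[str, float]) -> Command:
        if sensing["obstacle_m"] < trigger_m:
            return Command("brake", 1.0)
        return Command("none", 0.0)
    return controller


def propose(scenes: List[Scene], round_no: int) -> Controller:
    # Hypothetical modifying step: widen the braking distance by 5 m per round.
    return make_brake_controller(10.0 + 5.0 * round_no)


# Constructed scene database: the driver braked although the system had not.
SCENES = [Scene({"obstacle_m": d}, Command("brake", 1.0))
          for d in (12.0, 18.0, 14.0, 17.0, 11.0)]

if __name__ == "__main__":
    print(offline_verify(make_brake_controller(15.0), SCENES, preset_count=3))
    controller, rounds = modify_and_verify(propose, SCENES, 3, max_rounds=5)
    print("update approved after round", rounds, "->", controller is not None)
```

The gate fails closed: a candidate that never exceeds the preset run length is not returned, so nothing is installed.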

According to one embodiment of the structural aspect of the present invention, a system with SOTIF scene collection and self-update is provided. The system is applied to a vehicle and includes a self-driving system. The self-driving system is disposed on the vehicle and includes a sensor and a controller. The self-driving system is configured to implement operations including a state judging step, a scene collecting step, a modifying step, a verifying step and an updating step. The state judging step includes judging whether sensing control data generated by the sensor and the controller belongs to one of unexpected intervention data and accident scene data, to generate a state judgement result. The scene collecting step includes collecting the sensing control data according to the state judgement result to establish a scene database. The modifying step includes modifying an algorithm of the sensor and the controller according to the scene database. The verifying step includes performing a parallel operation on the modified sensor and controller to generate a verification output command, and comparing the verification output command with a driving intervention control command to generate a comparison result. The updating step includes updating the algorithm of the sensor and the controller according to the comparison result, so that an updated output command generated by the updated sensor and controller corresponds to the driving intervention control command. When the state judging step judges that the sensing control data belongs to the accident scene data, the sensing control data collected in the scene collecting step belongs to a Safety Of The Intended Functionality (SOTIF) scene.

Thereby, the system with SOTIF scene collection and self-update of the present invention, with only the self-driving system (no cloud platform), still takes the SOTIF scene of an accident into account and provides offline or online self-update.

Other examples of the foregoing embodiment are as follows. The accident scene data includes abnormal non-actuation data and false actuation data. The abnormal non-actuation data is data generated when the self-driving system should have actuated but did not. The false actuation data is data generated when the self-driving system should not have actuated but did.

Other examples of the foregoing embodiment are as follows. The driving intervention control command corresponds to at least one of brake actuation information, accelerator (fuel or electric) activation information, steering wheel actuation information and emergency button actuation information.

According to another embodiment of the structural aspect of the present invention, a system with SOTIF scene collection and self-update is provided, which is applied to a vehicle. The system includes a self-driving system and a cloud platform. The self-driving system is disposed on the vehicle and includes a sensor and a controller. The cloud platform is signally connected to the self-driving system. The self-driving system and the cloud platform are configured to implement operations including a state judging step, a scene collecting step, a modifying step, a verifying step and an updating step. The state judging step includes configuring the self-driving system to judge whether sensing control data generated by the sensor and the controller belongs to one of unexpected intervention data and accident scene data, to generate a state judgement result. The scene collecting step includes configuring the self-driving system to collect the sensing control data according to the state judgement result to establish a scene database. The modifying step includes configuring the self-driving system to modify an algorithm of the sensor and the controller according to the scene database. The verifying step includes configuring one of the self-driving system and the cloud platform to perform a parallel operation on the modified sensor and controller to generate a verification output command, and to compare the verification output command with a driving intervention control command to generate a comparison result. The updating step includes configuring that one of the self-driving system and the cloud platform to update the algorithm of the sensor and the controller according to the comparison result, so that an updated output command generated by the updated sensor and controller corresponds to the driving intervention control command. When the state judging step judges that the sensing control data belongs to the accident scene data, the sensing control data collected in the scene collecting step belongs to a Safety Of The Intended Functionality (SOTIF) scene.

Thereby, the system with SOTIF scene collection and self-update of the present invention, with both the self-driving system and the cloud platform, takes the SOTIF scene of an accident into account and provides offline or online self-update.

Other examples of the foregoing embodiment are as follows. The accident scene data includes abnormal non-actuation data and false actuation data. The abnormal non-actuation data is data generated when the self-driving system should have actuated but did not. The false actuation data is data generated when the self-driving system should not have actuated but did.

Other examples of the foregoing embodiment are as follows. The verifying step includes configuring that one of the self-driving system and the cloud platform to perform one of an online verification and an offline verification, to generate the verification output command and the comparison result. The online verification includes an online system operation confirming step, which includes configuring that one of the self-driving system and the cloud platform to confirm, according to an online verification comparison result, whether to perform the updating step. The offline verification includes an offline system operation confirming step, which includes configuring the self-driving system to confirm, according to an offline verification comparison result, whether to perform the updating step. The comparison result is one of the online verification comparison result and the offline verification comparison result. The driving intervention control command corresponds to at least one of brake actuation information, accelerator (fuel or electric) activation information, steering wheel actuation information and emergency button actuation information.

Several embodiments of the present invention are described below with reference to the drawings. For clarity, many practical details are explained in the following description. It should be understood, however, that these practical details are not intended to limit the present invention; that is, in some embodiments of the present invention these practical details are not necessary. In addition, to simplify the drawings, some conventional structures and elements are shown schematically, and repeated elements may be denoted by the same reference numerals.

In addition, when an element (or unit, module, etc.) is described herein as "connected" to another element, the element may be directly connected to the other element, or it may be indirectly connected to it, meaning that other elements are interposed between the two. Only when an element is expressly described as "directly connected" to another element are no other elements interposed between them. The terms first, second, third and so on are used only to distinguish different elements and do not limit the elements themselves; a first element may therefore also be called a second element. Moreover, the combinations of elements/units/circuits herein are not combinations that are generally well known, conventional or customary in this field, and whether the elements/units/circuits themselves are known cannot be used to determine whether their combination could easily be accomplished by a person of ordinary skill in the art.

Please refer to FIG. 1, which is a schematic diagram of a system 100 with SOTIF scene collection and self-update according to the first embodiment of the present invention. As shown, the system 100 is applied to a vehicle 110 and includes a self-driving system 200 and a cloud platform 300 (backend). The self-driving system 200 is disposed on the vehicle 110 and includes a sensor 210 and a controller 220. The self-driving system 200 may be an Autonomous Driving System (ADS) or an Advanced Driver Assistance System (ADAS). The sensor 210 may be any of the sensing devices of an ADS or ADAS. The cloud platform 300 is signally connected to the self-driving system 200. First, the self-driving system 200 judges whether sensing control data generated by the sensor 210 and the controller 220 belongs to one of unexpected intervention data and accident scene data, to generate a state judgement result. Next, the self-driving system 200 collects the sensing control data according to the state judgement result to establish a scene database. Then, the self-driving system 200 modifies an algorithm of the sensor 210 and the controller 220 according to the scene database. Next, one of the self-driving system 200 and the cloud platform 300 performs a parallel operation on the modified sensor 210 and controller 220 to generate a verification output command, and compares the verification output command with a driving intervention control command to generate a comparison result. Finally, that one of the self-driving system 200 and the cloud platform 300 updates the algorithm of the sensor 210 and the controller 220 according to the comparison result, so that an updated output command generated by the updated sensor 210 and controller 220 corresponds to the driving intervention control command. When the self-driving system 200 judges that the sensing control data belongs to the accident scene data, the collected sensing control data belongs to a Safety Of The Intended Functionality (SOTIF) scene. The sensing control data is the set of the sensing data of the sensor 210 and the control data of the controller 220.

The self-driving system 200 further includes a self-driving processor and a self-driving memory; the self-driving processor is signally connected to the self-driving memory, the sensor 210 and the controller 220. The cloud platform 300 includes a cloud processor and a cloud memory, and the cloud processor is signally connected to the cloud memory. Either of the self-driving processor and the cloud processor may be a processor, a microprocessor, an Electronic Control Unit (ECU), a computer, a mobile device processor or another computing processor, but the present invention is not limited thereto. Either of the self-driving processor and the cloud processor can execute the method with SOTIF scene collection and self-update. In addition, either of the self-driving memory and the cloud memory may be a Random Access Memory (RAM) or another type of dynamic storage device capable of storing information and instructions for execution by either of the self-driving processor and the cloud processor, but the present invention is not limited thereto.

Please refer to FIG. 1 and FIG. 2 together. FIG. 2 is a flowchart of a method 400 with SOTIF scene collection and self-update according to a second embodiment of the present invention. As shown, the method 400 is applied to the vehicle 110 and includes a state judging step S01, a scene collecting step S02, a modifying step S03, a verifying step S04 and an updating step S05. The state judging step S01 includes driving the self-driving system 200 to judge whether the sensing control data generated by the sensor 210 and the controller 220 belongs to one of the unexpected disengagement data and the accident scene data, and to generate the state judgment result. The scene collecting step S02 includes driving the self-driving system 200 to collect the sensing control data according to the state judgment result to establish the scene database. The modifying step S03 includes driving the self-driving system 200 to modify the algorithm of the sensor 210 and the controller 220 according to the scene database. The verifying step S04 includes driving one of the self-driving system 200 and the cloud platform 300 to perform a parallel operation on the modified sensor 210 and controller 220 to generate the verification output command, and to compare the verification output command with the driving disengagement control command to generate the comparison result. The updating step S05 includes driving that one of the self-driving system 200 and the cloud platform 300 to update the algorithm of the sensor 210 and the controller 220 according to the comparison result, so that the updated output command generated by the updated sensor 210 and controller 220 corresponds to the driving disengagement control command. When the state judging step S01 judges that the sensing control data belongs to the accident scene data, the sensing control data collected in the scene collecting step S02 belongs to the SOTIF scene.

Thereby, the system 100 and the method 400 with SOTIF scene collection and self-update of the present invention can use the self-driving system 200 to collect the scene at the time of an unexpected disengagement or at the moment an accident occurs, so as to establish the scene database; then perform comparison and testing to distinguish functional safety from safety of the intended functionality (SOTIF) and provide suggestions on functional anomaly points together with records of the scene, the controller 220 and the sensor 210; then, together with the scene verifying step S04, confirm the sensing signals and the response of the controller 220; and finally confirm the system operation and the verification comparison result, thereby increasing the reliability and range of application of the system and method and improving marketability.

Please refer to FIG. 1, FIG. 2, FIG. 3 and FIG. 4 together. FIG. 3 is a flowchart of a method 400a with SOTIF scene collection and self-update according to a third embodiment of the present invention, and FIG. 4 is a flowchart of the state judging step S21 and the scene collecting step S22 of FIG. 3. The method 400a is applied to the vehicle 110 and includes a state judging step S21, a scene collecting step S22, a modifying step S23, a verifying step S24 and an updating step S25.

The state judging step S21 includes an accident state judging step S212, an accident confirming step S214, a disengagement confirming step S216, a human unexpected disengagement judging step S2162 and a system unexpected disengagement judging step S2164. The accident state judging step S212 is "accident state judgment": it includes driving the self-driving system 200 to judge whether the sensing control data belongs to accident actuation information, generating an accident state judgment result, and executing one of the accident confirming step S214 and the disengagement confirming step S216 according to that result. When the accident state judgment result is yes, the self-driving system 200 executes the accident confirming step S214; when it is no, the self-driving system 200 executes the disengagement confirming step S216. In one embodiment, the accident actuation information may include at least one of airbag actuation information, acceleration sensor sensing information and sensor failure information. The airbag actuation information represents information generated when an airbag of the vehicle 110 deploys; the acceleration sensor sensing information represents information generated when the acceleration sensor (G-sensor) is actuated (its sensed value exceeds a preset value); and the sensor failure information represents information generated when the sensor 210 fails. The present invention is not limited thereto.

The accident confirming step S214 is "accident confirmation": it includes driving the self-driving system 200 to confirm whether the sensing control data belongs to accident scene data 420 and to generate an accident confirmation result. When the accident confirmation result is yes, the self-driving system 200 executes the scene collecting step S22; when it is no, the self-driving system 200 stops the current scene collection and self-update operation. In detail, the accident scene data 420 includes abnormal non-actuation data 422 and mis-actuation data 424. The abnormal non-actuation data 422 represents data generated when the self-driving system 200 should have actuated but did not. The mis-actuation data 424 represents data generated when the self-driving system 200 should not have actuated but did (for example, when a command of the controller 220 is abnormal). When the accident confirmation result is yes, the sensing control data belongs to one of the abnormal non-actuation data 422 and the mis-actuation data 424; such an unexpected accident carries a risk of harm, and the self-driving system 200 executes the scene collecting step S22. Conversely, when the accident confirmation result is no, the sensing control data belongs to neither the abnormal non-actuation data 422 nor the mis-actuation data 424 (for example, the command of the controller 220 is normal and complies with the standard ISO 26262); such an expected accident is a normal state that requires no handling, and the self-driving system 200 stops the current scene collection and self-update operation.

The disengagement confirming step S216 is "disengagement confirmation": it includes driving the self-driving system 200 to confirm whether the sensing control data belongs to human disengagement data 412 or system disengagement data 414, generating a disengagement confirmation result, and executing one of the human unexpected disengagement judging step S2162 and the system unexpected disengagement judging step S2164 according to that result. When the disengagement confirmation result is that the sensing control data belongs to the human disengagement data 412, the self-driving system 200 executes the human unexpected disengagement judging step S2162; when the result is that the sensing control data belongs to the system disengagement data 414, the self-driving system 200 executes the system unexpected disengagement judging step S2164. In detail, the human disengagement data 412 includes at least one of brake actuation information, accelerator activation information, steering wheel actuation information and emergency button actuation information. The brake actuation information represents information generated when the brake is actuated; the accelerator activation information represents information generated when the fuel or electric accelerator is activated; the steering wheel actuation information represents information generated when the steering wheel is actuated (for example, turned); and the emergency button actuation information represents information generated when the emergency button is actuated. The system disengagement data 414 includes at least one of system notification information, system enforcement information and system failure information. The system notification information represents notification information issued by the self-driving system 200; the system enforcement information represents information generated by the self-driving system 200 due to forced execution; and the system failure information represents information generated when the sensing control data exceeds the controllable range of the self-driving system 200. In addition, the human unexpected disengagement judging step S2162 is "human disengagement": it includes driving the self-driving system 200 to judge whether the sensing control data belongs to human unexpected disengagement data and to generate a human unexpected disengagement judgment result. The system unexpected disengagement judging step S2164 is "system disengagement": it includes driving the self-driving system 200 to judge whether the sensing control data belongs to system unexpected disengagement data and to generate a system unexpected disengagement judgment result. When one of the human unexpected disengagement judgment result and the system unexpected disengagement judgment result is yes, the self-driving system 200 executes the scene collecting step S22. The unexpected disengagement data includes the human unexpected disengagement data and the system unexpected disengagement data.

In the human unexpected disengagement judging step S2162, when the human unexpected disengagement judgment result is yes (the sensing control data belongs to the human unexpected disengagement data), the self-driving system 200 determines a forced driver intervention (abnormal disengagement). For example, when the turn signal is not actuated and the brake is not actuated, but the steering wheel is turned, this unexpected disengagement carries a risk of harm; the self-driving system 200 executes the scene collecting step S22, and the subsequent modifying step S23, verifying step S24 and updating step S25 update the self-driving system 200 so that it covers this hazardous scene. In this example, the sensing control data is turn signal non-actuation information, brake non-actuation information and steering wheel actuation information; the human unexpected disengagement data is turn signal non-actuation information, brake non-actuation information and steering wheel actuation information.

In the human unexpected disengagement judging step S2162, when the human unexpected disengagement judgment result is no (the sensing control data does not belong to the human unexpected disengagement data), the self-driving system 200 determines an intentional driver intervention (normal disengagement). For example, when the turn signal is actuated, the brake is actuated and the steering wheel is turned, this expected disengagement is a normal state that requires no handling, and the self-driving system 200 stops the current scene collection and self-update operation. In this example, the sensing control data is turn signal actuation information, brake actuation information and steering wheel actuation information; the human unexpected disengagement data is turn signal non-actuation information, brake non-actuation information and steering wheel actuation information.

In the system unexpected disengagement judging step S2164, when the system unexpected disengagement judgment result is yes (the sensing control data belongs to the system unexpected disengagement data), the self-driving system 200 determines an abnormal system intervention (mis-actuation). For example, when the self-driving system 200 mis-actuates, this unexpected disengagement carries a risk of harm; the self-driving system 200 executes the scene collecting step S22, and the subsequent modifying step S23, verifying step S24 and updating step S25 update the self-driving system 200 so that it covers this hazardous scene. In this example, the sensing control data is mis-actuation information; the system unexpected disengagement data is mis-actuation information.

In the system unexpected disengagement judging step S2164, when the system unexpected disengagement judgment result is no (the sensing control data does not belong to the system unexpected disengagement data), the self-driving system 200 determines that the system is disabled (the Operational Design Domain (ODD) has been exceeded and the driver is prompted to intervene). For example, when the self-driving system 200 performs a disabling action, this expected disengagement is a normal state that requires no handling, and the self-driving system 200 stops the current scene collection and self-update operation. In this example, the sensing control data is disabling action information; the system unexpected disengagement data is mis-actuation information.
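
The branching of the state judging step S21 (S212, S214, S216, S2162, S2164) can be traced with the following added example, which is not code from the patent. All field names, the G-sensor preset value, the S2162 rule (generalized from the single turn-signal/brake/steering example in the text) and the choice to check human disengagement before system disengagement are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    COLLECT_SOTIF = "collect: accident scene data 420 (SOTIF scene)"
    COLLECT_HUMAN = "collect: human unexpected disengagement"
    COLLECT_SYSTEM = "collect: system unexpected disengagement"
    STOP = "stop: expected state, no scene collected"


@dataclass
class Record:
    """Constructed sensing control data; every field name is illustrative."""
    # Accident actuation information checked in S212
    airbag_deployed: bool = False
    g_sensor: float = 0.0
    sensor_failed: bool = False
    # Accident scene data 420 checked in S214
    abnormal_non_actuation: bool = False  # data 422: should act, did not
    mis_actuation: bool = False           # data 424: should not act, did
    # Human disengagement data 412 checked in S216
    brake: bool = False
    accelerator: bool = False
    steering: bool = False
    emergency_button: bool = False
    turn_signal: bool = False             # used only by the S2162 rule
    # System disengagement data 414 checked in S216
    system_notification: bool = False
    system_enforcement: bool = False
    system_failure: bool = False


G_PRESET = 4.0  # assumed value; the text only says "a preset value"


def judge_state(r: Record) -> Outcome:
    # S212: does the record carry accident actuation information?
    if r.airbag_deployed or r.g_sensor > G_PRESET or r.sensor_failed:
        # S214: only abnormal non-actuation or mis-actuation is collected
        if r.abnormal_non_actuation or r.mis_actuation:
            return Outcome.COLLECT_SOTIF
        return Outcome.STOP  # expected accident, normal state

    # S216: human disengagement data 412 or system disengagement data 414?
    human = r.brake or r.accelerator or r.steering or r.emergency_button
    system = (r.system_notification or r.system_enforcement
              or r.system_failure)

    if human:
        # S2162 (assumed rule): steering input with neither turn signal
        # nor brake is treated as a forced, unexpected intervention.
        if r.steering and not r.turn_signal and not r.brake:
            return Outcome.COLLECT_HUMAN
        return Outcome.STOP  # intentional intervention
    if system:
        # S2164: mis-actuation is unexpected; disabling outside the ODD
        # is an expected disengagement.
        if r.mis_actuation:
            return Outcome.COLLECT_SYSTEM
        return Outcome.STOP
    return Outcome.STOP  # assumption: no disengagement event at all


# Constructed sample records mirroring the examples in the text.
SAMPLES = {
    "steer only": Record(steering=True),
    "signal+brake+steer": Record(steering=True, turn_signal=True, brake=True),
    "airbag + no actuation": Record(airbag_deployed=True,
                                    abnormal_non_actuation=True),
    "airbag, controller normal": Record(airbag_deployed=True),
    "system mis-actuation": Record(system_notification=True,
                                   mis_actuation=True),
    "system disabled (ODD)": Record(system_notification=True),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:28s} -> {judge_state(rec).value}")
```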

The scene collecting step S22 is "scene collection and cause analysis": it includes driving the self-driving system 200 to collect the sensing control data according to the state judgment result to establish the scene database. When the state judging step S21 judges that the sensing control data belongs to the accident scene data 420, the sensing control data collected in the scene collecting step S22 belongs to a SOTIF scene 426. In addition, the scene collecting step S22 analyzes the cause (Sensor, HW, SW, human) of each scene in the scene database for subsequent judgment. Sensor denotes a cause attributable to the sensor 210; HW denotes a cause attributable to hardware; SW denotes a cause attributable to software.

The modifying step S23 includes driving the self-driving system 200 to modify the algorithm of the sensor 210 and the controller 220 according to the scene database. In detail, the modifying step S23 includes an improvement item feedback step S232 and an algorithm modifying step S234. The improvement item feedback step S232 is "sensor/controller functional limitation (improvement item feedback)": it includes transmitting improvement item feedback information of the sensor 210 or the controller 220 to the manufacturer (manufacturing side) of the sensor 210 or the controller 220, so that the manufacturer can make corrections according to the improvement item feedback information. The algorithm modifying step S234 is "sensor/controller algorithm modification": it includes modifying the algorithm of the sensor 210 and the controller 220 according to the scene database and the improvement item feedback information. The improvement item feedback step S232 and the algorithm modifying step S234 can mitigate the functional limitations of the sensor 210 or the controller 220.

The verifying step S24 includes driving one of the self-driving system 200 and the cloud platform 300 to perform a parallel operation on the modified sensor 210 and controller 220 to generate the verification output command, and to compare the verification output command with the driving disengagement control command to generate the comparison result. In detail, the verifying step S24 includes a step S240, "online scene download": it includes driving that one of the self-driving system 200 and the cloud platform 300 to confirm whether to perform the online scene download operation, generating an online scene download confirmation result, and then driving that one of the self-driving system 200 and the cloud platform 300 to execute one of an online verification S242 and an offline verification S244 according to the online scene download confirmation result, so as to generate the verification output command and the comparison result. When the online scene download confirmation result is yes, that one of the self-driving system 200 and the cloud platform 300 executes the online verification S242; conversely, when the result is no, it executes the offline verification S244.

The updating step S25 includes driving that one of the self-driving system 200 and the cloud platform 300 to update the algorithm of the sensor 210 and the controller 220 according to the comparison result, so that the updated output command generated by the updated sensor 210 and controller 220 corresponds to the driving disengagement control command.

Thereby, the method 400a with SOTIF scene collection and self-update of the present invention uses the self-driving system 200 to collect the scene at the time of an unexpected disengagement (human disengagement/system disengagement) or at the moment an accident occurs, so as to establish the scene database; then performs comparison and testing to distinguish functional safety from safety of the intended functionality (SOTIF) and provides suggestions on functional anomaly points together with records of the scene, the controller 220 and the sensor 210; then, together with the scene verifying step S24, confirms the sensing signals and the response of the controller 220; and finally confirms the system operation and the verification comparison result, thereby increasing the reliability and range of application of the system and method and improving marketability.

Please refer to FIG. 1, FIG. 2, FIG. 3, FIG. 4 and FIG. 5 together. FIG. 5 is a flowchart of the online verification S242 of FIG. 3. In the verifying step S24, the cloud platform 300 stores a preset number of times and another scene database, and that one of the self-driving system 200 and the cloud platform 300 is driven to execute the online verification S242. The online verification S242 includes an online modifying step S2422, an online operation step S2424 and an online system operation confirming step S2426. The online modifying step S2422 includes confirming whether the test is performed by the cloud platform 300: if yes, that one of the self-driving system 200 and the cloud platform 300 is the cloud platform 300; if no, it is the self-driving system 200 (the self-driving system 200 downloads scenes and sensing control data to establish the other scene database). The step further includes driving that one of the self-driving system 200 and the cloud platform 300 to modify the algorithm of the sensor 210 and the controller 220 according to the scene database and the other scene database, and then to execute the algorithm to generate a verification output command 432. The online operation step S2424 includes driving that one of the self-driving system 200 and the cloud platform 300 to perform the parallel operation on the sensor 210 and the controller 220 modified in the online modifying step S2422, generating an online verification comparison result 436; the parallel operation includes comparing the verification output command 432 with a driving disengagement control command 434. The online system operation confirming step S2426 includes driving that one of the self-driving system 200 and the cloud platform 300 to confirm, according to the online verification comparison result 436, whether to execute the updating step S25. If yes, the updating step S25 is executed; if no, the online modifying step S2422 is repeated. The scene database and the other scene database contain scene data. The scene data corresponds to the output record of the sensor 210 and the output record of the controller 220. The verification output command 432 corresponds to the output of the sensor 210 and the output of the controller 220. The driving disengagement control command 434 represents the control command under driver disengagement when the modified sensor 210 and controller 220 are used (corresponding to the externally modified output of the sensor 210 and the externally modified output of the controller 220), and includes a brake, accelerator or steering command.

Please refer to FIG. 1, FIG. 2, FIG. 3, FIG. 4, FIG. 5 and FIG. 6 together. FIG. 6 is a schematic diagram of a first example of the online verification S242 of FIG. 3. The online verification S242 includes the online operation step S2424 and an online system operation confirming step S2426a; the online operation step S2424 is the same as the online operation step S2424 of FIG. 3 and is not described again. The online system operation confirming step S2426a is "E=0, consecutively > N times: update, and issue the brake, accelerator or steering command": it includes driving that one of the self-driving system 200 and the cloud platform 300 to confirm, according to the online verification comparison result 436, whether to execute the updating step S25. In detail, when the online verification comparison result 436 of the online system operation confirming step S2426a is that the verification output command 432 is the same as the driving disengagement control command 434 (E=0) and the number of consecutive identical results is greater than the preset number of times (N times), the updating step S25 is performed (the original outputs of the sensor 210 and the controller 220 are updated). Conversely, when the online verification comparison result 436 is not "the verification output command 432 is the same as the driving disengagement control command 434 and the number of consecutive identical results is greater than the preset number of times", the online modifying step S2422, the online operation step S2424 and the online system operation confirming step S2426a are repeated. In one embodiment, N may be equal to 3, but the present invention is not limited thereto.

For example, with no accident involving the vehicle 110, when the vehicle 110 is travelling on a highway and encounters an obstructing vehicle ahead, the output to be updated (used for comparison only; it is not yet a command actually output to the vehicle 110) corresponds to braking to a stop (after online modification) or to disengagement (offline self-modification). The parallel operation compares the output to be updated (i.e., the verification output command 432) with the final output command of the vehicle 110 (i.e., the driving disengagement control command 434). If they agree (i.e., the online verification comparison result 436 is that the verification output command 432 is the same as the driving disengagement control command 434) and the agreement has accumulated a certain number of times (i.e., the number of consecutive identical results is greater than the preset number of times), the updating step S25 is performed.

Please refer to FIG. 1, FIG. 2, FIG. 3, FIG. 4, FIG. 5, FIG. 6 and FIG. 7 together. FIG. 7 is a schematic diagram of a second example of the online verification S242 of FIG. 3. The online verification S242 includes the online operation step S2424 and an online system operation confirming step S2426b; the online operation step S2424 is the same as the online operation step S2424 of FIG. 6 and is not described again. The online system operation confirming step S2426b is "E≠0, consecutively > M times or hazard: modify again": it includes driving that one of the self-driving system 200 and the cloud platform 300 to confirm, according to the online verification comparison result 436, whether to execute the updating step S25. In detail, when the online verification comparison result 436 of the online system operation confirming step S2426b is that the verification output command 432 differs from the driving disengagement control command 434 and the number of consecutive differing results is greater than the preset number of times (M times), the online modifying step S2422 is repeated and the updating step S25 is then performed. Conversely, when the online verification comparison result 436 is not "the verification output command 432 differs from the driving disengagement control command 434 and the number of consecutive differing results is greater than the preset number of times", the online modifying step S2422, the online operation step S2424 and the online system operation confirming step S2426b are repeated. In one embodiment, M may be equal to 1, but the present invention is not limited thereto.

Please refer to Figures 1, 2, 3, 4, 8 and 9 together, where Figure 8 is a schematic diagram of the first example of the offline verification S244 of Figure 3, and Figure 9 is a schematic diagram of the second example of the offline verification S244 of Figure 3. In the verification step S24, the self-driving system 200 stores a preset number and is driven to perform the offline verification S244, and the offline verification S244 includes an offline operation step S2442 and an offline system operation confirmation step S2444. The offline operation step S2442 is "for the comparison scene of the parallel architecture, the system actively disengages (driver takeover / newly added disengagement item)"; it includes driving the self-driving system 200 to execute the algorithm for the sensor 210 and the controller 220 corrected in the correction step S23 to generate the verification output command 432, and then to perform the parallel operation to generate the offline verification comparison result 438, where the parallel operation includes comparing the verification output command 432 with the driving disengagement control command 434. The offline system operation confirmation step S2444 includes driving the self-driving system 200 to confirm, according to the offline verification comparison result 438, whether to execute the update step S25.

In the first example of Figure 8, the offline verification S244 includes the offline operation step S2442 and an offline system operation confirmation step S2444a. The offline system operation confirmation step S2444a is "disengagement signal comparison; consecutive correct > N times, perform update. A disengagement will be issued; driver, please take over"; it includes driving the self-driving system 200 to confirm, according to the offline verification comparison result 438, whether to execute the update step S25. Specifically, when the offline verification comparison result 438 of the offline system operation confirmation step S2444a is that the verification output command 432 and the driving disengagement control command 434 are the same and the number of consecutive identical results is greater than the preset number (N times), the update step S25 is performed. Conversely, when the offline verification comparison result 438 of the offline system operation confirmation step S2444a is not "the verification output command 432 and the driving disengagement control command 434 are the same and the number of consecutive identical results is greater than the preset number", the correction step S23 and the verification step S24 are repeated.

In the second example of Figure 9, the offline verification S244 includes the offline operation step S2442 and an offline system operation confirmation step S2444b. The offline system operation confirmation step S2444b is "disengagement signal comparison; consecutive errors > M times, correct again"; it includes driving the self-driving system 200 to confirm, according to the offline verification comparison result 438, whether to execute the update step S25. Specifically, when the offline verification comparison result 438 of the offline system operation confirmation step S2444b is that the verification output command 432 and the driving disengagement control command 434 are different and the number of consecutive differences is greater than the preset number (M times), the correction step S23 is repeated, and then the update step S25 is performed. Conversely, when the offline verification comparison result 438 of the offline system operation confirmation step S2444b is not "the verification output command 432 and the driving disengagement control command 434 are different and the number of consecutive differences is greater than the preset number", the correction step S23 and the verification step S24 are repeated.
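The consecutive-count confirmation logic of Figures 6 to 9, sketched in Python as an added example (it is not code from the patent). Commands are modeled as sets of actuation names, and folding the "more than N consecutive matches" and "more than M consecutive mismatches" checks into one `VerificationGate` class is an assumption of this sketch; all class, function and constant names are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    CONTINUE = "continue"    # thresholds not reached; keep comparing
    UPDATE = "update"        # proceed to update step S25
    RECORRECT = "recorrect"  # go back to the correction step (S2422 / S23)


# Constructed sample commands: each is the set of actuations it contains.
BRAKE = frozenset({"brake"})
STEER = frozenset({"steering_wheel"})
NO_ACTION = frozenset()


@dataclass
class VerificationGate:
    """Counts consecutive agreements/disagreements between the verification
    output command (432) and the driving disengagement control command (434).
    The verification output is shadow output only; it never reaches the vehicle.
    """
    n_match: int          # preset number N (first examples, Figs. 6 and 8)
    m_mismatch: int       # preset number M (second examples, Figs. 7 and 9)
    matches: int = 0
    mismatches: int = 0

    def observe(self, verification_cmd, driver_cmd) -> Decision:
        # A single disagreement resets the agreement streak and vice versa,
        # because the thresholds apply to *consecutive* results.
        if verification_cmd == driver_cmd:
            self.matches += 1
            self.mismatches = 0
        else:
            self.mismatches += 1
            self.matches = 0

        # Both thresholds are strict ("greater than the preset number").
        if self.matches > self.n_match:
            return Decision.UPDATE
        if self.mismatches > self.m_mismatch:
            return Decision.RECORRECT
        return Decision.CONTINUE


def run_gate(pairs, n_match, m_mismatch):
    """Feed (verification_cmd, driver_cmd) pairs through the gate.

    Returns (decision, pairs_consumed). The decision is CONTINUE when the
    input ends before either threshold is exceeded.
    """
    gate = VerificationGate(n_match, m_mismatch)
    consumed = 0
    for verification_cmd, driver_cmd in pairs:
        consumed += 1
        decision = gate.observe(verification_cmd, driver_cmd)
        if decision is not Decision.CONTINUE:
            return decision, consumed
    return Decision.CONTINUE, consumed


if __name__ == "__main__":
    # Constructed replay: three agreements, one disagreement that resets the
    # streak, then four agreements. With N=3 the update fires on the 8th pair.
    replay = [(BRAKE, BRAKE)] * 3 + [(STEER, BRAKE)] + [(BRAKE, BRAKE)] * 4
    print(run_gate(replay, n_match=3, m_mismatch=1))
    # Corrected algorithm still fails to brake twice in a row: with M=1 this
    # sends the flow back to the correction step.
    print(run_gate([(NO_ACTION, BRAKE)] * 2, n_match=3, m_mismatch=1))
```
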

As can be seen from Figures 3, 5, 6, 7, 8 and 9, the comparison result generated in the verification step S24 is one of the online verification comparison result 436 and the offline verification comparison result 438. The driving disengagement control command 434 corresponds to at least one of brake actuation information, throttle (fuel/electric) activation information, steering wheel actuation information and emergency button actuation information.

Please refer to Figures 1, 3, 4, 10 and 11 together, where Figure 10 is a schematic flowchart of the method 400a with SOTIF scene collection and self-updating of Figure 3 applied to an accident state, and Figure 11 is a schematic flowchart of the state judgment step S21 and the scene collection step S22 of Figure 4 applied to an accident state. The method 400a with SOTIF scene collection and self-updating is applied to the vehicle 110 and to the system 100 with SOTIF scene collection and self-updating. The system 100 includes the self-driving system 200 and the cloud platform 300, and the self-driving system 200 is an ADS. The vehicle 110 enters an accident state: the vehicle 110 hits a median island, which drives directly into the engine; the self-driving system 200 should have actuated but did not (it should have braked but did not), and abnormal non-actuation data 422 is generated. At the moment the accident state occurs, the method 400a executes the accident state judgment step S212 and the accident confirmation step S214 of the state judgment step S21, the scene collection step S22, the correction step S23, step S240 and the online verification S242 of the verification step S24, and the update step S25, as shown by the bold boxes and bold lines in Figures 10 and 11. In the state judgment step S21, the accident confirmation result is yes and the sensing control data belongs to the abnormal non-actuation data 422. Because such an unexpected accident carries a risk of harm, the self-driving system 200 executes the scene collection step S22, and the sensing control data collected in the scene collection step S22 belongs to the SOTIF scene 426. In step S240, the online scene download confirmation result is yes, and the cloud platform 300 performs the online verification S242.

Thereby, the system 100 and the method 400a with SOTIF scene collection and self-updating of the present invention use the self-driving system 200 to collect the scene at the time of an unexpected disengagement (human disengagement/system disengagement) or at the moment an accident occurs, in order to establish a scene database. Comparison and testing then distinguish functional safety from Safety Of The Intended Functionality (SOTIF) and provide suggestions on functional anomaly points together with data records of the scene, the controller 220 and the sensor 210. The scene verification step S24 is then used to confirm the sensing signals and the response of the controller 220, and finally the system operation is confirmed by checking the verification comparison result, which increases the reliability and range of application of the system and method and improves marketability. In addition, the present invention can solve the problems in the conventional art that multi-layer verification and network training take a long time, that there is a concern of erroneous learning caused by a driver's malicious operating intent, that the functional limitations of the sensor 210 cannot be resolved through a learning mechanism, that there is no offline update, and that online learning updates are relatively complex.

It can be understood that the methods 400 and 400a with SOTIF scene collection and self-updating of the present invention can be implemented through a computer program product. The order of the steps described in the above embodiments can be rearranged, combined or omitted according to actual needs. The above embodiments may be implemented using a computer program product, which may include a machine-readable medium storing a plurality of instructions that can program a computer to perform the steps in the above embodiments. The machine-readable medium may be, but is not limited to, a floppy disk, an optical disc, a CD-ROM, a magneto-optical disk, read-only memory, random access memory, erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), an optical card or magnetic card, flash memory, or any machine-readable medium suitable for storing electronic instructions. Furthermore, embodiments of the present invention can also be downloaded as a computer program product, which can be transferred from a remote computer to a requesting computer by data signals over a communication connection (such as a network connection).

As can be seen from the above embodiments, the present invention has the following advantages. First, the self-driving system collects the scene at the time of an unexpected disengagement (human disengagement/system disengagement) or at the moment an accident occurs, in order to establish a scene database; comparison and testing then distinguish functional safety from Safety Of The Intended Functionality (SOTIF) and provide suggestions on functional anomaly points together with data records of the scene, the controller and the sensor; the scene verification step is then used to confirm the sensing signals and the controller response, and finally the system operation is confirmed by checking the verification comparison result, which increases the reliability and range of application of the system and method and improves marketability. Second, because unexpected disengagement scenes or accident scenes are the subject of collection and only the algorithm is updated, potentially unknown safety scenes and scenes with insufficient operational functionality can be found and addressed quickly and efficiently, without erroneous learning caused by a driver's malicious operating intent. Third, if verification shows that the issue is a functional limitation of the sensor, it can be resolved simply by replacing the sensor and running the parallel operation, with high safety. Fourth, updates can be provided after verification and strengthening through either the online or the offline mechanism; when an update program has not yet been provided or the update cannot be performed, warnings are added or adjusted to remind the driver to intervene to avoid a collision hazard, which prevents the same hazardous event from occurring during the gap before the update. Fifth, the cloud platform only needs to handle event data collection, filtering and classification, or provide the data playback function required for algorithm confirmation, and does not need to perform complex online learning updates.

Although the present invention has been disclosed above by way of embodiments, they are not intended to limit the present invention. Anyone skilled in the art may make various changes and modifications without departing from the spirit and scope of the present invention; the scope of protection of the present invention is therefore defined by the appended claims.

100: system with SOTIF scene collection and self-updating

110: vehicle

200: self-driving system

210: sensor

220: controller

300: cloud platform

400, 400a: method with SOTIF scene collection and self-updating

412: human disengagement data

414: system disengagement data

420: accident scene data

422: abnormal non-actuation data

424: false actuation data

426: SOTIF scene

432: verification output command

434: driving disengagement control command

436: online verification comparison result

438: offline verification comparison result

S01, S21: state judgment step

S02, S22: scene collection step

S03, S23: correction step

S04, S24: verification step

S05, S25: update step

S212: accident state judgment step

S214: accident confirmation step

S216: disengagement confirmation step

S2162: human unexpected disengagement judgment step

S2164: system unexpected disengagement judgment step

S232: improvement item feedback step

S234: algorithm correction step

S240: step

S242: online verification

S244: offline verification

S2422: online correction step

S2424: online operation step

S2426, S2426a, S2426b: online system operation confirmation step

S2442: offline operation step

S2444, S2444a, S2444b: offline system operation confirmation step

Figure 1 is a schematic diagram of a system with SOTIF scene collection and self-updating according to the first embodiment of the present invention;

Figure 2 is a schematic flowchart of a method with SOTIF scene collection and self-updating according to the second embodiment of the present invention;

Figure 3 is a schematic flowchart of a method with SOTIF scene collection and self-updating according to the third embodiment of the present invention;

Figure 4 is a schematic flowchart of the state judgment step and the scene collection step of Figure 3;

Figure 5 is a schematic flowchart of the online verification of Figure 3;

Figure 6 is a schematic diagram of the first example of the online verification of Figure 3;

Figure 7 is a schematic diagram of the second example of the online verification of Figure 3;

Figure 8 is a schematic diagram of the first example of the offline verification of Figure 3;

Figure 9 is a schematic diagram of the second example of the offline verification of Figure 3;

Figure 10 is a schematic flowchart of the method with SOTIF scene collection and self-updating of Figure 3 applied to an accident state; and

Figure 11 is a schematic flowchart of the state judgment step and the scene collection step of Figure 4 applied to an accident state.

400: method with SOTIF scene collection and self-updating

S01: state judgment step

S02: scene collection step

S03: correction step

S04: verification step

S05: update step

Claims (19)

A method with Safety Of The Intended Functionality (SOTIF) scene collection and self-updating, applied to a vehicle, the method comprising: a state judgment step, comprising driving a self-driving system to judge whether sensing control data generated by a sensor and a controller belongs to one of unexpected disengagement (intervention) data and accident scene data, to generate a state judgment result; a scene collection step, comprising driving the self-driving system to collect the sensing control data according to the state judgment result to establish a scene database; a correction step, comprising driving the self-driving system to correct an algorithm of the sensor and the controller according to the scene database; a verification step, comprising driving one of the self-driving system and a cloud platform to perform a parallel operation on the corrected sensor and controller to generate a verification output command, and to compare the verification output command with a driving disengagement control command to generate a comparison result; and an update step, comprising driving the one of the self-driving system and the cloud platform to update the algorithm of the sensor and the controller according to the comparison result, so that an updated output command generated by the updated sensor and controller corresponds to the driving disengagement control command; wherein, when the state judgment step judges that the sensing control data belongs to the accident scene data, the sensing control data collected in the scene collection step belongs to a SOTIF scene.

The method with SOTIF scene collection and self-updating as described in claim 1, wherein the state judgment step comprises: an accident state judgment step, comprising driving the self-driving system to judge whether the sensing control data belongs to accident actuation information to generate an accident state judgment result, and to execute one of an accident confirmation step and a disengagement confirmation step according to the accident state judgment result; wherein, when the accident state judgment result is yes, the self-driving system executes the accident confirmation step; and when the accident state judgment result is no, the self-driving system executes the disengagement confirmation step.

The method with SOTIF scene collection and self-updating as described in claim 2, wherein the accident confirmation step comprises driving the self-driving system to confirm whether the sensing control data belongs to the accident scene data to generate an accident confirmation result, and when the accident confirmation result is yes, the self-driving system executes the scene collection step; and the disengagement confirmation step comprises driving the self-driving system to confirm whether the sensing control data belongs to human disengagement data or system disengagement data to generate a disengagement confirmation result, and to execute one of a human unexpected disengagement judgment step and a system unexpected disengagement judgment step according to the disengagement confirmation result; wherein, when the disengagement confirmation result is that the sensing control data belongs to the human disengagement data, the self-driving system executes the human unexpected disengagement judgment step; and when the disengagement confirmation result is that the sensing control data belongs to the system disengagement data, the self-driving system executes the system unexpected disengagement judgment step.

The method with SOTIF scene collection and self-updating as described in claim 3, wherein the human unexpected disengagement judgment step comprises driving the self-driving system to judge whether the sensing control data belongs to human unexpected disengagement data to generate a human unexpected disengagement judgment result; and the system unexpected disengagement judgment step comprises driving the self-driving system to judge whether the sensing control data belongs to system unexpected disengagement data to generate a system unexpected disengagement judgment result; wherein, when one of the human unexpected disengagement judgment result and the system unexpected disengagement judgment result is yes, the self-driving system executes the scene collection step.

The method with SOTIF scene collection and self-updating as described in claim 4, wherein the accident actuation information comprises at least one of airbag actuation information, acceleration sensor sensing information and sensor failure information; the human disengagement data comprises at least one of brake actuation information, throttle (fuel/electric) activation information, steering wheel actuation information and emergency button actuation information; the system disengagement data comprises at least one of system notification information, system enforcement information and system failure information; and the unexpected disengagement data comprises the human unexpected disengagement data and the system unexpected disengagement data.

The method with SOTIF scene collection and self-updating as described in claim 1, wherein the accident scene data comprises: abnormal non-actuation data, representing data generated when the self-driving system should have actuated but did not; and false actuation data, representing data generated when the self-driving system should not have actuated but did.

The method with SOTIF scene collection and self-updating as described in claim 1, wherein the verification step comprises: driving the one of the self-driving system and the cloud platform to perform one of an online verification and an offline verification to generate the verification output command and the comparison result; wherein the online verification comprises: an online system operation confirmation step, comprising driving the one of the self-driving system and the cloud platform to confirm, according to an online verification comparison result, whether to execute the update step; wherein the offline verification comprises: an offline system operation confirmation step, comprising driving the self-driving system to confirm, according to an offline verification comparison result, whether to execute the update step; wherein the comparison result is one of the online verification comparison result and the offline verification comparison result, and the driving disengagement control command corresponds to at least one of brake actuation information, throttle (fuel/electric) activation information, steering wheel actuation information and emergency button actuation information.

The method with SOTIF scene collection and self-updating as described in claim 7, wherein in the verification step, the cloud platform stores a preset number and another scene database, the one of the self-driving system and the cloud platform is driven to perform the online verification, and the online verification further comprises: an online correction step, comprising driving the one of the self-driving system and the cloud platform to correct the algorithm of the sensor and the controller according to the scene database and the other scene database, and then to execute the algorithm to generate the verification output command; and an online operation step, comprising driving the one of the self-driving system and the cloud platform to perform the parallel operation on the sensor and the controller corrected in the online correction step to generate the online verification comparison result, wherein the parallel operation comprises comparing the verification output command with the driving disengagement control command.

The method with SOTIF scene collection and self-updating as described in claim 8, wherein, when the online verification comparison result of the online system operation confirmation step is that the verification output command and the driving disengagement control command are the same and the number of consecutive identical results is greater than the preset number, the update step is performed; and when the online verification comparison result of the online system operation confirmation step is not that the verification output command and the driving disengagement control command are the same and the number of consecutive identical results is greater than the preset number, the online correction step, the online operation step and the online system operation confirmation step are repeated.

The method with SOTIF scene collection and self-updating as described in claim 8, wherein, when the online verification comparison result of the online system operation confirmation step is that the verification output command and the driving disengagement control command are different and the number of consecutive differences is greater than the preset number, the online correction step is repeated and then the update step is performed; and when the online verification comparison result of the online system operation confirmation step is not that the verification output command and the driving disengagement control command are different and the number of consecutive differences is greater than the preset number, the online correction step, the online operation step and the online system operation confirmation step are repeated.

The method with SOTIF scene collection and self-updating as described in claim 7, wherein in the verification step, the self-driving system stores a preset number and is driven to perform the offline verification, and the offline verification further comprises: an offline operation step, comprising driving the self-driving system to execute the algorithm for the sensor and the controller corrected in the correction step to generate the verification output command, and then to perform the parallel operation to generate the offline verification comparison result, wherein the parallel operation comprises comparing the verification output command with the driving disengagement control command.

The method with SOTIF scene collection and self-updating as described in claim 11, wherein, when the offline verification comparison result of the offline system operation confirmation step is that the verification output command and the driving disengagement control command are the same and the number of consecutive identical results is greater than the preset number, the update step is performed; and when the offline verification comparison result of the offline system operation confirmation step is not that the verification output command and the driving disengagement control command are the same and the number of consecutive identical results is greater than the preset number, the correction step and the verification step are repeated.

The method with SOTIF scene collection and self-updating as described in claim 11, wherein, when the offline verification comparison result of the offline system operation confirmation step is that the verification output command and the driving disengagement control command are different and the number of consecutive differences is greater than the preset number, the correction step is repeated and then the update step is performed; and when the offline verification comparison result of the offline system operation confirmation step is not that the verification output command and the driving disengagement control command are different and the number of consecutive differences is greater than the preset number, the correction step and the verification step are repeated.

A system with Safety Of The Intended Functionality (SOTIF) scene collection and self-updating, applied to a vehicle, the system comprising: a self-driving system, disposed in the vehicle and comprising a sensor and a controller, the self-driving system being configured to perform operations comprising the following steps: a state judgment step, comprising judging whether sensing control data generated by the sensor and the controller belongs to one of unexpected disengagement data and accident scene data, to generate a state judgment result; a scene collection step, comprising collecting the sensing control data according to the state judgment result to establish a scene database; a correction step, comprising correcting an algorithm of the sensor and the controller according to the scene database; a verification step, comprising performing a parallel operation on the corrected sensor and controller to generate a verification output command, and comparing the verification output command with a driving disengagement control command to generate a comparison result; and an update step, comprising updating the algorithm of the sensor and the controller according to the comparison result, so that an updated output command generated by the updated sensor and controller corresponds to the driving disengagement control command; wherein, when the state judgment step judges that the sensing control data belongs to the accident scene data, the sensing control data collected in the scene collection step belongs to a SOTIF scene.

The system with SOTIF scene collection and self-updating as described in claim 14, wherein the accident scene data comprises: abnormal non-actuation data, representing data generated when the self-driving system should have actuated but did not; and false actuation data, representing data generated when the self-driving system should not have actuated but did.
如請求項14所述的具預期功能安全場景蒐集及自我更新的系統,其中該駕駛解離控制命令對應一煞車作動資訊、一油/電門啟動資訊、一方向盤作動資訊及一緊急按鈕作動資訊的至少一者。 A system with expected functional safety scene collection and self-updating as described in request 14, wherein the driving disengagement control command corresponds to at least one brake actuation information, one gas/switch activation information, one steering wheel actuation information and one emergency button actuation information. One. 一種具預期功能安全場景蒐集及自我更新的系統,應用於一車輛,該具預期功能安全場景蒐集及自我更新的系統包含:一自駕系統,設置於該車輛且包含一感測器與一控制器;以及一雲端平台,訊號連接該自駕系統;其中,該自駕系統與該雲端平台經配置以實施包含以下步驟的操作:一狀態判斷步驟,包含驅動該自駕系統判斷該感測器與該控制器所產生的一感測控制資料是否屬於一非預期解離資料與一事故場景資料的一者而產生一狀態判斷結果;一場景收集步驟,包含驅動該自駕系統依據該狀態判斷結果收集該感測控制資料而建立一場景資料庫;一修正步驟,包含驅動該自駕系統依據該場景資料庫修正該感測器與該控制器的一演算法;一校驗步驟,包含驅動該自駕系統與該雲端平台的一者針對修正後的該感測器與該控制器進行一平行運算,以產生一校驗輸出命令,並比對該校驗輸出命令與一駕駛解離控制命令而產生一比對結果;及一更新步驟,包含驅動該自駕系統與該雲端平台的該者依據該比對結果更新該感測器與該控制器的該演算法,藉以令更新後的該感測器與該控制器所產生的一更新輸出命令對應該駕駛解離控制命令; 其中,當該狀態判斷步驟判斷該感測控制資料屬於該事故場景資料時,該場景收集步驟所收集到的該感測控制資料屬於一預期功能安全(Safety Of The Intended Functionality;SOTIF)場景。 A system with expected functional safety scene collection and self-updating, applied to a vehicle. The system with expected functional safety scene collection and self-updating includes: a self-driving system, which is installed in the vehicle and includes a sensor and a controller. 
; and a cloud platform with signals connected to the self-driving system; wherein the self-driving system and the cloud platform are configured to perform operations including the following steps: a status determination step, including driving the self-driving system to determine the sensor and the controller Whether the generated sensing control data belongs to one of unexpected dissociation data and an accident scene data generates a state judgment result; a scene collection step includes driving the self-driving system to collect the sensing control according to the state judgment result A scene database is created based on the data; a correction step includes driving the self-driving system to modify an algorithm of the sensor and the controller according to the scene database; a verification step includes driving the self-driving system and the cloud platform One of them performs a parallel operation on the modified sensor and the controller to generate a verification output command, and compares the verification output command with a driving disengagement control command to generate a comparison result; and An update step includes driving the self-driving system and the cloud platform to update the algorithm of the sensor and the controller based on the comparison result, so that the updated sensor and the controller generate An updated output command corresponds to the driving disengagement control command; Wherein, when the status determination step determines that the sensing control data belongs to the accident scene data, the sensing control data collected by the scene collection step belongs to a Safety Of The Intended Functionality (SOTIF) scene. 
如請求項17所述的具預期功能安全場景蒐集及自我更新的系統,其中該事故場景資料包含:一異常未作動資料,其代表該自駕系統在應作動但卻未作動的狀況下所產生的資料;及一誤作動資料,其代表該自駕系統在不應作動但卻作動的狀況下所產生的資料。 A system with expected functional safety scene collection and self-updating as described in request 17, wherein the accident scene data includes: an abnormal non-action data, which represents the situation where the self-driving system should have acted but did not act. data; and a misoperation data, which represents data generated by the self-driving system when it should not operate but does. 如請求項17所述的具預期功能安全場景蒐集及自我更新的系統,其中該校驗步驟包含:驅動該自駕系統與該雲端平台的該者執行一線上校驗與一離線校驗的一者,以產生該校驗輸出命令及該比對結果;其中,該線上校驗包含:一線上系統運作確認步驟,包含驅動該自駕系統與該雲端平台的該者依據一線上校驗比對結果確認是否執行該更新步驟;其中,該離線校驗包含:一離線系統運作確認步驟,包含驅動該自駕系統依據一離線校驗比對結果確認是否執行該更新步驟;其中,該比對結果為該線上校驗比對結果與該離線校驗 比對結果的一者,該駕駛解離控制命令對應一煞車作動資訊、一油/電門啟動資訊、一方向盤作動資訊及一緊急按鈕作動資訊的至少一者。 The system with expected functional safety scenario collection and self-updating as described in claim 17, wherein the verification step includes: driving the self-driving system and the cloud platform to perform one of an online verification and an offline verification , to generate the verification output command and the comparison result; wherein, the online verification includes: a first-line system operation confirmation step, including driving the self-driving system and the cloud platform and confirming based on the first-line verification comparison result Whether to execute the update step; wherein, the offline verification includes: an offline system operation confirmation step, including driving the self-driving system to confirm whether to execute the update step based on an offline verification comparison result; wherein the comparison result is the online The verification comparison result is compared with the offline verification One of the comparison results is that the driving disengagement control command corresponds to at least one of a brake actuation information, a gas/switch activation information, a steering wheel actuation information and an 
emergency button actuation information.
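
The offline verification gate from the claim that depends on claim 11 (update only after the verification output command has matched the driving disengagement control command more than the preset number of consecutive times, otherwise repeat correction and verification), as an added Python example that is not code from the patent. The `Scene` record, the `gap_m` field, the `brake_below` controller and the list of corrected algorithms standing in for the repeated correction step are all hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Sequence

Algorithm = Callable[[dict], str]  # sensing control data -> output command

@dataclass(frozen=True)
class Scene:
    """One scene-database record (hypothetical format, constructed sample)."""
    sensing: dict          # sensing control data captured at the disengagement
    driver_command: str    # driving disengagement control command

def offline_verification(algorithm: Algorithm, scenes: Sequence[Scene],
                         preset_count: int) -> bool:
    """True once the verification output command has matched the driver's
    command more than preset_count times in a row."""
    consecutive = 0
    for scene in scenes:
        verification_output = algorithm(scene.sensing)  # parallel operation
        if verification_output == scene.driver_command:
            consecutive += 1
            if consecutive > preset_count:
                return True
        else:
            consecutive = 0  # any mismatch restarts the streak
    return False

def self_update(deployed: Algorithm, corrections: Iterable[Algorithm],
                scenes: Sequence[Scene], preset_count: int) -> Algorithm:
    """Repeat correction + verification; update only when the gate passes."""
    for candidate in corrections:
        if offline_verification(candidate, scenes, preset_count):
            return candidate   # update step
    return deployed            # gate never passed: keep the deployed algorithm

def brake_below(gap_m: float) -> Algorithm:
    """Hypothetical controller: brake when the gap to the obstacle is short."""
    return lambda sensing: "brake" if sensing["gap_m"] < gap_m else "none"

# Constructed scenes: the driver braked in four of them and did nothing in one.
SCENES = [Scene({"gap_m": 28.0}, "brake"), Scene({"gap_m": 18.0}, "brake"),
          Scene({"gap_m": 25.0}, "brake"), Scene({"gap_m": 80.0}, "none"),
          Scene({"gap_m": 12.0}, "brake")]

if __name__ == "__main__":
    updated = self_update(brake_below(10.0),
                          [brake_below(20.0), brake_below(30.0)],
                          SCENES, preset_count=3)
    print(updated({"gap_m": 28.0}))  # brake
```
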
TW111139312A 2022-10-17 2022-10-17 System and method with safety of the intended functionality scene collection and self-update mechanism TWI824778B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW111139312A TWI824778B (en) 2022-10-17 2022-10-17 System and method with safety of the intended functionality scene collection and self-update mechanism

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW111139312A TWI824778B (en) 2022-10-17 2022-10-17 System and method with safety of the intended functionality scene collection and self-update mechanism

Publications (2)

Publication Number Publication Date
TWI824778B true TWI824778B (en) 2023-12-01
TW202417292A TW202417292A (en) 2024-05-01

Family

ID=90053002

Family Applications (1)

Application Number Title Priority Date Filing Date
TW111139312A TWI824778B (en) 2022-10-17 2022-10-17 System and method with safety of the intended functionality scene collection and self-update mechanism

Country Status (1)

Country Link
TW (1) TWI824778B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113111501A (en) * 2021-03-31 2021-07-13 中汽研(天津)汽车工程研究院有限公司 Functional safety and expected functional safety fusion analysis method
CN114021327A (en) * 2021-10-28 2022-02-08 同济大学 Quantitative evaluation method for performance of automatic driving automobile sensing system
CN114564003A (en) * 2022-02-14 2022-05-31 东风汽车集团股份有限公司 Automatic driving expected function safety perception performance limitation modification method and vehicle

Similar Documents

Publication Publication Date Title
CN110271559B (en) Improved control system and improved control method for autonomously controlling a motor vehicle
US20190312892A1 (en) Onboard cybersecurity diagnostic system for vehicle, electronic control unit, and operating method thereof
US20230339481A1 (en) Determination of reliability of vehicle control commands using a voting mechanism
US10023164B2 (en) Validating automotive safety functions
CN110785742A (en) Device and method for actuating a vehicle module as a function of a status signal
JP2008505012A (en) Redundant data bus system
KR101816238B1 (en) Diagnosing system and method for an safety status of vehicle using the acceleration data and the change of acceleration pedal location
JP2014518809A (en) Method for monitoring and controlling the pneumatic minimum ground clearance of a chassis device
Drolia et al. Autoplug: An automotive test-bed for electronic controller unit testing and verification
US11531330B2 (en) Blockchain-based failsafe mechanisms for autonomous systems
KR102586331B1 (en) System and method for checking lane keeping performance
Heckemann et al. Safe automotive software
KR20190119514A (en) On-board cybersecurity diagnostic system for vehicle, electronic control unit, and operating method thereof
US20210237763A1 (en) Operating method for an autonomously operatable device, and an autonomously operatable device
US7130768B2 (en) Method and device for fault diagnosis in control systems in an internal combustion engine in a motor vehicle
TWI824778B (en) System and method with safety of the intended functionality scene collection and self-update mechanism
US20220063601A1 (en) Measurement data evaluation for vehicle-dynamics systems having protection of the intended function
KR20180082886A (en) Processor for preventing accident of automatic driving system and method of the same
US7647145B2 (en) Method for error processing in electronic controllers
KR102266048B1 (en) Emergency Braking System having self test function
US20230192139A1 (en) Method and system for addressing failure in an autonomous agent
CN113359657A (en) ECU diagnosis configuration code checking method and system and electronic control unit
CN118051545A (en) System and method for secure scene collection and self-updating with expected functions
CN116686018A (en) System for detecting a condition of a vehicle component
US20170199834A1 (en) Vehicle subsystem communication arbitration