WO2021073938A1 - Method and device for outputting, by means of an output module, representations of states relevant for the safe operation of a vehicle - Google Patents


Info

Publication number
WO2021073938A1
Authority
WO
WIPO (PCT)
Prior art keywords
output
representation
output module
sensor
control device
Prior art date
Application number
PCT/EP2020/077936
Other languages
German (de)
English (en)
Inventor
Martin Stamm
Original Assignee
Continental Automotive Gmbh

Classifications

    • G PHYSICS > G05 CONTROLLING; REGULATING > G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS > G05B19/00 Programme-control systems > G05B19/02 Programme-control systems electric > G05B19/04 Programme control other than numerical control, i.e. in sequence controllers or logic controllers > G05B19/048 Monitoring; Safety
    • B PERFORMING OPERATIONS; TRANSPORTING > B60 VEHICLES IN GENERAL > B60W CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT > B60W50/00 Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces > B60W50/02 Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials > H04L9/3247 Cryptographic mechanisms or cryptographic arrangements of H04L9/32 involving digital signatures
    • G PHYSICS > G05 CONTROLLING; REGULATING > G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS > G05B2219/00 Program-control systems > G05B2219/20 Pc systems > G05B2219/26 Pc applications > G05B2219/2637 Vehicle, car, auto, wheelchair
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00 > H04L2209/84 Vehicles

Definitions

  • the invention relates to a method for outputting representations relevant to the safe operation of a vehicle, a computer program product, a corresponding system or its components, and a vehicle with a system according to the invention.
  • Modern vehicles are equipped with a large number of sensors and support systems that are used for safe, approval-compliant and / or comfortable operation of the vehicles.
  • fault-free functionality of the systems or their components cannot be guaranteed one hundred percent despite all efforts and precautions in the design of the systems or components and for quality assurance in production and system integration.
  • Certain, in particular safety-relevant systems or components can be designed redundantly to increase the operational readiness of the vehicle, but this is often not possible for reasons of cost.
  • the document DE 102012024818 A1 discloses a method for improving the functional safety and increasing the availability of an electronic control system, in particular in automotive electronics.
  • the document DE 102014220373 A1 discloses a method for displaying information in a motor vehicle, the integrity and safety requirements for the correct and needs-based display of the driver warning being guaranteed for digital displays.
  • the document US 2019/0018408 A1 shows a system for verifying the integrity of a sensor system in a motor vehicle.
  • the document DE 102015211451 A1 discloses a method for protecting against manipulation of user data packets to be transmitted between system components via a bus system, in particular for motor vehicles.
  • the document DE 102015209448 A1 shows a method for displaying safety-relevant display elements in a motor vehicle.
  • the document DE 102016212196 A1 discloses a method for evaluating sensor data in which the sensor data are signed.
  • the output devices used to inform the vehicle driver include displays on which a large amount of information can be shown at the same time.
  • the displays can be set up to show, in some areas, content whose perceptibility is of subordinate importance for safe driving while the vehicle systems are functioning normally. Other areas of the display can be reserved for content whose perceptibility must be guaranteed at all times for the safe driving of the vehicle.
  • the content does not have to be permanently visible; it is also possible that content is selectively displayed or not displayed depending on an operating mode of the vehicle. For ergonomic reasons, it is advantageous always to show certain content at the same place on the display in the same way. In the case of selectively displayed content, this position can also be empty, depending on the operating mode or operating status.
  • FIG. 4 shows some exemplary examples of representations which can be output on a display and which inform a vehicle driver about conditions relevant for the safe operation of the vehicle.
  • symbols are shown line-by-line that represent the function or malfunction of a steering support device, the anti-lock braking system, the braking device, the airbags, the engine control and an electronic driving stability program.
  • the last line shows a symbol for the engine oil pressure, which also relates to a condition relevant to the safe operation of a vehicle.
  • ASIL stands for Automotive Safety Integrity Level, the risk classification defined in ISO 26262 for electrical and electronic systems in road vehicles.
  • it has four levels, A, B, C and D.
  • level A stands for the lowest risk level and D for the highest risk level.
  • the standard defines functional safety as "the absence of unreasonable risk due to hazards caused by malfunctioning behaviour of electrical or electronic systems."
  • the ASIL levels set binding safety requirements for vehicle components and systems based on the probability and acceptability of harm.
  • the aforementioned output devices, which inform the vehicle driver about operating states and modes as well as the proper function or failure of safety-relevant systems or components of the vehicle, can therefore also be subject to ASIL requirements as soon as safety-relevant information is output via them.
  • the systems used to inform vehicle drivers comprise one or more sensors that detect the physical measured variables and/or logical states required to determine the operating state; one or more control units that evaluate the measured values supplied by the sensors and determine an operating state or mode, or the proper functioning or failure of a system or component of the vehicle; a communication channel, for example a network; and the actual output device.
  • the output device can, for example, comprise a display which is connected to a control device which calculates the information to be displayed on the display and sends it to the display via a graphic interface.
  • the information to be displayed on the display can include general content, the display of which does not have to comply with an ASIL requirement, and safety-relevant content, the display or output of which must comply with ASIL requirements.
  • the control device must ensure that safety-relevant content is displayed correctly over or instead of other content.
  • the control unit must therefore itself meet ASIL requirements, i.e. the hardware and software of the control unit must meet the safety requirements specified in ISO 26262, because at no time may the driver be given wrong information about certain safety-relevant operating states, operating modes or the proper functioning of systems or components of the vehicle.
  • the control devices used to control output devices in vehicles have to process and output an increasing number of sensor signals. Because the performance of the processors that can in principle be used in the control units is constantly increasing, this does not appear to be a problem in terms of computing capacity. However, the performance gains are usually achieved with processors that do not come from the automotive domain and therefore do not meet ASIL requirements, so that the use of such more powerful components is not readily possible. The manufacturers do not adapt the more powerful components to the ASIL requirements because the quantities in the automotive domain are small compared to other industries, or because it is not economically feasible. In addition, the software executed by the control unit must also meet the ASIL requirements, so that the development effort increases considerably here as well.
  • a method for outputting a representation of a state relevant for the safe operation of a vehicle by an output module of the vehicle includes signing a sensor signal, which corresponds to a physical or logical variable representing such a state, with a signature assigned to the sensor, the sensor type and/or the signal.
  • the term output of a representation can refer to a large number of possible output types, although the focus in the present description is on a visual output on a display.
  • the representation output on a display of a state relevant for the safe operation of a vehicle can, for example, comprise a status or warning symbol or icon.
  • Acoustic representations can include specific beeps or sequences of beeps.
  • a physical variable that represents a condition relevant to the safe operation of a vehicle can be represented, for example, by a measured value from a temperature sensor that indicates a machine temperature or an outside temperature, or by a measured value from a level meter that indicates a brake fluid or cooling water level.
  • a logic variable can be represented, for example, by a binary signal which indicates the function or failure of a safety-relevant system of the vehicle, for example an anti-lock braking system or an electronic driving stability system.
  • the term sensor signal is used here for a signal that can be transmitted via a communication channel and that transports a measured value of the physical or logical variable.
  • the sensor signal can be transmitted directly from a sensor equipped with a corresponding interface for the communication channel, or from a sensor control device equipped with a corresponding interface, to which measured values from a plurality of measuring sensors are fed.
  • the method also includes sending the signed sensor signal via a communication channel to an output control device that is connected to the output module and set up to control it, and accordingly receiving the signed sensor signal in the output control device.
  • the method further comprises generating, in the output control device, a representation of the meaning content of the received sensor signal that can be output by the output module, sending the outputtable representation together with the signature received with the sensor signal from the output control device to the output module, and accordingly receiving the outputtable representation and the signature in the output module.
  • the method further comprises checking, in the output module, whether the outputtable representation matches the signature and, if they match, outputting the outputtable representation by the output module or, if they do not match, generating a perceptible error reaction.
  • the perceptible error reaction can, for example, be an output of information perceptible by the vehicle driver, which indicates a malfunction of the sensor or of a system component involved in the transmission of the sensor signal.
  • the perceptible error reaction can also consist of a recognizable shutdown of the output module.
  • the step of checking whether the outputtable representation matches the signature can include, in one or more embodiments, the calculation of unambiguous validation information from the received outputtable representation.
  • the calculation of the validation information can include, for example, forming a checksum or a hash value over the image data of a received displayable content.
  • the calculated validation information can then be compared with reference information stored for the received signature in a memory of the output module.
  • for each signature, a representation that can be output by the output module, for example an image or icon, is stored in the memory of the output module.
  • output parameters of the representation can be stored, for example a position on a display at which the representation is to be output, a duration of the output of the representation, an intermittent output or the like.
  • the output module can output the received representation that can be output or a representation stored in the memory, the latter for example in order to obtain a defined graphic appearance independently of a representation generated in the output control device.
  • the output parameters can stipulate that the outputtable representation is always output over any other output content.
  • the comparison of the received representation with the stored reference information can also include subtracting the received and stored image contents from one another pixel by pixel.
  • for a match, the resulting difference image must be empty in the area used by the representation, i.e. the brightness or color value of every pixel must be 0.
  • the signature of the sensor signal can also be transported in a data stream which also transmits the sensor signal.
  • the signature can, however, also be transmitted via a separate data connection, with the signature and sensor signal being assigned, for example, via time stamps or tags. If a sensor signal is processed in a control device, the received signature is added to the result of the processing by the control device or is sent on together with it.
  • the signature can be transmitted from the output control device to the display module via a separate interface, or in a data stream that transmits the content to be output, for example in an image data stream.
  • when transmitted in an image data stream, the signature can be carried, for example, in data fields provided for synchronization, or in image areas that are not shown on the display, for example in the overscan area of the image content. It is also possible to transmit the signature within the representation itself, for example in a row or column on the outer edge of the bitmap of a graphic symbol to be output, which is omitted from the output. Another possibility is to carry the signature in changes to the color or brightness of individual pixels of the graphic symbol that are imperceptible to humans. If the signature is not contained in the same way in the reference information stored in the output module, the rows or columns containing the signature can be ignored when calculating the validation information, or a method can be used that tolerates slight deviations between the calculated validation information and the reference information.
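  • Added example, not part of the patent text: the two in-band transports described above, a tag carried in an extra edge row that is stripped before output, and a tag carried in pixel LSBs, together with a validation that masks the LSBs so that it tolerates the embedding. The icon size, the 4-byte tag, SHA-256 as the hash value and all names are assumptions; the patent's "signature" is used here as the page describes it, as the key to the reference information stored in the output module.

```python
"""In-band signature transport inside a bitmap and LSB-tolerant validation.
Added example; sizes, tag and hash are constructed, not taken from the patent."""
import hashlib

W, H = 8, 4                      # icon size in pixels (constructed)
TAG_LEN = 4                      # signature tag length in bytes (constructed)

# Constructed reference icon for "ABS failure": 8-bit grayscale, row-major.
ABS_ICON = bytes([0, 255, 255, 0, 0, 255, 255, 0] * 3
                 + [255, 0, 0, 255, 255, 0, 0, 255])
ABS_SIG = b"\x00\x01\x00\x07"    # hypothetical tag assigned to this sensor/signal


def validation_info(icon: bytes) -> str:
    """Hash over the icon with every pixel's LSB masked, so a tag carried in
    the LSBs (or any LSB rendering noise) does not disturb the comparison."""
    return hashlib.sha256(bytes(p & 0xFE for p in icon)).hexdigest()


# Reference information held in the output module, keyed by signature tag.
REFERENCE = {ABS_SIG: validation_info(ABS_ICON)}


# Variant 1: the tag travels in an extra row on the outer edge of the bitmap,
# which is split off before output and before hashing.
def embed_in_edge_row(icon: bytes, sig: bytes, w: int = W) -> bytes:
    if len(sig) > w:
        raise ValueError("tag longer than one row")
    return icon + sig + bytes(w - len(sig))


def split_edge_row(frame: bytes, w: int = W, h: int = H, tag_len: int = TAG_LEN):
    if len(frame) != w * (h + 1):
        raise ValueError("unexpected frame size")
    icon, row = frame[: w * h], frame[w * h:]
    return icon, row[:tag_len]


# Variant 2: the tag bits are written into pixel LSBs, imperceptible to the driver.
def embed_in_lsbs(icon: bytes, sig: bytes) -> bytes:
    bits = [(byte >> (7 - i)) & 1 for byte in sig for i in range(8)]
    if len(bits) > len(icon):
        raise ValueError("tag does not fit in the icon")
    out = bytearray(icon)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def extract_from_lsbs(frame: bytes, tag_len: int = TAG_LEN):
    bits = [p & 1 for p in frame[: tag_len * 8]]
    sig = bytes(
        sum(bit << (7 - i) for i, bit in enumerate(bits[k:k + 8]))
        for k in range(0, tag_len * 8, 8)
    )
    return frame, sig            # the frame itself is what gets displayed


def pixelwise_match(received: bytes, stored: bytes) -> bool:
    """Pixel-by-pixel subtraction as the patent describes: the difference
    image must be empty once the LSB tag bits are masked out."""
    return len(received) == len(stored) and all(
        ((a & 0xFE) - (b & 0xFE)) == 0 for a, b in zip(received, stored))


def check_in_output_module(icon: bytes, sig: bytes) -> bool:
    """Does the outputtable representation match the reference for this signature?"""
    ref = REFERENCE.get(sig)
    return ref is not None and validation_info(icon) == ref
```

  • Both variants leave the stored reference unchanged: the output module hashes what the driver will actually see, with the tag bits masked, so a bitmap that differs from the reference in any perceptible way, or that arrives under a tag the module does not know, fails the check.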
  • a computer program product accordingly contains instructions which, when executed by a computer, cause the computer to carry out one or more of the refinements and further developments of the method described above.
  • the computer program product can be stored on a computer-readable data carrier.
  • the data carrier can be physical, for example a hard drive, CD, DVD, flash memory or the like, but it can also comprise a modulated electrical, electromagnetic or optical signal that is received by a computer by means of a corresponding receiver and stored in the memory of the computer.
  • a vehicle system set up to output a representation of a state relevant to the safe operation of a vehicle comprises an output module, one or more sensors, an output control device connected to the output module and set up to control it, and a communication device that provides a communication channel between the one or more sensors and the output control device.
  • the communication device can, for example, comprise a network, wherein the network can have several interconnected sections which have physical and / or logical properties defined according to different standards, for example CAN, Ethernet, FlexRay, etc.
  • the one or more sensors, the output control device and the output module of the vehicle system are set up to carry out one or more steps of the method described above.
  • the vehicle system is thus set up to use the one or more sensors to detect a physical or logical variable that represents a state that is relevant for the safe operation of a vehicle.
  • the physical or logical variable can relate, for example, to an environmental condition or a state of a vehicle component.
  • the detected physical or logical variable is converted into a corresponding sensor signal by the respective sensor or by a control device to which the sensor is connected, the sensor signal is provided with a signature assigned to the sensor, the sensor type and/or the physical or logical variable, and the signed sensor signal is transmitted from a sensor interface of the sensor via a communication channel to a first control device interface of an output control device.
  • the communication channel can comprise a network that transports data over interconnected sections of the network.
  • the individual sections of the network can be implemented according to one or different standards.
  • the output control device receives the signed sensor signal at the first control device interface and, based on the received sensor signal and the signature, generates a representation of a meaning content of the sensor signal that can be output by an output module.
  • the representation that can be output is transmitted together with the received signature via a second control device interface of the output control device to an interface of the output module.
  • the output module receives the outputtable representation and the signature at its interface and compares the received data with validation information stored in a memory of the output module. If the comparison shows that the received outputtable representation and the received signature match, the output module outputs the representation. If they do not match, the output module outputs a perceptible error reaction.
  • a sensor of the vehicle system comprises one or more sensor arrangements which are set up to detect physical or logical variables which represent states that are relevant for the safe operation of the vehicle.
  • the sensor also includes a sensor control device which is set up to generate a sensor signal as a function of the detected physical or logical variable and to provide the sensor signal with a signature assigned to the sensor, the sensor type and/or the physical or logical variable.
  • the sensor arrangement and the sensor control device can be arranged spatially apart from one another, and the sensor control device can be connected to a plurality of sensor arrangements for detecting the same or different physical or logical variables.
  • the sensor or the sensor control device also has a sensor interface which is set up to transmit the signed sensor signal to an output control device via a communication channel.
  • An output control device of the vehicle system comprises a first control device interface, which is set up to receive signed sensor signals via a communication network, and a second control device interface, which is connected to an output device.
  • the output control device is set up to generate, based on received signed sensor signals and the signature, a representation of a meaningful content of the sensor signal that can be output by the output module, and to transmit the representation together with the received signature to the output module via the second control device interface.
  • the expression “representation of a meaningful content” stands for a representation that conveys a meaning of the physical or logical variable in an associated context to a human recipient.
  • a logical variable can, for example, be a flag that signals a faulty function of a vehicle component, for example a failure of the ABS.
  • the corresponding sensor signal can, for example, be an error code with which a normal vehicle driver can do little.
  • the representation of the meaning content can, for example, be a symbol that shows a simplified symbol of a braking device, possibly with the letters ABS, so that the vehicle driver can immediately recognize that a system that is important for the safe operation of the vehicle is not working or is working incorrectly.
  • in the case of a physical variable, for example a temperature, a measured value recorded by a sensor arrangement, for example a measuring probe, is converted into a data value of a sensor signal that does not necessarily give a human receiver an immediate idea of the temperature.
  • the representation of the data value can include, for example, an output of the temperature in degrees Celsius or degrees Fahrenheit, which as a rule gives a human receiver an impression of the temperature.
  • a snowflake symbol can also be displayed, which is widely accepted as a warning symbol, for example at low outside temperatures or low engine temperatures.
  • graphically displayable representations of the meaning content of sensor signals can include, for example, monochrome or color bitmaps or other graphic formats.
  • an output module of the vehicle system comprises one or more interfaces which are set up to receive a representation that can be output by the output module and a signature associated with that representation.
  • the representation that can be output and the signature can be received via the same interface or via interfaces that are independent of one another; it is particularly important that a signature and a representation that can be outputted belong to one another in a recognizable manner for the output module.
  • the output module also includes a memory that stores reference information on signatures of representations that can be output, and a comparison device that is configured to calculate validation information on the basis of the representation that can be output and to compare it with reference information stored for the received signature.
  • the output module is also set up to output the representation that can be output or a perceptible error reaction as a function of the result of the comparison.
  • the output module also includes an arrangement that noticeably conveys the outputtable representation and the error reaction to a human receiver, for example a monochrome or color display or a loudspeaker for outputting acoustic representations of states relevant to the operation of a vehicle.
  • the present invention separates the functional path of the output of a representation of a state relevant for safe operation of a vehicle by an output module of the vehicle into the phases of detecting the state, transmitting the state to a display control device and outputting the representation.
  • at the end of this path a verification of the representation to be output can take place, so that only the sensor and the output device must meet ASIL requirements, while this is not necessarily the case for the other components.
  • errors in the processing chain can be detected down to the last link, and correspondingly perceptible error reactions can be triggered at the end of the signal chain.
  • the method and the system can be used particularly advantageously in vehicle networks in which networks are divided into zones with their own zone servers.
  • because the signature of the sensor signal safeguards the correct output of safety-relevant content, the components located between the sensor and the output module can be developed to the usual QM (quality management) standard without having to meet an ASIL requirement; only the sensors and the output device must meet the ASIL requirements. Since these comprise less complex hardware and software, developing the sensors and output devices according to the relevant safety standards is simpler and cheaper.
  • FIG. 1 shows an exemplary flow diagram of the method according to the invention
  • FIG. 2 shows a schematic representation of a vehicle system set up to carry out the method according to the invention
  • FIG. 3 shows a further schematic representation of the vehicle system set up to carry out the method according to the invention
  • FIG. 4 shows examples of representations that can be outputted of states relevant for the safe operation of a vehicle
  • FIG. 1 shows an exemplary flow chart of the method 100 according to the invention.
  • in a first step, a sensor signal is signed with a signature assigned to the sensor, the sensor type and/or the signal, and in step 104 it is sent to an output control device connected to an output module.
  • the output control device receives the signed sensor signal, step 106, and in step 108 generates a representation of the meaning content of the received sensor signal which can be output by the output module and which is sent to the output module together with the signature in step 110.
  • the output module receives the outputtable representation in step 112 and checks in step 114 whether the outputtable representation matches the signature.
  • the check can include calculating validation information from the received outputtable representation, step 114a, and comparing the calculated validation information with reference information stored in a memory of the output module, step 114b. If the comparison shows that the signature matches the received output representation, "j" branch of step 114, the output module outputs it, step 116.
  • the output can include the reading out of output parameters, step 116, which specify, for example, at which point on a display an outputtable representation is to be shown. If the comparison shows that the signature does not match the received output representation, "n" branch of step 114, the output module generates a perceptible error reaction, which can consist, for example, in a predetermined message being shown on a display, or that the display is switched off.
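  • Added example, not the patent's code: a simulation of the complete method 100 with the three component classes of FIG. 2, an ASIL sensor control device that assigns one signature per meaning of the signal, a QM zone server and a QM output control device with switchable fault injection, and an ASIL output module that compares the rendered bitmap against the reference stored for the signature and otherwise returns the error reaction. Signature tags, icons, the error-code encoding and SHA-256 as the validation information are assumptions.

```python
"""End-to-end simulation of method 100 (FIG. 1) over the components of FIG. 2.
Added example; tags, icons and encodings are constructed, not from the patent."""
import hashlib
from dataclasses import dataclass

# Constructed signature tags. One tag per meaning of the signal, so that the
# output module can hold exactly one reference representation per tag.
SIG_ABS_OK = b"\x02\x10\x00"
SIG_ABS_FAULT = b"\x02\x10\x01"
SIG_OIL_LOW = b"\x02\x20\x01"

# Constructed 4x4 8-bit grayscale icons standing in for the FIG. 4 symbols.
ICON_ABS_FAULT = bytes([255, 0, 0, 255, 0, 255, 255, 0,
                        0, 255, 255, 0, 255, 0, 0, 255])
ICON_OIL_LOW = bytes([0, 0, 255, 255] * 4)
ICON_EMPTY = bytes(16)          # the reserved area stays empty when all is well


def validation_info(rep: bytes) -> str:
    """Step 114a: unambiguous validation information over the image data."""
    return hashlib.sha256(rep).hexdigest()


@dataclass(frozen=True)
class SignedSignal:
    signature: bytes
    payload: bytes              # e.g. an error code; meaningless to the driver


# ASIL: sensor control device 202 (steps 102, 104)
def sensor_control_device(abs_failed: bool) -> SignedSignal:
    code = b"\xE7" if abs_failed else b"\x00"      # constructed error code
    return SignedSignal(SIG_ABS_FAULT if abs_failed else SIG_ABS_OK, code)


# QM: zone server 208 forwards payload and signature unchanged (fault injectable)
def zone_server(msg: SignedSignal, flip_payload: bool = False) -> SignedSignal:
    if flip_payload:            # fault model: payload corrupted, tag intact
        return SignedSignal(msg.signature, bytes([msg.payload[0] ^ 0xE7]))
    return msg


# QM: output control device 212 (steps 106 to 110) renders the meaning content
# from the payload and passes the received signature on untouched.
RENDER = {b"\x00": ICON_EMPTY, b"\xE7": ICON_ABS_FAULT}


def output_control_device(msg: SignedSignal, wrong_icon: bool = False):
    rep = ICON_OIL_LOW if wrong_icon else RENDER.get(msg.payload, ICON_EMPTY)
    return rep, msg.signature


# ASIL: output module 216 with test device 218 (steps 112 to 116)
REFERENCE = {                   # reference information per signature
    SIG_ABS_OK: validation_info(ICON_EMPTY),
    SIG_ABS_FAULT: validation_info(ICON_ABS_FAULT),
    SIG_OIL_LOW: validation_info(ICON_OIL_LOW),
}
OUTPUT_PARAMS = {               # where and how the symbol is shown, always on top
    SIG_ABS_FAULT: {"position": (0, 0), "blink": False, "on_top": True},
    SIG_OIL_LOW: {"position": (0, 1), "blink": True, "on_top": True},
}


def output_module(rep: bytes, sig: bytes):
    """Returns ('DISPLAY', params) on a match, otherwise the error reaction."""
    if REFERENCE.get(sig) == validation_info(rep):
        return "DISPLAY", OUTPUT_PARAMS.get(sig, {})
    return "ERROR_REACTION", {"message": "display check failed", "shutdown": True}


def run_chain(abs_failed: bool, flip_payload: bool = False, wrong_icon: bool = False):
    """Whole signal path: sensor -> zone server -> output controller -> module."""
    msg = zone_server(sensor_control_device(abs_failed), flip_payload)
    rep, sig = output_control_device(msg, wrong_icon)
    return output_module(rep, sig)
```

  • A payload bit flip in the zone server or a wrong icon chosen by the output control device both end in the error reaction, because the rendered bitmap no longer hashes to the reference stored for the tag that travelled with it. Calling output_module(ICON_EMPTY, SIG_ABS_OK) directly passes, which marks the boundary of the mechanism as the page describes it: the module verifies that representation and signature belong together, so a message whose payload and signature were both changed consistently is not caught by this check; lost messages are addressed separately by the alive counter described with FIG. 3.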
  • FIG. 2 shows a schematic representation of an exemplary vehicle system 200 set up to carry out the method according to the invention.
  • Vehicle system 200 comprises a sensor control device 202 that outputs a sensor signal that corresponds to a physical or logical variable that represents a state relevant for the safe operation of a vehicle.
  • Sensor control device 202 also includes one or more sensor arrangements 204 that detect physical or logical variables and feed them to sensor control device 202.
  • Sensor control device 202 is set up to sign sensor signals, before output, with a signature assigned to the sensor control device 202, the sensor type and/or the signal or the signal type.
  • Sensor control unit 202 sends the signed sensor signal via a first section 206 of a communication channel to an optional zone server 208.
  • Zone server 208 is connected to several control units of a zone of the vehicle and forwards the signals together with their signatures via a second section 210 of the communication channel to an output control unit 212 .
  • From the received sensor signal and the signature, output control device 212 generates a representation of the meaning content of the received sensor signal that can be output by an output module 216, which is connected to output control device 212 via a third section 214 of the communication channel, and sends it to output module 216.
  • sensor control device 202 and output module 216 as well as comparison or test device 218 have to meet ASIL requirements, indicated by the hatched background, because only these components of the system can actively influence the output of a content or signal corresponding to a safety-relevant state.
  • the comparison or test device can be formed by a corresponding computer program which is executed in the output module and can comprise hardware components or parts thereof.
  • One or more zone servers 208, which form part of the communication channel, as well as the output control device 212, can change the content of transmitted messages, but this change would be detected at the latest during the check in the output module 216 and trigger an error reaction. Therefore, the zone servers 208 and the output controller 212 do not have to meet the strict ASIL requirements; it is sufficient here to meet the established QM requirements.
  • FIG. 3 shows a further schematic illustration of the vehicle system 200 set up to carry out the method according to the invention.
  • The illustration essentially corresponds to that of FIG. 2.
  • Different sections 206, 210, 214 of the communication channel are shown by way of example.
  • The first section 206 can, for example, comprise a connection according to the CAN bus standard, via which sensor control device 202 is connected to zone server 208.
  • The sensor control device 202 can be combined in one component with the actual sensor arrangement 204, which records the physical or logical variable, or can be connected to a plurality of spatially separate sensor arrangements 204.
  • The second section 210 can, for example, comprise an Ethernet connection between the zone server 208 and the output control device 212.
  • The third section 214 can, for example, comprise an LVDS display interface. What all three sections have in common is that, in addition to the sensor signal or the sensor data in the “Data” field, the signature associated with the sensor signal is transmitted in accordance with the respective protocol.
  • In the “Data” field, in addition to the sensor signal or the sensor data, time stamps, status information of the sensor and other information can be transmitted, which are converted into an output in the output control device.
  • An “alive counter” can be provided, which can be used to monitor that no messages sent by the sensor control device are lost during transmission. This can be done, for example, by the output module storing the count value of the last message sent by a control device and comparing it with the count value of the next message sent by this control device.
  • If a count value is skipped, i.e. the message has a count value that is two or more higher, a corresponding error response can be output.
  • The embedding of the signature in the different protocols of the transmission links can take place without changing the protocols, for example in the payload sections or in unused data fields. Because of the end-to-end control, it is not necessary to secure the interfaces used for transport.
  • FIG. 4 has already been described with reference to the prior art and will therefore not be discussed again at this point.
  • FIG. 5 shows examples of representations that can be output with signatures contained therein.
  • In FIG. 5 a), a barcode-like alternation of black and white pixels containing the signature is placed in the top line of a bitmap image that represents the representation that can be output on a display.
  • The output module can either ignore this line and calculate validation information from the remaining lines, which is compared with the reference information for the signature stored in the output module, or the reference information can already take the signature contained in the representation into account.
  • When outputting to a display, the top line can be omitted accordingly.
  • FIG. 5 b) also contains a barcode-like alternation of pixels containing the signature, placed in the top line of a bitmap image that represents the representation that can be output on a display.
  • The alternation is imperceptible to a human observer because the pixels of the inherently black edge of the bitmap image alternate between black and a dark gray that is only one level lighter. In the figure, this is indicated by medium gray pixels for reasons of displayability. In this embodiment it is not necessary to omit the top line when outputting to a display. Instead of black and dark gray pixels, other color or brightness combinations can of course be used, depending on the image background on which the symbol is displayed.
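As an added example (not code from the patent), the end-to-end check the description assigns to output module 216, modelled in Python: sensor control device 202 signs (sensor id, signal type, value, alive counter), a QM-level output control device 212 renders the representation and forwards the signature unchanged, and the output module verifies the signature, the alive counter and the representation against its stored reference information. The HMAC standing in for the patent's signature, the shared key, the reference digests and the bitmap bytes are constructed assumptions.

```python
import hashlib
import hmac

# Constructed values (assumptions, not from the patent): a key shared by sensor
# control device 202 and output module 216, and the output module's stored
# reference information: one digest of the expected representation per state.
SENSOR_KEY = b"constructed-key-sensor-202"
REFERENCE = {
    ("abs", "warning"): hashlib.sha256(b"ABS_WARNING_BITMAP").hexdigest(),
    ("abs", "ok"): hashlib.sha256(b"ABS_OK_BITMAP").hexdigest(),
}

def _payload(sensor_id, signal_type, value, counter):
    return f"{sensor_id}|{signal_type}|{value}|{counter}".encode()

def sign_sensor_signal(sensor_id, signal_type, value, counter):
    """Sensor control device 202 (ASIL): sign the signal, its type and the
    alive counter; an HMAC stands in for the patent's signature."""
    sig = hmac.new(SENSOR_KEY, _payload(sensor_id, signal_type, value, counter),
                   hashlib.sha256).hexdigest()
    return {"sensor": sensor_id, "type": signal_type, "data": value,
            "counter": counter, "sig": sig}

def render(msg):
    """Output control device 212 (QM, may be faulty): map the signal to a
    displayable bitmap and forward the signature unchanged."""
    bitmap = b"ABS_WARNING_BITMAP" if msg["data"] == "warning" else b"ABS_OK_BITMAP"
    return {"bitmap": bitmap, "msg": msg}

class OutputModule:
    """Output module 216 with comparison device 218 (ASIL)."""
    def __init__(self):
        self.last_counter = {}   # per sensor: count value of the last accepted message

    def check(self, frame):
        msg = frame["msg"]
        expected = hmac.new(SENSOR_KEY, _payload(msg["sensor"], msg["type"],
                            msg["data"], msg["counter"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["sig"]):
            return "ERROR:signature"        # data field altered on the channel
        last = self.last_counter.get(msg["sensor"])
        if last is not None and msg["counter"] != last + 1:
            return "ERROR:alive_counter"    # a message was lost (skipped) or repeated
        self.last_counter[msg["sensor"]] = msg["counter"]
        # Validation information computed from the representation must match the
        # reference information stored for the signed state.
        if REFERENCE.get((msg["type"], msg["data"])) != hashlib.sha256(frame["bitmap"]).hexdigest():
            return "ERROR:representation"   # rendered content does not match signed signal
        return "DISPLAY"
```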


Abstract

The invention relates to a method (100) for outputting, by means of an output module (216) of the vehicle, a representation of a state relevant to the safe operation of a vehicle, the method comprising signing (102), by means of a signature associated with the sensor (202, 204), the sensor type and/or the signal or the signal type, a sensor signal that corresponds to a physical or logical variable representing a state relevant to the safe operation of a vehicle. The signed sensor signal is transmitted via a communication channel (206, 208, 210) to an output control device (212) that is connected to the output module (216) and configured to control it. The output control device (212) generates a representation of the meaning content of the received sensor signal, said representation being outputtable by the output module (216), and transmits the outputtable representation and the signature received with the sensor signal to the output module (216). The output module (216) checks whether the outputtable representation corresponds to the signature and outputs the outputtable representation if the representation and the signature correspond. Otherwise, the output module (216) generates a perceptible error response.
PCT/EP2020/077936 2019-10-17 2020-10-06 Method and device for outputting, by means of an output module, representations of states relevant to the safe operation of a vehicle WO2021073938A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102019216030.1A DE102019216030A1 (de) 2019-10-17 2019-10-17 Method and device for outputting, by means of an output module, representations of states relevant to the safe operation of a vehicle
DE102019216030.1 2019-10-17

Publications (1)

Publication Number Publication Date
WO2021073938A1 true WO2021073938A1 (fr) 2021-04-22

Family

ID=72811823

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2020/077936 WO2021073938A1 (fr) 2019-10-17 2020-10-06 Method and device for outputting, by means of an output module, representations of states relevant to the safe operation of a vehicle

Country Status (2)

Country Link
DE (1) DE102019216030A1 (fr)
WO (1) WO2021073938A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102022210422A1 (de) * 2022-09-15 2024-03-21 Continental Automotive Technologies GmbH Method for transmitting a data record between a tachograph and a control unit

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102008043830A1 (de) * 2008-11-18 2010-05-20 Bundesdruckerei Gmbh Motor vehicle display device, motor vehicle electronic system, motor vehicle, method for displaying data and computer program product
DE102012024818A1 (de) 2012-03-06 2013-09-12 Conti Temic Microelectronic Gmbh Method for improving the functional safety and increasing the availability of an electronic control system, and an electronic control system
DE102014008808A1 (de) * 2014-06-11 2014-11-27 Daimler Ag Method for securing the transmission of safety-relevant camera images
DE102014220373A1 (de) 2014-10-08 2016-04-14 Bayerische Motoren Werke Aktiengesellschaft Freely programmable display
DE102015209448A1 (de) 2015-05-22 2016-11-24 Bayerische Motoren Werke Aktiengesellschaft Method for displaying safety-relevant display elements
DE102015211451A1 (de) 2015-06-22 2017-01-05 Volkswagen Aktiengesellschaft Method for manipulation protection of payload data packets to be transmitted between system components via a bus system
DE102016212196A1 (de) 2016-07-05 2018-01-11 Robert Bosch Gmbh Method for evaluating sensor data
DE102016225436A1 (de) * 2016-12-19 2018-06-21 Volkswagen Aktiengesellschaft Sensor for acquiring measured values, method, device and computer-readable storage medium with instructions for processing measured values of a sensor
US20190018408A1 (en) 2017-07-12 2019-01-17 Qualcomm Incorporated Systems and methods for verifying integrity of a sensing system
US10331128B1 (en) * 2018-04-20 2019-06-25 Lyft, Inc. Control redundancy

Also Published As

Publication number Publication date
DE102019216030A1 (de) 2021-04-22

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20789045

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20789045

Country of ref document: EP

Kind code of ref document: A1