Fail-safe EE architecture for automated driving

US 9,606,537 B2
Filed: 10/12/2015
Issued: 03/28/2017
Est. Priority Date: 10/14/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a first computer unit having a first interface configured to connect to a sensor and to an actuator;

a second computer unit having a second interface configured to connect to the sensor and to the actuator;

a third interface configured to connect the first computer unit and the second computer unit to each other; and

a human-machine interface configured to transfer a handover request for performance of an automated driving function by means of separate interfaces to the first computer unit and the second computer unit, the first computer unit and the second computer unit being configured to mutually and separately indicate a takeover of the automated driving function to the human-machine interface, the human-machine interface being configured to only transfer the automated driving function to the first computer unit if each of the first computer unit and the second computer unit indicate that they are operating correctly and can perform the automated driving function,wherein at least one of the first computer unit, the second computer unit, and the actuator are configured to control which of the first computer unit and the second computer unit can effectively activate the actuator.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system with a first computer unit and with a second computer unit, wherein the first computer unit comprises a first interface to enable connection to at least one sensor and to at least one actuator, wherein the second computer unit comprises a second interface to enable connection to at least one sensor and to at least one actuator, wherein the first and the second computer units can be connected to each other by means of a further interface, wherein the actuator comprises an interface, wherein depending on the first or on the second operating state the interface determines whether a control command for a driving function is adopted by the first or the second computer unit, so that in the first operating state only the first computer unit can activate the actuator and in a second operating state only the second computer unit can activate the actuator.

17 Citations

View as Search Results

19 Claims

1. A system comprising:
- a first computer unit having a first interface configured to connect to a sensor and to an actuator;
  
  a second computer unit having a second interface configured to connect to the sensor and to the actuator;
  
  a third interface configured to connect the first computer unit and the second computer unit to each other; and
  
  a human-machine interface configured to transfer a handover request for performance of an automated driving function by means of separate interfaces to the first computer unit and the second computer unit, the first computer unit and the second computer unit being configured to mutually and separately indicate a takeover of the automated driving function to the human-machine interface, the human-machine interface being configured to only transfer the automated driving function to the first computer unit if each of the first computer unit and the second computer unit indicate that they are operating correctly and can perform the automated driving function,wherein at least one of the first computer unit, the second computer unit, and the actuator are configured to control which of the first computer unit and the second computer unit can effectively activate the actuator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system as claimed in claim 1, wherein the actuator has a fourth interface, the fourth interface being configured to control, based on one of a first operating state and a second operating state, whether a control command for a driving function from one of the first computer unit and the second computer unit is adopted, such that in the first operating state only the first computer unit can activate the actuator and in the second operating state only the second computer unit can activate the actuator.
  - 3. The system as claimed in claim 1, wherein:
    - during correct operation of the first computer unit, a first operating state is active and only the first computer unit can effectively activate the actuator; and
      
      in the event of a malfunction of the first computer unit, a second operating state is active and only the second computer unit can effectively activate the actuator.
  - 4. The system as claimed in claim 1, wherein, in a first operating state, the second computer unit is configured to perform a test method.
  - 5. The system as claimed in claim 4, wherein the test method tests a communication between the second computer unit and the first computer unit.
  - 6. The system as claimed in claim 4, wherein the test method tests a communication between the second computer unit and the actuator.
  - 7. The system as claimed in claim 4, wherein the test method checks an operation of the second computer unit.
  - 8. The system as claimed in claim 1, wherein the actuator is configured to, in the response to a malfunction of at least one of the first computer unit and the second computer unit, operate in one of a safety function and a safety position.
  - 9. The system as claimed in claim 1, further comprising:
    - two actuator controllers, the two actuator controllers being configured to work in conjunction with the actuator, each actuator controller being connected to the first computer unit and the second computer unit.
  - 10. The system as claimed in claim 1, wherein the first computer unit and the second computer unit are configured to be supplied with electrical power from separate electrical power supply systems.
  - 11. The system as claimed in claim 1, wherein the first computer unit is configured to provide at least input data to the second computer unit for a test method for checking for correct operation.
  - 12. The system as claimed in claim 1, wherein:
    - the first computer unit is configured to (i) compute a first automated driving function and (ii) transmit the computed first automated driving function to the second computer unit; and
      
      the second computer unit is configured to (i) independently compute a second automated driving function that is the same as the first automated driving function (ii) compare the independently computed second automated driving function with the first automated driving function, and (iii) check for a malfunction of the second computer unit based on the comparison.
  - 13. The system as claimed in claim 1, further comprising:
    - at least a first sensor and a second sensor configured to redundantly measure a same parameter, the first computer unit being connected to the first sensor and the second computer unit being connected to the second sensor.
  - 14. The system as claimed in claim 13, further comprising:
    - a plurality of sensors, the first computer unit and the second computer unit each being connected to an overlapping set of the plurality of sensors, each sensor of the plurality of sensors being connected at least one of the first computer unit and the second computer unit.
  - 15. The system as claimed in claim 1, wherein:
    - the first computer unit is configured to send a takeover to the human-machine interface if (i) the first computer unit assesses itself to be operational and (ii) the first computer unit has received from the second computer unit an indication that the second computer unit also assesses itself to be operational; and
      
      the second computer unit is configured to send a takeover to the human-machine interface if (i) the second computer unit assesses itself to be operational and (ii) the second computer unit receives from the first computer unit an indication that the first computer unit also assesses itself to be operational.
  - 16. The system as claimed in claim 1, wherein, in a second operating state in which the second computer unit is performing an automated driving function, the performance of the automated driving function is handed back to the first computer unit if the first computer unit indicates that it is operational again.
  - 17. The system as claimed in claim 16, wherein the handing back of the automated driving function to the first computer unit is limited to at least one of specified malfunctions and specified driving functions.

18. A method for the operation of a system having a first computer unit and a second computer unit, the first computer unit having an first interface configured to connect to a sensor and to an actuator the second computer unit having an second interface configured to connect to the sensor and to the actuator, the system further having a third interface configured to connect the first computer unit and the second computer unit to each other, the system further having a human-machine interface, the method comprising:
- controlling, with at least one of the first computer unit, the second computer unit, and the actuator, which of the first computer unit and the second computer unit can effectively activate the actuator; and
  
  transferring, with the human-machine interface, a handover request for performance of an automated driving function by means of separate interfaces to the first computer unit and the second computer unit, the first computer unit and the second computer unit being configured to mutually and separately indicate a takeover of the automated driving function to the human-machine interface, the human-machine interface being configured to only transfer the automated driving function to the first computer unit if each of first computer unit and the second computer unit indicate that they are operating correctly and can perform the automated driving function.

19. A system comprising:
- a first computer unit having a first interface configured to connect to a sensor and to an actuator, ;
  
  a second computer unit having a second interface configured to connect to the sensor and to the actuator; and
  
  a third interface configured to connect the first computer unit and the second computer unit to each other,wherein at least one of the first computer unit, the second computer unit, and the actuator are configured to control which of the first computer unit and the second computer unit can effectively activate the actuator,wherein the first computer unit is configured to (i) compute a first automated driving function and (ii) transmit the computed first automated driving function to the second computer unit, andthe second computer unit is configured to (i) independently compute a second automated driving function that is the same as the first automated driving function, (ii) compare the independently computed second automated driving function with the first automated driving function, and (iii) check for a malfunction of the second computer unit based on the comparison.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Robert Bosch GmbH
Original Assignee
Robert Bosch GmbH
Inventors
Hogenmueller, Thomas, Huck, Thorsten, Kersken, Ulrich, Ruehle, Armin, Tilsner, Heinz, Gebauer, Carsten, Baysal, Tuelin, Mueller, Bernd, Blaschke, Volker, Niem, Wolfgang
Primary Examiner(s)
Lee, Tyler J

Application Number

US14/880,510
Publication Number

US 20160103450A1
Time in Patent Office

533 Days
Field of Search

701/23
US Class Current

1/1
CPC Class Codes

B60W 30/00   Purposes of road vehicle dr...

B60W 30/143   Speed control B60W30/16 tak...

B60W 30/16   Control of distance between...

B60W 50/02   Ensuring safety in case of ...

G05D 1/0077   using redundant signals or ...

Fail-safe EE architecture for automated driving

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Fail-safe EE architecture for automated driving

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links