Fail-safe EE architecture for automated driving
원문보기
IPC분류정보
국가/구분
United States(US) Patent
등록
국제특허분류(IPC7판)
G05D-001/00
G05D-001/02
B60W-030/00
출원번호
US-0880510
(2015-10-12)
등록번호
US-9606537
(2017-03-28)
우선권정보
DE-10 2014 220 781 (2014-10-14)
발명자
/ 주소
Hogenmueller, Thomas
Huck, Thorsten
Kersken, Ulrich
Ruehle, Armin
Tilsner, Heinz
Gebauer, Carsten
Baysal, Tuelin
Mueller, Bernd
Blaschke, Volker
Niem, Wolfgang
출원인 / 주소
Robert Bosch GmbH
대리인 / 주소
Maginot, Moore & Beck LLP
인용정보
피인용 횟수 :
0인용 특허 :
6
초록▼
A system with a first computer unit and with a second computer unit, wherein the first computer unit comprises a first interface to enable connection to at least one sensor and to at least one actuator, wherein the second computer unit comprises a second interface to enable connection to at least on
A system with a first computer unit and with a second computer unit, wherein the first computer unit comprises a first interface to enable connection to at least one sensor and to at least one actuator, wherein the second computer unit comprises a second interface to enable connection to at least one sensor and to at least one actuator, wherein the first and the second computer units can be connected to each other by means of a further interface, wherein the actuator comprises an interface, wherein depending on the first or on the second operating state the interface determines whether a control command for a driving function is adopted by the first or the second computer unit, so that in the first operating state only the first computer unit can activate the actuator and in a second operating state only the second computer unit can activate the actuator.
대표청구항▼
1. A system comprising: a first computer unit having a first interface configured to connect to a sensor and to an actuator;a second computer unit having a second interface configured to connect to the sensor and to the actuator;a third interface configured to connect the first computer unit and the
1. A system comprising: a first computer unit having a first interface configured to connect to a sensor and to an actuator;a second computer unit having a second interface configured to connect to the sensor and to the actuator;a third interface configured to connect the first computer unit and the second computer unit to each other; anda human-machine interface configured to transfer a handover request for performance of an automated driving function by means of separate interfaces to the first computer unit and the second computer unit, the first computer unit and the second computer unit being configured to mutually and separately indicate a takeover of the automated driving function to the human-machine interface, the human-machine interface being configured to only transfer the automated driving function to the first computer unit if each of the first computer unit and the second computer unit indicate that they are operating correctly and can perform the automated driving function,wherein at least one of the first computer unit, the second computer unit, and the actuator are configured to control which of the first computer unit and the second computer unit can effectively activate the actuator. 2. The system as claimed in claim 1, wherein the actuator has a fourth interface, the fourth interface being configured to control, based on one of a first operating state and a second operating state, whether a control command for a driving function from one of the first computer unit and the second computer unit is adopted, such that in the first operating state only the first computer unit can activate the actuator and in the second operating state only the second computer unit can activate the actuator. 3. The system as claimed in claim 1, wherein: during correct operation of the first computer unit, a first operating state is active and only the first computer unit can effectively activate the actuator; andin the event of a malfunction of the first computer unit, a second operating state is active and only the second computer unit can effectively activate the actuator. 4. The system as claimed in claim 1, wherein, in a first operating state, the second computer unit is configured to perform a test method. 5. The system as claimed in claim 4, wherein the test method tests a communication between the second computer unit and the first computer unit. 6. The system as claimed in claim 4, wherein the test method tests a communication between the second computer unit and the actuator. 7. The system as claimed in claim 4, wherein the test method checks an operation of the second computer unit. 8. The system as claimed in claim 1, wherein the actuator is configured to, in the response to a malfunction of at least one of the first computer unit and the second computer unit, operate in one of a safety function and a safety position. 9. The system as claimed in claim 1, further comprising: two actuator controllers, the two actuator controllers being configured to work in conjunction with the actuator, each actuator controller being connected to the first computer unit and the second computer unit. 10. The system as claimed in claim 1, wherein the first computer unit and the second computer unit are configured to be supplied with electrical power from separate electrical power supply systems. 11. The system as claimed in claim 1, wherein the first computer unit is configured to provide at least input data to the second computer unit for a test method for checking for correct operation. 12. The system as claimed in claim 1, wherein: the first computer unit is configured to (i) compute a first automated driving function and (ii) transmit the computed first automated driving function to the second computer unit; andthe second computer unit is configured to (i) independently compute a second automated driving function that is the same as the first automated driving function (ii) compare the independently computed second automated driving function with the first automated driving function, and (iii) check for a malfunction of the second computer unit based on the comparison. 13. The system as claimed in claim 1, further comprising: at least a first sensor and a second sensor configured to redundantly measure a same parameter, the first computer unit being connected to the first sensor and the second computer unit being connected to the second sensor. 14. The system as claimed in claim 13, further comprising: a plurality of sensors, the first computer unit and the second computer unit each being connected to an overlapping set of the plurality of sensors, each sensor of the plurality of sensors being connected at least one of the first computer unit and the second computer unit. 15. The system as claimed in claim 1, wherein: the first computer unit is configured to send a takeover to the human-machine interface if (i) the first computer unit assesses itself to be operational and (ii) the first computer unit has received from the second computer unit an indication that the second computer unit also assesses itself to be operational; andthe second computer unit is configured to send a takeover to the human-machine interface if (i) the second computer unit assesses itself to be operational and (ii) the second computer unit receives from the first computer unit an indication that the first computer unit also assesses itself to be operational. 16. The system as claimed in claim 1, wherein, in a second operating state in which the second computer unit is performing an automated driving function, the performance of the automated driving function is handed back to the first computer unit if the first computer unit indicates that it is operational again. 17. The system as claimed in claim 16, wherein the handing back of the automated driving function to the first computer unit is limited to at least one of specified malfunctions and specified driving functions. 18. A method for the operation of a system having a first computer unit and a second computer unit, the first computer unit having an first interface configured to connect to a sensor and to an actuator the second computer unit having an second interface configured to connect to the sensor and to the actuator, the system further having a third interface configured to connect the first computer unit and the second computer unit to each other, the system further having a human-machine interface, the method comprising: controlling, with at least one of the first computer unit, the second computer unit, and the actuator, which of the first computer unit and the second computer unit can effectively activate the actuator; andtransferring, with the human-machine interface, a handover request for performance of an automated driving function by means of separate interfaces to the first computer unit and the second computer unit, the first computer unit and the second computer unit being configured to mutually and separately indicate a takeover of the automated driving function to the human-machine interface, the human-machine interface being configured to only transfer the automated driving function to the first computer unit if each of first computer unit and the second computer unit indicate that they are operating correctly and can perform the automated driving function. 19. A system comprising: a first computer unit having a first interface configured to connect to a sensor and to an actuator, ;a second computer unit having a second interface configured to connect to the sensor and to the actuator; anda third interface configured to connect the first computer unit and the second computer unit to each other,wherein at least one of the first computer unit, the second computer unit, and the actuator are configured to control which of the first computer unit and the second computer unit can effectively activate the actuator,wherein the first computer unit is configured to (i) compute a first automated driving function and (ii) transmit the computed first automated driving function to the second computer unit, andthe second computer unit is configured to (i) independently compute a second automated driving function that is the same as the first automated driving function, (ii) compare the independently computed second automated driving function with the first automated driving function, and (iii) check for a malfunction of the second computer unit based on the comparison.
연구과제 타임라인
LOADING...
LOADING...
LOADING...
LOADING...
LOADING...
이 특허에 인용된 특허 (6)
Yavnai Arie,ILX, Autonomous command and control unit for mobile platform.
Kumar, Ajith Kuttannair; Shaffer, Glenn Robert; Peltz, David Michael; Noffsinger, Joseph F., System and method for monitoring the effectiveness of a brake function in a powered system.
※ AI-Helper는 부적절한 답변을 할 수 있습니다.