Abstract:
The method according to the invention allows the implementation of a function of a motor vehicle conforming to standard ASIL levels corresponding to the increasing safety requirement levels QM, A, B, C, D as defined by the ISO 26262 standard. The method is of the type implementing this function with a first safety requirement level by at least means (12, 13, 14) having a second safety requirement level lower than said first safety requirement level. According to the invention, the first safety requirement level is rated D or C and the second safety requirement level is rated B, A or QM, for a design diversity of the means (12, 13, 14) of less than four.
Publication number: FR3034882A1
Application number: FR1552961
Filing date: 2015-04-07
Publication date: 2016-10-14
Inventors: Paul Degoul; Michel Leeman
Applicant: Valeo Equipements Electriques Moteur SAS
Main IPC class:
Description:

[0001] METHOD FOR IMPLEMENTING A FUNCTION OF A MOTOR VEHICLE CONFORMING TO ASIL STANDARD LEVELS, CORRESPONDING SYSTEM AND MOTOR VEHICLE COMPRISING SUCH A SYSTEM
TECHNICAL FIELD OF THE INVENTION
The present invention relates to a method of implementing a function of a motor vehicle conforming to standard ASIL levels ("Automotive Safety Integrity Level", that is to say the automotive safety requirement level). The invention also relates to a system capable of implementing this method, as well as to a motor vehicle comprising this system.
BACKGROUND ART OF THE INVENTION
The recent development of autonomous vehicles (automation levels 4 and 5 as defined by the Society of Automotive Engineers (SAE)) requires systems that remain operational after a failure ("fail operational"). Unlike conventional automotive safety-critical applications, which require only fail-silent systems, such a system maintains its functionality, or at least a reduced functionality, in the case of any single failure. A fail-operational system requires a redundant data bus and redundant power supplies as well as a redundant ECU (Electronic Computing Unit). One possible hardware architecture for producing an electronic computing unit that is operational after a failure is known as the Duplex-Double architecture, and its use is common in avionics. A Duplex-Double architecture can be constituted by two conventional ECUs that are passive after failure (fail-silent) and a switch, as shown in FIG. 1. The two ECUs can be based, for example, on a so-called lock-step dual-core (LSDC, "Lock Step Dual Core") microcontroller. When the status of the first electronic computing unit is functional, the output data is that provided by the first electronic computing unit. When the status of the first electronic computing unit is non-functional, i.e. it has failed, the output data is that provided by the second electronic computing unit.
The status of the second electronic computing unit is used to report hidden errors, when that unit is not operational and is no longer able to take over on failure of the first electronic computing unit. In the case of multiple output data, the switch is a switch network. With regard to software, the ISO 26262 standard establishes a formal framework for the functional safety of automotive modules. The ISO 26262 standard states that software safety must be taken into account systematically throughout the software development cycle. An ASIL is assigned on the basis of the risk of the occurrence of a hazardous event, taking into account the periodicity of the situation, the impact of any damage, and to what extent this situation can be controlled and managed. The ISO 26262 standard defines four ASILs indicated by letters from A to D, the latter corresponding to the lowest risk and the highest safety requirement level. A safety requirement level indicated by QM ("Quality Management") is assigned to non-critical functions. Many autonomous vehicle functions will have at least two contradictory ASIL D safety constraints. On the one hand, an erroneous decision will be ASIL D and, on the other hand, the loss of the function will also be ASIL D. To satisfy a correct decision at the ASIL D level, the implementation of the function in both ECUs will either require the software to be developed at the ASIL D level, or will require an ASIL decomposition, as defined in ISO 26262. In the case of an ASIL decomposition, two redundant modules developed at a lower criticality level may be implemented in both ECUs. Developing complex application software at the ASIL D level is not the strategy generally adopted in automotive industrial development, for reasons of cost and development time. Therefore, an ASIL decomposition leading to lower ASILs will be preferred, at least for application software.
However, an ASIL decomposition requires a redundant and diverse implementation. Under these conditions, regardless of the hardware architecture chosen for the electronic computing units that are passive after failure, two different algorithms will be necessary in order to ensure independence between the two redundant modules implemented in each ECU; otherwise the ASIL decomposition to reduce the ASIL is not allowed by the ISO 26262 standard. In addition, to satisfy the availability constraint in the event of a single failure, the software modules implemented in each of the electronic computing units of a Duplex-Double architecture must also be diverse.
[0002] If this were not the case, a systematic error affecting one of the two redundant algorithms in one of the two ECUs that are passive after failure would also affect the other ECU. If this error were activated on one of the ECUs, it would be activated simultaneously on the other, because the input data of the two ECUs are the same; the two ECUs would therefore fail simultaneously, thereby failing to satisfy the availability constraint. Since the fundamental reason for the failure is an error in software of a lower ASIL, this is not acceptable. This means that for a function subject to two conflicting ASIL D (or C) safety constraints, one relating to the validity of the output data and the other to the availability of this output data, when a Duplex-Double architecture is used, four different software modules will be needed, as shown in Figure 2. But in many cases it is not possible to satisfy the software diversity requirement, that is, it is not possible to find four different algorithms for the same function.
[0003] It is obviously easier to develop a system, or a subsystem, qualified as ASIL B rather than ASIL D. Therefore, cost and pragmatic incentives lead to placing all or part of a project at the lowest possible level on the ASIL scale, while aiming for the highest possible overall qualification.
[0004] For example, patent application US20150057908 describes an engine control unit fulfilling safety functions qualified at ASIL B level by means of a microcontroller qualified at ASIL B level and an integrated circuit qualified at QM level. The ASIL decomposition disclosed in this application does not seem to be transposable to a Duplex-Double architecture, as described above, to be qualified at ASIL D or ASIL C level. There is therefore a need for a technical solution to qualify this architecture at these high ASIL levels using an implementation qualified at a lower level, while limiting the design diversity.
[0005] GENERAL DESCRIPTION OF THE INVENTION
The present invention therefore aims to satisfy this need. Its subject is precisely a method for implementing a function of a motor vehicle conforming to standard ASIL levels corresponding to the increasing safety requirement levels QM, A, B, C, D as defined by ISO 26262. The method in question is of the type implementing this function with a first safety requirement level by at least means having a second safety requirement level lower than the first safety requirement level, for a design diversity of these means of less than four. According to the invention, this first safety requirement level is rated D or C and the second safety requirement level is rated B, A or QM. According to the invention, this function is performed in parallel, from at least one input data, by first and second electronic computing units that are passive after failure, respectively generating at least first and second output data which alternately constitute at least one nominal output data of the function according to a state of the first and second electronic computing units. In a first embodiment of the invention, the first and second electronic computing units each execute an identical set of three different software modules performing this function and generating the first and second output data via first and second voters. The second safety requirement level of at least one of the three modules is two degrees lower than the first safety requirement level.
In a second embodiment of the invention, the first and second electronic computing units execute, on the one hand, first and second modules and, on the other hand, second and third modules among a set of three different modules performing this function and generating the first and second output data via first and second majority voters taking into account the first, second and third intermediate outputs respectively generated by the first, second and third modules, the second safety requirement level of at least one of the first, second and third modules being two degrees lower than the first safety requirement level. In a third embodiment of the invention, the first and second electronic computing units each execute an identical first module having an ASIL D rating and, respectively, second and third different modules having another rating, ASIL QM. The invention also relates to a system for implementing a function of a motor vehicle conforming to standard ASIL levels corresponding to the increasing safety requirement levels QM, A, B, C, D as defined by the ISO 26262 standard, suitable for implementing the method described above. This system is of the type implementing this function with a first safety requirement level and comprising at least a first electronic computing unit, means for acquiring an input data of the function and means for generating at least a first output data of the function having a second safety requirement level lower than the first safety requirement level. In the system according to the invention, the first safety requirement level is rated D or C and the second safety requirement level is rated B, A or QM for a design diversity of these generating means of less than four.
According to the invention, this system further comprises a second electronic computing unit generating at least a second output data of the function, and switching means for generating at least one nominal output data by switching to the first output data or the second output data according to a state of the first and second electronic computing units, these first and second electronic computing units being passive after failure. In the first embodiment of the invention, the system for implementing a function of a motor vehicle conforming to standard ASIL levels further comprises an identical set of three different modules performing this function, executed by each of the first and second electronic computing units, and first and second majority voters generating the first and second output data, the second safety requirement level of at least one of these three modules being two degrees lower than the first safety requirement level. In the second embodiment of the invention, the system further comprises, on the one hand, a first and a second module of a set of three different modules implementing the function, executed by the first electronic computing unit, and, on the other hand, the second and third modules of this set of three different modules, executed by the second electronic computing unit, and first and second majority voters taking into account the first, second and third intermediate outputs respectively generated by the first, second and third modules, the second safety requirement level of at least one of the first, second and third modules being two degrees lower than the first safety requirement level. In the third embodiment of the invention, the system further comprises an identical first module having an ASIL D rating executed by each of the first and second electronic computing units, and second and third different modules having another rating, ASIL QM, executed respectively by these first and second electronic computing units.
In these three embodiments of the system for implementing a function of a motor vehicle conforming to standard ASIL levels according to the invention, this function is preferably a detection of an object, the input data is derived from a LIDAR, or a radar, or a camera, and at least one nominal output data advantageously generates a command from a group comprising a steering command, an engine command and a braking command. According to the invention, at least one output data preferably generates the command by means of an ASIL D path planning module.
[0006] The invention also relates to a motor vehicle of the type comprising an advanced driving assistance system allowing automatic motorway driving, comprising a system for implementing a function of a motor vehicle conforming to standard ASIL levels as previously described. These few essential specifications will have made obvious to the skilled person the advantages provided by the method of implementing a function of a motor vehicle conforming to standard ASIL levels according to the invention, as well as by the corresponding system, and by the motor vehicle comprising such a system, compared to the state of the prior art. The detailed specifications of the invention are given in the following description in conjunction with the accompanying drawings. It should be noted that these drawings have no other purpose than to illustrate the text of the description and do not constitute in any way a limitation of the scope of the invention.
[0007] BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a block diagram of a Duplex-Double hardware architecture operational after failure, known from the state of the art.
Figure 2 is a block diagram of a system for implementing a function of a motor vehicle conforming to standard ASIL levels, based on the architecture shown in Figure 1, known from the state of the art.
Figure 3 is a block diagram of a system for implementing a function of a motor vehicle conforming to standard ASIL levels, based on the architecture shown in Figure 1, according to the first embodiment of the invention.
Figure 4 is a block diagram of a system for implementing a function of a motor vehicle conforming to standard ASIL levels, based on the architecture shown in Figure 1, according to the second embodiment of the invention.
[0008] Figure 5 is a schematic block diagram of an advanced driver assistance system enabling automatic highway driving, known from the state of the art.
Figure 6 is a block diagram of an advanced driver assistance system enabling automatic highway driving, based on the system for implementing a function of a motor vehicle conforming to standard ASIL levels shown in Figure 3.
DESCRIPTION OF THE PREFERRED EMBODIMENTS OF THE INVENTION
As already mentioned in the preamble, a possible architecture 1 for the implementation of the critical functions of an autonomous vehicle is that already widely used in avionics shown in FIG.
[0009] An input data 2 of the function to be performed is processed simultaneously by two electronic computing units 3, 4, which generate output data 5, 6. It will be noted here that the term "output data" used in this application should not be interpreted strictly and also covers one or more output commands.
[0010] A nominal output data 7 is formed either by a first output data 5 generated by a first 3 of the electronic computing units 3, 4 when the latter is operating normally, or by a second output data 6 generated by a second 4 of the electronic computing units 3, 4 when the first 3 has failed.
[0011] The transition from one to the other of the output data 5, 6 is ensured by a switch 8 as a function of the state 9 of the first electronic computing unit 3. An indication of the state, or status 10, of the second electronic computing unit 4 makes it possible to reveal hidden errors. In order to implement a function qualified at a first level ASIL C or D, it is known from the state of the art to implement, distributed two by two in the electronic computing units 3, 4, four modules 12, 13, 14, 15 qualified at a second level ASIL A or B, respectively, as shown in Figure 2. This method of implementing, in order to achieve a function of a motor vehicle qualified at a first safety requirement level, modules qualified at a second level lower than the first is well known from the state of the art. However, such a known method most often requires being able to develop several different modules 12, 13, 14, 15, which is not always possible for certain functions. By contrast, in the method of implementing a function of a motor vehicle conforming to standard ASIL levels corresponding to the increasing safety requirement levels QM, A, B, C, D of ISO 26262 according to the invention, the diversity of the modules 12, 13, 14, 15 is limited. In a first embodiment, the method according to the invention is implemented in a system 16 represented in FIG. 3. The design diversity is reduced to three by implementing three algorithms 12, 13, 14 in the two electronic computing units 17, 18, which comprise voters 19, 20 performing a majority vote between intermediate outputs 21, 22, 23 generated by the algorithms 12, 13, 14. If a fault occurs in one of the three algorithms 12, 13, 14, the two electronic computing units 17, 18 will be impacted but will remain operational, since the other two algorithms 12, 13, 14 will continue to provide coherent outputs. To perform an ASIL D function, the three modules 12, 13, 14 must be developed in ASIL B.
To perform an ASIL C function, one of the redundant modules 12, 13, 14 can be developed in ASIL A, the other two modules being developed in ASIL B.
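An added sketch (not code from the patent) of the availability argument made above: with the same two modules in both ECUs, an input-triggered systematic fault in one module silences both ECUs at once, whereas the three voted modules of the first embodiment keep the nominal output available. The detection function, the fault trigger value and the assumption that a two-module ECU goes passive when its modules disagree are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed example: the "function" is obstacle detection on a range
 * reading in metres; an output of 1 means "obstacle closer than 30 m". */
#define FAULT_TRIGGER 17            /* constructed input that activates the fault */

static bool fault_in_13 = false;    /* systematic fault injected into module 13 */

/* Three diverse implementations of the same function (stand-ins for 12, 13, 14). */
static int module_12(int range_m) { return range_m < 30; }
static int module_13(int range_m) {
    if (fault_in_13 && range_m == FAULT_TRIGGER) return 0;   /* wrong answer */
    return (30 - range_m) > 0;
}
static int module_14(int range_m) {
    static const int near_by_decade[] = {1, 1, 1, 0};   /* 0-9, 10-19, 20-29, 30+ */
    if (range_m < 0) range_m = 0;
    int idx = range_m / 10;
    return near_by_decade[idx > 3 ? 3 : idx];
}

typedef struct { bool functional; int output; } ecu_out_t;

/* Two-module ECU reusing the same pair on both units (no diversity between
 * ECUs). Assumption: the ECU goes passive when its two modules disagree. */
ecu_out_t ecu_compare(int in, bool hw_ok) {
    int a = module_12(in), b = module_13(in);
    ecu_out_t r = { hw_ok && a == b, a };
    return r;
}

/* First embodiment: majority voter (19 or 20) over intermediate outputs 21, 22, 23. */
ecu_out_t ecu_voted(int in, bool hw_ok) {
    int o21 = module_12(in), o22 = module_13(in), o23 = module_14(in);
    ecu_out_t r = { hw_ok, o21 };
    if (o21 == o22 || o21 == o23) r.output = o21;
    else if (o22 == o23)          r.output = o22;
    else                          r.functional = false;   /* no majority: go passive */
    return r;
}

typedef struct { bool available; int nominal; } nominal_t;

/* Switch 8: the first ECU's data while it is functional, otherwise the second's. */
nominal_t duplex_switch(ecu_out_t first, ecu_out_t second) {
    nominal_t n = { true, first.output };
    if (!first.functional) {
        n.available = second.functional;
        n.nominal = second.output;
    }
    return n;
}

typedef ecu_out_t (*ecu_fn)(int in, bool hw_ok);

/* Both ECUs receive the same input data 2, so a fault triggered by that
 * input is activated on both at the same time. */
nominal_t run_duplex(ecu_fn ecu, int in, bool hw1_ok, bool hw2_ok, bool inject) {
    fault_in_13 = inject;
    nominal_t n = duplex_switch(ecu(in, hw1_ok), ecu(in, hw2_ok));
    fault_in_13 = false;
    return n;
}

int main(void) {
    nominal_t n;
    n = run_duplex(ecu_compare, FAULT_TRIGGER, true, true, true);
    printf("same two modules per ECU, fault in 13: available=%d\n", n.available);
    n = run_duplex(ecu_voted, FAULT_TRIGGER, true, true, true);
    printf("three voted modules, fault in 13:      available=%d nominal=%d\n",
           n.available, n.nominal);
    n = run_duplex(ecu_voted, FAULT_TRIGGER, false, true, true);
    printf("same, first ECU hardware also down:    available=%d nominal=%d\n",
           n.available, n.nominal);
    return 0;
}
```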
[0012] In this first embodiment, FIG. 3 is an example of implementation of a function in ASIL D by three modules 12, 13, 14 in ASIL B. An advantage of this first embodiment of the invention is that the two electronic computing units 17, 18 are identical and can therefore have the same stock reference. However, one disadvantage is that three redundant modules 12, 13, 14 are executed on each of the ECUs 17, 18. This increases the computing power to be provided as well as the size of the memory required. A possible variant of this first embodiment is to run the first and second modules 12, 13 permanently, and to run a third module 14 only in case of disagreement between the first and second intermediate outputs 21, 22 of the first and second modules 12, 13. This reduces the computing load of the ECUs. However, this is only applicable if the fault tolerance time interval is relatively long. In a second embodiment, the method according to the invention is implemented in a system 24 shown in FIG. 4. The design diversity is also reduced to three: only two 12, 13 of the three diversified algorithms 12, 13, 14 are executed on the first electronic computing unit 25, and two others 13, 14 among these three are executed on the second electronic computing unit 26. The intermediate output 21, 23 of the module 12, 14 that is not executed on one of the electronic computing units 25, 26 is sent to it by the other, so that the majority voters 19, 20 generate the output data 5, 6 of the function.
[0013] In this second embodiment, FIG. 4 is an example of implementation of a function in ASIL D by three modules 12, 13, 14 in ASIL B. The advantage of this second embodiment of the invention compared with the first embodiment is that less computing power and less memory are needed. The disadvantage is the need for cross communication between the two ECUs and the need for two diversified ECUs. In a third embodiment of the invention, the first module implementing the function, which is executed on each electronic computing unit, is qualified ASIL D, and the second and third different modules, qualified ASIL QM, are executed respectively on the electronic computing units 3, 4.
[0014] A design diversity for the first module is not necessary, since it is qualified to the same ASIL D safety level as the function to be implemented. In this way the design diversity remains less than four. A typical example of the application of the invention is a level-four advanced driving assistance system (ADAS), such as a system allowing automatic motorway driving (MDS, that is to say "Motorway Driver System"). The human driver can rely on the MDS to control the vehicle while driving on a highway, which allows him to respond to e-mails, watch TV, etc. The MDS has a complete picture of the driving environment of the vehicle thanks to its redundant sensors. It can follow other vehicles; it can also make decisions, such as braking or steering to avoid collisions with other vehicles, or even overtaking to maintain a given speed. FIG. 5 shows an overview of a simplified MDS 27 known from the state of the art, taking only the front sensors 28, 29, 30 into account. A complete system also requires rear sensors and lateral sensors, among other things to allow a lane change. Three front sensors 28, 29, 30 of various technologies (LIDAR 28, radar 29, camera 30) are used to maintain sufficient detection performance (detection of objects and their tracking 31, 32 by the LIDAR 28 and the radar 29, or simple object detection 33 by the camera 30) under any environmental conditions after a first failure. A merging of the complementary information 34 from the front sensors 28, 29, 30 makes it possible to identify the road, the other vehicles, the obstacles, etc. A trajectory planning 35 determines the trajectory of the vehicle. Lateral and longitudinal control 36 calculates the steering 37, engine 38 and brake 39 commands so that the vehicle follows the planned path.
Regarding the safety requirement level, for the MDS, making a bad decision or failing to detect an obstacle is rated ASIL D. Each front sensor 28, 29, 30 is qualified only ASIL B thanks to the redundancy of these front sensors 28, 29, 30.
[0015] In this state of the art, the merging of the information 34 of the front sensors 28, 29, 30, the trajectory planning 35, and the lateral and longitudinal control 36 must be qualified to ASIL D. In addition, the MDS system 27 must remain operational after a first failure, as it may take more than ten seconds for the driver to take back control. The complete sudden loss of the availability of the system 27 must therefore be qualified ASIL D. The method of implementing a function of a motor vehicle conforming to standard ASIL levels according to the invention makes it possible to reduce the ASIL D safety requirement levels of the information merging and trajectory planning 35 functions, and also of the lateral and longitudinal control 36. FIG. 6 is an example of an MDS system 40 based on the invention, where the reduction of the safety requirement level is applied only to the information merging function 24, while the trajectory planning function and lateral and longitudinal control 41 remain qualified as ASIL D, in order to simplify the diagram. Three different modules 12, 13, 14 implementing the "information merging" function 34 are executed by the two electronic computing units 17, 18 in application of the first embodiment of the invention shown in FIG. 3. This implementation avoids the use of four different modules, which would be needed if only two modules were executed in each ECU 17, 18, as known from the state of the art (Figure 2). The output data 5 of the first electronic computing unit 17 forms the steering 37, engine 38 and brake 39 commands unless this first electronic computing unit 17 is no longer operational. In this case, the switch 8 supplies the commands 37, 38, 39 from the second electronic computing unit 18. A possible variant of this example is the implementation of the "information merging" function 34 in application of the second embodiment of FIG.
The only difference is that the first module 12 implementing the "information merging" function is not implemented in the second electronic computing unit 26 and the third module 14 implementing this function is not implemented in the first electronic computing unit 25. In addition, the intermediate output 21 of the first module 12 is sent to the second electronic computing unit 26, and the intermediate output 23 of the third module 14 is sent to the first unit. As will be appreciated, the invention is not limited to the preferred embodiments described above.
[0016] A similar description could relate to automotive fail-operational systems other than an MDS, including electric power steering (EPS) systems or braking systems. These other embodiments are not outside the scope of the present invention insofar as they result from the claims below.
Claims:
Claims (13)
[0001]
1. A method of implementing a function of a motor vehicle conforming to standard ASIL levels corresponding to increasing safety requirement levels QM, A, B, C, D as defined by ISO 26262, the method being of the type implementing said function with a first safety requirement level by at least means (12, 13, 14, 15) having a second safety requirement level lower than said first safety requirement level, characterized in that said first safety requirement level is rated D or C and said second safety requirement level is rated B, A or QM for a design diversity of said means (12, 13, 14) of less than four.
[0002]
2. A method of implementing a function of a motor vehicle conforming to standard ASIL levels according to the preceding claim 1, characterized in that said function is performed in parallel from at least one input data (2) by first and second electronic computing units (3, 4, 17, 18, 25, 26) that are passive after failure, respectively generating at least first and second output data (5, 6) alternately constituting at least one nominal output data (7) of said function according to a state of said first and second electronic computing units (3, 4, 17, 18, 25, 26).
[0003]
3. A method of implementing a function of a motor vehicle conforming to standard ASIL levels according to the preceding claim 2, characterized in that said first and second electronic computing units (17, 18) each execute an identical set of three different modules (12, 13, 14) performing said function and generating said first and second output data (5, 6) through first and second majority voters (19, 20), said second safety requirement level of at least one of said three modules being two degrees lower than said first safety requirement level.
[0004]
4. A method of implementing a function of a motor vehicle conforming to standard ASIL levels according to the preceding claim 2, characterized in that said first and second electronic computing units (25, 26) execute, on the one hand, first and second modules (12, 13) and, on the other hand, said second and third modules (13, 14) out of a set of three different modules (12, 13, 14) performing said function and generating said first and second output data (5, 6) through first and second majority voters (19, 20) taking into account first, second and third intermediate outputs (21, 22, 23) respectively generated by said first, second and third modules (12, 13, 14), said second safety requirement level of at least one of said first, second and third modules (12, 13, 14) being two degrees lower than said first safety requirement level.
[0005]
5. A method of implementing a function of a motor vehicle conforming to standard ASIL levels according to the preceding claim 2, characterized in that said first and second electronic computing units (3, 4) each execute an identical first module having an ASIL D rating and, respectively, second and third different modules having another rating, ASIL QM.
[0006]
6. A system (1, 16, 24, 27, 40) for implementing a function of a motor vehicle conforming to standard ASIL levels corresponding to increasing safety requirement levels QM, A, B, C, D as defined by the ISO 26262 standard, suitable for implementing the method according to any one of the preceding claims 1 to 5, of the type implementing said function with a first safety requirement level and comprising at least a first electronic computing unit (3, 17, 25), means for acquiring an input data (2) of said function and means (12, 13, 14) for generating at least a first output data (5) of said function having a second safety requirement level lower than said first safety requirement level, characterized in that said first safety requirement level is rated D or C and said second safety requirement level is rated B, A or QM for a design diversity of said generating means (12, 13, 14) of less than four.
[0007]
7. A system (16, 24, 40) for implementing a function of a motor vehicle conforming to standard ASIL levels according to the preceding claim 6, characterized in that it further comprises a second electronic computing unit (18, 26) generating at least a second output data (6) of said function, and a switch (8) producing at least one nominal output data (7) by switching to said first output data (5) or said second output data (6) according to a state of said first and second electronic computing units (16, 17, 25, 26), said first and second electronic computing units being passive after failure.
[0008]
8. A system (16, 40) for implementing a function of a motor vehicle conforming to standard ASIL levels according to the preceding claim 7, characterized in that it further comprises an identical set of three modules (12, 13, 14) performing said function, executed by each of said first and second electronic computing units (17, 18), and first and second majority voters (19, 20) generating said first and second output data (5, 6), said second safety requirement level of at least one of said three modules being two degrees lower than said first safety requirement level.
[0009]
9. A system (24) for implementing a function of a motor vehicle conforming to standard ASIL levels according to the preceding claim 7, characterized in that it further comprises, on the one hand, first and second modules (12, 13) among a set of three different modules (12, 13, 14) performing said function, executed by said first electronic computing unit (25), and, on the other hand, second and third modules (13, 14) among said set of three different modules (12, 13, 14), executed by said second electronic computing unit (26), and first and second majority voters (19, 20) taking into account first, second and third intermediate outputs (21, 22, 23) respectively generated by said first, second and third modules (12, 13, 14), said second safety requirement level of at least one of said first, second and third modules (12, 13, 14) being two degrees lower than said first safety requirement level.
[0010]
10. A system for implementing a function of a motor vehicle conforming to standard ASIL levels according to the preceding claim 7, characterized in that it further comprises an identical first module having an ASIL D rating executed by each of said first and second electronic computing units (3, 4), and second and third different modules having another rating, ASIL QM, respectively executed by said first and second electronic computing units (3, 4).
[0011]
11) System for implementing (40) a function of a motor vehicle conforming to standard ASIL levels according to any one of the preceding claims 7 to 10, characterized in that said function is a detection of an object, said input data (2) is derived from a LIDAR (28), or a radar (29), or a camera (30), and said at least one nominal output data (7) generates a command among a group comprising a steering control (37), a motor control (38) and a brake control (39).
[0012]
12) An implementation system (40) of a motor vehicle function conforming to standard ASIL levels according to the preceding claim 11, characterized in that said at least one output data item (5, 6) generates said command (37, 38, 39) by means of an ASIL D trajectory planning module (41).
[0013]
13) A motor vehicle of the type of those having an advanced driving assistance system authorizing automatic motorway driving, characterized in that it comprises an implementation system (16, 24, 40) of a function of a motor vehicle conforming to standard ASIL levels according to any one of the preceding claims 6 to 12.
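The arrangement of claims 7 and 9 can be sketched in C as follows. This is an added example, not code from the patent: it models the two fail-silent computing units (25, 26), the majority voters (19, 20) and the switch (8). The integer outputs, the tolerance `TOL`, the function names, and the assumption that a failed unit sends nothing to the other unit are all illustrative.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define TOL 2  /* assumed agreement tolerance between diverse modules */

/* Output of a computing unit; ok == false models the fail-silent state. */
typedef struct { bool ok; int value; } unit_out;

/* Majority voter (19, 20): 2-out-of-3 over intermediate outputs (21, 22, 23).
   valid[i] is false when output i did not arrive. No agreeing pair -> silent. */
unit_out majority_vote(const int v[3], const bool valid[3])
{
    for (int i = 0; i < 3; i++)
        for (int j = i + 1; j < 3; j++)
            if (valid[i] && valid[j] && abs(v[i] - v[j]) <= TOL)
                return (unit_out){ true, v[i] + (v[j] - v[i]) / 2 };
    return (unit_out){ false, 0 };
}

/* Switch (8): nominal output (7) is output (5) while the first unit is
   functional, otherwise output (6). */
unit_out switch_select(unit_out out5, unit_out out6)
{
    return out5.ok ? out5 : out6;
}

/* One cycle of the claim 9 layout: unit 25 hosts modules 12 and 13, unit 26
   hosts modules 13 and 14. Assumption: a failed unit sends nothing, so the
   surviving voter only sees its two local intermediate outputs. */
unit_out run_cycle(int m12, int m13, int m14, bool unit25_up, bool unit26_up)
{
    const int v[3] = { m12, m13, m14 };
    const bool seen_by_19[3] = { unit25_up, unit25_up, unit26_up };
    const bool seen_by_20[3] = { unit25_up, unit26_up, unit26_up };
    unit_out silent = { false, 0 };
    unit_out out5 = unit25_up ? majority_vote(v, seen_by_19) : silent;
    unit_out out6 = unit26_up ? majority_vote(v, seen_by_20) : silent;
    return switch_select(out5, out6);
}

int main(void)
{
    unit_out r = run_cycle(100, 101, 250, true, true);   /* module 14 faulty */
    printf("ok=%d value=%d\n", r.ok, r.value);
    r = run_cycle(100, 101, 250, false, true);  /* unit 25 lost, module 14 faulty */
    printf("ok=%d value=%d\n", r.ok, r.value);
    return 0;
}
```

Because module 13 runs on both units, either unit alone still holds two of the three intermediate outputs; a second fault after the loss of a unit then yields silence rather than a wrong nominal output.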
Patent family:
Publication number | Publication date
FR3034882B1|2018-12-07|
WO2016162624A1|2016-10-13|
Cited documents:
Publication number | Filing date | Publication date | Applicant | Patent title
DE102007045398A1|2007-09-21|2009-04-02|Continental Teves Ag & Co. Ohg|Integrated microprocessor system for safety-critical regulations|
US20130346783A1|2010-09-28|2013-12-26|Samsung Sdi Co Ltd|Method and Arrangement for Monitoring at least one Battery, Battery having such an Arrangement, and Motor Vehicle having a Corresponding Battery|
US20140067192A1|2012-08-28|2014-03-06|GM Global Technology Operations LLC|Active safety systems of vehicles with graphical microprocessors|
EP2765045A1|2013-02-12|2014-08-13|Paravan GmbH|Circuit for controlling an acceleration, braking and steering system of a vehicle|
ITTO20130646A1|2013-07-30|2015-01-31|Magneti Marelli Spa|IMPLEMENTATION IN COMPLIANCE WITH ASIL B OF SAFETY-BASED AUTOLYTIC FUNCTIONS THROUGH AN INTEGRATED CIRCUIT WITH HIGH DIAGNOSTICABILITY DESIGNED ACCORDING TO QUALITY STANDARDS|
FR3058378B1|2016-10-14|2018-12-07|Valeo Schalter Und Sensoren Gmbh|METHOD FOR PRODUCING A STEERING SUPERVISION SETTING OF A DRIVING DEVICE OF A MOTOR VEHICLE|
DE102017210156B4|2017-06-19|2021-07-22|Zf Friedrichshafen Ag|Device and method for controlling a vehicle module|
US11214273B2|2017-06-23|2022-01-04|Nvidia Corporation|Method of using a single controller for a fault-tolerant/fail-operational self-driving system|
FR3069830B1|2017-08-02|2021-05-07|Valeo Schalter & Sensoren Gmbh|PROCESS FOR PREPARING A DRIVING INSTRUCTIONS FOR A DRIVING UNIT OF A MOTOR VEHICLE|
US10482289B2|2017-08-24|2019-11-19|Qualcomm Incorporated|Computing device to provide access control to a hardware resource|
DE102017218643A1|2017-10-19|2019-04-25|Volkswagen Aktiengesellschaft|Function module, control unit for an operation assistance system and working device|
DE102017218898A1|2017-10-23|2019-04-25|Volkswagen Aktiengesellschaft|Control system for a battery system|
EP3495218B1|2017-12-07|2020-06-24|TTTech Auto AG|Fault-tolerant computer system for assisted and autonomous driving|
CN112224200A|2019-06-28|2021-01-15|纬湃科技投资有限公司|Controller of vehicle equipment control system and function safety control method|
EP3778309A1|2019-08-15|2021-02-17|Beijing Baidu Netcom Science and Technology Co., Ltd.|Autonomous vehicle and system for autonomous vehicle|
DE102020109481A1|2020-04-06|2021-10-07|Audi Aktiengesellschaft|Control unit, control circuit and motor vehicle|
US11171481B1|2020-11-23|2021-11-09|Ford Global Technologies, Llc|Dual-supply automotive electrical system with protection of motion control components|
Legal status:
2016-04-28| PLFP| Fee payment|Year of fee payment: 2 |
2017-03-03| PLSC| Publication of the preliminary search report|Effective date: 20170303 |
2017-04-28| PLFP| Fee payment|Year of fee payment: 3 |
2018-04-26| PLFP| Fee payment|Year of fee payment: 4 |
2019-04-29| PLFP| Fee payment|Year of fee payment: 5 |
2020-04-30| PLFP| Fee payment|Year of fee payment: 6 |
2021-04-29| PLFP| Fee payment|Year of fee payment: 7 |
Priority:
Application number | Filing date | Patent title
FR1552961|2015-04-07|
FR1552961A|FR3034882B1|2015-04-07|2015-04-07|METHOD FOR IMPLEMENTING A FUNCTION OF A MOTOR VEHICLE CONFORMING TO ASIL STANDARD LEVELS, CORRESPONDING SYSTEM AND MOTOR VEHICLE COMPRISING SUCH A SYSTEM|
PCT/FR2016/050768| WO2016162624A1|2015-04-07|2016-04-05|Method for implementing a motor vehicle function in accordance with standard asil levels, corresponding system, and motor vehicle including such a system|