[0001] The present invention relates to systems and methods for monitoring at least one
driving operation of at least one vehicle. The system comprises a plurality of environmental
sensors that collect real-time environmental sensor surrounding environment data that
is sent to a central data processing unit. Vehicle driving data of vehicles in connection
with the central data processing unit are also sent to the central processing unit
and are combined with the environmental sensor data. The system is thus able to draw
a complete map that is used to generate driving operation signals for the vehicles,
particularly to monitor driving operations, and in potentially dangerous situations
take control by sending a brake control signal to increase safety on the road.
Background
[0002] The development of autonomous vehicles is not only filled with innovations, investment,
and opportunity, but also with uncertainty, doubt, and risk. The technological advancements
seen over the last period are huge, and undeniable, yet striking up a good balance
between safety and commercial liability remains in question.
[0003] The current autonomous vehicle technology solutions that exist today or are being
currently in the development phase have several challenges that can be deemed as "road-blockers".
These road-blockers can be summarized as cyber security, and other threats, several
regulatory and industrial and technological challenges, and issues related to ensuring
safety for all stakeholders. Thus, a balance must be found between the amount of cost
and effort needed to achieve an unclearly defined safety level and the risk of not
achieving this level, which is very abstract at best. The industrial challenge that
requires a solution at the moment is to find a way to achieve simultaneous data acquisition,
manipulation, and processing in real time, and to provide output as drive instructions
within a safety tolerance time interval.
[0004] This is currently not possible due to limited available state-of-the-art processing
capabilities / technologies, environmental conditions requirements, or wireless connection
requirements. In addition, there is a large amount of data processing needed to be
carried out with limited technological capacity, and at the same time there is finite
time needed for processing - given safety requirements related to a fault tolerance
time interval. These can be summarized as technological and wireless network speed
requirements. The existing solutions rely heavily on the vehicle itself to achieve
everything, and within very short period of time. This, however, significantly increases
system complexity, the need for computer power, which given the finite resources available
in the vehicle becomes close to impossible to achieve with current technologies. And
at the same time, this reduces the level of safety due to the lack of additional independent
layers of protection.
Summary of the invention
[0005] It is therefore an object of the present invention to provide a system and method
for monitoring at least one driving operation of at least one vehicle that addresses
the aforementioned problems. More specifically, it is an object of the present invention
to provide a system and method for monitoring a projected drive decision of at least
one vehicle and to prevent a potentially dangerous situation by ensuring that a safe
state of the vehicle is achieved, such as a stop by activating the brake system of
the vehicle. A potentially dangerous situation is to be understood as any undesired
event that could lead to undesired consequences on health, environment, assets, etc.,
such as damage, injuries, loss of life, etc.
For solving the object, systems and methods for monitoring at least one driving operation
of at least one vehicle according to the independent claims are provided. Preferred
embodiments and further developments are defined in the dependent claims.
[0006] According to an aspect, a system for monitoring at least one driving operation of
at least one vehicle is provided. The system comprises a central data processing and
control unit (CECU) and a plurality of environmental sensors placed at a respective
plurality of fixed locations distributed in the operating area at least along the
travel route and connected to the CECU, as well as a vehicle control unit (VECU) that
provided in the at least one vehicle. The at least one vehicle comprises a main vehicle
control unit that is configured to automatedly control at least one driving operation
of the vehicle based on vehicle sensory driving data obtained by at least one sensor
of the vehicle while the vehicle is travelling along the travel route. The main vehicle
control unit is in data connection with the CECU to send vehicle driving data to the
CECU, the vehicle driving data comprising the vehicle sensory driving data and drive
decision data generated by the main vehicle control unit. The main vehicle control
unit is further configured to receive processed drive data (PDD) from the CECU.
[0007] Each of the environmental sensors is configured to detect real-time environmental
data for the respective fixed location, the real-time environmental data including
surrounding environment data on a continuous basis, the environmental sensors each
being in data connection with the CECU and configured to send the environmental data
to the CECU via the respective data connection.
[0008] The CECU is located remotely from the plurality of environmental sensors and remotely
from the at least one vehicle. The CECU comprises a first CECU data interface, configured
to receive the environmental data via the data connection from the plurality of environmental
sensors, a second CECU data interface, configured to receive the vehicle driving data
sent from the at least one vehicle's main vehicle control unit, and a third CECU data
interface, configured to send processed drive data (PDD) to the at least one vehicle's
main vehicle control unit.
[0009] The CECU is configured to process the received data, including the environmental
data and the vehicle driving data, to obtain the processed drive data (PDD) and a
CECU drive decision (CDD), wherein the CECU is further configured to compare the drive
decision received from the at least one vehicle's main vehicle control unit with the
obtained CDD, to obtain a confirmation of the drive decision in case the comparison
does not cause a conflict, or in case the comparison causes a conflict, to generate
an emergency control signal and to send the emergency control signal to the VECU to
cause the VECU to initiate an emergency action to prevent a potentially dangerous
situation. The VECU is in direct data connection with the CECU to directly receive
the emergency control signal from the CECU and is in further data connection to at
least one drive control system of the vehicle to cause the drive control system to
perform the emergency action.
[0010] According to another aspect, a method for monitoring at least one driving operation
of at least one vehicle is provided. A system for monitoring at least one driving
operation of at least one vehicle is provided, preferably the system described above,
the system comprising a central data processing and control unit (CECU), a plurality
of environmental sensors placed at a respective plurality of fixed locations distributed
in the operating area at least along the travel route, and a vehicle control unit
(VECU), which is provided in the at least one vehicle.
[0011] The at least one vehicle comprises a main vehicle control unit that automatedly controls
at least one driving operation of the vehicle based on vehicle sensory driving data
obtained by at least one sensor of the vehicle, the main vehicle control unit being
in data connection with the CECU, the method comprising sending, by means of the main
vehicle control unit, via the data connection, vehicle driving data to the CECU, the
vehicle driving data comprising the vehicle sensory driving data and drive decision
data generated by the main vehicle control unit, and receiving, by means of the main
vehicle control unit, via the data connection, processed drive data (PDD) from the
CECU.
[0012] The method then further comprises the following steps:
- detecting, by means of the plurality of environmental sensors, real-time environmental
data for the respective fixed location, the real-time environmental data including
surrounding environment data on a continuous basis;
- sending, by means of the plurality of environmental sensors, the environmental data
to the CECU, the environmental sensors each being in data connection with the CECU;
- receiving, by means of the CECU at a first CECU data interface, the environmental
data via the data connection from the plurality of environmental sensors;
- receiving, by means of the CECU at a second CECU data interface, the vehicle driving
data sent from the at least one vehicle's main vehicle control unit;
- sending, by means of the CECU at a third CECU data interface, processed drive data
(PDD) to the at least one vehicle's main control unit;
- processing, by means of the CECU, the received data, including the environmental data
and the vehicle driving data, to obtain the processed drive data (PDD) and a CECU
drive decision (CDD);
- comparing, by means of the CECU, the drive decision received from the at least one
vehicle's main vehicle control unit with the obtained CDD, and obtaining a confirmation
of the drive decision in case the comparison does not cause a conflict, or in case
the comparison causes a conflict, generating an emergency control signal and sending
the emergency control signal to the VECU to cause the VECU to initiate an emergency
action to prevent a potentially dangerous situation, wherein in this case, the method
further comprises
- directly receiving, by means of the VECU, via a direct data connection with the CECU,
the emergency control signal from the CECU, wherein the VECU is in further data connection
to at least one drive control system of the vehicle to cause the drive control system
to perform the emergency action.
[0013] Preferably, the drive control system that is in data connection with the VECU is
a brake system of the vehicle, wherein the emergency control signal is a brake control
signal that causes the VECU to activate the brake system of the vehicle as the emergency
action. Activating the brake system, thereby possibly bringing the vehicle to a full
stop, is an effective way to prevent potentially dangerous situations, such as collision
with another object.
[0014] According to one embodiment, the vehicle's main vehicle control unit is in data connection
with the vehicle's VECU, such that the data connection between the main vehicle control
unit and the CECU is provided via the VECU, wherein the VECU is configured to receive
the vehicle driving data from the main vehicle control unit and forward the vehicle
driving data to the CECU, wherein the VECU is further configured to receive the PDD
from the CECU and forward the PDD to the main vehicle control unit.
[0015] According to another embodiment, the vehicle's main vehicle control unit is in data
connection with the CECU, such that the data connection between the main vehicle control
unit and the CECU is provided in a direct manner, wherein the main vehicle control
unit is configured to directly send the vehicle driving data to the CECU and further
to directly receive the PDD from the CECU.
[0016] The VECU may be configured as an independent component with respect to the main vehicle
control unit, such that the emergency control signal that is sent by the CECU can
be received directly by the VECU, which will initiate the emergency action to prevent
a potentially dangerous situation unseen or unrecognized by the main vehicle control
unit, or to avoid unsafe actions that the main vehicle control unit intends to take.
Providing the VECU as an independent component particularly means that the VECU will
have the independence to respond to the request of the CECU (e.g. power, etc.) and
will also have a higher priority on the emergency action than the main vehicle control
unit.
[0017] According to another aspect a system for monitoring at least one driving operation
of at least one vehicle is provided. The system comprises a central data processing
and control unit (CECU), and a plurality of environmental sensors placed at a respective
plurality of fixed locations distributed in the operating area at least along the
travel route. The at least one vehicle comprises a main vehicle control unit that
is configured to automatedly control at least one driving operation of the vehicle
based on vehicle sensory driving data obtained by at least one sensor of the vehicle,
the main vehicle control unit being in data connection with the CECU to send vehicle
driving data to the CECU, the vehicle driving data comprising the vehicle sensory
driving data and drive decision data generated by the main vehicle control unit, and
to receive processed drive data (PDD) from the CECU.
ad, wherein Each of the plurality of environmental sensors is configured to detect
real-time environmental data for its respective fixed location, the real-time environmental
data including surrounding environment data on a continuous basis, and wherein each
of the environmental sensors is in data connection with the CECU configured to send
the environmental data to the CECU.
[0018] The CECU is located remotely from the plurality of environmental sensors and remotely
from the at least one vehicle. The CECU comprises a first CECU data interface, configured
to receive the environmental data via the data connection from the plurality of environmental
sensors, a second CECU data interface, configured to receive the vehicle driving data
sent from the at least one vehicle's main vehicle control unit, and a third CECU data
interface, configured to send processed drive data (PDD) to the at least one vehicle's
main vehicle control unit. The CECU is configured to process the received data, including
the environmental data and the vehicle driving data, to obtain the processed drive
data (PDD) and a CECU drive decision (CDD), wherein the CECU is further configured
to compare the drive decision received from the at least one vehicle's main vehicle
control unit with the obtained CDD, to obtain a confirmation of the drive decision
in case the comparison does not cause a conflict, or in case the comparison causes
a conflict, generate an emergency control signal and send the emergency control signal
to at least one drive control system of the vehicle to cause the drive control system
to perform an emergency action to avoid collision of the vehicle with another object.
[0019] The drive control system comprises a drive control unit that may be configured as
an independent vehicle control unit with respect to the main vehicle control unit
of the respective vehicle, wherein the drive control unit is configured to receive
a drive control signal from the main vehicle control unit to control at least one
driving operation of the at least one vehicle, and/or further configured to receive
the emergency control signal from the CECU to perform the emergency action as the
driving operation.
[0020] According to still another aspect, a method for monitoring at least one driving operation
of at least one vehicle is provided. A system for monitoring at least one driving
operation of at least one vehicle is provided, preferably the system described above,
the system comprising a central data processing and control unit (CECU), and a plurality
of environmental sensors placed at a respective plurality of fixed locations distributed
in the operating area at least along the travel route.
[0021] The at least one vehicle comprises a main vehicle control unit that automatedly controls
at least one driving operation of the vehicle based on vehicle sensory driving data
obtained by at least one sensor of the vehicle, the method comprising sending, by
means of the main vehicle control unit, vehicle driving data to be received by the
CECU, the vehicle driving data comprising the vehicle sensory driving data and drive
decision data generated by the main vehicle control unit, and receiving, by means
of the main vehicle control unit, processed drive data (PDD) sent from the CECU.
[0022] The method then further comprises the following steps:
- detecting, by means of the plurality of environmental sensors that is placed at a
plurality of fixed locations along at least one environmental road, real-time environmental
data for the respective fixed location, the real-time environmental data including
surrounding environment data on a continuous basis,
- sending, by means of the plurality of environmental sensors, the environmental data
to the CECU, the environmental sensors each being in data connection with the CECU;
- receiving, by means of the CECU at a first CECU data interface, the environmental
data via the data connection from the plurality of environmental sensors;
- receiving, by means of the CECU at a second CECU data interface, the vehicle driving
data sent from the at least one vehicle's main vehicle control unit;
- sending, by means of the CECU at a third CECU data interface, processed drive data
(PDD) to be received by the at least one vehicle's main control unit;
- processing, by means of the CECU, the received data, including the environmental data
and the vehicle driving data, to obtain the processed drive data (PDD) and a CECU
drive decision (CDD);
- comparing, by means of the CECU, the drive decision received from the at least one
vehicle's main vehicle control unit with the obtained CDD, and obtaining, by means
of the CECU, a confirmation of the drive decision in case the comparison does not
cause a conflict, or in case the comparison causes a conflict, generating, by means
of the CECU, an emergency control signal and sending the emergency control signal
to at least one drive control system of the vehicle to cause the drive control system
to perform an emergency action to prevent a potentially dangerous situation;
wherein the drive control system comprises a drive control unit that is configured
as an independent vehicle control unit with respect to the main vehicle control unit
of the respective vehicle, wherein the method further comprises:
- receiving, by the drive control unit, a drive control signal from the main vehicle
control unit to control at least one driving operation of the at least one vehicle,
or
- receiving, by the drive control unit, the emergency control signal from the CECU to
perform the emergency action as the driving operation.
[0023] Preferably, in the system according to this aspect, the drive control system is a
brake system of the vehicle, wherein the emergency control signal is a brake control
signal that activates the brake system of the vehicle as the emergency action.
[0024] The main vehicle control unit according to this aspect of the invention may either
communicate directly with the CECU as described above or via the drive control unit."
[0025] In any one of the aforementioned systems, the CECU may be configured to generate
the emergency control signal also in case the at least one vehicle's main vehicle
control unit is not able to receive the CDD or is not responsive to the CECU sending
the CDD.
[0026] The vehicle driving data may further comprise drive intention data including information
about at least one of a destination, remaining distance and route choice, wherein
the CECU may be configured to send the PDD based on the respective drive intention
data to the at least one vehicle's main vehicle control unit to support the main vehicle
control unit with generating its drive decision data.
[0027] The roadside data may include at least one of the environmental sensor's own location,
surrounding environment data, the surrounding environment data including at least
one of, preferably both of, fixed and time changing data from and around the road
on a continuous basis. The surrounding environment data preferably includes real time
environment data surrounding the respective environmental sensor, including at least
one of a moving object's size, shape, movement speed, movement direction, and GPS
coordinates.
[0028] In an embodiment, which may likewise apply to all above-described safety systems,
the CECU may comprise a fourth CECU data interface, configured to receive at least
one of a high-definition 3D life digital map, cloud points, and imaging data.
[0029] The CECU may be further configured to assemble all received data in real time and
lay them as per its GPS coordinates on corresponding location maps, preferably high-definition
3D maps, and further to obtain the CDD related to vehicle driving data received from
the at least one vehicle. The CECU may still further be configured to lay all data
as per their GPS coordinates on at least one corresponding location map to create
a real-time three-dimensional map, preferably as a high-definition digital map.
[0030] Preferably, the data connection between the environmental sensors and the CECU is
a wired data connection, preferably a high-speed internet cable connection. Alternatively,
a wireless data connection may be provided.
[0031] The present invention provides a system and method, particularly an independent system
and method, respectively, for monitoring at least one driving operation of at least
one vehicle that is capable of providing the needed information within the time needed,
thereby enabling or at least increasing, more specifically significantly increasing
safe autonomous driving. A vehicle is, however, capable of making its own drive decisions
given the sensory data it receives from its own sensors, sending such data to the
CECU and further able to receive processed drive data from the CECU, and process it
to modify its drive decision. For instance, the system can take a vehicle to a safe
state by activating the brake system of the vehicle should the vehicle's drive decision
be deemed unsafe by the CECU. Therefore, the system and method according to the invention
are referred to as "safety system" and safety method, respectively, throughout this
disclosure for the sake of simplicity.
[0032] The systems and methods of the present invention are capable of effectively preventing
dangerous situations for each vehicle connected. Examples of dangerous situations
may include collision with an object, including moving objects (such as other vehicles,
persons on the road, animals etc.) and non-moving objects (such as buildings, walls,
trees, street infrastructure, or also holes in the road, etc.). Potentially dangerous
situations in the sense of the present disclosure may also be referred to as "undesired
events or consequences", which generally may include for instance potential loss of
life, property, environment, asset, reputation, etc.
[0033] The environmental sensors may be arranged along a travel route in various ways. It
may be advantageous to use existing infrastructure where the sensors are attached
to, such as street-lamps, street signs, buildings, etc. They may, however, also be
constructed separately. They are placed at fixed locations along a travel route, such
as a road, where it is preferably to choose a distance between the sensors that is
suitable to create a complete image without gaps. Apart from that, it will be appreciated
that the present disclosure is not limited by referring to a "travel route". The travel
road may be a single road but may also comprise one road or a plurality of roads (i.e.
"at least one road"). It is further to be understood that term like "travel route"
or "road" are to be understood in a general sense that includes any travel path that
may be accessible by a vehicle to travel there along. This particularly shall include
any routes in any type of traffic or transportation network, including paved and unpaved
routes, such as roads, streets, pathways, highways, freeways, other travel routes,
etc. The term "environmental" may especially refer to a "roadside" but is to be understood
accordingly in a general sense, i.e. not limited to a "side of a road", but may refer
to any location along the respective travel route, which is also not limited to a
"side" location but shall also comprise any sensor location which is suitable to allow
the environmental sensors to detect "real-time environmental data", including e.g.
positions above the respective travel route.
[0034] The invention will be of great benefit to the automotive industry and in particular
the autonomous driving technology. The system and method according to the present
invention will achieve the following advantages. It will increase safety by adding
redundancy of the safety system sensory, communication, and processing units; It will
reduce the required computational load as well as power placed on the autonomic vehicle
safety system; and it will reduce the residual risk of cyber security threats.
[0035] The features described above and below for the systems equally apply for the respective
method.
Brief description of the drawings
[0036] Preferred embodiments of the present invention are described in more detail below
with reference to the drawings. In the drawings:
- Fig. 1
- shows a schematic illustration of an embodiment of a system according to the invention.
- Fig. 2
- shows a schematic representation of components of a system and their connection according
to a first embodiment.
- Fig. 3
- shows a schematic representation of components of a system and their connection according
to a second embodiment.
- Fig. 4
- shows a schematic representation of the components of a system and their connection
according to a third embodiment.
Detailed description of the invention
[0037] For the sake of better understanding of the invention, various aspects and topics
in this technical field are discussed in detail below. Other proposed, developed or
even currently tested techniques are compared with the achievements of the present
invention. It will be appreciated that all details described above and below for the
safety system are also valid for the corresponding method of the present invention.
Further below, the invention is discussed with respect to preferred embodiments, which
are not intended to be limiting but are described by way of example and illustrated
in the drawings.
[0038] The following commonly known terms are used in the description: V2V technologies
refer to technologies with only vehicle-to-vehicle communication. V21 technologies
refer to vehicle-to-infrastructure communication technologies, and technologies implementing
both, i.e. vehicle-to-vehicle and vehicle-to-infrastructure are referred to as V2X
technologies.
V2V Technologies
[0039] V2V (vehicle-to-vehicle) technologies are currently known. Amongst the proposed autonomous
technologies is to follow the strategic line of thought that autonomous-driven vehicles
will be connected wirelessly, and exchange information and communicate with one another
and with the infrastructure also wirelessly. These wireless devices, that may include
e.g. WiFi, global navigation satellite systems, information and entertainment systems
("infotainment systems"), cameras, or automated emergency alert system are typically
owned and operated by other (third party) companies and built to different codes in
different countries. There are several issues with this approach that has to send,
receive, and process data that is neither produced by the same technology, up to the
same standard, has the same levels of security, or that even meets the same requirements,
i.e. such solutions may require to combine systems that may not be totally compatible.
V2V or V2I approaches may be very technically challenging from a legal, technical
and data protection laws aspects.
[0040] There are many advantages associated with this overall system, which will be discussed
over the next points in details.
[0041] The advantages may include the reduction to computational power needed in the vehicle,
the independence of the safety system, the secure network cable connection in comparison
to high risk cyber security threats from the various points of interactions with the
current technology of an automated vehicle, the ability to have plenty of time to
respond to potentially life threatening situations, the elimination of moral legal
questions, as probability of such situations will be in essence negligible. Contrary
to existing solutions, according to the present invention vehicles are not connected
to each other directly. The proposed solution is an independent system to the vehicle,
but shared between all vehicles, that will receive data and information from other
vehicles via highspeed wireless network connections, and over network cables from
infrastructure elements.
[0042] The reduction of computation power needed in the vehicle will be achieved because
roadside data and other vehicles driving data will not be received or processed in
the at least one connected vehicle, but the vehicle will only process its sensory
drive data. The vehicle driving data are sent to the CECU and are centrally processed
there. The CECU also receives environmental data from the environmental sensors, which
particularly include information about moving objects. This may then be combined with
static 3D high-definition maps. After data processing at the CECU, the CECU's drive
decision is sent to the vehicles, wherein the VECU can be directly connected to stop
the vehicle in case a drive decision from the main vehicle control unit would not
be safe. This would achieve an independent safety system. The invention allows plenty
of time to respond to potentially life-threatening situations because in the current
or suggested autonomic technology, the viewing range of the vehicle is limited and,
thus, its reaction time may be too short, whereas the CECU has a complete image of
the surrounding environment, due to its direct and real-time interface with the environmental
sensors that provide environmental data, i.e. a real-time image of full range.
[0043] In addition, having one interface for the vehicle to the CECU instead of many interfaces
to other vehicles or infrastructures as defined in the method and system significantly
reduces cyber security threats.
[0044] In the current autonomic technologies, legal, moral and ethical questions may arise
in situations where the auto-nomic drive system must decide between two lives. Given
the advance warning provided via the environmental sensors and the central data processing
and control unit CECU in the proposed invention, such situations will be eliminated.
The discussions and legal debates about such situations will also be eliminated allowing
the industry to move forward.
[0045] The main benefit of the present invention compared to V2V technologies is the improved
data and privacy protection, as well as the avoidance of regulatory and standard issues
related to V2V connection. Processing of other vehicle's data and all its computational
power is reduced because this is done centrally in the CECU. The cyber security threats
related to V2V are reduced.
[0046] Compared to V21 technologies, the present invention reduces cyber security threats
to vehicles, and also the computation power needed is reduced.
[0047] The present invention eliminates all regulatory, compliance, privacy, and technical
risks and complications related to V2V or V2X by eliminating V2V and V21 or V2X communication.
Of course, there is the road speeds, road signs, traffic lights, and so on that the
vehicle's sensory system or maps interacts with, but that is not actively sending
environmental data signals, but rather a reflection of an image or road information.
Wireless Technology Standards
[0048] One of the complications related to V2V is the lack of a standard that governs wireless
equipment use in the Autonomous vehicle technology. To this effect three levels of
requirements need to be met, country (Radio Equipment Directive), industry-specific,
and cellular requirements. This is combined with radio and telecommunications testing
under the IECEE's CB scheme. However, it would be better if the issue can be removed
entirely.
[0049] The safety system according to the present invention will receive wired information
from the infrastructure. There will be no exchange of information between vehicles
directly, or between active infrastructure and vehicles. All the information generated
by all vehicles connected to the system will be sent in parallel to the CECU and plotted
on a high-definition live map. A similar map will also be drawn independently by the
vehicle auto pilot and sensory systems given its capabilities and on-board computational
powers in each of the connected vehicles. The main vehicle control system can be based
on the information in the vehicle to motorically control the vehicle. The safety system
according to the present invention will not interfere, so long as the data and drive
decisions are similar. However, as soon as differences arise either in the data or
in the decisions made, the safety system will react by activating the controlled safe
stop (emergency control signal sent from the CECU to the VECU) before the vehicle
reaches point of interest of difference between the two systems (control and safety).
[0050] This wired concept, removes the need and complexity of having different wireless
security standards spreading over geographically different regions. The vehicles will
be made to the same requirements, but infrastructure requirements need to match the
country of origin.
[0051] However, it may add a layer of complications relating to highspeed network cables.
Therefore, it is foreseen that the present invention will also connect to infrastructure
elements wirelessly, where wired connection is not available. The system will have
such capability, and it is within the invention patent to include wired and wireless
connections. Of course, the benefits of a wired connection outweigh the cost of potential
risk, but as risk acceptance levels vary from one region in the world to another,
so does the safety system to fit the regional needs.
Data Protection and Privacy Laws
[0052] The current industry practice of V2V solution suggests data exchange between vehicles
contrary to existing privacy rules. New data privacy legal requirements e.g. in Germany
make things a bit clearer and define what type of data to be released and when such
data is allowed to be released. However, it would be better if the risk can be removed
entirely.
[0053] The safety system according to the present invention does not recommend connecting
vehicles to each other. On the contrary, the subject vehicle will sense the presence
of other vehicles in its vicinity and make drive maneuvers accordingly. Sensory information
that the subject vehicle and other vehicles' sense will be sent to the central data
base (CECU), where vehicle actions will be accepted or rejected. An example is change
of lane where a first vehicle is approaching with a clear path, and a second vehicle
wants to change lane due to an obstacle on the path. The obstacle is not visible to
the first vehicle. In this case, the first vehicle's motoric action to speed up will
be contrary to the driving action calculated by the CECU of the present invention
to slow down and allow the other vehicle to go through. It will further prevent changing
the lane to where the obstacle is. It will further notify the first vehicle of the
obstacle in the lane of the second vehicle.
[0054] The CECU will act as the receiver point of all information coming from all vehicles,
infrastructure sensors, point references, and maps. Drive information, destinations,
point of departure, arrival, etc. are all information that will be filtered out to
reduce the clutter of information needed for safe driving, and speedy response and
processing times. On the other hand, information on drive situations and sensory signals
received, road conditions, congestion, traffic, etc. will be shared to the system
and redistributed on a need-to-drive basis. In particular, the CECU will receive drive
data via interface 3, roadside data via interface 2, and static data like 3D HD digital
maps via interface 4, and will send back to the vehicle main control unit processed
data via interface 5.
[0055] The advantages of the invention are manifold. First of all, data privacy laws are
too complex and are too difficult to get around. In the absence of the need for such
an exchange of data, autonomous solutions can find their way more quickly to the market.
Furthermore, it is possible that one vehicle sends corrupt or misinformation to another
vehicle prompting unsafe action, either deliberately, or due to cyber-attacks. Second,
the need to share data with other vehicles, and breakdown privacy rules and regulations
will all be removed. Third, it is not recommendable connecting the vehicles directly
to each other or to the infrastructure where information can be directly shared before
it is validated. This could lead to cyber security threats.
Cyber Security Threats
[0056] A major issue related to current or emerging vehicle technology is cyber security
and the potential to send vehicles manipulated sensory data prompting sudden reaction
or planned wrong actions. An example is giving instructions of a turn on the road,
when there is no turn on the road, but rather a mall entrance. In spite of current
legal framework that surrounds vehicle approval and testing regimes, it remains a
risk that one cannot live with. One can imagine how easily such cyber security attacks
motivated by infinite resources, hate, terrorism, and geopolitical risks can suddenly
manifest themselves in the everyday lives of people. Such a risk is called a societal
risk, which is defined as a single event that could lead to multiple fatalities. Such
a risk that has been previously argued (reference safety case for autonomous driving)
as one that cannot be borne by the vehicle manufacturer alone. In the presence of
infinite resources and all other factors, such threats should no longer be treated
as highly unlikely events. Current industry practice is heading towards the management
system approach, which allows companies to reduce the risk by evaluating their entire
management system against cyber security threats. This is combined with rigorous testing
requirements. However, it would be better if the risk can be removed entirely.
[0057] The present invention provides an independent system (wired or wireless) connected
to infrastructure that is able to validate the life stream of information coming from
the vehicle and mandates a motoric safe state total stop from the vehicle in the event
of a mismatch. It relies on sensorics information mapped and provided by the hardwired
safety system to validate vehicle sensory data and give it the authorization to drive
ahead. It provides high integrity data about road conditions, and any active or projected
movement in the projected drive direction of the vehicle with more time to response.
The motoric actions of the vehicle will be planned and calculated to ensure a safe,
uninterrupted and comfortable ride to the passengers and the road users alike.
[0058] Strategic cyber security does not only evaluate the vehicle systems and the companies
and the supplier's security systems, but also, it addresses the fundamental questions
regarding exchange of information with the outside environment, and their need, timing,
security, and redundancy, and safety measures, and safe state.
[0059] Although the management approach to deal with cyber security threats combined with
rigorous testing may reduce the risk, the risk reduction would not be sufficient.
The potential to feed in false signals to multiple automated vehicles simultaneously
wirelessly requires a high degree of organized effort possibly using AI. This needs
to be synchronized with a potential high-risk area to outline the risk picture. However,
with the present invention, this risk is eliminated as the data will be validated
via the hard-wired infrastructure-based sensory data. It is also defined what data
will be exchanged when, and by whom. This overview will aim at closing the door completely
to cyber-attacks in hazardous driving situations. It is not foreseen as a likely situation
that countries without high-speed internet cables would experience such a risk.
Level of Integrity or Risk
[0060] The level of integrity that the safety systems, which are designed for autonomous
vehicles, need to meet is currently not clear. This is already a huge concern to governing
and certification bodies. It is argued in "
CoMapping: Multi-robot Sharing and Generation of 3D-Maps applied to rural and urban
scenarios" by Luis Contreras-Samame et al. (https://hal.archives-ouver-tes.fr/hal-01867743) as well as above, that Cyber Security Threats to vehicle safety could potentially
lead to societal risks that cannot be addressed via ISO 26262, the highest Integrity
level of which is (ASIL D). Societal risks are single events, the occurrence of which
could lead to multiple fatalities. The current ISO 26262 addresses at its highest
level of integrity individual risks, those that can at worst case lead to a single
fatality, or single household fatalities in the case of a single vehicle containing
a family. However, societal risks as is the case with cyber security threats, a single
event as described above has the potential to lead to multiple fatalities even if
all vehicle functions work as intended. With autonomous vehicles, a single cyber security
attack leading to an incident, has the potential to cause everything from multiple
fatalities - a category unknown in vehicle automotive safety to country-wide disturbances.
[0061] Furthermore, current safety level relies heavily on the driver's reaction to control
hazardous situations. In absence of that, the controllability part of the ASIL allocation
is dropped, requiring all the current vehicle systems to be at a higher level of integrity.
[0062] Furthermore, a large percentage of current accidents data can be traced back to driver
error. The driver needs to pay a fine, or even serve time in prison with third degree
murder or in some cases first degree murder. In the case of an autonomous vehicle
error leading to a fatality, the outrage that such an accident would cause will exponentially
increase the risk to intolerable, or unacceptable. That is because, responsibility
cannot be so easily traced back to a single driver. Of course, taking into account
that autonomous vehicles will maintain road rules, and be one or two orders of magnitude
safer than current vehicles. The increase of risk due to outrage is much higher, so
the net increase in risk, can be expected to be two to three orders of magnitude higher
than current levels.
[0063] This means that the safety level of vehicles even if it achieves an ASIL D is not
going to be enough. However, by adding the infrastructure safety system with a SIL
4, It would reduce the risk to much lower levels.
[0064] This is also on an individual risk level. Cyber security threats for autonomous vehicles
can be classified as societal risks, and using the F-N curve tolerance threshold can
be shown to be much higher than the current risk level.
[0065] The present invention combines the life stream of information coming from road network,
i.e. the environmental data, which is wired and the life stream of information coming
from the vehicle(s), i.e. the vehicle drive data, which is wireless. The invention
including the environmental sensors, the CECU and the interfaces to the vehicle may
meet IEC 61508 SIL 4 requirements. The vehicle part of the system which may include
the VECU, and the interfaces to the vehicle main control unit, also acts as a second
sensor, logic and final element will need to meet the ISO 26262 requirements. The
combined level of integrity that this solution will have will equivalent to an ASIL
D and a SIL 2-4 depending on the region. In effect 10-7 * 10-8 which would result
in a level of integrity of 10-15, which would be significantly safer than current
solutions. In fact, other industries have already plenty of such high integrity (SIL
4) safety systems in operation protecting millions of lives across many industries
starting with nuclear to air-travel and energy.
[0066] Using ISO 26262 in combination with IEC 61508 allows the invention to have two redundant
safety systems made up of two sensory parts (in vehicles, and in infrastructure (environmental
sensors)), two communication channels (wired and wireless), two logic systems (one
in the vehicles, one in the central control center (CECU)), and two final elements
activations (one normal vehicle brake system (i.e. via the main vehicle control unit),
and one brake activation path (via the VECU)) will afford an unprecedented level of
safety and control for the autonomous vehicle technology. However, it may occur that
it does not completely eliminate the risk. Further passive infrastructure safety systems
can also be implemented.
Level of Complexity
[0067] The levels of complexity associated with the current proposed solutions driven by
the lack of a strategic overview of the safety case for autonomous vehicles needs
desperately to be addressed. Currently, the ADAS as well as V2V and V21 or V2X are
all combined to provide information to the vehicle OBC unit(s) (i.e. the On-Board
Control Units or the vehicle main control unit as per the invention terminology) responsible
for driving. This information is not only subject to network speed, but also to processing
speed. Assuming various layers of protection exist event-though they will not be independent,
the complexity to merge all the data and make sense of it all lends itself to imagery
learning as the only option to solve the problem. This is because it is simply too
much for an On-Board-Control until to handle. However, what if this complexity can
be taken out of the vehicle, and even functions within the vehicle be distributed?
This would make testing easier, reduce the computational load and speed processing
time.
[0068] According to the present invention, the safety system logic and control until is
located in a central location (CECU), which could be country specific. All life-feed
information from both vehicles (vehicle drive data via interface 3), and infrastructure
elements (environmental data via interface 2) will be sent there, where they will
be handled and processed in combination with live updates to high-definition maps
(via interface 4) producing life maps and decisions (i.e. the PDD produced in the
CECU sent to vehicles via interface 5). These drive decisions (CDD) will act like
traffic lights to vehicle proposed actions - actions proposed by the vehicle in drive
situations based on its life-stream feed of data. When the feed of vehicle data matches
infrastructure data, the actions will be the same, and a conformation ("green light")
will be given, but when data streams are not the same after allowing for tolerances
and blind spots, both data and drive decisions will not be identical. In case of conflict,
an emergency signal will be sent to the VECU to activate the emergency control action
(brakes), taking the car to a safe stop.
[0069] The way the invention is expected to work is like an independent source of sensory
data that the vehicle (any vehicle, more specifically at least one connected vehicle)
will have access to, and be able to react to, ahead of time. It is the ability to
see behind the curve and adjust driving accordingly. There will be no surprises and
no need for short-time response.
[0070] To address the high level of complexity associated with even lower levels of autonomy,
and the infinite number of situations that may be encountered, high-definition maps
and drive decisions are derived from object identification, process, and classification
outside of the vehicle in the central system (CECU) using hardwired technology that
implements robust cyber security system to its signals and protection to its data.
[0071] With the present invention, all the high computer power required, and complexity
will be removed from the automated vehicle requirements. In addition, since the infrastructure
(environmental data sensors) will provide actual (i.e. live environmental data) and
projected data streams, there will be plenty of time for the vehicle to respond and
plan its path.
[0072] Using the present invention, one stays clear from using the camera and imaging which
is very dependent on weather conditions, reflections, and is susceptible for corruption
and manipulation.
Independence of Safety System
[0073] The current autonomous vehicle technologies use multiple safety systems, but as is
the case in most vehicle systems, the hardware is shared as well as the central control
unite. Cyber security threats targeted at the vehicle could potentially lead to undesired
consequences or dangerous situations. The levels of safety achieved are not fit for
the risk described and proposed above. When safety systems are described as independent,
this must be understood on multiple folds including: use of difference technology,
use of different sensorics inputs, use of redundant signal transmission lines / methods,
use of different logic elements, use of redundant final element - brake systems.
[0074] According to the present invention, all information received to the central system
(CECU) will be verified many times over from the hard-wired (or wireless) infrastructure
sensory elements (particularly environmental sensors, which may be added to existing
infrastructure, such as streetlamps), from other vehicles on road wirelessly, and
from other point source data and maps (fixed data), using wired, secure, tried and
proved, highspeed network cables. This adds a second independent layer of safety to
the wireless technologies. This means that V2V and V2I communication is significantly
reduced, which will significantly reduce the cyber security threats, and radio technology
regulatory and standard requirements.
[0075] The physical independence of the safety system clears the problem that all safety
can be targeted by targeting one vehicle. The safety system of the present invention
has two redundant sensory parts (in the vehicles, and in the infrastructure), which
may use two different technologies (e.g. lidar and radio frequencies), two different
communication channels (wired and wireless), two logic systems (one in the vehicle,
one in the CECU), and two final elements activations (one normal vehicle brake system,
and one brake system provided by the present invention). The VECU will be independent
from the main vehicle control unit to receive the emergency signal from the CECU and
activate the control signal accordingly. This second system fulfils impendence requirements
and will allow for the level of safety described above to be achieved.
[0076] Furthermore, the safety system of the present invention will have a security threat
management strategy forbidding its systems (e.g. the main vehicle control unit) from
receiving on-drive information that may allow for drive-system manipulations. This
is achieved by ensuring that only brake information can be received from the central
system (CECU) to the vehicle on-board control unit (main vehicle control unit). Only
the vehicle (by means of the main vehicle control unit) can give drive actions based
solely on the information it has gathered from its own sensory systems. The data received
from the safety system (i.e. the PDD and CDD) will be the "green light" or the allowance
to drive or the "red light" and the "brake activation". This is key, as manipulated
drive information can also be sent wirelessly contradicting the vehicle sensory system.
The argument here is that hacking both independent systems simultaneously will have
a remote (highly unlikely) probability of occurrence.
[0077] Having an independent safety system shared between all the vehicles using numerous
sensors and providing planned actions in the form of CDD in case of mismatch between
the inputs (vehicle drive data) received from the sensors located in the vehicle and
those (PDD) received from the infrastructure as well as other vehicles' drive data
will afford the level of safety required.
Infrastructure Restrictions
[0078] The current V2I works on sending information wirelessly directly to the vehicle so
it is combined to create a life-picture of the external environment in the vehicle,
based on which drive decisions can be made. The V2I is not intended to act as a safety
system or interfere in the motoric operation of the vehicle. The information is compiled
using High-Definition maps, and point source data, and map generation and layering
algorithms that allows images obtained from the vehicle sensory system to be better
interpreted based on the geographic location of the point reference on an actual map.
It also allows for a recalibration of the car actual location on the GPS system. All
of this happens within the vehicle's On-Board Control Unit (main vehicle control unit).
[0079] A major component of the safety system of the present invention are the environmental
sensors, preferably configured as radio sensors that will be located in street-lamps,
and connected via high-speed hardware cables to the central control unit (CECU) of
the safety system according to the present invention, which will be located external
to the vehicle in a physical location that is local, regional, or national, or international
depending on the jurisdiction in question. The safety system of the present invention
in contrary to the current technologies, will combine information received from the
infrastructure radio sensors collected via highspeed wired network cables (or wirelessly
if wired is not available), with the up-to-date high-definition maps and point data
systems, as well as the sensory data received from the vehicle sensory system wirelessly.
All of this data will be used to: first validate the wireless data received from the
vehicles, and second act as an intendent safety system to control vehicle motoric
movement in case of a discrepancy between the two sets of data received wirelessly
and over wired cables. When the data does not match, and this would have an impact
on the drive decision of the vehicle, the drive decision would also be different.
This will be an equivalent to a "red light", and the safety system will request the
vehicle to come to a safe stop by activating the brake system.
[0080] The safety system will not be located in the vehicle but will communicate with the
vehicle to send the stop request in case of a potential safety breach, and/or a safety
risk. In case the stop request is not executed, safety system will activate the brakes,
via the redundant channel (VECU) which will have superiority over the On-Board Control
Unit (the vehicle main control unit), as it will have a higher integrity level SIL
4, which is a higher level of integrity than an ASIL D, which is comparable to a SIL
3.
[0081] The advantages of the safety system of the present invention can be quickly described
as a redundant sensory system (comprising the environmental sensors) that is hard-wired
to a redundant logic and processing unite (CECU) that is external to the vehicle,
but has access to the vehicle brake activation system (VECU), far exceed its cost
of implementation. However, in this particular case, in comparison to existing technology,
where V2I is suggested, the safety system will be superior as it will reduce the risk
of cyber security threats - falsified data received from the sensors of the infrastructure
prompting unsafe vehicle actions, which is one example of a cyber security threat.
It will also reduce the computing load demands on the vehicle On-Board Control Unite.
The response time is increased, i.e. the time between detection of obstacles and maneuver
to avoid collision and safety risk. This is achieved as the life-stream of data to
the safety system will be possible to manage without the limitations of mobile technology.
The safety system will achieve better sensory data as it will be independent of weather
or light conditions. Last but not least, the safety system will achieve a high safety
level due to the redundant sensory elements used across its sensory, communication,
logic, and final elements
[0082] Referring now to Fig. 1, an exemplary overview is illustrated of how a safety system
according to an embodiment of the invention is expected to work. The system can be
applied on vehicles that contain some level of autonomy already. This is illustrated
in the depicted vehicle that contains at least one sensor (three are shown in the
drawing) and the main drive control unit, which already exists within most vehicles
that contain ADAC systems.
[0083] Data interfaces with the CECU to send vehicle driving data (b) are depicted in the
arrow leaving the vehicle from the antenna which depicted as the data interface with
the CECU. The vehicle driving data compromising the vehicle sensory driving data and
drive decision data generated by the main vehicle control unit. The vehicle sensory
data includes information about at least one of a destination, remaining distance,
route choice, and information from its sensors including the GPS position of the vehicle
depicted also on the drawing in the centre of the vehicle. The at least one connected
vehicle also receives PDD and CDD from the CECU. The PDD comprises the processed driving
data which is compiled from the environmental sensors data and other vehicles driving
data. The CDD comprises the CECU drive decision. This is depicted with microwaves
leaving the building (e) where the CECU is located. The vehicle would receive the
PDD and CECU with the depicted antenna.
[0084] Furthermore, examples of the endless possibilities of objects that can be seen in
the environment are depicted, as well as major component of the safety system which
is the environmental sensor, which in this example located in the streetlamps is illustrated
as (c). The at least one sensor (c) connected to the CECU via the hardwired connection
of the streetlamp to the main "building" is illustrated with (a), where the environmental
data will be transferred as depicted in (d). The environmental data includes at least
one of the environmental sensor's own location (illustrated with the GPS symbol on
the drawing, surrounding environment data, which includes at least one , preferably
both of fixed and time changing data from and around the road on a continuous basis,
wherein the surrounding environment data preferably includes real time environment
data surrounding the respective environmental sensor including at least one of the
moving object's size, shape, movement speed and movement direction.
[0085] Fig. 2 illustrates a first example embodiment of the invention, particularly the
interrelationships between the components of the system, including the central data
processing unit (CECU), the roadside components and the components in a vehicle that
is connected to the system.
[0086] Fig. 2 shows the following objects:
- A. The External Environment
- B. The Static High Definition Maps and cloud points that make up the external environment
as data input in digital maps in data source
- C. The environmental data including fixed and time changing surrounding environment
data that surrounds the environmental sensors.
- D. The environmental sensors which get input from the external environment - Part
of invention
- E. An example environmental sensor with interface to external environment and interface
to CECU - Part of invention
- F. An example vehicle that is connected to the CECU
- G. Vehicle driving data sent via an interface to the CECU -― Part of invention
- H. Other vehicles
- I. Example vehicle sensory / actuator system
- J. Sensors in the vehicle
- K. Actuator 1 (electric motor)
- L. Actuator 2 (Steering)
- M. Actuator 3 (Brakes)
- N. Vehicle Main Control Unit
- O. Drive control system 1 (Electrical drive control unit)
- P. Drive control system 2 (Steering control unit)
- Q. Drive control system 3 (brake control unit)
- R. VECU - Vehicle Electric control unit - Part of invention
- S. CECU - Central Electrical Control Unit - Part of invention
- T. CECU - Part 1 Data Receival and processing unit - part of invention
- U. CECU - Part 2 Data control and sending unit - Part of invention
- V. CECU - interface between part 1 and part 2 data exchange.
[0087] Fug. 2 also shows the following interfaces for data communication:
- 1. Interface between environmental sensors and CECU to send roadside data from environmental
sensors (D and E) to CECU (S part 1 or T)
- 2. Interface between environmental sensors and CECU to receive roadside data from
environmental sensors (D and E) to CECU (S part 1 or T)
- 3. Interface between Vehicle main control unit (N) and CECU (S) to receive vehicle
driving data from example vehicle (F) as well as other connected vehicles (H) main
control unit (N) by CECU (S part 1 or T)
- 4. Interface between Static high definition maps and cloud points data source (B)
located based on external environment (A) and CECU to receive preferably Static high
definition maps and cloud points data from data source (B) in environment (A) to CECU
(S part 1 or T).
- 5. Interface between CECU (S part 2 or U) and the vehicle main control unit (N) to
send from CECU Processed Drive Data (PDD) to vehicle main control unit.
- 6. Interface between CECU (S part 2 or U) and the VECU (R) to send emergency control
action (brake signal) from CECU (S part 2 or U) to VECU (R).
- 7. Interface between the Vehicle's main control unit (N) and the CECU (S part 1 or
T) to send vehicle driving data from example vehicle (F) as well as other connected
vehicles (H) main control unit (N) to CECU (S part 1 or T)
- 8. Interface between the CECU (S part 2 or U) and main control unit (N) to receive
PDD sent from CECU (S Part 2 or U) to vehicle main control unit (N).
- 9. Interface between VECU (R) and drive control system Actuator 3 (Brakes) (M) to
send brake signal from VECU (R) to Actuator 3 (Brakes) (M)
- 10. Interface between VECU (R) and CECU (S part 2 or U) to receive safety signal sent
from CECU (S part 2 or U) to VECU (R).
[0088] Fig. 3 illustrates a second example embodiment of the invention similar to that of
Fig. 2 where like parts are denoted with like reference signs as in Fig. 2. Insofar
it is referred to the description above in connection with Fig. 2. Unlike in the embodiment
of Fig. 2, in the embodiment shown in Fig. 3 the CECU only communicates with the VECU,
not with the main control unit of the vehicle.
[0089] Fig. 3 shows the following objects:
- A. The External Environment
- B. The Static High Defition Maps and cloud points that make up the external environment
as data input in digital maps in data source
- C. The environemtnal data including fixed and time changing surrounding environment
data that surrounds the environmental sensors.
- D. The environmental sensors which get input from the external environment - Part
of invention
- E. An example environmental sensor with interface to external environment and interface
to CECU - Part of invention
- F. An example vehicle that is connected to the CECU
- G. Vehicle driving data sent via an interface to the CECU - Part of invention
- H. Other vehicles
- I. Example vehicle sensory / actuator system
- J. Sensors in the vehicle
- K. Actuator 1 (electric motor)
- L. Actuator 2 (Steering)
- M. Actuator 3 (Brakes)
- N. Vehicle Main Control Unit
- O. Drive control system 1 (Electrical drive control unit)
- P. Drive control system 2 (Steering control unit)
- Q. Drive control system 3 (brake control unit)
- R. VECU - Vehicle Electric control unit - Part of invention
- S. CECU - Central Electrical Control Unit - Part of invention
- T. CECU - Part 1 Data receiving and processing unit - part of invention
- U. CECU - Part 2 Data control and sending unit - Part of invention
- V. CECU - interface between part 1 and part 2 data exchange.
[0090] Fig. 3 also shows the following interfaces:
1. Interface between environmental sensors and CECU to send roadside data from environmental
sensors (D and E) to CECU (S part 1 or T)
2. Interface between environmental sensors and CECU to receive roadside data from
environmental sensors (D and E) to CECU (S part 1 or T)
3. Interface between VECU (R) and CECU (S) to receive vehicle driving data from example
vehicle (F) as well as other connected vehicles (H) VECU (R) by CECU (S part 1 or
T)
4. Interface between Static high definition maps and cloud points data source (B)
located based on external environment (A) and and CECU to receive preferably Static
high definition maps and cloud points data from data source (B) in environment (A)
to CECU (S part 1 or T).
5. Interface between CECU (S part 2 or U) and the vehicle main control unit (N) to
send from CECU Processed Drive Data (PDD) to vehicle main control unit.
6. Interface between CECU (S part 2 or U) and the VECU (R) to send emergency control
action (brake signal) from CECU (S part 2 or U) to VECU (R).
7. Interface between the VECU (R) and CECU (S part 1 or T) to send vehicle driving
data from example vehicle (F) as well as other connected vehicles (H) main control
unit (N) to CECU (S part 1 or T) via this VECU (R)
7'. Interface between Vehicle Main Control Unit (N) and VECU (R) to send vehicle driving
data to CECU (S part 1 or T) via VECU (R).
8. Interface between the CECU (S part 2 or U) and VECU (R) to receive PDD sent from
CECU (S Part 2 or U) to vehicle main control unit (N) via VECU (R).
8'. Interface between the VECU (R) and the Vehicle main control unit (N) to receive
PDD sent from CECU (S part 2 or U) to Vehicle main control unit (N) via VECU (R).
9. Interface between VECU (R) and drive control system Actuator 3 (Brakes) (M) to
send brake signal from VECU (R) to Actuator 3 (Brakes) (M)
10. Interface between VECU (R) and CECU (S part 2 or U) to receive safety signal sent
from CECU (S part 2 or U) to VECU (R).
[0091] Fig. 4 illustrates a third example embodiment of the invention different to those
of Fig. 2 and Fig. 3 described above.
[0092] Fig. 4 contains the following objects:
- A. The External Environment
- B. The Static High Definition Maps and cloud points that make up the external environment
as data input in digital maps in data source
- C. The environemtnal data including fixed and time changing surrounding environment
data that surrounds the environmental sensors.
- D. The environmental sensors which get input from the external environment - Part
of invention
- E. An example environmental sensor with interface to external environment and interface
to CECU - Part of invention
- F. An example vehicle that is connected to the CECU
- G. Vehicle driving data sent via an interface to the CECU -― Part of invention
- H. Other vehicles
- I. Example vehicle sensory / actuator system
- J. Sensors in the vehicle
- K. Actuator 1 (electric motor)
- L. Actuator 2 (Steering)
- M. Actuator 3 (Brakes)
- N. Vehicle Main Control Unit
- O. Drive control system 1 (Electrical drive control unit)
- P. Drive control system 2 (Steering control unit)
- Q. N/A
- R. Drive control System 3 (braking Control unit) ― which in this case also serves
as VECU.
- S. CECU - Central Electrical Control Unit - Part of invention
- T. CECU - Part 1 Data Receival and processing unit - part of invention
- U. CECU - Part 2 Data control and sending unit - Part of invention
- V. CECU - interface between part 1 and part 2 data exchange.
[0093] Fig. 4 also shows the following interfaces:
- 1. Interface between environmental sensors and CECU to send roadside data from environmental
sensors (D and E) to CECU (S part 1 or T)
- 2. Interface between environmental sensors and CECU to receive roadside data from
environmental sensors (D and E) to CECU (S part 1 or T)
- 3. Interface between Vehicle main control unit (N) and CECU (S) to receive vehicle
driving data from example vehicle (F) as well as other connected vehicles (H) main
control unit (N) by CECU (S part 1 or T)
- 4. Interface between Static high definition maps and cloud points data source (B)
located based on external environment (A) and CECU to receive preferably Static high
definition maps and cloud points data from data source (B) in environment (A) to CECU
(S part 1 or T).
- 5. Interface between CECU (S part 2 or U) and the vehicle main control unit (N) to
send from CECU Processed Drive Data (PDD) to vehicle main control unit.
- 6. Interface between CECU (S part 2 or U) and the VECU (R) to send emergency control
action (brake signal) from CECU (S part 2 or U) to VECU (R).
- 7. Interface between the Vehicle's main control unit (N) and the CECU (S part 1 or
T) to send vehicle driving data from example vehicle (F) as well as other connected
vehicles (H) main control unit (N) to CECU (S part 1 or T)
- 8. Interface between the CECU (S part 2 or U) and main control unit (N) to receive
PDD sent from CECU (S Part 2 or U) to vehicle main control unit (N).
- 9. Interface between VECU (R) and drive control system Actuator 3 (Brakes) (M) to
send brake signal from VECU (R) to Actuator 3 (Brakes) (M)
- 10. Interface between VECU (R) and CECU (S part 2 or U) to receive safety signal sent
from CECU (S part 2 or U) to VECU (R).
1. A system for monitoring at least one driving operation of at least one vehicle travelling
along a travel route in an operating area of the system, the system comprising a central
data processing and control unit (CECU), a plurality of environmental sensors placed
at a respective plurality of fixed locations distributed in the operating area at
least along the travel route, and a vehicle control unit (VECU), which is provided
in the at least one vehicle;
wherein the at least one vehicle comprises a main vehicle control unit that is configured
to automatedly control at least one driving operation of the vehicle based on vehicle
sensory driving data obtained by at least one sensor of the vehicle while travelling
along the travel route, the main vehicle control unit being configured to send vehicle
driving data to be received by the CECU, the vehicle driving data comprising the vehicle
sensory driving data and drive decision data generated by the main vehicle control
unit, and to receive processed drive data (PDD) sent from the CECU;
wherein each of the environmental sensors is configured to detect real-time environmental
data for its respective fixed location along the travel route, the real-time environmental
data including surrounding environmental data on a continuous basis, and wherein each
of the environmental sensors is in data connection with the CECU and configured to
send the environmental data to the CECU via the data connection;
wherein the CECU is located remotely from the plurality of environmental sensors and
remotely from the at least one vehicle and comprises:
- a first CECU data interface, configured to receive the environmental data via the
data connection from the plurality of environmental sensors;
- a second CECU data interface, configured to receive the vehicle driving data sent
from the at least one vehicle's main vehicle control unit; and
- a third CECU data interface, configured to send processed drive data (PDD) to be
received by the at least one vehicle's main vehicle control unit;
wherein the CECU is configured to process the received data, including the environmental
data and the vehicle driving data, to obtain the processed drive data (PDD) and a
CECU drive decision (CDD), wherein the CECU is further configured to compare the drive
decision received from the at least one vehicle's main vehicle control unit with the
obtained CDD, and, in case the comparison does not cause a conflict, to obtain a confirmation
of the drive decision, or, in case the comparison causes a conflict, to generate an
emergency control signal and to send the emergency control signal to the VECU to cause
the VECU to initiate an emergency action to prevent a potentially dangerous situation,
wherein the VECU is in direct data connection with the CECU to directly receive the
emergency control signal from the CECU and is in further data connection to at least
one drive control system of the vehicle to cause the drive control system to perform
the emergency action.
2. The system of claim 1, wherein the drive control system that is in data connection
with the VECU is a brake system of the vehicle, and wherein the emergency control
signal is a brake control signal that causes the VECU to activate the brake system
of the vehicle as the emergency action.
3. The system of claim 1 or 2, wherein the vehicle's main vehicle control unit is in
data connection with the vehicle's VECU, such that a data connection between the main
vehicle control unit and the CECU is provided via the VECU, wherein the VECU is configured
to receive the vehicle driving data from the main vehicle control unit via the data
connection, and forward the vehicle driving data to the CECU, wherein the VECU is
further configured to receive the PDD from the CECU via the data connection and forward
the PDD to the main vehicle control unit.
4. The system of claim 1 or 2, wherein the vehicle's main vehicle control unit is in
data connection with the CECU, such that the data connection between the main vehicle
control unit and the CECU is provided in a direct manner, wherein the main vehicle
control unit is configured to directly send the vehicle driving data to the CECU via
the data connection, and further to directly receive the PDD from the CECU via the
data connection.
5. The system of claim 4, wherein the VECU is configured as an independent component
with respect to the main vehicle control unit, such that the emergency control signal
that is sent by the CECU can be received directly by the VECU, which will initiate
the emergency action to prevent a potentially dangerous situation unseen or unrecognized
by the main vehicle control unit, or to avoid unsafe actions that the main vehicle
control unit intends to take.
6. A system for monitoring at least one driving operation of at least one vehicle travelling
along a travel route in an operating area of the system, the system comprising a central
data processing and control unit (CECU), and a plurality of environmental sensors
placed at a respective plurality of fixed locations distributed in the operating area
at least along the travel route;
wherein the at least one vehicle comprises a main vehicle control unit that is configured
to automatedly control at least one driving operation of the vehicle based on vehicle
sensory driving data obtained by at least one sensor of the vehicle, the main vehicle
control unit being configured to send vehicle driving data to be received by the CECU,
the vehicle driving data comprising the vehicle sensory driving data and drive decision
data generated by the main vehicle control unit, and to receive processed drive data
(PDD) sent from the CECU;
wherein each of the environmental sensors is configured to detect real-time environmental
data for its respective fixed location along the travel route, the real-time environmental
data including surrounding environment data on a continuous basis, and wherein each
of the environmental sensors is in data connection with the CECU and configured to
send the environmental data to the CECU via the data connection;
wherein the CECU is located remotely from the plurality of environmental sensors and
remotely from the at least one vehicle and comprises:
- a first CECU data interface, configured to receive the environmental data via the
data connection from the plurality of environmental sensors;
- a second CECU data interface, configured to receive the vehicle driving data sent
from the at least one vehicle's main vehicle control unit;
- a third CECU data interface, configured to send processed drive data (PDD) to be
received by the at least one vehicle's main vehicle control unit;
wherein the CECU is configured to process the received data, including the environmental
data and the vehicle driving data, to obtain the processed drive data (PDD) and a
CECU drive decision (CDD), wherein the CECU is further configured to compare the drive
decision received from the at least one vehicle's main vehicle control unit with the
obtained CDD, to obtain a confirmation of the drive decision in case the comparison
does not cause a conflict, or in case the comparison causes a conflict, to generate
an emergency control signal and to send the emergency control signal to at least one
drive control system of the vehicle to cause the drive control system to perform an
emergency action to prevent a potentially dangerous situation;
wherein the drive control system comprises a drive control unit that is configured
as an independent vehicle control unit with respect to the main vehicle control unit
of the respective vehicle, wherein the drive control unit is configured to receive
a drive control signal from the main vehicle control unit to control at least one
driving operation of the at least one vehicle, and further configured to receive the
emergency control signal from the CECU to perform the emergency action as the driving
operation.
7. The system of claim 6, wherein the drive control system is a brake system of the vehicle,
and wherein the emergency control signal is a brake control signal that activates
the brake system of the vehicle as the emergency action.
8. The system of any one of the preceding claims, wherein the CECU is configured to generate
the emergency control signal also in case the at least one vehicle's main vehicle
control unit is not able to receive the CDD or is not responsive to the CDD.
9. The system of any one of the preceding claims, wherein the vehicle driving data further
comprise drive intention data including information about at least one of a destination,
remaining distance and route choice, wherein the CECU is configured to send the PDD
based on the respective drive intention data to the at least one vehicle's main vehicle
control unit to support the main vehicle control unit with further refining and modifying
its drive decision data.
10. The system of any one of the preceding claims, wherein the environmental data includes
at least one of the environmental sensor's own location, surrounding environment data,
the surrounding environment data including at least one of, preferably both of, fixed
and time changing data from and around the environmental on a continuous basis, wherein
the surrounding environment data preferably includes real time environment data surrounding
the respective environmental sensor, including at least one of a moving object's size,
shape, movement speed, movement direction, and GPS coordinates.
11. The system of any one of the preceding claims, wherein the CECU comprises a fourth
CECU data interface, configured to receive at least one of a high-definition 3D life
digital map, cloud points, and imaging data.
12. The system of any one of the preceding claims, wherein the CECU is further configured
to assemble all received data in real time and lay them as per its GPS coordinates
on corresponding location maps, preferably high-definition 3D maps, and further to
obtain the CDD related to vehicle driving data received from the at least one vehicle.
13. The system of claim 12, wherein the CECU is further configured to lay all data as
per their GPS coordinates on at least one corresponding location map to create a real-time
three-dimensional map, preferably as a high-definition digital map.
14. The system of any one of the preceding claims, wherein data connection between the
environmental sensors and the CECU is a wired data connection, preferably a high-speed
internet cable connection, or a wireless data connection.
15. A method for monitoring at least one driving operation of at least one vehicle, comprising
- providing a system for monitoring at least one driving operation of at least one
vehicle, preferably the system of claim 1, the system comprising a central data processing
and control unit (CECU), a plurality of environmental sensors placed at a respective
plurality of fixed locations distributed in the operating area at least along the
travel route, and a vehicle control unit (VECU), which is provided in the at least
one vehicle;
wherein the at least one vehicle comprises a main vehicle control unit that automatedly
controls at least one driving operation of the vehicle based on vehicle sensory driving
data obtained by at least one sensor of the vehicle, the method comprising sending,
by means of the main vehicle control unit, vehicle driving data to be received by
the CECU, the vehicle driving data comprising the vehicle sensory driving data and
drive decision data generated by the main vehicle control unit, and receiving, by
means of the main vehicle control unit, processed drive data (PDD) sent from the CECU;
- detecting, by means of the plurality of environmental sensors, real-time environmental
data for the respective fixed location, the real-time environmental data including
surrounding environment data on a continuous basis;
- sending, by means of the plurality of environmental sensors, the environmental data
to the CECU, the environmental sensors each being in data connection with the CECU;
- receiving, by means of the CECU at a first CECU data interface, the environmental
data via the data connection from the plurality of environmental sensors;
- receiving, by means of the CECU at a second CECU data interface, the vehicle driving
data sent from the at least one vehicle's main vehicle control unit;
- sending, by means of the CECU at a third CECU data interface, processed drive data
(PDD) to be received by the at least one vehicle's main control unit;
- processing, by means of the CECU, the received data, including the environmental
data and the vehicle driving data, to obtain the processed drive data (PDD) and a
CECU drive decision (CDD);
- comparing, by means of the CECU, the drive decision received from the at least one
vehicle's main vehicle control unit with the obtained CDD, and, in case the comparison
does not cause a conflict, obtaining a confirmation of the drive decision, or, in
case the comparison causes a conflict, generating, by means of the CECU, an emergency
control signal and sending the emergency control signal to the VECU to cause the VECU
to initiate an emergency action to prevent a potentially dangerous situation, wherein
in this case, the method further comprises
- directly receiving, by means of the VECU, via a direct data connection with the
CECU, the emergency control signal from the CECU, wherein the VECU is in further data
connection to at least one drive control system of the vehicle to cause the drive
control system to perform the emergency action.
16. A method for monitoring at least one driving operation of at least one vehicle, comprising
- providing a system for monitoring at least one driving operation of at least one
vehicle, preferably the system of claim 6, the system comprising a central data processing
and control unit (CECU), and a plurality of environmental sensors placed at a respective
plurality of fixed locations distributed in the operating area at least along the
travel route;
wherein the at least one vehicle comprises a main vehicle control unit that automatedly
controls at least one driving operation of the vehicle based on vehicle sensory driving
data obtained by at least one sensor of the vehicle, the method comprising sending,
by means of the main vehicle control unit, vehicle driving data to be received by
the CECU, the vehicle driving data comprising the vehicle sensory driving data and
drive decision data generated by the main vehicle control unit, and receiving, by
means of the main vehicle control unit, processed drive data (PDD) sent from the CECU;
- detecting, by means of the plurality of environmental sensors, real-time environmental
data for the respective fixed location, the real-time environmental data including
surrounding environment data on a continuous basis,
- sending, by means of the plurality of environmental sensors, the environmental data
to the CECU, the environmental sensors each being in data connection with the CECU;
- receiving, by means of the CECU at a first CECU data interface, the environmental
data via the data connection from the plurality of environmental sensors;
- receiving, by means of the CECU at a second CECU data interface, the vehicle driving
data sent from the at least one vehicle's main vehicle control unit;
- sending, by means of the CECU at a third CECU data interface, processed drive data
(PDD) to be received by the at least one vehicle's main control unit;
- processing, by means of the CECU, the received data, including the environmental
data and the vehicle driving data, to obtain the processed drive data (PDD) and a
CECU drive decision (CDD);
- comparing, by means of the CECU, the drive decision received from the at least one
vehicle's main vehicle control unit with the obtained CDD, and obtaining, by means
of the CECU, a confirmation of the drive decision in case the comparison does not
cause a conflict, or in case the comparison causes a conflict, generating, by means
of the CECU, an emergency control signal and sending the emergency control signal
to at least one drive control system of the vehicle to cause the drive control system
to perform an emergency action to prevent a potentially dangerous situation;
wherein the drive control system comprises a drive control unit that is configured
as an independent vehicle control unit with respect to the main vehicle control unit
of the respective vehicle, wherein the method further comprises:
- receiving, by the drive control unit, a drive control signal from the main vehicle
control unit to control at least one driving operation of the at least one vehicle,
or
- receiving, by the drive control unit, the emergency control signal from the CECU
to perform the emergency action as the driving operation.
Amended claims in accordance with Rule 137(2) EPC.
1. A system for monitoring at least one driving operation of at least one vehicle travelling
along a travel route in an operating area of the system, the system comprising a central
data processing and control unit (CECU), a plurality of environmental sensors (D,
E) placed at a respective plurality of fixed locations distributed in the operating
area at least along the travel route, and a vehicle control unit (VECU), which is
provided in the at least one vehicle;
wherein the at least one vehicle comprises a main vehicle control unit (N) that is
configured to automatedly control at least one driving operation of the vehicle based
on vehicle sensory driving data obtained by at least one sensor of the vehicle (J)
while travelling along the travel route, the main vehicle control unit (N) being configured
to send vehicle driving data (VDD) to be received by the CECU, the vehicle driving
data comprising the vehicle sensory driving data and drive decision data generated
by the main vehicle control unit (N), and to receive processed drive data (PDD) sent
from the CECU;
wherein each of the environmental sensors (D, E) is configured to detect real-time
environmental data for its respective fixed location along the travel route, the real-time
environmental data including surrounding environmental data on a continuous basis,
and wherein each of the environmental sensors (D, E) is in data connection with the
CECU and configured to send the environmental data to the CECU via the data connection;
wherein the CECU is located remotely from the plurality of environmental sensors (D,
E) and remotely from the at least one vehicle and comprises:
- a first CECU data interface (1, 2), configured to receive the environmental data
via the data connection from the plurality of environmental sensors (D, E);
- a second CECU data interface (3), configured to receive the vehicle driving data
sent from the at least one vehicle's main vehicle control unit (N); and
- a third CECU data interface (5), configured to send processed drive data (PDD) to
be received by the at least one vehicle's main vehicle control unit (N);
wherein the CECU is configured to process the received data, including the environmental
data and the vehicle driving data, to obtain the processed drive data (PDD) and a
CECU drive decision (CDD), wherein the CECU is further configured to compare the drive
decision received from the at least one vehicle's main vehicle control unit (N) with
the obtained CDD, and, in case the comparison does not cause a conflict, to obtain
a confirmation of the drive decision, or, in case the comparison causes a conflict,
to generate an emergency control signal and to send the emergency control signal to
the VECU to cause the VECU to initiate an emergency action to prevent a potentially
dangerous situation, wherein the VECU is in direct data connection with the CECU to
directly receive the emergency control signal from the CECU and is in further data
connection to at least one drive control system of the vehicle to cause the drive
control system to perform the emergency action.
2. The system of claim 1, wherein the drive control system that is in data connection
with the VECU is a brake system of the vehicle, and wherein the emergency control
signal is a brake control signal that causes the VECU to activate the brake system
of the vehicle as the emergency action.
3. The system of claim 1 or 2, wherein the vehicle's main vehicle control unit (N) is
in data connection with the vehicle's VECU, such that a data connection between the
main vehicle control unit (N) and the CECU is provided via the VECU, wherein the VECU
is configured to receive the vehicle driving data from the main vehicle control unit
(N) via the data connection, and forward the vehicle driving data to the CECU, wherein
the VECU is further configured to receive the PDD from the CECU via the data connection
and forward the PDD to the main vehicle control unit (N).
4. The system of claim 1 or 2, wherein the vehicle's main vehicle control unit (N) is
in data connection with the CECU, such that the data connection between the main vehicle
control unit (N) and the CECU is provided in a direct manner, wherein the main vehicle
control unit (N) is configured to directly send the vehicle driving data to the CECU
via the data connection, and further to directly receive the PDD from the CECU via
the data connection.
5. The system of claim 4, wherein the VECU is configured as an independent component
with respect to the main vehicle control unit (N), such that the emergency control
signal that is sent by the CECU can be received directly by the VECU, which will initiate
the emergency action to prevent a potentially dangerous situation unseen or unrecognized
by the main vehicle control unit (N), or to avoid unsafe actions that the main vehicle
control unit (N) intends to take.
6. A system for monitoring at least one driving operation of at least one vehicle travelling
along a travel route in an operating area of the system, the system comprising a central
data processing and control unit (CECU), and a plurality of environmental sensors
(D, E) placed at a respective plurality of fixed locations distributed in the operating
area at least along the travel route;
wherein the at least one vehicle comprises a main vehicle control unit (N) that is
configured to automatedly control at least one driving operation of the vehicle based
on vehicle sensory driving data obtained by at least one sensor of the vehicle (J),
the main vehicle control unit (N) being configured to send vehicle driving data to
be received by the CECU, the vehicle driving data comprising the vehicle sensory driving
data and drive decision data generated by the main vehicle control unit, and to receive
processed drive data (PDD) sent from the CECU;
wherein each of the environmental sensors (D, E) is configured to detect real-time
environmental data for its respective fixed location along the travel route, the real-time
environmental data including surrounding environment data on a continuous basis, and
wherein each of the environmental sensors (D, E) is in data connection with the CECU
and configured to send the environmental data to the CECU via the data connection;
wherein the CECU is located remotely from the plurality of environmental sensors (D,
E) and remotely from the at least one vehicle and comprises:
- a first CECU data interface (1, 2), configured to receive the environmental data
via the data connection from the plurality of environmental sensors (D, E);
- a second CECU data interface (3), configured to receive the vehicle driving data
sent from the at least one vehicle's main vehicle control unit (N);
- a third CECU data interface (5), configured to send processed drive data (PDD) to
be received by the at least one vehicle's main vehicle control unit (N);
wherein the CECU is configured to process the received data, including the environmental
data and the vehicle driving data, to obtain the processed drive data (PDD) and a
CECU drive decision (CDD), wherein the CECU is further configured to compare the drive
decision received from the at least one vehicle's main vehicle control unit (N) with
the obtained CDD, to obtain a confirmation of the drive decision in case the comparison
does not cause a conflict, or in case the comparison causes a conflict, to generate
an emergency control signal and to send the emergency control signal to at least one
drive control system of the vehicle to cause the drive control system to perform an
emergency action to prevent a potentially dangerous situation;
wherein the drive control system comprises a drive control unit that is configured
as an independent vehicle control unit with respect to the main vehicle control unit
(N) of the respective vehicle, wherein the drive control unit is configured to receive
a drive control signal from the main vehicle control unit to control at least one
driving operation of the at least one vehicle, and further configured to receive the
emergency control signal from the CECU to perform the emergency action as the driving
operation.
7. The system of claim 6, wherein the drive control system is a brake system of the vehicle,
and wherein the emergency control signal is a brake control signal that activates
the brake system of the vehicle as the emergency action.
8. The system of any one of the preceding claims, wherein the CECU is configured to generate
the emergency control signal also in case the at least one vehicle's main vehicle
control unit is not able to receive the CDD or is not responsive to the CDD.
9. The system of any one of the preceding claims, wherein the vehicle driving data further
comprise drive intention data including information about at least one of a destination,
remaining distance and route choice, wherein the CECU is configured to send the PDD
based on the respective drive intention data to the at least one vehicle's main vehicle
control unit (N) to support the main vehicle control unit (N) with further refining
and modifying its drive decision data.
10. The system of any one of the preceding claims, wherein the environmental data includes
at least one of the environmental sensor's (D, E) own location, surrounding environment
data, the surrounding environment data including at least one of, or both of, fixed
and time changing data from and around the environmental sensors (D, E) on a continuous
basis, wherein the surrounding environment data includes real time environment data
surrounding the respective environmental sensor(D, E), including at least one of a
moving object's size, shape, movement speed, movement direction, and GPS coordinates.
11. The system of any one of the preceding claims, wherein the CECU comprises a fourth
CECU data interface, configured to receive at least one of a high-definition 3D life
digital map, cloud points, and imaging data.
12. The system of any one of the preceding claims, wherein the CECU is further configured
to assemble all received data in real time and lay them as per its GPS coordinates
on corresponding location maps, and further to obtain the CDD related to vehicle driving
data received from the at least one vehicle.
13. The system of claim 12, wherein the CECU is further configured to lay all data as
per their GPS coordinates on at least one corresponding location map to create a real-time
three-dimensional map.
14. The system of any one of the preceding claims, wherein data connection between the
environmental sensors and the CECU is a wired data connection, preferably a high-speed
internet cable connection, or a wireless data connection.
15. A method for monitoring at least one driving operation of at least one vehicle, comprising
- providing a system for monitoring at least one driving operation of at least one
vehicle, , the system comprising a central data processing and control unit (CECU),
a plurality of environmental sensors placed at a respective plurality of fixed locations
distributed in the operating area at least along the travel route, and a vehicle control
unit (VECU), which is provided in the at least one vehicle;
wherein the at least one vehicle comprises a main vehicle control unit (N) that automatedly
controls at least one driving operation of the vehicle based on vehicle sensory driving
data obtained by at least one sensor of the vehicle (J), the method comprising sending,
by means of the main vehicle control unit, vehicle driving data to be received by
the CECU, the vehicle driving data comprising the vehicle sensory driving data and
drive decision data generated by the main vehicle control unit, and receiving, by
means of the main vehicle control unit (N), processed drive data (PDD) sent from the
CECU;
- detecting, by means of the plurality of environmental sensors (D, E), real-time
environmental data for the respective fixed location, the real-time environmental
data including surrounding environment data on a continuous basis;
- sending, by means of the plurality of environmental sensors (D, E), the environmental
data to the CECU, the environmental sensors (D, E) each being in data connection with
the CECU;
- receiving, by means of the CECU at a first CECU data interface, the environmental
data via the data connection from the plurality of environmental sensors (D, E);
- receiving, by means of the CECU at a second CECU data interface, the vehicle driving
data sent from the at least one vehicle's main vehicle control unit;
- sending, by means of the CECU at a third CECU data interface, processed drive data
(PDD) to be received by the at least one vehicle's main control unit;
- processing, by means of the CECU, the received data, including the environmental
data and the vehicle driving data, to obtain the processed drive data (PDD) and a
CECU drive decision (CDD);
- comparing, by means of the CECU, the drive decision received from the at least one
vehicle's main vehicle control unit with the obtained CDD, and, in case the comparison
does not cause a conflict, obtaining a confirmation of the drive decision, or, in
case the comparison causes a conflict, generating, by means of the CECU, an emergency
control signal and sending the emergency control signal to the VECU to cause the VECU
to initiate an emergency action to prevent a potentially dangerous situation, wherein
in this case, the method further comprises
- directly receiving, by means of the VECU, via a direct data connection with the
CECU, the emergency control signal from the CECU, wherein the VECU is in further data
connection to at least one drive control system of the vehicle to cause the drive
control system to perform the emergency action.
16. A method for monitoring at least one driving operation of at least one vehicle, comprising
- providing a system for monitoring at least one driving operation of at least one
vehicle, , the system comprising a central data processing and control unit (CECU),
and a plurality of environmental sensors (D, E) placed at a respective plurality of
fixed locations distributed in the operating area at least along the travel route;
wherein the at least one vehicle comprises a main vehicle control unit that automatedly
controls at least one driving operation of the vehicle based on vehicle sensory driving
data obtained by at least one sensor of the vehicle (J), the method comprising sending,
by means of the main vehicle control unit, vehicle driving data to be received by
the CECU, the vehicle driving data comprising the vehicle sensory driving data and
drive decision data generated by the main vehicle control unit (N), and receiving,
by means of the main vehicle control unit, processed drive data (PDD) sent from the
CECU;
- detecting, by means of the plurality of environmental sensors (D, E), real-time
environmental data for the respective fixed location, the real-time environmental
data including surrounding environment data on a continuous basis,
- sending, by means of the plurality of environmental sensors (D, E), the environmental
data to the CECU, the environmental sensors each being in data connection with the
CECU;
- receiving, by means of the CECU at a first CECU data interface, the environmental
data via the data connection from the plurality of environmental sensors (D, E);
- receiving, by means of the CECU at a second CECU data interface, the vehicle driving
data sent from the at least one vehicle's main vehicle control unit (N);
- sending, by means of the CECU at a third CECU data interface, processed drive data
(PDD) to be received by the at least one vehicle's main control unit (N);
- processing, by means of the CECU, the received data, including the environmental
data and the vehicle driving data, to obtain the processed drive data (PDD) and a
CECU drive decision (CDD);
- comparing, by means of the CECU, the drive decision received from the at least one
vehicle's main vehicle control unit (N) with the obtained CDD, and obtaining, by means
of the CECU, a confirmation of the drive decision in case the comparison does not
cause a conflict, or in case the comparison causes a conflict, generating, by means
of the CECU, an emergency control signal and sending the emergency control signal
to at least one drive control system of the vehicle to cause the drive control system
to perform an emergency action to prevent a potentially dangerous situation;
wherein the drive control system comprises a drive control unit that is configured
as an independent vehicle control unit with respect to the main vehicle control unit
of the respective vehicle, wherein the method further comprises:
- receiving, by the drive control unit, a drive control signal from the main vehicle
control unit to control at least one driving operation of the at least one vehicle,
or
- receiving, by the drive control unit, the emergency control signal from the CECU
to perform the emergency action as the driving operation.