
WO2025002573A1 - Method of enhancing vehicle safety, method of controlling vehicle operation, processing system, vehicle, and machine-readable instruction code - Google Patents

Method of enhancing vehicle safety, method of controlling vehicle operation, processing system, vehicle, and machine-readable instruction code

Info

Publication number
WO2025002573A1
WO2025002573A1 PCT/EP2023/068015 EP2023068015W WO2025002573A1 WO 2025002573 A1 WO2025002573 A1 WO 2025002573A1 EP 2023068015 W EP2023068015 W EP 2023068015W WO 2025002573 A1 WO2025002573 A1 WO 2025002573A1
Authority
WO
WIPO (PCT)
Prior art keywords
relevant
safety
kpis
map
several
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/EP2023/068015
Other languages
English (en)
Inventor
Vishwanath Nagnath Pai
Ahmad Adee
Milad HASANVAND
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
TomTom International BV
Original Assignee
TomTom International BV
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by TomTom International BV
Priority to PCT/EP2023/068015
Publication of WO2025002573A1
Legal status: Pending

Classifications

    • G PHYSICS
    • G01 MEASURING; TESTING
    • G01C MEASURING DISTANCES, LEVELS OR BEARINGS; SURVEYING; NAVIGATION; GYROSCOPIC INSTRUMENTS; PHOTOGRAMMETRY OR VIDEOGRAMMETRY
    • G01C21/00 Navigation; Navigational instruments not provided for in groups G01C1/00 - G01C19/00
    • G01C21/38 Electronic maps specially adapted for navigation; Updating thereof
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0218 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults
    • G05B23/0243 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults model based detection method, e.g. first-principles knowledge model
    • G05B23/0245 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults model based detection method, e.g. first-principles knowledge model based on a qualitative model, e.g. rule based; if-then decisions
    • G05B23/0248 Causal models, e.g. fault tree; digraphs; qualitative physics
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0259 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the response to fault detection
    • G05B23/0275 Fault isolation and identification, e.g. classify fault; estimate cause or root of failure
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Definitions

  • Techniques that provide assistance to a driver of a vehicle and/or that autonomously perform vehicle control operations are gaining popularity.
  • Such techniques have the potential of eliminating human errors that can cost lives.
  • Such techniques include, without limitation, driver assistance systems, advanced driver assistance systems (ADAS), Highly Automated Driving (HAD) systems, and/or autonomous driving systems.
  • ADAS advanced driver assistance systems
  • HAD Highly Automated Driving
  • Such techniques are collectively referred to as providing automated driving functions, or driving automation, at level 1 (driver assistance), level 2 (partial driving automation), level 3 (conditional driving automation), level 4 (high driving automation), or level 5 (full driving automation).
  • Automated driving functions may use perception, i.e., the processing and interpretation of data captured by a vehicle sensor for performing the respective automated driving function.
  • a world model used in performing the automated driving function may be based on map data of an electronic map.
  • the different electronic maps may be distinguished from each other by the map features of the electronic maps and the key performance indicators that the map features have in each of the electronic maps.
  • the question of which electronic map data allows an automated driving function to be executed is, thus, pertinent to vehicle safety when executing the automated driving function.
  • WO 2021/170718A2 discloses a technique for the generation and provision of digital map data that is safe and reliable.
  • the technique enables the verification of the digital map data in a map-client using a simple and efficient data structure to check the correctness of the map data before in-vehicle delivery to components that rely on this map data.
  • the determined lists of map features and their KPIs required for safe execution of an automated function may then be used to verify that electronic map data to be used has the required map feature(s) and KPI(s) and/or to selectively activate or deactivate automated driving functions in a manner which ensures that all activated automated driving functions require only map feature(s) and KPI(s) that have been verified to be present in the electronic map data used for execution of the activated automated driving functions.
  • Determining the one or several safety-relevant map features and the one or several safety-relevant KPIs by the at least one processing circuit comprises: identifying one or several map features that affect execution of the automated driving function; determining the one or several safety-relevant map features, comprising determining which of the identified one or several map features are causal for at least one malfunction of the automated driving function; establishing, for each of the one or several safety-relevant map features, one or several KPIs of the safety-relevant map feature causal for at least one malfunction of the automated driving function; and determining the one or several safety-relevant KPIs for the one or several safety-relevant map features based at least on the established KPIs causal for the at least one malfunction.
  • both the presence or absence of the safety-relevant map features and the presence or absence of the safety-relevant KPIs may be checked when assessing whether electronic map data complies with criteria that allow it to be used for safe execution of the automated driving function.
  • the criteria may comprise determining whether the electronic map data has all of the safety-relevant map features and all of the safety-relevant KPIs.
  • the causality analysis may be performed based on a system model of an automated driving system (ADS), taking into consideration whether and, if so, which sensor data is used in combination with the electronic map data to determine a world model for performing the automated driving function.
  • ADS automated driving system
  • map feature(s) that are causally related to at least one malfunction can be identified.
  • the risk of electronic map data being incorrectly considered as unsuitable for performance of the automated driving function is mitigated.
  • the further causality analysis may comprise a further fault tree analysis, a further Bayesian network analysis, and/or other further causality analysis techniques.
  • the further causality analysis may be performed based on a system model of an automated driving system (ADS), taking into consideration whether and, if so, which sensor data is used in combination with the electronic map data to determine a world model for performing the automated driving function.
  • map feature(s) that are causally related to at least one malfunction can be identified even when no detailed implementation knowledge of the automated driving function is available.
  • Each of the one or several safety-relevant KPIs may have an associated weight.
  • the criteria may further be based on the weight associated with at least one of the one or several safety-relevant KPIs.
  • the method may further comprise controlling at least one human machine interface (HMI) to enable the inputting of the weights.
  • HMI human machine interface
  • the safety-relevant KPIs may be selected from a given, pre-defined set of KPIs that may be of relevance for ensuring that the electronic map data does not prejudice safe execution of the automated driving function.
  • the safety-relevant KPIs may be selected from a standardized set of KPIs agreed upon to be of potential relevance to automated driving.
  • the safety-relevant KPIs may be selected from a KPI set comprising, or consisting of,
  • the method may further comprise selectively executing the automated driving function by the vehicle based on a result of the verification.
  • execution of the automated driving function may be restricted or modified in case the electronic map data cannot be verified to comply with the criteria. Vehicle safety is enhanced thereby.
  • Modifying the electronic map data may comprise merging or otherwise supplementing a first electronic map that comprises the electronic map data with at least one second electronic map having KPIs different from the first electronic map.
  • the electronic map data may be improved, in view of the determined safety-relevant map features and KPIs, prior to its use based on the determined safety-relevant map features and the determined safety-relevant KPIs, so as to ensure safe execution of the automated driving function. This further enhances vehicle safety.
  • the automated driving function may comprise or may be an automated driving function at any one of driving automation levels 1, 2, 3, 4, or 5.
  • the automated driving function may comprise or may be an automated driving function that provides driver assistance or an automated driving function that provides enhanced driver assistance or an automated driving function that provides autonomous driving functionality.
  • safety-relevant map features and safety-relevant KPIs may be employed for both driver assistance and autonomous driving, which involve different degrees of automation. This further enhances vehicle safety.
  • the automated driving function may comprise or may be a driving function that outputs a control signal acting on a vehicle HMI of the vehicle.
  • safety-relevant map features and safety-relevant KPIs may be employed for automated driving functions that provide output to a vehicle driver.
  • the automated driving function may comprise or may be a driving function that outputs a control signal acting on a vehicle actuator of the vehicle.
  • the method may further comprise performing, by an ADS of the vehicle, the automated driving function conditionally dependent on the electronic map data being in compliance with the criteria.
  • Vehicle safety is enhanced by executing the automated driving function conditionally dependent on the electronic map data being in compliance with the criteria.
  • the method may further comprise determining, by the at least one processing circuit, further safety-relevant KPIs causal for safe execution of one or several further automated driving functions by the vehicle.
  • the determination of safety-relevant map features and safety-relevant KPIs may be performed successively or in parallel for various different automated driving functions.
  • the processing used to determine the safety-relevant map features and safety-relevant KPIs may respectively be performed as described in detail above and as further described in detail in association with embodiments below.
  • the verification that the electronic map data to be used in performing the automated driving function has all required map features and safety-relevant KPIs may be performed individually for each automated driving function. Individual automated driving functions may be selectively activated depending on whether the electronic map data used by the specific automated driving function has the safety-relevant map features and safety-relevant KPIs determined for the specific automated driving function.
  • the actions are appropriate to ensure that the electronic map data, possibly of the modification, have the map features and KPIs of the map features that are relevant for ensuring that the electronic map data does not prejudice safe execution of the automated driving function. Thereby, vehicle safety is enhanced further.
  • Determining the safety-relevant map features and the safety-relevant KPIs may be done by verifying conformity with the one or several safety goals (SG).
  • a method of controlling vehicle operation comprises performing the method of any one of the preceding claims to determine the one or several safety-relevant map features and the one or several safety-relevant KPIs; selectively activating the automated driving function in response to determining that the electronic map data has the one or several safety-relevant map features and the one or several safety-relevant KPIs; and controlling, by the automated driving function, at least one vehicle component.
  • the method may comprise controlling at least one HMI of or coupled to a processing system to enable the one or several safety goals to be specified via the HMI, wherein the processing system determines the safety-relevant map features and the safety-relevant KPIs based on the specified one or several SGs.
  • the HMI via which the safety goal(s) can be specified is distinct from an onboard HMI of a vehicle.
  • a processing system comprising at least one processing circuit operative to determine, for the electronic map, one or several safety-relevant map features and one or several safety-relevant key performance indicators (KPIs) of at least one of the one or several safety-relevant map features, wherein the one or several safety-relevant KPIs are causal for safe execution of an automated driving function by a vehicle.
  • KPIs safety-relevant key performance indicators
  • the at least one processing circuit is operative to perform the following operations to determine the one or several safety-relevant map features and the one or several safety-relevant KPIs: identifying one or several map features that affect execution of the automated driving function; determining the one or several safety-relevant map features, comprising determining which of the identified one or several map features are causal for at least one malfunction of the automated driving function; establishing, for each of the one or several safety-relevant map features, one or several KPIs of the safety-relevant map feature causal for at least one malfunction of the automated driving function; and determining the one or several safety-relevant KPIs for the one or several safety-relevant map features based at least on the established KPIs causal for the at least one malfunction.
  • the processing system may be operative to perform or enable a verification that electronic map data to be used in the execution of the automated driving function complies with criteria that are based at least on the one or several safety-relevant map features and the one or several safety-relevant KPIs of the one or several safety-relevant map features.
  • the processing system may be operative to perform the method according to an embodiment.
  • a vehicle comprises a vehicle system operative to execute an automated driving function.
  • the vehicle system comprises at least part of the processing system and/or the vehicle processing system is operative to receive data relating to the one or several safety-relevant map features and the one or several safety-relevant key performance indicators (KPIs) determined using a method according to an embodiment, and to perform at least one automated function based on the received data relating to the one or several safety-relevant map features and the one or several safety-relevant key performance indicators.
  • the vehicle system may be an automated driving system (ADS).
  • the data related to the map features and their KPIs that are required for safe execution of the automated function may be used by the ADS.
  • the ADS may be operative to perform one, several or all of the following: selecting electronic map data from several electronic maps available to the ADS in accordance with the received data relating to the safety-relevant map features and the safety-relevant KPIs; requesting an over-the-air (OTA) update of electronic map data available to the ADS; selectively activating the automated driving function conditionally dependent on whether the electronic map data has the one or several safety-relevant map features and the one or several safety-relevant KPIs; selectively activating a fallback function for an automated driving function conditionally dependent on whether the electronic map data has the one or several safety-relevant map features and the one or several safety-relevant KPIs.
  • OTA over-the-air
  • Vehicle safety is enhanced thereby.
  • the ADS may be operative to control at least one vehicle actuator of the vehicle when performing the automated driving function.
  • the techniques disclosed herein are harnessed for enhancing vehicle safety upon execution of automated driving functions that control one or several vehicle actuators.
  • a system comprising the processing system according to an embodiment and a vehicle comprising an automated driving system (ADS), the ADS being operative to perform an automated driving function conditionally dependent on whether the electronic map data has the one or several safety-relevant map features and the one or several safety-relevant KPIs.
  • Vehicle safety is enhanced thereby.
  • the automated driving function may comprise or may be an automated driving function at any one of driving automation levels 1, 2, 3, 4, or 5.
  • the automated driving function may comprise or may be an automated driving function that provides driver assistance or an automated driving function that provides enhanced driver assistance or an automated driving function that provides autonomous driving functionality.
  • machine-readable instruction code comprising instructions which, when executed by at least one processing circuit, cause the at least one processing circuit to perform the method of any one aspect or embodiment.
  • a data carrier comprising machine-readable instruction code comprising instructions which, when executed by at least one processing circuit, cause the at least one processing circuit to perform the method of any one aspect or embodiment.
  • the data carrier may comprise a non-transitory storage medium having stored thereon the machine-readable instruction code.
  • Figure 1 is a diagram of a system comprising a processing system and a vehicle.
  • FIG. 2 is a block diagram of the processing system.
  • Figure 3 is a flow chart of a method.
  • Figure 4 is a flow chart of a method.
  • Figure 5 is a flow chart of a method.
  • Figure 6 is a schematic representation of causality analysis that may be performed by the methods and processing systems.
  • Figure 7 is a schematic representation of causality analysis that may be performed by the methods and processing systems.
  • Figure 8 is a flow chart of a method.
  • Figure 9 is a high level diagram of a lane keeping control.
  • Figure 10 illustrates map features relevant to lane keeping control.
  • Figure 11 is a diagram illustrating determination and use of data for enhancing vehicle safety.
  • Figure 12 is a diagram illustrating determination and use of data for enhancing vehicle safety.
  • Figure 13 is a block diagram of a vehicle.
  • Figure 14 is a diagram illustrating determination and use of data for enhancing vehicle safety.
  • Figure 15 is a diagram of a system comprising a processing system and a vehicle.
  • Embodiments of the invention will be described in detail. While embodiments will be described in association with autonomous driving or driver assistance functions, the embodiments are not limited thereto. The embodiments may be used in association with various automated driving functions at driving automation levels 1, 2, 3, 4, or 5.
  • the techniques disclosed herein in detail may be used to enhance safety of automated driving functions executed by a vehicle. More specifically, the techniques disclosed herein are operative to systematically determine which map features and key performance indicators (KPIs) of the map features must be present in electronic map data to mitigate the risk of the map data causing malfunction of an automated driving function.
  • KPIs key performance indicators
  • an electronic map and electronic map data refers to data defining a navigable network comprising a plurality of navigable segments along which a vehicle (such as a motor vehicle and/or unmotorized vehicle such as a bike) or other movable element can move.
  • the electronic map and electronic map data may comprise map features such as lane markings, traffic signs, lane boundaries.
  • map features may be included in the electronic map as attributes or may be included in separate, dedicated map layers.
  • a map feature and KPIs of the map feature are determined as being "safety-relevant" for performance of an automated driving function by an automated driving system (ADS) of a vehicle if electronic map data that does not have the safety-relevant map feature or that does not have the safety-relevant KPI can cause a malfunction of the automated driving function.
  • the determination of one or several safety-relevant map feature(s) and its or their safety-relevant KPI(s) is with reference to an automated driving function.
  • the safety-relevant map feature(s) and safety-relevant KPI(s) can vary from one automated driving function to another. While the techniques disclosed herein are primarily discussed in association with an automated driving function, they may be applied to determine and use the safety-relevant map features and KPIs for several automated driving functions executable by an ADS.
  • Safety of execution of an automated driving function may be determined based on one or several safety goals (SGs).
  • the SGs may be predefined or may be configurable, e.g., by controlling a human machine interface (HMI) to allow the SGs to be specified, with the HMI being coupled to or comprised by a computing system that performs the determination of the map features and KPIs required for safe execution of an AD function.
  • KPI of a map feature may refer to a KPI selected from a pre-defined KPI set.
  • the KPI set may comprise or consist of KPIs in accordance with, or compatible with, ISO
  • the pre-defined KPI set may comprise or may consist of:
  • Accuracy can be defined as the closeness of agreement between a test result or measurement result and the true value. This can be broken down into several categories:
      o Positional accuracy: It relates to measurement accuracy, and it represents a closeness of agreement between a measured position of features and a position accepted as true within a spatial reference system.
  • this standard specifies the following three data quality elements for expressing positional accuracy:
      o Absolute or external accuracy: closeness of reported coordinate values to values accepted as true in a standard coordinate reference system;
      o Relative or internal accuracy: closeness of the relative positions of features in a related dataset to their respective relative positions accepted as true in a local coordinate reference system;
  • Thematic accuracy may be defined as the accuracy of quantitative attributes and the correctness of non-quantitative attributes and of the classifications of features and their relationships.
  • Classification correctness: comparison of the classes assigned to features or their attributes to a universe of discourse (e.g., ground truth or reference data).
  • Freshness of the map: how close the map is to reality can be termed the freshness of the map.
  • Coverage represents the presence or absence of topics, their attributes, and relationships according to the regional scope of the product.
  • Completeness refers to the presence and/or absence of features, their attributes, and relationships.
  • the KPIs of map features used for performing an automated driving (AD) function may be different from the KPIs of navigable segments or points of interest (POIs), for example.
  • an AD function may use lane boundaries in combination with sensor data to determine, by fusion of the sensor data and the map feature (lane boundaries), a world model (i.e., a model of a surrounding of the vehicle).
  • the map feature used in performing the AD function (lane boundaries) may have a coverage, freshness, or completeness that is different from that of navigable segments of a navigable network.
  • FIG. 1 is a schematic representation of a system.
  • the system comprises a processing system 30 and a vehicle 10 according to an embodiment.
  • the vehicle 10 comprises one or several actuators 11 and/or one or several HMI(s) 12 controlled by at least one control circuit 20.
  • the one or several actuators 11 may comprise at least one vehicle speed actuator (which may control an engine or brake) and/or a steering direction actuator (which may control wheel steering orientation).
  • the one or several HMI(s) 12 may comprise an optical output device and/or device(s) providing audible or tactile feedback.
  • the vehicle 10 may comprise at least one vehicle sensor.
  • the at least one vehicle sensor may comprise a camera 13, a ranging sensor 14 (which may be a LIDAR-based sensor, for example), a global navigation satellite system (GNSS) receiver, and/or other sensors.
  • GNSS global navigation satellite system
  • the at least one control circuit 20 may comprise an ADS electronic control unit (ECU).
  • the ADS ECU may be operative to perform at least one (and typically several) AD functions.
  • the AD functions may comprise AD functions at various driving automation levels, such as level 1 or level 2 or level 3 or level 4 or level 5.
  • the at least one control circuit 20 may be operative to perform a fusion of electronic map data and sensor data captured by the at least one sensor to determine a world model of an area surrounding the vehicle and to perform the AD function(s) based thereon.
  • a processing system 30 determines which one or several map features and their KPIs are safety-relevant in the sense that absence of the respective map feature(s) or KPIs can cause at least one malfunction of the respective AD function.
  • the processing system 30, a map server system, and/or the vehicle 10 may use the determined safety-relevant map feature(s) and KPI(s) to mitigate the risk of map data-induced malfunctions of the AD function.
  • the vehicle 10 may comprise an OTA interface 21 to receive map data 22 and/or data specifying the map feature(s) and KPI(s) determined to be safety-relevant for the respective AD function.
  • the OTA interface 21 may be communicatively interfaced with the processing system 30 over at least one communication link.
  • the at least one communication link may be a communication link of a communication network 23, which may comprise a wireless communication system, in particular a cellular communication system, and/or a wide area network (WAN) and/or a communication system for a cloud-based processing system.
  • a processing system 30 comprising one or several processing circuit(s) to perform the various processing functions is described in more detail with reference to
  • FIG. 2 is a block diagram of the processing system 30.
  • the processing system 30 comprises at least one first interface 31 operative to receive an electronic map 51 and system model data 52 relating to performance of an AD function or several AD functions by an ADS of a vehicle 10. While the following explanations will focus on the processing for an AD function, the processing operations and actions disclosed below can, and typically will, be performed by the processing system 30 for each of a set of AD functions.
  • the AD functions for which the processing is performed may comprise AD functions of different driving automation levels, such as at least two different automation levels selected from automation levels 1, 2, 3, 4, or 5.
  • the determination of safety-relevant map features and KPIs may be performed in parallel or sequentially for the different AD functions.
  • the safety-relevant map features and KPIs may be determined per AD function and may be used to ensure that the respective AD function, if performed, is not prone to map data-induced malfunctions.
  • the system model data 52 may define whether and, if so, how electronic map data is used or may be used for performing the AD function.
  • the system model data 52 may comprise a generic model defining which data elements are fused to perform a certain function (such as by defining that lane boundaries of an electronic map are used in combination with camera images).
  • the system model data 52 may be independent of the specific logic operations that define how the data elements are logically combined, allowing the techniques disclosed herein to be applicable to a wide variety of implementations that may be proprietary for various vehicle models or ADS suppliers.
  • the system model data 52 may also comprise information on the specific logical implementation defining how map features and sensor data are available if such information is available.
  • the processing system 30 may be operative to process the system model data 52 and, optionally, the electronic map data 51 to generate and provide output 53.
  • the output 53 may comprise an output that ensures that electronic map data used by the ADS of the vehicle 10 does not cause a malfunction of the AD function.
  • the output 53 may comprise an output used by a device or system different from the processing system (such as the vehicle 10, a map server, an OTA update server, a fleet management server for vehicles) to ensure that electronic map data used by the ADS of the vehicle 10 does not cause a malfunction of the AD function.
  • the output 53 may comprise data defining the safety-relevant map features and the safety-relevant KPIs for each of one or more AD functions.
  • Such data defining the safety-relevant map features and the safety-relevant KPIs may be used by the vehicle 10, the map server, the OTA update server, or the fleet management server to ensure that electronic map data used by the vehicle 10 in performing the AD function has the safety-relevant map features and KPIs determined by the processing system 30 for the respective AD function.
  • the output 53 may comprise electronic map data that has been verified by the processing system 30 to have the safety-relevant map features and KPIs determined by the processing system 30 for the respective AD function.
  • the processing system 30 may comprise functions of a map server and/or an OTA update server and/or a fleet management system and may provide electronic map data or updates, verified for their conformity with the determined safety-relevant map features and KPIs, for use by the vehicle 10.
  • the processing system 30 may store the map data 51 and/or the system model data 52 in a storage system 33 of the processing system 30 or in a storage system accessible to the processing system 30 for use in the processing operations.
  • the processing system 30 comprises the storage system 33.
  • the storage system 33 is operative to store at least the system model(s) for at least one ADS.
  • the storage system 33 may have stored therein data that indicates which types of electronic map data (i.e., which map features) are used, alone or generally in combination with sensor data, to determine a world model used in execution of the AD function.
  • the processing system 30 comprises at least one processing circuit 40.
  • the at least one processing circuit 40 may comprise any one or any combination of integrated circuits, integrated semiconductor circuits, processors, controllers, application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), circuit(s) including quantum bits (qubits) and/or quantum gates, without being limited thereto.
  • the at least one processing circuit 40 may be implemented in one device, such as a device selected from a group consisting of a server remote from the vehicle (such as a processing server, a map server or OTA update server), a fleet management system, and the vehicle 10.
  • the at least one processing circuit 40 may comprise circuits of a distributed system implemented in at least two devices, such as two or more devices selected from a group consisting of a server remote from the vehicle (such as a map server or OTA update server), a fleet management system, and the vehicle 10.
  • the at least one processing circuit 40 is operative to perform a processing 41 to determine one or several map features and KPIs of the one or several map features, which, when missing in electronic map data, have the potential of causing at least one map data-induced malfunction of the AD function.
  • map feature(s) and KPI(s) are also referred to as "safety-relevant" map features and KPIs, respectively.
  • the processing 41 may receive at least the system model data 52 and, if present, the electronic map 51 as input.
  • the processing 41 may comprise a determination 42 of one or several safety-relevant map features.
  • the map feature determination 42 may comprise identifying one or several map features (such as map features related to road boundaries, lane boundaries, traffic signs) that will or potentially will be used by the AD function.
  • the determination 42 may comprise identifying which of these map features, if missing in the electronic map data, has the potential to cause a map data induced malfunction.
  • a map data induced malfunction is a malfunction that can be present even when the sensor data used for performing the AD function are correct. Determining which map feature(s) can be causal for at least one malfunction may comprise performing a causality analysis.
  • the causality analysis may comprise a Bayesian network (BN) or fault tree analysis, without being limited thereto. Examples of such causality analyses are provided and will be explained in more detail with reference to Figures 6 and 7.
  • the processing 41 may comprise a determination 43 of one or several safety-relevant KPIs for the map features determined to be safety-relevant.
  • the KPIs in map data may be different for map features such as related to road boundaries, lane boundaries, traffic signs and navigable segments of the navigable network represented by the electronic map.
  • the KPI determination 43 may comprise identifying one or several KPIs (such as accuracy, freshness, correctness, coverage) that, if missing, can cause a map induced malfunction of the AD function. Determining which KPIs can be causal for at least one malfunction may comprise performing another causality analysis.
  • the other causality analysis may comprise a Bayesian network (BN) or fault tree analysis, without being limited thereto.
  • the processing 41 may comprise a verification 44 of electronic map data and/or the implementation of a mitigating action, based on a check of the map data 51 against the determined one or several safety-relevant map feature(s) and KPI(s).
  • the verification 44 may comprise verifying whether the electronic map data used in execution of the AD function has the one or several safety-relevant map feature(s) and KPI(s).
  • a mitigating action is initiated or performance of a mitigating action is enabled.
  • the mitigating action may comprise any one or any combination of: modifying the electronic map data (e.g., by performing map merging or otherwise combining information from electronic maps having different map feature(s) and/or KPI(s) of the map feature(s)) to ensure that the electronic map data used by the ADS complies with the safety-relevant map feature(s) and KPI(s); causing provision of an OTA map update to the vehicle to ensure that the electronic map data used by the ADS complies with the safety-relevant map feature(s) and KPI(s); enabling a selective activation of the AD function by the ADS responsive to a verification that the electronic map data has the safety-relevant map feature(s) and KPI(s) for that AD function; activating a fallback AD function different from the AD function by the ADS responsive to a verification that the electronic map data does not have the safety-relevant map feature(s) and/or does not have the safety-relevant KPI(s) determined for that AD function; deactivating the ADS until the map data received meets the
  • the output 53 that comprises electronic map data verified to have the required safety-relevant map feature(s) and KPI(s) may be provided via the at least one first interface 31 or at least one second interface 32 (which may be interfaced with a wide area network 23 or a cellular network) for use by the vehicle 10, a map server, an OTA update server, or a fleet management system.
  • Figure 3 is a flow chart of a method 60.
  • the method 60 may be performed automatically by the at least one processing circuit 40, alone or in combination with another device (such as the vehicle 10, a map server, an OTA update server, etc.).
  • the malfunction(s) may be represented by failure of meeting one or several safety goals (SGs).
  • the one or several SGs may be fixed or configurable, e.g., via an HMI of the processing system 30.
  • the processing system 30 may be operative to control the HMI to enable the SGs to be specified. It is noted that the HMI of the processing system 30 should not be confused with an onboard HMI that may be present in a vehicle.
  • the verification may comprise checking map data to verify that it has both the one or several safety-relevant map feature(s) and the one or several safety-relevant KPI(s).
  • the verification at process block 62 may comprise checking which map features (such as map features relating to road boundaries, lane boundaries, and/or traffic signs) are present in the map data and comparing these map features with the safety-relevant map feature(s).
  • the verification at process block 62 may comprise checking which KPIs the safety-relevant map feature(s) have in the map data (such as by retrieving the accuracy, freshness, coverage, and/or completeness) and comparing these KPI(s) of the map features with the safety-relevant KPI(s).
  • Figure 4 is a flow chart of a method 70.
  • the method 70 may be performed automatically by the at least one processing circuit 40, alone or in combination with another device (such as the vehicle 10, a map server, an OTA update server, etc.), by the control circuit 20 of the vehicle 10, or by another device or system.
  • the method 70 may be performed to implement process blocks 62 and 63 of the method 60 of Figure 3.
  • electronic map data is retrieved for use in performance of an AD function.
  • Retrieval of the electronic map data may comprise an OTA retrieval of the electronic map data by the vehicle 10, based on a location, driving direction, and optionally velocity of the vehicle 10.
  • Retrieval of the electronic map data may comprise a retrieval of the electronic map data by the at least one processing circuit 40 or a map server, based on a location, driving direction, and optionally velocity of the vehicle 10.
  • At process block 72, it is determined whether the retrieved electronic map data has the safety-relevant map feature(s).
  • the verification at process block 72 may comprise checking which map features (such as map features relating to road boundaries, lane boundaries, and/or traffic signs) are present in the map data and comparing these map features with the safety-relevant map feature(s). If at least one safety-relevant map feature is not present, the method proceeds to process block 75. Otherwise, the method continues at process block 73.
  • the verification at process block 73 may comprise checking which KPIs the safety-relevant map feature(s) have in the map data (such as by retrieving the accuracy, freshness, coverage, and/or completeness) and comparing these KPI(s) of the map features with the safety-relevant KPI(s). If at least one safety-relevant KPI for at least one of the safety-relevant map features is not present, the method proceeds to process block 75. Otherwise, the method continues at process block 74.
  • If both the safety-relevant map features and the safety-relevant KPI(s) are present, use of the electronic map data for performing the AD function is authorized. This may be done in various ways, such as by selectively activating the AD function in response to and conditionally dependent on successful verification that both the safety-relevant map features and the safety-relevant KPI(s) are present. Alternatively or additionally, the AD function (or ADS) may be deactivated when the vehicle is about to exit an operational design domain (ODD).
  • a mitigating action may be performed.
  • the mitigating action may comprise any one or any combination of: modifying the electronic map data by the processing system 30 or a map server different therefrom (e.g., by performing map merging or otherwise combining information from electronic maps having different map feature(s) and/or KPI(s) of the map feature(s)) to ensure that the electronic map data used by the ADS complies with the safety-relevant map feature(s) and KPI(s); causing, by the processing system 30 or by an OTA server different therefrom, provision of an OTA map update to the vehicle to ensure that the electronic map data used by the ADS complies with the safety-relevant map feature(s) and KPI(s); performing, by the ADS, a selective activation of the AD function responsive to a verification that the electronic map data has the safety-relevant map feature(s) and KPI(s) for that AD function; activating, by
  • Figure 5 is a flow chart of a method 80.
  • the method 80 may be performed automatically by the at least one processing circuit 40, alone or in combination with another device (such as the vehicle 10, a map server, an OTA update server, etc.).
  • the method 80 may be performed to implement process block 61 of the method 60 of Figure 3.
  • a control structure model of the ADS is retrieved.
  • the control structure model may define which AD functions use electronic map data (and more specifically use various map feature(s), such as map feature(s) relating to lane boundaries and/or traffic signs) to perform the respective AD function, alone or - typically - in combination with sensor data.
  • the control structure model may include information on how (i.e., by which logic gates) fusion of electronic map data and sensor data is performed by the ADS to generate a world model of vehicle surroundings.
  • the control structure model allows the processing circuit(s) 40 to determine which map feature(s) are used to generate a world model (or otherwise) to perform an AD function.
  • an AD function is selected.
  • the AD function may be selected from a set of AD functions of the control structure model.
  • malfunctions of the AD function are determined which can be caused by the electronic map data. Determining the malfunctions that can be caused by the electronic map data may comprise a causality analysis.
  • the causality analysis may be implemented using a BN or fault tree, without being limited thereto.
  • the causality analysis may be performed under an assumption that all inputs and operations other than the electronic map data are fault-free.
  • the determined malfunction(s) may be correlated with the electronic map data.
  • the correlation may be performed as explained with reference to Figure 4, for example.
  • the malfunction(s) may be traced back to map feature(s) of the map data that, if missing, may cause at least one malfunction.
  • the malfunction(s) may additionally be traced back to KPI(s) of these map feature(s) that, if not having the required characteristics (such as accuracy, freshness, coverage, completeness), may cause at least one malfunction.
  • the determined safety-relevant map feature(s) and KPI(s) are used to verify whether the electronic map data has the determined safety-relevant map feature(s) and KPI(s) and/or to take a mitigating action, if required.
  • Process block 86 may be implemented using the method 70 of Figure 4.
  • the processing system, vehicle, and methods discussed in detail above and further described below provide a framework designed for the identification of safety-relevant map features and their respective KPIs for AD.
  • the role of maps in AD has been demonstrated by different approaches employed by original equipment manufacturers (OEMs).
  • the safety of AD functions depends on a wide set of factors with the map data being one important factor.
  • the role of a map in the safe operation of automated driving is an important consideration. Approaches are available to trace the malfunction of the AD applications to the sub-system level where map feature(s) are being used.
  • the techniques disclosed herein provide an enhanced approach to identify the role electronic maps play in ensuring safe and reliable operation of an ADS.
  • the system, vehicle, and methods disclosed herein can be applied to any defined level of vehicle automation.
  • the system, vehicle, and methods disclosed herein can be applied to any given AD application using a map feature to identify safety relevant map feature KPIs.
  • the system, vehicle, and methods disclosed herein can also be deployed within the bounds of the vehicle using a runtime application which can enable safe operation of AD functions.
  • OEMs: The techniques disclosed herein can be used by OEMs to determine which map features, used in the safe operation of ADAS/AD systems, are safety relevant. Furthermore, the KPIs used for tracking quality for these safety critical map features can also be determined using the techniques disclosed herein. For illustration, to develop a L3 AD system which performs lane keeping, the techniques disclosed herein will yield lane features as a safety critical map feature. The safety relevant KPIs for this function are determined to be, e.g., accuracy, freshness, completeness, etc.
  • Tier 1: The techniques disclosed herein could be applied by Tier 1 manufacturers which are responsible for developing and integrating the components of an ADS for the OEMs.
  • Map providers: The techniques disclosed herein can be used by any map provider to determine a list of safety critical map features and their quality parameters.
  • the techniques disclosed herein enable a map provider to develop a map suitable for a broad set of use cases thereby encompassing a larger portion of the automotive market. Since the techniques disclosed herein do not require data or involvement from OEMs, the techniques may be used in planning future developments of products which cater to the needs of the growing AD industry. Moreover, the techniques disclosed herein can also be used as a baseline for verifying requirements received from OEMs, thereby ensuring the map providers are developing products at the same pace as the industry.
  • the processing system, vehicle, and methods are particularly useful for determining characteristics of electronic map data for use in AD functions. For illustration, various electronic maps that are distinguished from each other by map feature(s) and/or their KPI(s) may be evaluated, using the determined safety-relevant map feature(s) and KPI(s) as reference that must be fulfilled. A determination may be made as to map selection and/or map merging operations that are to be performed to mitigate the risk of map data induced malfunctions.
  • a further benefit of the techniques disclosed herein is that they do not require the control system model to include details on the fusion logic (e.g., details on the logic gates) used to fuse map data and electronic map data to generate a world model for performing the AD function.
  • KPIs are identified via a top-down safety analysis performed on the AD system.
  • the top-down analysis may be based on multiple safety analysis techniques.
  • a definition of the AD system with its required functionalities may be used (as at process block 81 in Figure 5).
  • the definition of the automation of the AD system may be in accordance with SAE J3016 (e.g., as in force on the filing or priority date of this application).
  • the boundaries of the AD system are also taken into consideration during the system definition phase.
  • the role of the map in performing its required functions is used.
  • a definition of the latter may include a list of map features to be used by the AD system in performing its required maneuvers.
  • An implementation of such a system definition is a Systems Theoretic Process Analysis (STPA) control structure of the AD system under analysis.
  • the control structures are modelled to the point where the subsystems using maps are identified. Tracing the malfunctions (as in process block 83 in Figure 5) may comprise tracing each malfunction of each AD function to a subsystem and component level. The result of this process concerns the map data being used in performing the analyzed AD function. Malfunctions caused by the components of the AD system which do not have any association with the map will not be further considered in this process.
  • An embodiment of this process can comprise a causality analysis, such as a fault tree analysis, event tree analysis or using a Bayesian network, as illustrated in Figure 6 and Figure 7.
  • Correlating the malfunctions with map quality may comprise determining the impact each malfunction has on the AD function. Using these malfunctions, a list of safety-relevant map KPIs is also obtained. This process is repeated for each map feature required for performing the defined AD function. The KPIs are used to evaluate the quality of the map.
  • the KPIs may be defined based on ISO 19157:2013.
  • the KPIs accuracy, classification, freshness, coverage, completeness, which were already mentioned, are a subset of the available KPIs for evaluating a map's quality. Definitions of these KPIs were already provided herein above.
  • These identified map KPIs that are present in the electronic map data are to be evaluated against the list of KPIs that are identified as being safety-relevant. This evaluation may be performed in process blocks 83, 84 in Figure 5 and process blocks 61, 62 in Figure 3. This results in the identification of a subset of safety relevant KPIs which can be used for defining safety requirements for maps.
  • the malfunctions, which may optionally be ranked, can be correlated with map KPIs. This verification may be performed at process block 63 in Figure 3 and process block 86 in Figure 5. The correlation is generally performed with respect to all the safety-relevant KPIs. Weights can be assigned to each KPI depending on the AD functionality being considered.
  • One implementation of this step may comprise assigning a higher weight to accuracy and a lower weight to completeness when the control system definition of the AD system requires a map with high accuracy.
  • the result of this correlation is a list of ranked safety relevant map KPIs, which may be correlated with map KPIs as in process block 63 in Figure 3 and process block 86 in Figure 5.
  • the system definition process of the ADS system requires the elicitation of requirements on the AD system and its use cases. If the AD system undergoes a design change or changes in requirements, the processing is repeated to ensure the relevancy of the results.
  • the process can also be employed when there are several safety-relevant map features for an AD function.
  • the processing operations executed to determine the safety-relevant KPI(s) are performed for each of the safety-relevant map features. This may be done using parallel or sequential processing. Also in this case, the processing is reapplied if there is a change to the list of map features considered for the use case. While techniques of identifying map-related KPIs for a specific use case by analyzing the inputs of the AD system have been previously applied, the defined framework aids in the identification of safety relevant map KPIs relevant to vehicle and AD system providers.
  • the techniques disclosed herein are operative to cascade safety of an AD application to the maps. This results in safety being introduced into the map domain due to the decomposition of safety requirements of the AD application.
  • At least one causality analysis may be performed to determine which map feature(s) and/or which KPI(s) of the map feature(s) are causal for at least one malfunction.
  • BN, fault tree, or event tree analysis may be used.
  • Figure 6 illustrates an implementation of a causality analysis 90.
  • In the causality analysis, it is determined whether a malfunction corresponding to a SG violation 91 can be caused by an electronic map.
  • the SG violation is an incorrect steering or an incorrect acceleration operation or an incorrect braking operation, which may be caused by an incorrect AD function output 92, an incorrect actuator behavior 93, or an incorrect driver behavior 94.
  • the purpose of the causality analysis 90 is to identify the map-related causes for possible malfunctions. Hence, the actuator behavior and driver behavior 94 are regarded to be correct.
  • the incorrect AD function output 92 may be caused by an incorrect AD function operation 96 or an issue with the AD function input 95.
  • the issue with the AD function input 95 may be caused by an issue with the electronic map data 97 or sensor input 98.
  • the electronic map data and sensor input 98 may be combined by the AD system in a potentially complex logics operation 99.
  • Figure 7 illustrates a more specific implementation of a causality analysis 100 as applied to an incorrect steering behavior, i.e., a violation of a SG 101 relating to lane keeping.
  • a malfunction corresponding to a SG violation 101 can be caused by an electronic map.
  • the SG violation is an incorrect steering operation, which may be caused by an incorrect input to steering 102 or an incorrect implementation of the steering 103.
  • the implementation of the steering is regarded as being correct.
  • the incorrect input to the steering 102 may be caused by an incorrect lane keeping assistance input 104, an incorrect steering actuator output 105, or an incorrect driver behavior 106.
  • the purpose of the causality analysis 100 is to identify the map-related causes for possible malfunctions.
  • the actuator behavior and driver behavior 105, 106 are regarded to be correct.
  • the incorrect LKA input 104 may be caused by an incorrect dependency of the LKA function 108 or an incorrect operation 109 of the LKA function.
  • the issue with the AD function input 108 may be caused by an issue with the electronic map data 111 or sensor input 112.
  • the electronic map data 111 and sensor input 112 may be combined by the AD system in a potentially complex logics operation 110.
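The causality analysis of Figure 7 can be carried through as a minimal-cut-set computation. The following is an added example, not code from the patent: the node names combine the description with its reference numerals, every gate above the fusion step is assumed to be an OR gate ("may be caused by"), and the unknown logics operation 110 is modelled once conservatively as OR and once as AND to show how the fusion logic decides whether map data alone can violate the safety goal.

```python
from itertools import product

TOP = "sg_violation_101"

# Events the analysis regards as correct (steering implementation, actuator,
# driver, LKA operation, sensor input), leaving map data as the only suspect.
ASSUMED_FAULT_FREE = frozenset({
    "steering_implementation_103",
    "actuator_output_105",
    "driver_behavior_106",
    "lka_operation_109",
    "sensor_input_112",
})


def build_tree(fusion_gate="OR"):
    """Fault tree of Figure 7; fusion_gate is the assumed model of logic 110."""
    if fusion_gate not in ("OR", "AND"):
        raise ValueError("fusion_gate must be 'OR' or 'AND'")
    return {
        TOP: ("OR", ["steering_input_102", "steering_implementation_103"]),
        "steering_input_102": (
            "OR",
            ["lka_input_104", "actuator_output_105", "driver_behavior_106"],
        ),
        "lka_input_104": ("OR", ["lka_dependency_108", "lka_operation_109"]),
        "lka_dependency_108": (fusion_gate, ["map_data_111", "sensor_input_112"]),
    }


def minimize(sets):
    """Drop duplicates and any cut set that strictly contains another one."""
    unique = set(sets)
    minimal = [s for s in unique if not any(other < s for other in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def cut_sets(tree, node):
    """Minimal sets of basic events that are sufficient to trigger `node`."""
    if node not in tree:  # basic event (leaf)
        return [frozenset([node])]
    gate, children = tree[node]
    child_sets = [cut_sets(tree, child) for child in children]
    if gate == "OR":
        # Any single child's cut set triggers the gate.
        combined = [cs for sets in child_sets for cs in sets]
    else:
        # AND: one cut set from every child must occur together.
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    return minimize(combined)


def map_induced_causes(fusion_gate="OR"):
    """Cut sets that remain possible when all non-map events are fault-free."""
    tree = build_tree(fusion_gate)
    return [cs for cs in cut_sets(tree, TOP) if not cs & ASSUMED_FAULT_FREE]


if __name__ == "__main__":
    for gate in ("OR", "AND"):
        causes = [sorted(cs) for cs in map_induced_causes(gate)]
        print(f"fusion modelled as {gate}: map-induced causes = {causes}")
```

With the conservative OR model the map data is a single-point cause of the safety-goal violation, so the lane features count as safety-relevant; with an AND model and correct sensors no map-induced cut set remains.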
  • Figure 8 is a flow chart of a method 120.
  • the method 120 uses the determined safety-relevant map feature(s) and KPI(s) to enhance vehicle safety.
  • the method 120 may be performed by the processing system 30 and/or the control circuit 20 of the vehicle 10 (in particular the ADS of the control circuit 20).
  • Method 120 may be used to implement process block 63 of Figure 3, process blocks 74, 75 of Figure 4, or process block 86 of Figure 5.
  • the determined safety-relevant map feature(s) and KPI(s) are retrieved.
  • the determined safety-relevant map feature(s) and KPI(s) may specify, for each one of one or several AD functions, which map feature(s) and KPI(s) of the map feature(s) must be fulfilled by electronic map data that is used for performing the respective AD function.
  • a runtime evaluation of electronic map data may be performed onboard the vehicle 10 or by the processing system 30 or by a map or OTA server that controls the provision of map data to the vehicle 10.
  • the evaluation at process block 122 may comprise determining which map feature(s) and KPI(s) thereof the electronic map data has.
  • the evaluation at process block 122 may be performed based on criteria that are dependent on the received safety-relevant map feature(s) and KPI(s). This may be done as explained with reference to process blocks 72 and 73 of Figure 4.
  • the evaluation at process block 122 may be performed as new map data is received by the vehicle 10.
  • the evaluation may be performed for each of the one or several AD functions, each of the associated map feature(s), and each of the associated KPI(s).
  • At process block 123, it is verified whether the electronic map data has the safety-relevant map feature(s) and KPI(s). This may be done as explained with reference to process blocks 72 and 73 of Figure 4.
  • the AD function may be performed using the electronic map data.
  • Process block 124 may comprise selectively activating the AD function in response to confirming that the electronic map data has the map feature(s) and KPI(s) specified to be safety-relevant in the received data 121.
  • a mitigating action may be performed, as previously explained.
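The checks of process blocks 72 to 75 of Figure 4, applied per AD function as in the runtime evaluation of Figure 8, can be sketched as a fail-closed gate. This is an added example, not code from the patent: the KPI names, units, comparison directions, thresholds and the sample map metadata are all constructed assumptions.

```python
import math
from dataclasses import dataclass, field

# Assumed KPI semantics: "max" means the value must not exceed the limit
# (position error in metres, age in days); "min" means it must reach the limit.
KPI_DIRECTION = {
    "accuracy_m": "max",
    "freshness_days": "max",
    "coverage": "min",
    "completeness": "min",
}

# Constructed safety-relevant map features and KPI limits per AD function.
REQUIREMENTS = {
    "LKA": {"lane_features": {"freshness_days": 30, "accuracy_m": 0.2,
                              "completeness": 0.98, "coverage": 0.99}},
    "ACC": {"speed_restrictions": {"freshness_days": 7, "completeness": 0.95}},
}

# Constructed metadata delivered with a piece of electronic map data.
SAMPLE_TILE = {
    "lane_features": {"freshness_days": 12, "accuracy_m": 0.15,
                      "completeness": 0.99, "coverage": 1.0},
    "speed_restrictions": {"freshness_days": 21, "completeness": 0.97},
}


@dataclass
class Decision:
    ad_function: str
    authorized: bool
    block: int  # 74 = use of the map data authorized, 75 = mitigating action
    reasons: list = field(default_factory=list)


def kpi_ok(name, value, limit):
    """Fail closed: unknown KPI, missing, non-numeric or NaN values never pass."""
    direction = KPI_DIRECTION.get(name)
    if direction is None or isinstance(value, bool):
        return False
    if not isinstance(value, (int, float)) or not math.isfinite(value):
        return False
    return value <= limit if direction == "max" else value >= limit


def verify(ad_function, map_meta, requirements=REQUIREMENTS):
    required = requirements.get(ad_function)
    if not required:
        return Decision(ad_function, False, 75, ["no requirements for function"])
    # Block 72: are all safety-relevant map features present?
    missing = sorted(f for f in required if f not in map_meta)
    if missing:
        return Decision(ad_function, False, 75,
                        [f"missing map feature: {f}" for f in missing])
    # Block 73: does every safety-relevant KPI of each feature meet its limit?
    reasons = []
    for feature, kpis in sorted(required.items()):
        for name, limit in sorted(kpis.items()):
            value = map_meta[feature].get(name)
            if not kpi_ok(name, value, limit):
                reasons.append(f"{feature}.{name}={value!r} violates limit {limit}")
    if reasons:
        return Decision(ad_function, False, 75, reasons)
    return Decision(ad_function, True, 74)  # block 74


def select_active_functions(map_meta, requirements=REQUIREMENTS):
    """Selective activation: only functions whose map checks pass are enabled."""
    return {fn: verify(fn, map_meta, requirements).authorized
            for fn in sorted(requirements)}


if __name__ == "__main__":
    for fn in sorted(REQUIREMENTS):
        print(verify(fn, SAMPLE_TILE))
```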
  • the system considered is a Level 3 AD system.
  • the functions considered in this system are an Adaptive Cruise Control (ACC), Automatic Emergency Braking (AEB), Lane Keep Assist (LKA), and Lane Departure Warning (LDW).
  • the AD system utilizes the lane features, traffic signs, road markings, and speed restrictions to perform its functions. The role of map feature in each AD application is discussed below.
  • the LKA system requires the lane features to function optimally on a defined road segment.
  • Figure 9 shows a high-level control structure 200 implemented by the AD system of the vehicle 10.
  • Actuators 202 may be operated by driver action 201 or by an output of a lateral driving control unit 203.
  • the lateral driving control unit 203 receives the actuator states as input and uses the actuator states to control the lateral position, e.g., for LKA functions.
  • Automated driving functions may use perception 204, i.e., the processing and interpretation of data captured by a vehicle sensor for performing the respective AD function, and electronic map data 205.
  • Figure 10 shows a schematic top view 210 to explain some map features that may be used by the AD functions.
  • Functions such as LKA and LDW may use a center line 211 of a road segment, a lane width 212, broken lane markings 213 (or the presence or absence thereof) in performing the AD functions.
  • the purpose of LKA or LDW may be to keep a vehicle positioned within a boundary 214, which is also referred to as boundary of correctness in the art.
  • a wandering distance sets an allowable lateral distance within which the AD vehicle can operate safely.
  • LKA must stay within the defined wandering distance, which may be, e.g., 0.375 m. This distance may be defined using UNECE R157.
  • Map features considered for the application of LKA are lane features. A further breakdown of lane features is possible but will not be presented in the following. Hence, the level of abstraction of map feature is limited to lane features in the following for ease of understanding. A broad set of use cases for the map data can generally be taken into consideration, reflecting different possible approaches taken by OEMs or ADS providers.
  • KPIs: accuracy (positional, absolute, and relative, thematic); freshness; coverage; completeness (false positives, false negatives).
  • the SG(s) is/are determined from the defined vehicle level hazards.
  • the SG for the LKA function is to ensure the vehicle stays within the bounds of the lane markings on the road.
  • the tracing of malfunctions of the AD application can be performed using an FTA.
  • the failure to keep the vehicle within the lateral bounds can be propagated to the failure of maps.
  • the results of the FTA are shown in Figure 7.
  • Malfunction identification is performed as a part of the previous step.
  • HAZOP (IEC 61882) can be referred to in order to ensure completeness regarding the failure modes. Instances of map induced malfunctions obtained from HAZOP are provided in the following Table 3:
  • For Lane Keep Assist, the map feature, lanes, is safety relevant and the following KPIs are considered as safety relevant (with the list position indicating the degree of importance): freshness; accuracy; completeness and coverage.
  • safety-relevant map feature(s) and safety-relevant KPI(s) may be used in various ways and for various purposes, respectively in a manner which enhances vehicle safety by reducing the risk of map induced malfunctions in performance of the AD function.
  • Figure 11 illustrates a process in which a map provider maintains a map database 141.
  • the map database may comprise one or several electronic maps.
  • the map database 141 may define navigable segments with which speed restrictions 143 and/or lane features 144 and/or other features may be associated.
  • Electronic map data 142 generated from the map database 141 may be provided to the vehicle 10 for use in performance of an AD function, such as an LKA function.
  • the map provider may determine the safety-relevant map features and KPIs 145, 146 for each of one or several AD functions.
  • the safety-relevant map features and KPIs may be provided, in association with the AD function to which it relates, to the vehicle 10.
  • the vehicle control circuit 20 may optionally also be operative to perform the method disclosed herein to identify safety-relevant map feature(s) and KPI(s) for at least one AD function, as illustrated at 131.
  • the vehicle control circuit 20 may be operative to perform a runtime evaluation 133 of KPIs.
  • the runtime evaluation may comprise verifying that the electronic map data has the required map features and KPI(s).
  • the vehicle control circuit 20 may perform a fusion 134 of perception (based on sensor data) and electronic map data to provide a world model of the vehicle surroundings.
  • An activation 135 of an ADS may be performed onboard the vehicle.
  • a selective activation or deactivation 136 of AD functions may be performed.
  • the ADS 137 then performs the activated AD functions.
  • Figure 11 uses a runtime implementation of the method implemented onboard a vehicle. This may be beneficial for a collaborative development of an ADS by multiple stakeholders (OEM, Tier 1, and map provider).
  • the map provider is responsible for the delivery of map data along with the required meta data such as the KPIs to the vehicle 10.
  • the map provider may also provide an ODD layer which may be managed by the OEM and Tier 1.
  • the ADS can determine the usage and role of the map data depending on the vehicle functions present in the ADS. This will be used as an input to the proposed framework 131 to determine required map features. The KPIs for each map feature will be determined based on the requirements of the AD function.
  • the evaluation 133 which may be hosted on the ADS ECU, is performed to ensure the map delivered meets the requirements of the ADS.
  • the evaluation may comprise a check of confidence levels assigned to different map features. If the cumulative confidence score of the map features is above the threshold defined by the ADS, the evaluation is considered successful.
  • Successful results of the evaluation enable the world modelling process 134, fusion of map and sensor data, which is communicated to the ADS 137 if it has been activated. Failures occurring in the evaluation process cause the ADS to remain deactivated until the map data meets the required thresholds set by the ADS.
  • Figure 12 illustrates operation 150 of a system which represents an extension of the techniques of Figure 11.
  • Figure 12 uses a runtime implementation of the method in a vehicle.
  • the map provider delivers map data to the vehicle with the required metadata such as the KPIs.
  • the map providers, OEMs, and/or ADS providers must determine the possible scenarios encountered by the vehicle.
  • the scenario determination can be performed by the map provider as ADS scenario identification 147 and/or onboard the vehicle, for example.
  • the scenarios can be described as the type of maneuvers expected to be made by the ADS in the planned route for the vehicle. This will be used as an input to the map feature and KPI identification 131.
  • the map feature and KPI identification can be performed within the vehicle using a defined machine-readable instruction code component in the ADS.
  • the map feature and KPI identification provides a list of safety-relevant map features required for performing the selected AD function in the identified scenarios.
  • An evaluation which is hosted on the ADS ECU, is performed to ensure the map delivered meets the requirements of the ADS.
  • the scenarios encountered by the vehicle are logged and used for the verification of identified scenarios.
  • the first execution of the framework requires many possible scenarios and the results obtained for them are saved by the machine-readable instruction code component of the ADS.
  • the list of scenarios and their required map features become more concise, thereby leading to quicker and pre-emptive executions of the method.
  • the map features identified as required for performing maneuvers which are not observed are stored in the memory cache to ensure that the framework does not have to be executed multiple times to obtain the required results. This is illustrated in Figure 12.
  • embodiments also relate to a vehicle capable of performing and/or using the safety-relevant map feature(s) and KPI(s).
  • Figure 13 is a block diagram of a vehicle 10 comprising at least one ADS ECU 166 of an ADS 165.
  • the at least one ADS ECU 166 is operative to control one or several actuator(s) 11 and/or one or several HMI(s) 12 to perform AD functions.
  • the ADS ECU 166 is operative to receive electronic map and sensor data 161.
  • the electronic map data received at at least one interface 163 may be dependent on the location and driving direction of the vehicle 10.
  • the ADS ECU 166 is operative to receive data specifying safety-relevant map feature(s) and KPI(s) 162 or to determine the safety-relevant map feature(s) and KPI(s) 162 using the techniques disclosed herein.
  • the at least one ADS ECU 166 may be operative to perform a map feature and KPI processing 167 to verify that electronic map data has the safety-relevant map feature(s) and KPI(s) determined for an AD function to be performed.
  • the at least one ADS ECU 166 may be operative to perform an AD function control 168 responsive to the processing 167.
  • the AD function control 168 may be operative to selectively control an AD function conditionally dependent on a verification that the electronic map data has the safety-relevant map feature(s) and KPI(s).
  • the at least one ADS ECU 166 may perform a sensor and map data fusion 169 to generate a world model, and may control the actuator(s) 11 and/or HMI(s) based thereon.
  • the at least one ADS ECU 166 may comprise any one or any combination of integrated circuits, integrated semiconductor circuits, processors, controllers, application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), circuit(s) including quantum bits (qubits) and/or quantum gates, without being limited thereto.
  • the at least one ADS ECU 166 may be operative to store map features required for performing maneuvers which are not observed in a storage system 164 to ensure that unnecessary multiple executions of the method can be avoided.
  • the method disclosed herein may also be used in the initial development and/or update of AD functions.
  • the processing system 30 or an OTA update server may be operative to provide updates for AD functions that take into account the safety-relevant map feature(s) and KPI(s), as well as the map feature(s) and KPI(s) offered by the available electronic map data.
  • the techniques disclosed herein may be used to control deployment and/or update of AD functions or ADSs.
  • AD functions are being developed continually, i.e., in an ongoing manner.
  • CI-CD pipelines may be used.
  • safety engineering is dependent on the system architecture; changes in any form result in the repetition of techniques which ensure safety.
  • the proposed method can be integrated within the development of AD functions or their updates.
  • Figure 14 illustrates such a scenario 180.
  • the techniques of determining safety-relevant map features and KPI(s) 183 may be used to verify that the electronic map data provides the safety-relevant map features and KPIs for the AD function as developed or modified.
  • a vehicle manufacturer or ADS manufacturer can source the required map features from a map provider to ensure safe operation of their vehicles.
  • an enhanced AD development or AD update process 181 is provided.
  • the results of the process 181 may be used for controlling map delivery 184 for in-vehicle map features delivery 186.
  • the results of the process 181 may alternatively or additionally be used for performing a modification of the ADS, e.g., by means of an OTA update.
  • While methods, systems, and devices have been described in association with a vehicle 10, the techniques are generally applicable to a plurality of vehicles to ensure that AD functions performed by each of the plurality of vehicles use electronic map data having the safety-relevant map features and KPIs.
  • Figure 15 shows a system 190 comprising a vehicle 10.
  • the vehicle 10 has the ADS 165.
  • the vehicle has an OTA interface comprising an antenna 19 for receiving electronic map data and/or ADS updates in an OTA-based manner.
  • the safety-relevant map feature(s) and KPI(s) may be used to control the distribution of electronic map data from a data resource 192 (such as a map server) and/or from an OTA update server 191 to the vehicle 10 as well as multiple other vehicles 194 comprised by the system 190.
  • the distribution may be performed via a communication system 193 that may comprise a WAN and/or a cellular system.
  • the vehicle 10 and the vehicles 194 may respectively be operative to use the safety-relevant map feature(s) and KPI(s) for a runtime implementation in which the electronic map data is verified to have the safety-relevant map feature(s) and KPI(s), thereby mitigating the risk of map data induced malfunctions.
  • the techniques disclosed herein provide various technical effects. By determining the safety-relevant map feature(s) and KPI(s) for each of one or several AD functions and verifying electronic map data based on criteria established using the safety-relevant map feature(s) and KPI(s), the risk of map-induced malfunctions is reduced.
  • the techniques can be implemented without requiring detailed information on the logic gates that are used to implement the fusion of map data and perception (sensor data).
  • a machine-readable instruction code may be stored/distributed on a suitable medium, such as an optical storage medium or a solid-state medium supplied together with or as part of other hardware, but may also be distributed in other forms, such as via a wide area network or other wired or wireless telecommunication systems.
  • a machine-readable instruction code can also be a data structure product or a signal for embodying a specific method such as the method according to embodiments.
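
The runtime evaluation 133 described in the list above (map data must carry the safety-relevant features and KPIs, the cumulative confidence must be above the ADS threshold, and the ADS stays deactivated otherwise) can be written as a fail-closed check. This is an added example, not code from the patent application; the metadata field names, the numeric limits and the use of a product as the cumulative score are assumptions.

```python
import math
from dataclasses import dataclass
@dataclass(frozen=True)
class KpiLimits:
    max_age_days: float      # freshness
    max_pos_error_m: float   # accuracy
    min_completeness: float  # completeness
    min_coverage: float      # coverage

# AD function -> safety-relevant map feature -> KPI limits. LKA/lane follows
# the page; the numeric limits and field names are constructed assumptions.
REQUIREMENTS = {"LKA": {"lane": KpiLimits(30.0, 0.20, 0.98, 0.95)}}
FIELDS = ("age_days", "pos_error_m", "completeness", "coverage", "confidence")

def _finite(value):
    """Accept only real, finite numbers (rejects bool, str, None, NaN, inf)."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    try:
        f = float(value)
    except OverflowError:
        return None
    return f if math.isfinite(f) else None

def evaluate_map(ad_function, map_meta, confidence_threshold):
    """Return (ok, reasons); the ADS stays deactivated unless ok is True."""
    required = REQUIREMENTS.get(ad_function)
    if not required or not isinstance(map_meta, dict):
        return False, [f"{ad_function}: no requirements or no map metadata"]
    reasons, cumulative = [], 1.0
    for feature, lim in required.items():
        meta = map_meta.get(feature)
        if not isinstance(meta, dict):
            reasons.append(f"{feature}: feature missing")
            continue
        v = {k: _finite(meta.get(k)) for k in FIELDS}
        absent = [k for k in FIELDS if v[k] is None]
        if absent:
            reasons.append(f"{feature}: missing/invalid {','.join(absent)}")
            continue
        if not 0 <= v["age_days"] <= lim.max_age_days:
            reasons.append(f"{feature}: freshness")
        if not 0 <= v["pos_error_m"] <= lim.max_pos_error_m:
            reasons.append(f"{feature}: accuracy")
        if not lim.min_completeness <= v["completeness"] <= 1:
            reasons.append(f"{feature}: completeness")
        if not lim.min_coverage <= v["coverage"] <= 1:
            reasons.append(f"{feature}: coverage")
        if not 0 <= v["confidence"] <= 1:
            reasons.append(f"{feature}: confidence out of range")
        cumulative *= v["confidence"]  # assumption: product of confidences
    # Success only if the cumulative score is above the ADS threshold.
    if not reasons and not cumulative > confidence_threshold:
        reasons.append("cumulative confidence not above threshold")
    return not reasons, reasons

# Constructed sample metadata accompanying delivered map data.
GOOD = {"lane": {"age_days": 3, "pos_error_m": 0.1, "completeness": 0.99,
                 "coverage": 0.97, "confidence": 0.96}}
```

Because every comparison is written so that a missing, non-numeric or NaN value fails it, malformed metadata received over the OTA path leaves the AD function deactivated rather than passing by default.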

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Radar, Positioning & Navigation (AREA)
  • Remote Sensing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Traffic Control Systems (AREA)

Abstract

To improve the safety of a vehicle (10) performing an automated driving function, at least one processing circuit (20, 30) determines one or several map features and one or several key performance indicators which, if not present in map data (22), may lead to a map-data-induced malfunction of the automated driving function. The map data (22) are verified to comply with criteria that depend on the determined map feature(s) and key performance indicator(s).
PCT/EP2023/068015 2023-06-30 2023-06-30 Method of enhancing vehicle safety, method of controlling operation of a vehicle, processing system, vehicle, and machine-readable instruction code Pending WO2025002573A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2023/068015 WO2025002573A1 (fr) 2023-06-30 2023-06-30 Method of enhancing vehicle safety, method of controlling operation of a vehicle, processing system, vehicle, and machine-readable instruction code

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2023/068015 WO2025002573A1 (fr) 2023-06-30 2023-06-30 Method of enhancing vehicle safety, method of controlling operation of a vehicle, processing system, vehicle, and machine-readable instruction code

Publications (1)

Publication Number Publication Date
WO2025002573A1 true WO2025002573A1 (fr) 2025-01-02

Family

ID=87196417

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2023/068015 Pending WO2025002573A1 (fr) 2023-06-30 2023-06-30 Method of enhancing vehicle safety, method of controlling operation of a vehicle, processing system, vehicle, and machine-readable instruction code

Country Status (1)

Country Link
WO (1) WO2025002573A1 (fr)

Legal Events

Date Code Title Description
121 EP: The EPO has been informed by WIPO that EP was designated in this application

Ref document number: 23739153

Country of ref document: EP

Kind code of ref document: A1