Method for controlling a motor vehicle remotely
11537122 · 2022-12-27
Assignee
Inventors
Cpc classification
H04L9/3239
ELECTRICITY
H04W4/44
ELECTRICITY
H04L9/3297
ELECTRICITY
H04W4/90
ELECTRICITY
G05D1/0214
PHYSICS
B60W30/08
PERFORMING OPERATIONS; TRANSPORTING
International classification
G05D1/00
PHYSICS
H04W4/44
ELECTRICITY
H04L9/06
ELECTRICITY
Abstract
A method for controlling a motor vehicle remotely. The method includes: receiving safety condition signals, which represent at least one safety condition that must be satisfied, so that the motor vehicle may be controlled remotely; checking if the at least one safety condition is satisfied; generating remote control signals for controlling the motor vehicle remotely, based on a result of the check as to whether the at least one safety condition is satisfied; and outputting the remote control signals generated. A device, a computer program and a machine-readable storage medium, are also described.
Claims
1. A method for controlling a motor vehicle remotely, comprising the following steps: receiving safety condition signals, which represent at least one safety condition that must be satisfied, so that the motor vehicle may be controlled remotely; checking whether the at least one safety condition is satisfied; generating remote control signals for controlling the motor vehicle remotely, based on a result of the check as to whether the at least one safety condition is satisfied; and outputting the generated remote control signals, wherein after the outputting of the remote control signals, remote control of the motor vehicle is tested based on the output remote control signals in order to detect a fault, and wherein, in response to the detection of a fault, the remote control is interrupted, or emergency remote control signals for controlling the motor vehicle remotely in an emergency are generated and output, wherein emergency plan signals are received, which represent an emergency plan specific to the detected fault, and the emergency remote control signals are generated based on the specific emergency plan, wherein it is additionally tested, at regular intervals, if the emergency plan signals were received and/or if the emergency remote control signals were generated, wherein if the emergency plan signals were not received or if the emergency remote control signals were not generated, a reactionary action is carried out.
2. The method as recited in claim 1, wherein the at least one safety condition includes at least one of the following safety conditions: (i) presence of a predetermined safety integrity level or automotive safety integrity level of at least the motor vehicle and an infrastructure including a communication path and/or communications components, for controlling a motor vehicle remotely, (ii) presence of a maximum latency time of a communication between the motor vehicle and a remote control device for controlling the motor vehicle remotely based on the remote control signals, (iii) presence of a predetermined computer protection level of a device for executing the method steps, (iv) presence of predetermined components and/or algorithms and/or communication options, which are used for executing the method steps, (v) presence of redundancy and/or diversity in predetermined components and/or algorithms and/or communication options, which are used for executing the method steps, (vi) presence of predetermined availability information, which indicates an availability of predetermined components and/or algorithms and/or communication options, (vii) presence of predetermined quality criteria of the predetermined components and/or algorithms and/or communication options, (viii) presence of a plan, which includes measures for reducing faults and/or measures in response to failures of predetermined components and/or algorithms and/or communication options and/or measures for incorrect analyses and/or measures in response to incorrect interpretations; presence of one or more fallback scenarios, (ix) presence of a predetermined function, (x) presence of a predetermined traffic situation, (xi) presence of predetermined weather, (xii) presence of a maximum possible time for a specific performance or execution of one method step or a plurality of method steps, (xiii) presence of a test result, that elements or functions, which are used for executing the method, are presently functioning correctly.
3. The method as recited in claim 1, wherein the remote control signals are generated only when the at least one safety condition is satisfied.
4. The method as recited in claim 1, wherein the check as to whether the at least one safety condition is satisfied, is carried out prior to and/or after and/or during one or more predetermined method steps.
5. The method as recited in claim 1, wherein the testing of the remote control includes the check as to whether the at least one safety condition is satisfied, and wherein the fault is determined when it is determined that the at least one safety condition is not satisfied.
6. The method as recited in claim 1, wherein the testing of the remote control includes a check as to whether a result to be achieved by the remote control is achieved, and wherein a fault is determined when a result of the check as to whether the result to be achieved by the remote control is achieved which indicates that the result to be achieved by the remote control has not been achieved.
7. The method as recited in claim 6, wherein further remote control signals for controlling the motor vehicle remotely based on the result to be achieved are generated and outputted in order to achieve the result, and wherein the motor vehicle is controlled remotely based on the further remote control signals.
8. The method as recited in claim 1, wherein the check as to whether the at least one safety condition is satisfied, includes a check as to whether the at least one safety condition is satisfied at a predetermined time.
9. The method as recited in claim 1, further comprising the following steps: receiving situation signals which represent a situation in which the motor vehicle finds itself; receiving table signals which represent a table that affixes predetermined situations to predetermined requirements for controlling a motor vehicle remotely; and assigning the situation in which the motor vehicle finds itself to one of the predetermined situation; wherein the remote control signals are generated based on the requirement for controlling a motor vehicle remotely corresponding to the one predefined situation.
10. The method as recited in claim 1, wherein the one or more method steps are executed inside the motor vehicle, and/or the one or more of the method steps are executed outside of the motor vehicle in an infrastructure.
11. The method as recited in claim 1, wherein one or more of the method steps are executed outside of the motor vehicle in a cloud infrastructure.
12. The method as recited in claim 1, wherein the method steps are documented in a blockchain.
13. The method as recited in claim 1, further comprising: testing whether an entity made up of the motor vehicle and infrastructure involved in the method, including communication between the infrastructure and the motor vehicle, is secure.
14. A device for controlling a motor vehicle remotely, the device comprising a processor, wherein the processor is programmed to: receive safety condition signals, which represent at least one safety condition that must be satisfied, so that the motor vehicle may be controlled remotely; check whether the at least one safety condition is satisfied; generate remote control signals for controlling the motor vehicle remotely, based on a result of the check as to whether the at least one safety condition is satisfied; and output the generated remote control signals, wherein after the outputting of the remote control signals, remote control of the motor vehicle is tested based on the output remote control signals in order to detect a fault, and wherein, in response to the detection of a fault, the remote control is interrupted, or emergency remote control signals for controlling the motor vehicle remotely in an emergency are generated and output, wherein emergency plan signals are received, which represent an emergency plan specific to the detected fault, and the emergency remote control signals are generated based on the specific emergency plan, wherein it is additionally tested, at regular intervals, if the emergency plan signals were received and/or if the emergency remote control signals were generated, wherein if the emergency plan signals were not received or if the emergency remote control signals were not generated, a reactionary action is carried out.
15. A non-transitory machine-readable storage medium on which is stored a computer program for controlling a motor vehicle remotely, the computer program, when executed by a computer, causing the computer to perform the following steps: receiving safety condition signals, which represent at least one safety condition that must be satisfied, so that the motor vehicle may be controlled remotely; checking whether the at least one safety condition is satisfied; generating remote control signals for controlling the motor vehicle remotely, based on a result of the check as to whether the at least one safety condition is satisfied; and outputting the generated remote control signals, wherein after the outputting of the remote control signals, remote control of the motor vehicle is tested based on the output remote control signals in order to detect a fault, and wherein, in response to the detection of a fault, the remote control is interrupted, or emergency remote control signals for controlling the motor vehicle remotely in an emergency are generated and output, wherein emergency plan signals are received, which represent an emergency plan specific to the detected fault, and the emergency remote control signals are generated based on the specific emergency plan, wherein it is additionally tested, at regular intervals, if the emergency plan signals were received and/or if the emergency remote control signals were generated, wherein if the emergency plan signals were not received or if the emergency remote control signals were not generated, a reactionary action is carried out.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
(1)
(2)
(3)
(4)
DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS
(5)
(6) Determining 101 that a motor vehicle should be controlled remotely; receiving 103 safety condition signals, which represent at least one safety condition that must be satisfied, so that the motor vehicle may be controlled remotely;
(7) checking 105 if the at least one safety condition is satisfied;
(8) generating 107 remote control signals for controlling the motor vehicle remotely, based on a result of the check as to whether the at least one safety condition is satisfied;
(9) outputting 109 the remote control signals generated.
(10) At this point, it is noted that the determining step 101 is an optional step. In one further specific embodiment, the determining step 101 may not be included in the method according to the first aspect.
(11) In one specific embodiment, it is provided that request signals be received, which represent a request for controlling a motor vehicle remotely.
(12) According to one specific example embodiment of the present invention, it is determined, in response to the receipt of the request signals, that a motor vehicle is intended to be controlled remotely.
(13) In one specific example embodiment of the present invention, it is provided that situation signals be received, which represent a situation in which a motor vehicle finds itself. According to one specific example embodiment of the present invention, the situation signals are processed, in order to ascertain if the motor vehicle must be controlled remotely. According to one specific example embodiment of the present invention, if it is ascertained that the motor vehicle must be controlled remotely, then it is determined that the motor vehicle is intended to be controlled remotely.
(14) For example, the motor vehicle may be in a situation, which the motor vehicle is not able to resolve or overcome independently. Then, for example, it is determined that the motor vehicle should be controlled remotely.
(15) The result of the check indicates, for example, that the at least one safety condition is satisfied. The result of the check indicates, for example, that the at least one safety condition is not satisfied.
(16) In one specific example embodiment according to the present invention, it is provided that the remote control signals only be generated, when the result of the check indicates that the at least one safety condition is satisfied.
(17) In one specific example embodiment according to the present invention, it is provided that the generation of remote control signals be refrained from, if the result of the check indicates that the at least one safety condition is not satisfied.
(18) According to one specific example embodiment of the present invention, the outputting 109 includes that the generated remote control signals are transmitted over a communications network, in particular, over a wireless communications network, to the motor vehicle.
(19) According to one specific example embodiment of the present invention, the method according to the first aspect includes the step of controlling the motor vehicle remotely on the basis of the outputted remote control signals.
(20)
(21) Device 201 is configured to execute all of the steps of the method according to the first aspect.
(22) Device 201 includes an input, which is configured to receive the safety condition signals.
(23) Device 201 further includes a processor 205, which is configured to check if the at least one safety condition is satisfied.
(24) In a further specific embodiment (not shown), processor 205 is configured, in particular, to determine that a motor vehicle should be controlled remotely.
(25) Processor 205 is further configured to generate the remote control signals.
(26) Device 201 further includes an output 207, which is configured to output the remote control signals generated.
(27) According to one specific example embodiment of the present invention, device 201 includes a remote control device, which is configured to control the motor vehicle remotely on the basis of the remote control signals outputted.
(28) In general, signals, which are received, are received with the aid of input 203. Thus, input 203 is configured, in particular, to receive the corresponding signals.
(29) In general, signals, which are outputted, are outputted with the aid of output 207. Thus, output 207 is configured, in particular, to output the corresponding signals.
(30) According to one specific example embodiment of the present invention, a plurality of processors are provided in place of the one processor 205.
(31) According to one specific example embodiment of the present invention, processor 205 is configured to execute the generating and checking steps described above and/or in the following.
(32) In one specific example embodiment of the present invention, one or more method steps up to the steps of generating and outputting the remote control signals are executed inside the motor vehicle, and/or one or more method steps are executed outside of the motor vehicle, in particular, in an infrastructure, preferably, in a cloud infrastructure.
(33) Device 201 is, for example, part of an infrastructure, in particular, cloud infrastructure, or part of the motor vehicle.
(34) According to one specific example embodiment of the present invention, for redundant execution of the corresponding method steps, a plurality of devices 201 may be provided, so that, for example, both the motor vehicle and the infrastructure, in particular, the cloud infrastructure, include a device 201.
(35)
(36) A computer program 303 is stored in machine-readable storage medium 301; the computer program including commands, which, in response to execution of computer program 303 by a computer, cause it to implement a method according to the first aspect.
(37) According to one specific example embodiment of the present invention, an infrastructure or an infrastructure system is provided, which includes, for example, the device according to the second aspect.
(38)
(39) Infrastructure 403 includes a road 405, on which motor vehicle 401 travels.
(40) Infrastructure 403 further includes a surround sensor 407, a traffic light 409 and a cloud infrastructure 411, in which, for example, the device according to the second aspect is situated and/or provided.
(41) In a specific embodiment not shown, infrastructure 403 includes a plurality of surround sensors, which are positioned so as to be spatially distributed within the infrastructure.
(42) The surround sensors of infrastructure 403 monitor their respective surroundings and supply surround sensor data corresponding to the respective monitoring.
(43) The surrounding-area signals described here are based on the surround sensor data and/or include the surround sensor data.
(44) In a specific embodiment not shown, in addition to, or in place of, traffic light 409, infrastructure 403 includes further traffic systems, such as signs and communication systems.
(45) Motor vehicle 401 includes a roof-side surround sensor 413.
(46) According to
(47) In a specific embodiment not shown, in addition to, or in place of surround sensor 413, motor vehicle 401 may even include additional surround sensors, which are situated, for example, at the front end and/or rear end and/or on a side of the motor vehicle.
(48) In addition, three double arrows 415, 417, 419 are drawn in
(49) These symbolize a specific communication path and/or a specific communication channel between individual elements represented in
(50) Thus, the double arrow having reference numeral 415 symbolizes a communication path between motor vehicle 401 and cloud infrastructure 411.
(51) The double arrow having reference numeral 417 symbolizes a communication path between surround sensor 407 of infrastructure 403 and cloud infrastructure 411.
(52) The double arrow having reference numeral 419 symbolizes a communication path between motor vehicle 401 and traffic light 409.
(53) In order that motor vehicle 401 may be controlled remotely, according to the concept described here, there is a condition that the entity made up of motor vehicle 401 and elements involved in the method according to the first aspect be safe, that is, safe and secure.
(54) Thus, the elements involved in the method according to the first aspect presently include, in particular, infrastructure 403 and motor vehicle 401. Therefore, according to the exemplary embodiment shown in
(55) The specific communication paths 415, 417, 419 between the respective elements also belong to the entity.
(56) Therefore, this means, in particular, that, for example, a communication path 415 between motor vehicle 401 and cloud infrastructure 411 is checked as to whether it is secure.
(57) Accordingly, it is checked, for example, if surround sensor 407 is secure.
(58) According to the present invention, one or more safety conditions are specified as criteria for whether a communication path and/or an element of the entity are secure; the safety conditions having to be satisfied, in order that it may be determined that the corresponding element and/or the corresponding communication path are secure.
(59) For example, a communication path between two elements must have a minimum latency time, in order that the communication path be regarded as secure.
(60) For example, a surround sensor must satisfy certain quality criteria, in order for it to be regarded as reliable.
(61) For example, a surround sensor data processing algorithm, which is executed in a device in cloud infrastructure 411 according to the second aspect must have certain quality specifications.
(62) For example, specific emergency plans must be stored or saved in cloud infrastructure 411, in order that the motor vehicle may be controlled remotely.
(63) In one specific embodiment, remote control includes a change in the drive unit (e.g., for reducing emissions, limiting the speed) and/or specifying a trajectory to be covered (e.g., on the basis of requirements, preventing accidents).
(64) Therefore, this means, in particular, that the remote control signals include adjustment signals for adjusting a drive setting of the drive unit of the motor vehicle, and/or for adjusting a navigation setting of a navigation system of the motor vehicle.
(65) Therefore, this means that the remote control signals do not necessarily have to control lateral and/or longitudinal guidance of the motor vehicle, but may adjust one or more motor vehicle parameters or motor vehicle settings, in particular, a drive setting and/or navigation setting.
(66) In one specific embodiment, in the run-up to the intervention (of the remote control), and according to a further specific embodiment, during the intervention, it is ensured that the intervention and/or the action resulting from it are safe, which means, inter alia, that the intervention does not result in any accidents. Accompanying this, this means, in particular, that the term “safe” and “secure” is necessary, which means, inter alia, that hackers do not change the requirements/actions (For a further explanation of these two English terms, reference is made to the explanations following further down.).
(67) In one specific embodiment, for example, the following is provided:
(68) Analyzing or checking if the at least one safety condition is satisfied. In this case, it is checked, for example, when the remote control is/would be safe for intervention from the outside.
(69) Analyzing or checking if the at least one safety condition is satisfied at the time of the desired intervention.
(70) If yes, carrying out the remote control by generating and outputting corresponding remote control signals.
(71) If no, carrying out no remote control, that is to say, not carrying out the remote control. Therefore, no generation and outputting of corresponding remote control signals.
(72) In a further specific embodiment, during the intervention (of the remote control), it is additionally tested, at regular intervals, if the at least one safety condition continues to be satisfied.
(73) In the case, in which the at least one safety condition is no longer satisfied, for example, emergency remote control signals are generated and outputted on the basis of a specific emergency plan. Preferably, specific emergency plans are analyzed and defined in advance for each possible, individual fault. One emergency plan may be, for example, to bring the vehicle to a dead stop, that is, to a safe driving state, as rapidly as possible. Preferably, in consideration/view of the surroundings, and while warning other road users.
(74) In a further specific example embodiment of the present invention, during the intervention (of the remote control), it is additionally tested, at regular intervals, if the planned remote control and/or its planned result occurs.
(75) If this is not the case, then, for example, a reactionary action is carried out.
(76) In one specific example embodiment of the present invention, a reactionary action may include an additional action, which continues to pursue the original result. E.g., even more deceleration and even more motive power, in order to still attain, e.g., the desired speed after all.
(77) In one further specific example embodiment of the present invention, a reactionary action may include, that the action is interrupted, since it is no longer effective.
(78) In a further specific example embodiment of the present invention, on the basis of an emergency plan, emergency remote control signals are generated and outputted as a function of the situation/fault.
(79) In a further specific example embodiment of the present invention, on the basis of an emergency plan, emergency remote control signals are generated and outputted, in particular, especially in the cases of faults.
(80) The check as to whether the at least one safety condition is satisfied, is based, in particular, on a check as to the requirements and/or conditions, under which the planned remote control is safe.
(81) In this context, the risks, which the action (the remote control) could have, are first analyzed, for example. Especially, whether accidents including damage (to motor vehicles, etc.), but, in particular, including injuries and/or death to parties involved, may be the result.
(82) Then, according to one specific embodiment, it is subsequently tested, how these results may be prevented.
(83) In this context, in particular, it is determined how faults are treated, that is, whether, and if yes, which reactionary actions and/or emergency plans (fallback actions) should be carried out.
(84) In this context, there are, in particular, static requirements and/or conditions and/or, in particular, dynamic requirements and/or conditions, namely, in particular, for the overall system, which is preferably made up of at least a motor vehicle, infrastructure (in particular, traffic systems, sensors and components in the infrastructure), computer systems in the infrastructure and/or in a cloud, and a communication path (e.g., WLAN/WIFI and/or mobile radio communication).
(85) The requirements are in force, in particular, for the overall system and, in the following, in particular, for all parts of the overall system.
(86) In this context, static requirements and/or conditions are preferably analyzed beforehand (prior to remote control) and, as a rule, do not change over time. E.g., which components are present in the operation, and how safe (“safe and secure”) are they (in general).
(87) In this context, the current state of dynamic requirements and/or conditions may not be analyzed beforehand and are a function of the current situation. For example:
(88) How is the current environment (number of road users, weather, . . . )?
(89) Do the components currently function in a faultless manner?
(90) However, how which states of the dynamic requirements and/or conditions present at the moment are to be reacted to, is preferably analyzed beforehand. Thus, e.g., may the action (the remote control) be carried out. Or, may the action only be carried out in a limited manner/partially/with restrictions.
(91) In the case of the static requirements or conditions, in particular, the quality, which the overall system must have, and/or the quality, which the involved components must have (availabilities, failure rates, accuracies, . . . ), and/or the quality, which the participating algorithms, methods, procedures (e.g., tests, operations, redundant calculations, . . . ) must have, are analyzed.
(92) In addition, how the overall relationships must be, is particularly analyzed. E.g., the overall dynamic behavior across systems and, consequently, over the individual systems/methods. E.g., how rapidly, where, and how must something be calculated and transmitted (e.g., latency behavior).
(93) In this context, for example, the following are checked (as a function of the specific remote control): (A)SIL's of the overall system, (A)SIL's of the components, (A)SIL's of the procedures/methods, latency times and bandwidths for data transmissions, times for calculations/communications,/reaction functions, safety methodologies (hacker protection), optionally, necessary, redundant/diversitary components/algorithm/communication options, quality of services/availability data/measures for reducing faults/failures/incorrect analyses/misinterpretations, fallback scenarios, premises regarding function/traffic situation/ . . . , premises regarding weather/ . . . , etc.
(94) To this end (for development, analysis of the quality, etc.), there are, inter alia, rules, standards, etc.:
(95) https://de.wikipedia.org/wiki/Sicherheitsanforderungsstufe (safety requirement step)
(96) https://de.wikipedia.org/wiki/ISO_26262
(97) This means, in particular, that requirements/conditions, under which the action can/may be carried out without consequences (accidents, seriously injured persons, fatalities), are analyzed.
(98) In the analysis as to whether the requirements are met at the time of the desired intervention, it is then tested, for example, if the requirements (static, dynamic) are currently fulfilled, that is, satisfied.
(99) And in the following, remote control signals are then generated and outputted accordingly, or simply not, as a function of a result of the analysis.
(100) In this context, the check tests (Requirements currently present? Is the action being carried out correctly? . . . ) may or should preferably be carried out several times (for safety->safe/secure), in particular, using different methods, in particular, on different systems, as well. Therefore, in particular, the testing and/or checking is carried out in a redundant and diverse manner.
(101) Due to the consequences (fatality, etc.), the operation is preferably documented comprehensibly and in a manner safe from falsification, for example, in a blockchain.
(102) According to one specific embodiment, a condition for the remote control or for the intervention is that the remote control is safe. In the spirit of the description, “safe” means, in particular, “safe” and “secure.” Actually, these two English terms are normally translated into German as “sicker”. Nevertheless, these have a partially different meaning in English.
(103) The term “safe” is directed, in particular, to the topic of accident and accident prevention. Remote control, which is “safe,” causes, in particular, a probability of an accident or a collision to be less than or less than or equal to a predetermined threshold probability value.
(104) The term “secure” is directed, in particular, to the topic of computer protection and/or hacker protection, that is, in particular, how securely is a (computer) infrastructure and/or a communications infrastructure, in particular, a communication path between a motor vehicle and a remote control device for controlling a motor vehicle remotely, protected from unauthorized access and/or from data manipulation by a third party (hacker).
(105) Thus, remote control, which is “secure,” has, in particular, appropriate and sufficient computer protection and/or hacker protection as a basis.
(106) For example, according to one specific example embodiment of the present invention, it is tested if the entity made up of a motor vehicle and infrastructure involved in the method according to the first aspect, including communication between the infrastructure and the motor vehicle, is currently secure for the plan “intervention in the motor vehicle for critical actions” described here. Therefore, this means, in particular, that the motor vehicle and/or a local and/or a global infrastructure and/or communication are appropriately tested. In particular, the remote control signals are generated on the basis of a result of the test.
(107) Thus, this means, in particular, that the components, which are used during the execution of the method according to the first aspect, are tested for safety, that is, as to whether these satisfy specific safety conditions, before the intervention in the vehicle operation is carried out, that is, before the motor vehicle is controlled remotely.
(108) Important or dependent criteria include, for example, one or more of the safety conditions described above.
(109) According to one specific example embodiment of the present invention, first of all, the overall system (motor vehicle, infrastructure, communication path, cloud, . . . ) is tested with regard to the safety condition.
(110) According to one specific example embodiment of the present invention, the individual parts are also tested with regard to satisfying the safety condition. This, in particular, prior to controlling the motor vehicle remotely.
(111) In this context, in one specific example embodiment of the present invention, the testing step(s) are executed inside the motor vehicle and/or outside the motor vehicle, in particular, in an infrastructure.
(112) According to one specific example embodiment of the present invention, the checking step(s) are tested subsequently, that is, at a later time, for example, at regular intervals. For example, the testing step(s) are tested subsequently at a predetermined frequency, for example, every 100 ms.
(113) For example, according to one specific example embodiment of the present invention, this testing, that is, the test as to whether the at least one safety condition is satisfied, is carried out prior to and/or after and/or during one or more predetermined method steps.
(114) According to one specific example embodiment of the present invention, the testing is carried out or executed in response to problems.