Title:
System and Method for Controlling a Motor Vehicle to Drive Autonomously
Document Type and Number:
WIPO Patent Application WO/2019/125269
Kind Code:
A1
Abstract:
A motor vehicle (MV) is controlled to drive autonomously in agreement with a nominal path in response to nominal control signals (NCS) from a bank of control units (110). Safety policies (P) are provided via a first data-interface unit (163). The safety policies (P) describe mission-related rules to be followed during operation of the motor vehicle (MV). The safety policies (P) are based on a safety case (SC) stipulating how the motor vehicle (MV) shall be controlled to meet a functional safety standard. A watch unit (160) receives sensor signals (SS) from the motor vehicle (MV), and based thereon repeatedly generates commands ({cmd}) to update the boundary conditions ({bc}) aiming at confining the nominal path within limits that are given by the sensor signals (SS) and the at least one safety policy (P). The bank of control units reads out the set of boundary conditions ({bc}) and controls the motor vehicle (MV) to move in such a manner that the nominal path satisfies the boundary conditions ({bc}), and is thus considered to be safe.

Inventors:
MOHAN NAVEEN (SE)
ROOS PER (SE)
SVAHN JOHAN (SE)
Application Number:
PCT/SE2018/051260
Publication Date:
June 27, 2019
Filing Date:
December 07, 2018
Assignee:
SCANIA CV AB (SE)
International Classes:
B60W30/10; B60W60/00; G01C21/26; G01C21/34; G01C21/36; G05D1/00; G05D1/02; G08G1/00
Foreign References:
US20170197626A1 2017-07-13
US20070021915A1 2007-01-25
SE400977B 1978-04-17
Attorney, Agent or Firm:
FRENDH, Eva (SE)
Claims:

1. A system for controlling a motor vehicle (MV) to drive autonomously, the system comprising:

a bank of control units (110) containing a number of auto control units (ACU1, ..., ACUn) configured to produce nominal control signals (NCS) adapted to cause the motor vehicle (MV) to move autonomously in agreement with a nominal path; and a watch unit (160) configured to receive, from the motor vehicle (MV), sensor signals (SS) describing a current status of the motor vehicle (MV), and based on the sensor signals (SS), generate commands ({cmd}) influencing how the bank of control units (110) produces the nominal control signals (NCS),

characterized in that the system further comprises:

a data storage (140) containing a set of boundary conditions ({bc}) that the nominal path shall satisfy in order to be considered safe; and

a first data-interface unit (163) configured to provide at least one safety policy (P) describing a respective mission-related rule to be followed during operation of the motor vehicle (MV), the first data-interface unit (163) being configured to provide the at least one safety policy (P) based on a safety case (SC) stipulating how the motor vehicle (MV) shall be controlled to meet a functional safety standard,

the watch unit (160) being configured to generate the commands ({cmd}) repeatedly to update the boundary conditions ({bc}) aiming at confining the nominal path within limits that are given by the sensor signals (SS) and the at least one safety policy (P), and the bank of control units (110) is configured to:

read out the set of boundary conditions ({bc}) from the data storage (140), and

control the motor vehicle (MV) to move in such a manner that the nominal path satisfies the boundary conditions ({bc}).

2. The system according to claim 1, wherein the safety case (SC) stipulates a set of operation modes each in which the motor vehicle (MV) shall be controlled to operate depending on a current fault status of the motor vehicle (MV).

3. The system according to claim 2, wherein the set of operation modes comprises at least one of:

a first operation mode in which the motor vehicle (MV) shall be controlled to operate if the current fault status is such that the motor vehicle's (MV) capability is unimpeded;

a second operation mode in which the motor vehicle (MV) shall be controlled to operate if the current fault status is such that the motor vehicle's (MV) capability is limited;

a third operation mode in which the motor vehicle (MV) shall be controlled to operate if the current fault status is such that the motor vehicle (MV) must be brought to a minimal-risk condition; and

a fourth operation mode representing the minimal-risk condition.

4. The system according to any one of the preceding claims, wherein the at least one safety policy (P) relates to at least one of:

a minimum distance that the motor vehicle (MV) shall keep to a followed vehicle,

a speed limit that the motor vehicle (MV) shall keep,

definitions of safe stop locations that the motor vehicle (MV) shall be capable of reaching in case of a fault in the motor vehicle (MV), and

a set of actions to be taken in case one or more of a predefined set of faults occurs in the motor vehicle (MV).

5. The system according to any one of the preceding claims, wherein the watch unit (160) comprises:

a system-health-supervision unit (150) configured to receive the sensor signals (SS), and based thereon derive vehicle-health data (H) representing a functional status of the motor vehicle (MV), and

a safety unit (120) configured to receive the vehicle-health data (H) and the at least one safety policy (P), and based thereon, generate the commands ({cmd}) to the data storage (140).

6. The system according to claim 5, wherein the watch unit (160) further comprises:

a second data-interface unit (165) configured to receive and store at least one regulatory requirement (R) that shall be followed during operation of the motor vehicle (MV), and

the safety unit (120) is configured to receive the at least one regulatory requirement (R) and generate the commands ({cmd}) on the further basis of the at least one regulatory requirement (R) to the safety unit (120).

7. The system according to any one of claims 5 or 6, wherein the watch unit (160) further comprises:

a risk-assessment unit (167) configured to dynamically assess a respective estimated risk that the motor vehicle (MV) collides with each of any other road user and/or obstacle located in proximity to the motor vehicle (MV), the respective estimated risk being expressed by at least one signal (Sj), and

the safety unit (120) is configured to receive the at least one signal (Sj), and generate the commands ({cmd}) on the further basis of the at least one signal (Sj).

8. The system according to claim 7, wherein the risk-assessment unit (167) is further configured to monitor an environment around the motor vehicle (MV) to determine if the motor vehicle (MV) is currently operating within a range of parameters under which it is designed to operate, and the at least one signal (Sj) further reflecting whether or not the motor vehicle (MV) is currently operating within said range of parameters.

9. The system according to any one of claims 7 or 8, wherein the risk-assessment unit (167) is further configured to determine an estimated risk that the motor vehicle (MV) and/or any other road user in proximity thereto violates a traffic rule, and the at least one signal (Sj) further reflecting said estimated risk.

10. The system according to any one of the claims 5 to 9, wherein the safety unit (120) is further configured to:

determine if at least one received safety-related parameter (P, R, Sj, H) describes at least one condition under which the motor vehicle (MV) is currently operated, which at least one condition is such that a risk that the motor vehicle (MV) cannot move autonomously in agreement with the nominal path exceeds a failure-risk threshold, and if the failure-risk threshold is exceeded

produce safety control signals (SCS) adapted to cause the motor vehicle (MV) to move autonomously in agreement with a safe path, which safe path takes precedence over the nominal path represented by the nominal control signals (NCS).

11. The system according to claim 10, wherein the safety unit (120) is configured to generate a control signal (Ctrl) indicating whether or not the failure-risk threshold is exceeded, and

the system further comprises a control switch (210) arranged in communicative connection with the bank of control units (110) and the safety unit (120), and the control switch (210) is configured to:

receive the control signal (Ctrl),

receive the nominal control signals (NCS) and any safety control signals (SCS) respectively, and

in response to the control signal (Ctrl), forward either the nominal control signals (NCS) or the safety control signals (SCS) to the motor vehicle (MV).

12. The system according to any one of the preceding claims, wherein each of the auto control units (ACU1, ..., ACUn) is configured to produce a set of the nominal control signals (NCS), which set of the nominal control signals (NCS) is adapted to cause the motor vehicle (MV) to move autonomously in agreement with a respective nominal path.

13. The system according to any one of claims 1 to 11, wherein two or more of the auto control units (ACU1, ..., ACUn) are configured to produce a conjoint set of the nominal control signals (NCS), which conjoint set of the nominal control signals (NCS) is adapted to cause the motor vehicle (MV) to move autonomously in agreement with the nominal path.

14. The system according to any one of the preceding claims, further comprising a platform interface (130) configured to:

receive the sensor signals (SS) from the motor vehicle (MV); and

send out the nominal control signals (NCS) to the motor vehicle (MV).

15. A method of controlling a motor vehicle (MV) to drive autonomously, the method comprising:

producing, via a bank of control units (110) containing a number of auto control units (ACU1, ..., ACUn), nominal control signals (NCS) adapted to cause the motor vehicle (MV) to move autonomously in agreement with a nominal path; and

receiving, in a watch unit (160), sensor signals (SS) from the motor vehicle (MV), the sensor signals (SS) describing a current status of the motor vehicle (MV), and based on the sensor signals (SS),

generating, in the watch unit (160), commands ({cmd}) influencing how the bank of control units (110) produces the nominal control signals (NCS),

characterized by:

storing, in a data storage (140), a set of boundary conditions ({bc}) that the nominal path shall satisfy in order to be considered safe; and

providing, via a first data-interface unit (163), at least one safety policy (P) describing a respective mission-related rule to be followed during operation of the motor vehicle (MV), the at least one safety policy (P) being provided based on a safety case (SC) stipulating how the motor vehicle (MV) shall be controlled to meet a functional safety standard,

the commands ({cmd}) being generated repeatedly by the watch unit (160) to update the boundary conditions ({bc}) aiming at confining the nominal path within limits that are given by the sensor signals (SS) and the at least one safety policy (P), and the method further comprising:

reading out the set of boundary conditions ({bc}) from the data storage (140) into the bank of control units (110), and

controlling the motor vehicle (MV) to move in such a manner that the nominal path satisfies the boundary conditions ({bc}).

16. The method according to claim 15, wherein the safety case (SC) stipulates a set of operation modes each in which the motor vehicle (MV) shall be controlled to operate depending on a current fault status of the motor vehicle (MV).

17. The method according to claim 16, wherein the set of operation modes comprises at least one of:

a first operation mode in which the motor vehicle (MV) is controlled to operate if the current fault status is such that the motor vehicle's (MV) capability is unimpeded;

a second operation mode in which the motor vehicle (MV) is controlled to operate if the current fault status is such that the motor vehicle's (MV) capability is limited;

a third operation mode in which the motor vehicle (MV) is controlled to operate if the current fault status is such that the motor vehicle (MV) must be brought to a minimal-risk condition; and

a fourth operation mode representing the minimal-risk condition.

18. The method according to any one of the claims 15 to 17, wherein the at least one safety policy (P) relates to at least one of:

a minimum distance that the motor vehicle (MV) shall keep to a followed vehicle,

a speed limit that the motor vehicle (MV) shall keep,

definitions of safe stop locations that the motor vehicle (MV) shall be capable of reaching in case of a fault in the motor vehicle (MV), and

a set of actions to be taken in case one or more of a predefined set of faults occurs in the motor vehicle (MV).

19. The method according to any one of the claims 15 to 18, wherein the watch unit (160) comprises a system-health-supervision unit (150) and a safety unit (120), and the method comprises:

receiving, in the system-health-supervision unit (150), the sensor signals (SS), and based thereon

deriving vehicle-health data (H) representing a functional status of the motor vehicle (MV), and

receiving, in the safety unit (120), the vehicle-health data (H) and the at least one safety policy (P), and based thereon, generating the commands ({cmd}) to the data storage (140).

20. The method according to claim 19, wherein the watch unit (160) further comprises a second data-interface unit (165), and the method comprises:

receiving and storing, in the second data-interface unit (165), at least one regulatory requirement (R) that shall be followed during operation of the motor vehicle (MV),

receiving, in the safety unit (120), the at least one regulatory requirement (R) and on the further basis of the at least one regulatory requirement (R)

generating the commands ({cmd}) to the safety unit (120).

21. The method according to any one of claims 19 or 20, wherein the watch unit (160) further comprises a risk-assessment unit (167), and the method comprises:

assessing, dynamically, in the risk-assessment unit (167), a respective estimated risk that the motor vehicle (MV) collides with each of any other road user and/or obstacle located in proximity to the motor vehicle (MV), the respective estimated risk being expressed by at least one signal (Sj),

receiving, in the safety unit (120), the at least one signal (Sj), and on the further basis of the at least one signal (Sj)

generating the commands ({cmd}).

22. The method according to claim 21, further comprising:

monitoring, via the risk-assessment unit (167), an environment around the motor vehicle (MV) to determine if the motor vehicle (MV) is currently operating within a range of parameters under which it is designed to operate, and the at least one signal (Sj) further reflects whether or not the motor vehicle (MV) is currently operating within said range of parameters.

23. The method according to any one of claims 21 or 22, further comprising:

determining, in the risk-assessment unit (167), an estimated risk that the motor vehicle (MV) and/or any other road user in proximity thereto violates a traffic rule, and the at least one signal (Sj) further reflects said estimated risk.

24. The method according to any one of the claims 19 to 23, further comprising:

determining, in the safety unit (120), if at least one received safety-related parameter (P, R, Sj, H) describes at least one condition under which the motor vehicle (MV) is currently operated, which at least one condition is such that a risk that the motor vehicle (MV) cannot move autonomously in agreement with the nominal path exceeds a failure-risk threshold, and if the failure-risk threshold is exceeded

generating, in the safety unit (120), safety control signals (SCS) adapted to cause the motor vehicle (MV) to move autonomously in agreement with a safe path, which safe path takes precedence over the nominal path represented by the nominal control signals (NCS).

25. A computer program (127) comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to any one of the claims 15 to 24.

26. A non-volatile data carrier (125) containing the computer program of claim 25.

Description:
System and Method for Controlling a Motor Vehicle to Drive Autonomously

TECHNICAL FIELD

The invention relates generally to autonomous vehicles. In particular, the present invention concerns a system for controlling a motor vehicle to drive autonomously in agreement with a nominal path and a corresponding method. The invention also relates to a computer program and a non-volatile data carrier.

BACKGROUND

Today, there is a strong trend towards fully autonomous vehicles. Naturally, since there is no human driver involved, safety issues are very important. Functional safety standards, such as ISO 26262, stipulate the diagnosis functionality required with respect to safety. In general, these standards place significant overhead on diagnosis and the safe handling of functional failures. Moreover, the verification of the provability of functional safety is a very extensive process. Typically, the overhead increases dramatically with growing numbers of functions and the complexity of the functions involved. As a result, automated driving and functions related thereto provide one of the largest challenges in terms of complexity in the automotive domain so far.

US 2017/0277194 describes how an operation related control of a vehicle is facilitated. Here, a finite set of candidate trajectories of the vehicle is generated that begin at a location of the vehicle as of a given time. The candidate trajectories are based on a state of the vehicle and on possible behaviors of the vehicle and of the environment as of the location of the vehicle and the given time. A putative optimal trajectory is selected from among the candidate trajectories based on costs associated with the candidate trajectories. The costs include costs associated with violations of rules of operation of the vehicle. The selected putative optimal trajectory is used to facilitate the operation related to control of the vehicle.

EP 2 317 412 shows a safety management system for equipment adapted to operate autonomously in a real-time environment. Deterministic and non-deterministic processors are provided for processing incoming alerts and generating control signals in response. The non-deterministic processor can deal with unrehearsed, complex and unpredictable situations by providing essentially open-ended procedures working in large search spaces with no guarantee of a solution. The deterministic processor monitors behavior of the non-deterministic processor and validates control signals produced by it against safety policies. The deterministic processor also provides an intelligent interface to the non-deterministic processor, which receives alerts only from the deterministic processor, and enforces time-critical delivery of responses.

US 2015/0057869 discloses apparatuses, methods and a storage medium associated with computerized assist or autonomous driving of vehicles. A computing device may receive a plurality of data associated with vehicles driving at various locations within a locality; and based thereon, generate one or more locality specific policies for computerized assisted or autonomous driving of vehicles at the locality.

Thus, there are known examples of solutions for controlling motor vehicles to drive autonomously in agreement with specific rules and policies while handling complex and unpredictable traffic situations.

Naturally, the safety regulations for autonomously driven motor vehicles are very rigorous. For example, the software that implements the autonomous driving functionality must undergo extensive testing before being authorized. Consequently, it is costly and very time-consuming to integrate any kind of new and/or updated functionality in an autonomously driven motor vehicle.

SUMMARY

One object of the present invention is therefore to facilitate updating of existing functions in an autonomous driving system. It is also an object of the invention to simplify the process of adding new functions to such a system.

According to one aspect of the invention, these objects are achieved by a system for controlling a motor vehicle to drive autonomously, where the system contains: a bank of control units, a watch unit, a data storage and a first data-interface unit. The bank of control units contains a number of auto control units (i.e. one or more) configured to produce nominal control signals adapted to cause the motor vehicle to move autonomously in agreement with a nominal path. The data storage contains a set of boundary conditions that the nominal path shall satisfy in order to be considered safe. The watch unit is configured to receive sensor signals from the motor vehicle, which sensor signals describe a current status of the motor vehicle. Based on the sensor signals, the watch unit is configured to generate commands that influence how the bank of control units produces the nominal control signals. More precisely, the watch unit is configured to generate the commands repeatedly to update the boundary conditions aiming at confining the nominal path within limits that are given by the sensor signals and the at least one safety policy. The first data-interface unit is configured to provide at least one safety policy describing a respective mission-related rule to be followed during operation of the motor vehicle. Specifically, the first data-interface unit is configured to provide the at least one safety policy based on a safety case stipulating how the motor vehicle shall be controlled to meet a functional safety standard. The bank of control units is configured to read out the set of boundary conditions from the data storage, and control the motor vehicle to move in such a manner that the nominal path satisfies the boundary conditions.

This system is advantageous because the proposed linking between safety policies and the safety case renders it possible to define substantial safety-critical parts of the design via the safety policies. Thus, functionality can be added and/or updated without requiring requalification of the auto control units as such. This is, of course, beneficial both with respect to costs and efforts.

According to embodiments of this aspect of the invention, the safety case stipulates a set of operation modes each in which the motor vehicle shall be controlled to operate depending on a current fault status of the motor vehicle. For example, the set of operation modes may include: a first operation mode in which the motor vehicle shall be controlled to operate if the current fault status is such that the motor vehicle's capability is unimpeded; a second operation mode in which the motor vehicle shall be controlled to operate if the current fault status is such that the motor vehicle's capability is limited; a third operation mode in which the motor vehicle shall be controlled to operate if the current fault status is such that the motor vehicle must be brought to a minimal-risk condition; and/or a fourth operation mode representing the minimal-risk condition. Thus, safe operation of the motor vehicle can be guaranteed based on clear and concise principles.

According to another embodiment of this aspect of the invention, the at least one safety policy relates to: a minimum distance that the motor vehicle shall keep to a followed vehicle, a speed limit that the motor vehicle shall keep, definitions of safe stop locations that the motor vehicle shall be capable of reaching in case of a fault in the motor vehicle (e.g. a number of safe stops that shall always be reachable and respective qualities thereof), and a set of actions to be taken in case one or more of a predefined set of faults occurs in the motor vehicle. This renders the design highly efficient, especially in terms of future updates and developments.

According to other embodiments of this aspect of the invention, the watch unit contains a system-health-supervision unit and a safety unit. The system-health-supervision unit is configured to receive the sensor signals, and based thereon derive vehicle-health data representing a functional status of the motor vehicle. The safety unit is configured to receive the vehicle-health data and the at least one safety policy, and based thereon generate the commands to the data storage.

Additionally, the watch unit may include a second data-interface unit configured to receive and store at least one regulatory requirement that shall be followed during operation of the motor vehicle. Here, the safety unit is configured to receive the at least one regulatory requirement and generate the commands on the further basis of the at least one regulatory requirement to the safety unit. This means that it becomes straightforward to ensure that the design fulfills various regulatory requirements, e.g. following specific traffic rules.

Moreover, the watch unit may contain a risk-assessment unit configured to dynamically assess a respective estimated risk that the motor vehicle collides with each of any other road user and/or obstacle located in proximity to the motor vehicle, which respective estimated risk is expressed by at least one signal. Here, the safety unit is configured to receive the at least one signal and generate the commands on the further basis of the at least one signal. As a result, collision avoidance functionality is resourcefully implemented.

According to yet another embodiment of this aspect of the invention, the risk-assessment unit is further configured to monitor an environment around the motor vehicle to determine if the motor vehicle is currently operating within a range of parameters under which it is designed to operate. Here, the at least one signal further reflects whether or not the motor vehicle is currently operating within said range of parameters. Thus, if the motor vehicle is found to be outside said range, adequate actions can be taken immediately.

According to still another embodiment of this aspect of the invention, the risk-assessment unit is further configured to determine an estimated risk that the motor vehicle and/or any other road user in proximity thereto violates a traffic rule. Here, the at least one signal further reflects said estimated risk. Thereby, the vehicle control implemented by the auto control units can be effected such that the overall risk of violations of the traffic regulations is reduced.

According to one embodiment of this aspect of the invention, the safety unit is further configured to determine if at least one received safety-related parameter describes at least one condition under which the motor vehicle is currently operated, which at least one condition is such that a risk that the motor vehicle cannot move autonomously in agreement with the nominal path exceeds a failure-risk threshold. If the failure-risk threshold is exceeded, the safety unit is configured to produce safety control signals adapted to cause the motor vehicle to move autonomously in agreement with a safe path. The safe path takes precedence over the nominal path represented by the nominal control signals. In other words, if the safety control signals are present, the motor vehicle is configured to ignore any received nominal control signals. Consequently, even in emergency situations, a safe vehicle handling is ensured.

Alternatively, or in addition thereto, the safety unit may be configured to generate a control signal indicating whether or not the failure-risk threshold is exceeded. Furthermore, the system includes a control switch arranged in communicative connection with the bank of control units and the safety unit, and the control switch is configured to: receive the control signal; receive the nominal control signals and any safety control signals respectively; and in response to the control signal, forward either the nominal control signals or the safety control signals to the motor vehicle. In such a case, the motor vehicle itself does not need to take any measures to ensure that the safe path takes precedence over the nominal path.
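As an added illustration (not code from the patent or from Scania), the following Python model ties the units described above together: the watch unit derives the operation mode from the sensor signals, rewrites the boundary conditions {bc} from the safety policy P, a toy auto control unit plans only within {bc}, and the safety unit and control switch decide whether NCS or SCS reach the vehicle. The field names, the brake_health signal, the risk formula and every threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class OperationMode(Enum):
    """Operation modes stipulated by the safety case (SC), claims 2 and 3."""
    UNIMPEDED = 1        # capability unimpeded
    LIMITED = 2          # capability limited
    TO_MINIMAL_RISK = 3  # vehicle must be brought to a minimal-risk condition
    MINIMAL_RISK = 4     # the minimal-risk condition itself

@dataclass(frozen=True)
class SafetyPolicy:
    """Mission-related rules (P) from the first data-interface unit (163), claim 4."""
    min_follow_distance_m: float  # minimum distance to a followed vehicle
    speed_limit_mps: float        # speed limit the vehicle shall keep
    limited_speed_mps: float      # assumed: speed cap while capability is limited

@dataclass(frozen=True)
class SensorSignals:
    """Sensor signals (SS) describing the vehicle's current status (constructed fields)."""
    speed_mps: float
    gap_to_lead_m: float
    brake_health: float           # 0.0 (failed) .. 1.0 (nominal), assumed signal

@dataclass(frozen=True)
class BoundaryConditions:
    """The set {bc} in the data storage (140) that the nominal path shall satisfy."""
    max_speed_mps: float
    min_gap_m: float
    mode: OperationMode

@dataclass(frozen=True)
class ControlSignals:
    """Nominal (NCS) or safety (SCS) control signals forwarded to the vehicle."""
    speed_setpoint_mps: float
    source: str                   # "NCS" or "SCS"

FAILURE_RISK_THRESHOLD = 0.7      # constructed value for the example

def derive_health(ss: SensorSignals) -> OperationMode:
    """System-health-supervision unit (150): SS -> vehicle-health data (H).
    The brake-health thresholds are constructed for the example."""
    if ss.brake_health >= 0.9:
        return OperationMode.UNIMPEDED
    if ss.brake_health >= 0.5:
        return OperationMode.LIMITED
    return OperationMode.TO_MINIMAL_RISK

def collision_risk(ss: SensorSignals) -> float:
    """Risk-assessment unit (167): constructed collision-risk signal (Sj) in [0, 1]
    that rises as the time gap to the followed vehicle drops below 2 s."""
    if ss.speed_mps <= 0.0:
        return 0.0
    return max(0.0, min(1.0, 1.0 - (ss.gap_to_lead_m / ss.speed_mps) / 2.0))

def update_boundary_conditions(policy: SafetyPolicy, ss: SensorSignals) -> BoundaryConditions:
    """Watch unit (160): the commands {cmd} rewrite {bc} so the nominal path stays
    within the limits given by SS and P; the ACUs never read the policy directly."""
    mode = derive_health(ss)
    if mode is OperationMode.UNIMPEDED:
        max_speed = policy.speed_limit_mps
    elif mode is OperationMode.LIMITED:
        max_speed = min(policy.speed_limit_mps, policy.limited_speed_mps)
    else:
        max_speed = 0.0           # bring the vehicle to a minimal-risk condition
    return BoundaryConditions(max_speed, policy.min_follow_distance_m, mode)

def nominal_control(bc: BoundaryConditions, ss: SensorSignals) -> ControlSignals:
    """Bank of control units (110): a toy ACU that reads {bc} and plans a speed
    setpoint satisfying them (gain at most 1 m/s per step, brake below the min gap)."""
    target = min(bc.max_speed_mps, ss.speed_mps + 1.0)
    if ss.gap_to_lead_m < bc.min_gap_m:
        target = min(target, ss.speed_mps - 2.0)
    return ControlSignals(max(0.0, target), "NCS")

def safety_unit(bc: BoundaryConditions, ss: SensorSignals):
    """Safety unit (120), claims 10 and 11: Ctrl is True when the failure-risk
    threshold is exceeded; the SCS then carry the safe path (here a controlled stop)."""
    ctrl = (collision_risk(ss) > FAILURE_RISK_THRESHOLD
            or bc.mode is OperationMode.TO_MINIMAL_RISK)
    scs = ControlSignals(0.0, "SCS") if ctrl else None
    return ctrl, scs

def control_switch(ctrl: bool, ncs: ControlSignals,
                   scs: Optional[ControlSignals]) -> ControlSignals:
    """Control switch (210): forward SCS when Ctrl is set, otherwise NCS, so the
    vehicle itself never has to arbitrate between the two."""
    return scs if ctrl and scs is not None else ncs

def control_step(policy: SafetyPolicy, ss: SensorSignals) -> ControlSignals:
    """One cycle of the loop: update {bc}, let the ACUs plan, then arbitrate."""
    bc = update_boundary_conditions(policy, ss)
    ncs = nominal_control(bc, ss)
    ctrl, scs = safety_unit(bc, ss)
    return control_switch(ctrl, ncs, scs)
```

With a healthy vehicle the ACU output passes through as NCS; a degraded brake only tightens {bc}, while a short gap or a fault requiring a minimal-risk condition trips Ctrl and the switch forwards the SCS instead.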

According to further embodiments of this aspect of the invention, either each of the auto control units is individually configured to generate a set of the nominal control signals adapted to cause the motor vehicle to move autonomously in agreement with a respective nominal path; or two or more of the auto control units are configured to generate a conjoint set of the nominal control signals adapted to cause the motor vehicle to move autonomously in agreement with the nominal path. This provides a high degree of freedom as to how to implement the system.

According to yet another embodiment of this aspect of the invention, the system includes a platform interface configured to receive the sensor signals from the motor vehicle, and send out the nominal control signals to the motor vehicle. Hence, the communication between the system and the motor vehicle can be made efficient and flexible.

According to another aspect of the invention, the above objects are achieved by a method of controlling a motor vehicle to drive autonomously. The method involves producing nominal control signals via a bank of control units containing a number of auto control units. The nominal control signals are adapted to cause the motor vehicle to move autonomously in agreement with a nominal path. The method also involves receiving sensor signals from the motor vehicle in a watch unit. The sensor signals describe a current status of the motor vehicle. Additionally, the method involves: storing, in a data storage, a set of boundary conditions that the nominal path shall satisfy in order to be considered safe; and providing, via a first data-interface unit, at least one safety policy describing a respective mission-related rule to be followed during operation of the motor vehicle. The at least one safety policy is provided based on a safety case stipulating how the motor vehicle shall be controlled to meet a functional safety standard. The method further involves generating commands in the watch unit based on the sensor signals, which commands influence how the bank of control units produces the nominal control signals. Specifically, the commands are generated repeatedly by the watch unit to update the boundary conditions aiming at confining the nominal path within limits that are given by the sensor signals and the at least one safety policy. Moreover, the method involves: reading out the set of boundary conditions from the data storage into the bank of control units; and controlling the motor vehicle to move in such a manner that the nominal path satisfies the boundary conditions. The advantages of this method, as well as the preferred embodiments thereof, are apparent from the discussion above with reference to the proposed system.

According to a further aspect of the invention the objects are achieved by a computer program containing instructions which, when executed on at least one processor, cause the at least one processor to carry out the above-described method.

According to another aspect of the invention the objects are achieved by a non-volatile data carrier containing such a computer program.

Further advantages, beneficial features and applications of the present invention will be apparent from the following description and the dependent claims.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is now to be explained more closely by means of preferred embodiments, which are disclosed as examples, and with reference to the attached drawings.

Figure 1 schematically depicts a system according to embodiments of the invention;

Figure 2 schematically shows a system according to other embodiments of the invention; and

Figure 3 illustrates, by means of a flow diagram, the general method according to the invention.

DETAILED DESCRIPTION

Referring to Figure 1, we will describe a system according to one embodiment of the invention for controlling a motor vehicle MV to drive autonomously. The system includes a bank of control units 110, a watch unit 160, a data storage 140 and a first data-interface unit 163.

The bank of control units 110 containing one or more auto control units ACU1, ..., ACUn is configured to produce nominal control signals NCS, which are adapted to cause the motor vehicle MV to move autonomously in agreement with a nominal path. Either each of the auto control units ACU1, ..., ACUn is configured to generate a set of the nominal control signals NCS, which set of the nominal control signals NCS is adapted to cause the motor vehicle MV to move autonomously in agreement with a respective nominal path; or two or more of the auto control units ACU1, ..., ACUn are configured to generate a conjoint set of the nominal control signals NCS, which conjoint set of the nominal control signals NCS is adapted to cause the motor vehicle MV to move autonomously in agreement with the nominal path. For instance, one auto control unit may be adapted to control the motor vehicle MV in a longitudinal direction, while another auto control unit is adapted to control the motor vehicle MV in a transverse direction. Alternatively, a first auto control unit ACU1 may implement a highway pilot, a second auto control unit may implement a traffic jam pilot, a third auto control unit may implement a platooning pilot, and so on, up to an n:th auto control unit ACUn that may for example be configured to operate the motor vehicle MV in a mining environment. Although, of course, the auto control units ACU1, ..., ACUn may be implemented in hardware, it is advantageous if they are realized in software. In such a case, there may either be a specific software module for each auto control unit in the bank of control units 110, or the entire bank of control units 110 may be represented by a common piece of software.

In any case, the bank of control units 110 is configured to read out a set of boundary conditions {bc} from the data storage 140, and control the motor vehicle MV to move in such a manner that the nominal path satisfies the boundary conditions {bc}.

The data storage 140 contains the set of boundary conditions {bc} to be satisfied by the nominal path in order to be considered safe. The first data-interface unit 163 is configured to provide at least one safety policy P that describes a respective mission-related rule to be followed during operation of the motor vehicle MV. Specifically, the at least one safety policy P provided by the first data-interface unit 163 is based on a safety case SC stipulating how the motor vehicle MV shall be controlled to meet a functional safety standard, for example ISO 26262. Such a linking between the safety policies P and the safety case SC renders it possible to define substantial safety-critical parts of the design via the safety policies P. Consequently, functionality can be added to the system and/or the system can be updated without re-qualifying the auto control units ACU1, ..., ACUn as such in terms of safety compliance.

The safety policies P of the first data-interface unit 163 may relate to: a minimum distance that the motor vehicle MV shall keep to a followed vehicle (e.g. during platooning); a speed limit that the motor vehicle MV shall keep; a set of actions to be taken in case one or more of a predefined set of faults occurs in the motor vehicle MV; and/or definitions of safe stop locations that the motor vehicle MV shall be capable of reaching in case of a fault in the motor vehicle MV. The safe stops, in turn, may be further defined in terms of quantities and qualities, such as a minimum number of safe stop locations that shall be reachable by the motor vehicle MV at all times, and where the safe stops shall be located relative to the current location of the motor vehicle. For example, 1 to 20 safe stop locations may be required, a first subset thereof may be located in the same lane, a second subset thereof may be located in a rightmost lane, a third subset thereof may be located on a hard shoulder of the road, a fourth subset thereof may be located in a parking spot on a highway. A fifth subset thereof may be represented by a predefined location at an n:th exit from the highway, a sixth subset thereof may be located at an identified workshop, and a seventh subset thereof may be a final goal of a route being followed. Maximum and/or minimum times to reach a safe stop location may also be defined by the safety policy P. Apparently, considering other road users, a shortest possible time to the safety stop location is not always ideal. Typically, a strategy balancing the safety interests of multiple road users is optimal.
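As an added illustration of the safe-stop rules just described (example code written for this page, not code from the patent or from Scania), the following Python models how a watch unit might evaluate a safety policy requiring a minimum number of safe stop locations reachable within a maximum time. The stop categories, the stop list, the kinematic model (cruise at the current speed, then brake at one fixed comfortable deceleration) and every number are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed example: safe-stop reachability check for a safety policy P.
# Categories, stops, the kinematic model and all numbers are assumptions,
# not values taken from the patent.


@dataclass(frozen=True)
class SafeStop:
    name: str
    category: str        # e.g. "same_lane", "right_lane", "hard_shoulder", "exit"
    distance_m: float    # route distance from the vehicle's current position


@dataclass(frozen=True)
class SafeStopPolicy:
    min_reachable: int              # safe stops that must be reachable at all times
    max_time_s: float               # maximum time allowed to reach a safe stop
    required_categories: frozenset  # categories that must each have a reachable stop


def time_to_reach(distance_m, speed_mps, decel_mps2):
    """Time to come to rest exactly at distance_m when cruising at speed_mps
    and then braking at decel_mps2 (assumed kinematic model).
    Returns None if the stop cannot be reached without braking harder."""
    if speed_mps <= 0.0:
        # Standing still: only the current position counts as reachable.
        return 0.0 if distance_m == 0.0 else None
    braking_distance = speed_mps ** 2 / (2.0 * decel_mps2)
    if distance_m < braking_distance:
        return None
    return (distance_m - braking_distance) / speed_mps + speed_mps / decel_mps2


def evaluate_safe_stops(stops, policy, speed_mps, decel_mps2=2.0):
    """Return (satisfied, reachable_names): the stops that meet the policy's
    time bound, and whether the count and category rules are both met."""
    reachable = []
    for stop in stops:
        t = time_to_reach(stop.distance_m, speed_mps, decel_mps2)
        if t is not None and t <= policy.max_time_s:
            reachable.append(stop)
    covered = {s.category for s in reachable}
    satisfied = (len(reachable) >= policy.min_reachable
                 and policy.required_categories <= covered)
    return satisfied, [s.name for s in reachable]


# Constructed sample input: four candidate stops along the route.
SAMPLE_STOPS = (
    SafeStop("lane-stop-A", "same_lane", 150.0),
    SafeStop("shoulder-B", "hard_shoulder", 400.0),
    SafeStop("exit-C", "exit", 60.0),        # too close for a comfortable stop from 20 m/s
    SafeStop("parking-D", "parking", 1200.0),
)
SAMPLE_POLICY = SafeStopPolicy(min_reachable=2, max_time_s=30.0,
                               required_categories=frozenset({"hard_shoulder"}))

if __name__ == "__main__":
    print(evaluate_safe_stops(SAMPLE_STOPS, SAMPLE_POLICY, speed_mps=20.0))
    # → (True, ['lane-stop-A', 'shoulder-B'])
```

Running the check once per cycle with the current speed gives the watch unit a concrete reason to tighten the boundary conditions (for instance a lower maximum speed) as soon as the policy would otherwise stop being satisfied, rather than only reacting after a fault has occurred.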

The watch unit 160 is configured to receive sensor signals SS from the motor vehicle MV. The sensor signals SS describe a current status of the motor vehicle MV. The sensor signals SS may be received from the motor vehicle MV via a platform interface 130. Preferably such a platform interface 130 is bi-directional, and is thus also configured to send out the nominal control signals NCS to the motor vehicle MV. Nevertheless, according to the invention, even if the platform interface 130 is included in the design, one or more of the sensor signals SS may be received through alternative channels and/or one or more of the nominal control signals NCS may be fed to the motor vehicle MV in other ways than via the platform interface 130.

The watch unit 160 is configured to generate commands {cmd} based on the sensor signals SS, which commands {cmd} influence how the bank of control units 110 produces the nominal control signals NCS. More precisely, the watch unit 160 is configured to generate the commands {cmd} repeatedly to update the boundary conditions {bc} aiming at confining the nominal path within limits that are given by the sensor signals SS and the at least one safety policy P. According to one embodiment of the invention, the safety case SC also stipulates a set of operation modes in which the motor vehicle MV shall be controlled to operate depending on a current fault status of the motor vehicle MV. For example, the set of operation modes may include first, second, third and fourth operation modes. Here, the motor vehicle MV may be controlled to operate in the first operation mode, if a current fault status of the motor vehicle MV is such that the motor vehicle's MV capability is unimpeded. Minor faults may be present, however none of these impedes the capability of the motor vehicle MV. If the current fault status is such that the motor vehicle's MV capability is limited, but not critically, the motor vehicle MV may be controlled to operate in the second operation mode. If, instead, the current fault status is such that the motor vehicle MV must be brought to a minimal-risk condition (say a stand-still), the motor vehicle MV may be controlled to operate in the third operation mode. The fourth operation mode may represent the minimal-risk condition, in which for example the motor vehicle MV should not be driven at all.

Figure 2 schematically shows a system according to other embodiments of the invention. Here, all units, signals, commands and parameters that are also represented in Figure 1 denote the same units, signals, commands and parameters as described above with reference to Figure 1.
According to one of the embodiments of the invention exemplified in Figure 2, the watch unit 160 contains a system-health-supervision unit 150 and a safety unit 120. The system-health-supervision unit 150 is configured to receive the sensor signals SS, and based thereon derive vehicle-health data H representing a functional status of the motor vehicle MV. The safety unit 120 is configured to receive the vehicle-health data H and the at least one safety policy P; and based thereon generate the commands {cmd} to the data storage 140.

According to another embodiment of the invention, the watch unit 160 further contains a second data-interface unit 165, which is configured to receive and store at least one regulatory requirement R that shall be followed during operation of the motor vehicle MV. Here, the safety unit 120 is configured to receive the at least one regulatory requirement R and generate the commands {cmd} on the further basis of the at least one regulatory requirement R. Market specific regulations enumerated at mission start time, for example relating to traffic rules (e.g. right/left hand traffic, local road laws and various street signs) are examples of regulatory requirements R.

Analogous to the first data-interface unit 163, the second data-interface unit 165 is communicatively connected to the safety unit 120 so as to provide the at least one regulatory requirement R to the safety unit 120, and thus enable the safety unit 120 to generate the at least one command {cmd} based on the at least one regulatory requirement R.

According to one embodiment of the invention, the watch unit 160 contains a risk-assessment unit 167, which is configured to dynamically assess a respective estimated risk that the motor vehicle MV collides with each of any other road user and/or obstacle located in proximity to the motor vehicle MV. The respective estimated risk may be expressed by at least one signal Sj. Here, the safety unit 120 is configured to receive the at least one signal Sj, and generate the commands {cmd} on the further basis of the at least one signal Sj. The assessment may involve lane-markings monitoring, and if no sufficiently clearly detectable lane markings can be found, the at least one signal Sj reflects this in the form of an estimated risk of traffic-rule violation. The risk-assessment unit 167 may be further configured to monitor an environment around the motor vehicle MV to determine if the motor vehicle MV is currently operating within a range of parameters under which it is designed to operate. Here, the at least one signal Sj also reflects whether or not the motor vehicle MV is currently operating within said range of parameters.

According to one embodiment of the invention, the safety unit 120 is further configured to determine if the set of safety-related parameters P, R, Sj and H describes one or more conditions under which the motor vehicle MV is currently operated, which condition(s) is (are) such that a risk that the motor vehicle MV cannot move autonomously in agreement with the nominal path exceeds a failure-risk threshold.

If this failure-risk threshold is exceeded, the safety unit 120 is configured to generate safety control signals SCS adapted to cause the motor vehicle MV to move autonomously in agreement with a safe path. The safe path constitutes an alternative to the nominal path, and the safe path shall be followed instead of the nominal path calculated by the bank of control units 110. In other words, the safe path takes precedence over the nominal path represented by the nominal control signals NCS.

In one embodiment shown in Figure 1, the motor vehicle MV itself effects said precedence by being configured to ignore any received nominal control signals NCS if the safety control signals SCS are received, for example via the platform interface 130 as illustrated in Figure 1. Consequently, even in emergency situations, a safe vehicle handling is ensured.

Figure 2 schematically shows a system according to another embodiment of the invention. Here, all units, signals, commands and parameters that are also represented in Figure 1 denote the same units, signals, commands and parameters as described above with reference to Figure 1.

In the system exemplified in Figure 2, the safety unit 120 is configured to generate a control signal Ctrl that indicates whether or not the failure-risk threshold is exceeded.

The system also includes a control switch 210, which is arranged in communicative connection with the bank of control units 110 and the safety unit 120. The control switch 210 is configured to: receive the control signal Ctrl; and receive the nominal control signals NCS and any safety control signals SCS respectively. The control switch 210 is configured to forward either the nominal control signals NCS or the safety control signals SCS to the motor vehicle MV. Specifically, if the safety unit 120 generates the safety control signals SCS, the safety unit 120 also generates the control signal Ctrl in such a manner that upon receipt thereof in the control switch 210, the control switch 210 prevents the nominal control signals NCS from being forwarded to the motor vehicle MV. Instead, the control switch 210 forwards the safety control signals SCS to the motor vehicle MV. This relaxes the requirements on the motor vehicle MV, in that it is not required to select between the nominal control signals NCS and the safety control signals SCS; and analogous to the above, a safe handling of the motor vehicle MV is ensured even in emergency situations.

Analogous to the auto control units ACU1, ..., ACUn, the safety unit 120, the system-health-supervision unit 150, the first data interface 163, the second data interface 165, the risk-assessment unit 167 and/or the control switch 210 may be implemented partly or entirely in software. Such software, in turn, may be installed to run on one or more processors. Further, a common piece of software may implement two or more of said units and interfaces.

For example, the safety unit 120 may contain a processing unit with processing means including at least one processor, such as one or more general purpose processors. Further, this processing unit is preferably communicatively connected to a data carrier 125 in the form of a computer-readable storage medium, such as a Random Access Memory (RAM), a Flash memory, or the like. The data carrier 125 contains computer-executable instructions, i.e. a computer program 127, for causing the processing unit and the other units of the system to perform in accordance with the embodiments of the invention as described herein, when the computer-executable instructions are executed on the at least one processor of the processing unit.

In order to sum up, and with reference to the flow diagram in Figure 3, we will now describe the general method according to the invention for controlling a motor vehicle to drive autonomously.

In a first step 310, sensor signals are received from the motor vehicle. The sensor signals describe a current status of the motor vehicle. Then, in a step 320, a set of boundary conditions is read out from a data storage. In a subsequent step 330, at least one command is generated based on the sensor signals.

In a step 340 following step 330, nominal control signals are produced under influence of the at least one command. The nominal control signals are adapted to cause the motor vehicle to move autonomously in agreement with a nominal path that satisfies the set of boundary conditions, and thus is considered to be safe. Thereafter, in a step 350, the nominal control signals are sent out to the motor vehicle for controlling the motor vehicle to move in agreement with the nominal path.

In a step 360 thereafter, the boundary conditions are updated aiming at confining the nominal path within limits that are given by the sensor signals and at least one safety policy. The at least one safety policy describes a respective mission-related rule to be followed during operation of the motor vehicle. The at least one safety policy, in turn, is provided based on a safety case that stipulates how the motor vehicle shall be controlled to meet a functional safety standard. In a step 370, the updated set of boundary conditions is stored in the data storage, and thereafter the procedure loops back to step 310.

Naturally, although the method according to the invention is performed in a general sequential order as shown in Figure 3, it should be pointed out that a subsequent step of the procedure may be initiated before a preceding step has ended. In fact, basically all steps are active all the time. For example, sensor signals are preferably received in step 310 with respect to a particular time interval while the boundary conditions are updated in step 360 in relation to a set of safety-related parameters referring to a time interval preceding said particular time interval, and so on.
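As an added example serving both the Figure 2 description of the safety unit and control switch above and the Figure 3 loop just described (example code written for this page, not code from the patent or from Scania), the following Python models one cycle of the method: sensor signals SS are turned into vehicle-health data H and an operation mode, the watch unit updates the boundary conditions {bc} from SS and the safety policy P, an auto control unit produces a nominal control signal that respects {bc}, and the safety unit raises Ctrl so that the control switch forwards a safety control signal SCS instead of NCS when the failure-risk threshold is exceeded. The fault identifiers, the halving of the speed limit in the second operation mode, the headway-based spacing rule, the controlled stop used as safe path, and the treatment of steps 330 and 360 as one update are all assumptions constructed for the example; the nominal control signal is reduced to a single target speed for readability.

```python
from dataclasses import dataclass

# Constructed example: one cycle of the watch-unit / control-bank loop.
# Every identifier, threshold and number below is an assumption made for
# illustration; none is taken from the patent.


@dataclass(frozen=True)
class SafetyPolicy:            # P, provided via the first data-interface unit
    speed_limit_mps: float     # speed limit the vehicle shall keep
    min_follow_distance_m: float
    time_gap_s: float          # assumed headway used to scale the distance rule


@dataclass(frozen=True)
class SensorSignals:           # SS, current status of the vehicle
    speed_mps: float
    distance_to_lead_m: float
    faults: frozenset          # constructed fault identifiers


@dataclass(frozen=True)
class BoundaryConditions:      # {bc}, as held in the data storage
    max_speed_mps: float
    min_follow_distance_m: float


# Assumed mapping from fault status to the four operation modes.
CRITICAL_FAULTS = frozenset({"brake_pressure_loss", "steering_loss"})
LIMITING_FAULTS = frozenset({"lidar_degraded", "camera_blocked"})


def operation_mode(ss):
    """Vehicle-health data H expressed as one of the four operation modes."""
    if ss.faults & CRITICAL_FAULTS:
        return 3 if ss.speed_mps > 0.0 else 4   # bring to / remain in minimal-risk condition
    if ss.faults & LIMITING_FAULTS:
        return 2                                # capability limited, but not critically
    return 1                                    # capability unimpeded


def watch_unit(ss, policy, mode):
    """Commands {cmd} that update {bc} from SS and P (steps 330 and 360)."""
    max_speed = policy.speed_limit_mps
    if mode == 2:
        max_speed = min(max_speed, 0.5 * policy.speed_limit_mps)  # assumed degraded limit
    min_dist = max(policy.min_follow_distance_m, policy.time_gap_s * ss.speed_mps)
    return BoundaryConditions(max_speed, min_dist)


def control_bank(ss, bc, cruise_mps):
    """One auto control unit producing a nominal target speed (NCS) within {bc} (step 340)."""
    target = min(cruise_mps, bc.max_speed_mps)
    if ss.distance_to_lead_m < bc.min_follow_distance_m:
        target = min(target, ss.speed_mps - 2.0)   # ease off to regain the required spacing
    return max(target, 0.0)


def nominal_is_safe(ncs, bc):
    """The nominal path is considered safe when it satisfies the boundary conditions."""
    return ncs <= bc.max_speed_mps


def safety_unit(mode, ncs, bc):
    """Return (Ctrl, SCS): the safe path, here a controlled stop, takes
    precedence when the failure-risk threshold is exceeded."""
    exceeded = mode >= 3 or not nominal_is_safe(ncs, bc)
    scs = 0.0 if exceeded else None
    return exceeded, scs


def control_switch(ctrl, ncs, scs):
    """Forward SCS instead of NCS to the vehicle when Ctrl is raised."""
    return scs if ctrl else ncs


def cycle(ss, policy, cruise_mps):
    """Run steps 310 to 370 once and report what reaches the vehicle."""
    mode = operation_mode(ss)
    bc = watch_unit(ss, policy, mode)
    ncs = control_bank(ss, bc, cruise_mps)
    ctrl, scs = safety_unit(mode, ncs, bc)
    return {"mode": mode, "bc": bc, "ncs": ncs, "ctrl": ctrl,
            "forwarded": control_switch(ctrl, ncs, scs)}


# Constructed sample policy and sensor readings.
POLICY = SafetyPolicy(speed_limit_mps=25.0, min_follow_distance_m=10.0, time_gap_s=2.0)
CLEAR_ROAD = SensorSignals(20.0, 60.0, frozenset())
CLOSE_LEAD = SensorSignals(20.0, 30.0, frozenset())
DEGRADED = SensorSignals(20.0, 60.0, frozenset({"lidar_degraded"}))
CRITICAL = SensorSignals(20.0, 60.0, frozenset({"brake_pressure_loss"}))

if __name__ == "__main__":
    for name, ss in [("clear", CLEAR_ROAD), ("close lead", CLOSE_LEAD),
                     ("degraded", DEGRADED), ("critical", CRITICAL)]:
        print(name, cycle(ss, POLICY, cruise_mps=30.0))
```

The point of the split is visible in the last two cases: a limiting fault never bypasses the auto control unit, it only tightens {bc}, whereas a critical fault makes the safety unit override the control bank entirely. Keeping that override in the switch rather than in the control units is what lets the units be updated without re-qualifying the override path.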

All of the process steps, as well as any sub-sequence of steps, described with reference to Figure 3 above may be controlled by means of at least one programmed processor. Moreover, although the embodiments of the invention described above with reference to the drawings comprise a processor and processes performed in at least one processor, the invention thus also extends to computer programs, particularly computer programs on or in a carrier, adapted for putting the invention into practice. The program may be in the form of source code, object code, a code intermediate between source and object code such as in partially compiled form, or in any other form suitable for use in the implementation of the process according to the invention. The program may either be a part of an operating system, or be a separate application. The carrier may be any entity or device capable of carrying the program. For example, the carrier may comprise a storage medium, such as a Flash memory, a ROM (Read Only Memory), for example a DVD (Digital Video/Versatile Disk), a CD (Compact Disc) or a semiconductor ROM, an EPROM (Erasable Programmable Read-Only Memory), an EEPROM (Electrically Erasable Programmable Read-Only Memory), or a magnetic recording medium, for example a floppy disc or hard disc. Further, the carrier may be a transmissible carrier such as an electrical or optical signal which may be conveyed via electrical or optical cable or by radio or by other means. When the program is embodied in a signal which may be conveyed directly by a cable or other device or means, the carrier may be constituted by such cable or device or means. Alternatively, the carrier may be an integrated circuit in which the program is embedded, the integrated circuit being adapted for performing, or for use in the performance of, the relevant processes.

The term "comprises/comprising" when used in this specification is taken to specify the presence of stated features, integers, steps or components. However, the term does not preclude the presence or addition of one or more additional features, integers, steps or components or groups thereof.

The invention is not restricted to the described embodiments in the figures, but may be varied freely within the scope of the claims.