Planner system recovery for autonomous vehicles
US-10782685-B1 · Sep 22, 2020 · US
Method and device for operating an automatically driving vehicle
US11745748B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11745748-B2 |
| Application number | US-202117148871-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 14, 2021 |
| Priority date | Jan 15, 2020 |
| Publication date | Sep 5, 2023 |
| Grant date | Sep 5, 2023 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
The disclosure provides a method for operating an automatically driving vehicle, wherein application instances are executed over several computational nodes, wherein recognized faults are reacted to by switching to redundant application instances and then reconfiguring the configuration to restore specified redundancy conditions and/or segregation conditions, wherein the vehicle is transitioned to a safe state using at least one failover apparatus when at least one specified redundancy condition and/or at least one segregation condition cannot be met by the reconfiguration, and/or a specified time for reconfiguration is exceeded, and/or an unrecoverable malfunction has been recognized, wherein the at least one failover apparatus plans an emergency trajectory using a trajectory planner, wherein sensor data are detected via separate signal lines and supplied to the at least one failover apparatus, and wherein control signals are generated and transmitted via separate control lines to an actuator system of the vehicle.
First claim
Opening claim text (preview).
What is claimed is: 1. A method for operating an automatically driving vehicle, comprising: executing active software application instances according to a specified configuration over more than two computational nodes, forming a distributed computing setup, wherein the specified configuration provides predefined redundancy conditions and/or predefined segregation conditions with respect to the distributed computing setup; monitoring the active application instances for a fault; determine a fault in one of the active application instances; in response to determining the fault, selectively switching a functionality of the active application instance having the fault to at least one redundant software application instance being executed on the computational nodes and reconfiguring the specified configuration to restore predefined redundancy conditions and/or predefined segregation conditions; determining a safe state upon at least one of the following conditions: one or more specified redundancy conditions cannot be met by the reconfiguration, at least one segregation condition cannot be met by the reconfiguration, a specified time for reconfiguration is exceeded, and an unrecoverable malfunction has been recognized; and in response to the safe state being determined, planning and executing an emergency trajectory. 2. The method of claim 1 , wherein planning and executing the emergency trajectory is conducted by at least one failover circuit and the at least one failover circuit obtains exclusive access to the actuator system of the vehicle in an emergency. 3. The method of claim 1 , wherein planning and executing the emergency trajectory is conducted by at least one failover circuit and the at least one failover circuit is operated in a robust housing. 4. The method of claim 1 , wherein planning and executing the emergency trajectory is conducted by at least one failover circuit and the at least one failover circuit is operated at a location in the vehicle protected from external influences and manipulations. 5. The method of claim 1 , wherein planning and executing the emergency trajectory is conducted by at least one failover circuit and the failover circuit comprises a trajectory planner and other functions of the at least one failover circuit are provided using a separate computing apparatus. 6. The method of claim 1 , wherein planning and executing the emergency trajectory is conducted by at least one failover circuit and the at least one failover circuit is supplied by a separate energy supply at least during an emergency. 7. The method of claim 1 , wherein planning and executing the emergency trajectory is conducted by at least one failover circuit and the at least one failover circuit is operated redundantly. 8. An autonomous vehicle driving system, wherein in the vehicle, active software application instances are executed according to a specified configuration over more than two computational nodes, forming a distributed computing setup, wherein the specified configuration provides predefined redundancy conditions and/or predefined segregation conditions with respect to the distributed computing setup, the autonomous vehicle driving system comprising: at least one failover circuit with separate signal lines to a sensor system of the vehicle and with separate control lines to an actuator system; wherein the system is configured to: monitor the active application instances for a fault; determine a fault in one of the active application instances; in response to determining the fault, selectively switching a functionality of the active application instance having the fault to at least one redundant software application instance being executed on the computational nodes and reconfiguring the specified configuration to restore the specified predefined redundancy conditions and/or the predefined segregation conditions; wherein the at least one failover circuit is configured to determine a safe state upon at least one of the following conditions: one of more specified redundancy conditions cannot be met by the reconfiguration, at least one segregation condition cannot be met by the reconfiguration, a specified time for reconfiguration is exceeded, and a malfunction has been recognized; wherein the at least one failover circuit comprises a trajectory planner circuit that is configured to plan and execute an emergency trajectory in response to the safe state being determined. 9. The device of claim 8 , wherein the at least one failover circuit has a robust housing. 10. The device of claim 8 , wherein the at least one failover circuit has a separate energy supply that is configured to supply the at least one failover circuit with energy at least during an emergency. 11. A vehicle comprising at least one system of claim 8 , wherein the at least one failover circuit is arranged at a location in the vehicle protected from external influences and manipulations. 12. The method of claim 2 , wherein planning and executing the emergency trajectory is conducted by at least one failover circuit and the at least one failover circuit is operated in a robust housing. 13. The method of claim 2 , wherein planning and executing the emergency trajectory is conducted by at least one failover circuit and the at least one failover circuit is operated at a location in the vehicle protected from external influences and manipulations. 14. The method of claim 3 , wherein planning and executing the emergency trajectory is conducted by at least one failover circuit and the at least one failover circuit is operated at a location in the vehicle protected from external influences and manipulations. 15. The method of claim 2 , wherein planning and executing the emergency trajectory is conducted by at least one failover circuit and the failover circuit comprises a trajectory planner and other functions of the at least one failover circuit are provided using a separate computing apparatus. 16. The method of claim 3 , wherein planning and executing the emergency trajectory is conducted by at least one failover circuit and the failover circuit comprises a trajectory planner and other functions of the at least one failover circuit are provided using a separate computing apparatus. 17. The method of claim 4 , wherein planning and executing the emergency trajectory is conducted by at least one failover circuit and the failover circuit comprises a trajectory planner and other functions of the at least one failover circuit are provided using a separate computing apparatus. 18. The method of claim 2 , wherein planning and executing the emergency trajectory is conducted by at least one failover circuit and the at least one failover circuit is supplied by a separate energy supply at least during an emergency. 19. The method of claim 3 , wherein planning and executing the emergency trajectory is conducted by at least one failover circuit and the at least one failover circuit is supplied by a separate energy supply at least during an emergency. 20. The method of claim 4 , wherein planning and executing the emergency trajectory is conducted by at least one failover circuit and the at least one failover circuit is supplied by a separate energy supply at least during an emergency.
Assignees
Inventors
Classifications
- B60W50/023Primary
Avoiding failures by using redundant parts · CPC title
Diagnosing or detecting failures; Failure detection models · CPC title
- B60W60/007Primary
Emergency override (Handing over between remote control and on-board control or handing over between remote control arrangements G05D1/227) · CPC title
specially adapted for safety · CPC title
Adapting to failures or work around with other constraints, e.g. circumvention by avoiding use of failed parts · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US11745748B2 cover?
- The disclosure provides a method for operating an automatically driving vehicle, wherein application instances are executed over several computational nodes, wherein recognized faults are reacted to by switching to redundant application instances and then reconfiguring the configuration to restore specified redundancy conditions and/or segregation conditions, wherein the vehicle is transitioned…
- Who is the assignee on this patent?
- Volkswagen Ag
- What technology area does this patent fall under?
- Primary CPC classification B60W50/023. Mapped technology areas include Operations & Transport.
- When was this patent published?
- Publication date Tue Sep 05 2023 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).