Method of a vehicle for context-dependent processing of a potential fault of a vehicle component and vehicle
The context-dependent fault processing method in vehicles addresses the inadequacies of conventional methods by tailoring fault handling to specific driving scenarios, enhancing safety through precise and adaptive error management.
Patent Information
- Authority / Receiving Office: DE · DE
- Patent Type: Patents
- Current Assignee / Owner: VOLKSWAGEN AG
- Filing Date: 2021-02-01
- Publication Date: 2026-06-18
AI Technical Summary
Conventional fault handling methods in vehicles, particularly for automated driving, fail to account for diverse and varied driving scenarios, leading to inadequate detection and processing of component faults, which can pose significant safety risks.
A context-dependent method for fault processing in vehicle components, determining the current context and identifying similar components to assess relevance, allowing for tailored fault handling strategies such as restarting, recalibrating, or shutting down components, and transitioning to emergency modes based on context-specific criteria.
Enhances safety by providing precise and application-specific error processing, adapting to varying driving conditions, and reducing the impact of faults in automated vehicles.
Description
[0001] The invention relates to a method for a vehicle to process a potential fault in a vehicle component in a context-dependent manner. Furthermore, the invention relates to a vehicle comprising at least one vehicle component and a control unit configured to carry out the method according to the invention.
[0002] Modern vehicles are complex technical systems with a multitude of interacting components. Detecting and processing faults in these components is crucial for safety, as even a single fault in one component can have critical consequences for the entire system. Therefore, reliable fault handling is particularly important for vehicles that transport passengers.
[0003] Especially in the field of autonomous driving, error detection and processing are of great importance. Automated vehicles offer numerous opportunities to improve driving safety and the driving experience for the driver. However, the driver's autonomy regarding driving decisions is increasingly being transferred to the vehicle or the control units operating within it. Ultimately, these developments will result in an automated vehicle that can maneuver completely without human intervention.
[0004] SAE J3016 categorizes automated vehicles into different levels. In SAE Level 4 and 5 autonomous vehicles, the systems responsible for autonomous driving operate partially or completely autonomously. This also means that driver intervention is either partially or not at all possible. In these cases, careful monitoring of all systems is essential to quickly and accurately detect and address errors and malfunctions.
[0005] Conventional fault handling methods typically compare the behavior of vehicle components under test with predefined static limits and, if a fault is detected, execute predefined fault handling protocols. However, the use of static limits and predefined fault handling protocols does not adequately address the diverse and varied requirements of different driving scenarios, especially in automated vehicles. For example, a sensor's performance in terms of driving safety during automated driving on a highway may differ from its performance in urban driving. Current methods for fault detection and processing do not adequately represent this diversity.
[0006] DE 10 2017 214 611 A1 discloses a method for checking a reaction signal of a vehicle component as well as a checking device and a motor vehicle.
[0007] DE 10 2018 204 848 A1 discloses a method and a device for operating a device, in particular a vehicle, in the event of a fault.
[0008] DE 10 2019 211 154 A1 discloses a method of a network server for maintaining vehicle components.
[0009] DE 10 2015 217 386 A1 discloses a method and system for operating a motor vehicle.
[0010] DE 10 2017 107 284 A1 discloses a method and control unit for monitoring a vehicle's electrical system.
[0011] DE 10 2015 218 326 A1 discloses a method for monitoring a battery.
[0012] The invention is based on the objective of enriching the state of the art and overcoming or at least reducing the disadvantages arising from it, and of providing an improved method for processing potential defects in vehicle components.
[0013] The problem according to the invention is solved by a method and vehicle according to the claims. Preferred embodiments are the subject of the dependent claims.
[0014] A first aspect of the invention relates to a method for a vehicle to process a potential defect in a vehicle component. For the purposes of this disclosure, a vehicle is preferably a means of transportation designed to transport persons and / or loads on Earth, in the air, and / or in space. Preferably, the vehicle is a passenger car with an internal combustion engine, an electric motor, or a hybrid engine. Particularly preferably, the vehicle is a vehicle designed for autonomous driving and, for example, designed for operation according to SAE Level 4 or 5. For the purposes of this disclosure, a defect is an unacceptable deviation of a feature from a predetermined requirement. Preferably, the potential defect of the vehicle component is determined contextually by the vehicle itself. The context-dependent determination of a potential defect is explained in detail below.
[0015] The method according to the invention includes, as one process step, determining the current context of the vehicle. The context preferably defines an environment and / or driving situation of the vehicle. For example, the context represents whether the vehicle is driving on a highway or in a city, whether it is day or night, and / or whether it is dry or raining. The context can also represent whether the vehicle is driving manually, semi-automated, or fully automated. The level of detail in representing an environment and / or driving situation of the vehicle through the context can vary. The context can be determined using data acquired within the vehicle and / or externally, as will be explained in more detail below.
[0016] Furthermore, the procedure identifies at least one similar vehicle component. In other words, it determines whether the vehicle has at least one component that is identical to the vehicle component under test. It is preferably determined whether the vehicle component is redundant. A vehicle component is preferably identified as similar if it is used or can be used for the same function as the vehicle component under test. It is also preferably identified as similar if it is structurally identical to the vehicle component under test.
[0017] If no similar vehicle component to the one under test is identified, a context-dependent relevance of the vehicle component is determined. The primary focus is on determining how relevant the vehicle component is to the safe operation of the vehicle in the current context. Based on this determined context-dependent relevance, either the potential fault of the vehicle component is addressed or an emergency operating mode of the vehicle is initiated.
[0018] Addressing a potential fault preferably involves identifying and implementing actions to either definitively resolve the fault or initially limit its impact. Furthermore, addressing a potential fault preferably includes countermeasures to reduce the likelihood of serious consequences. This addressing may include, for example, restarting the vehicle component, calibrating the vehicle component, resetting the vehicle component's settings, or shutting down the vehicle component. When a vehicle component is shut down, its tasks and / or functions are preferably transferred to another, preferably diverse, component of the vehicle. This diverse component may assume some of the functionalities of the affected vehicle component. The vehicle's emergency operating mode preferably brings the vehicle into a safe state. The transition to a safe state preferably involves providing a reduced number of emergency functionalities. Furthermore, the transition to a safe state preferably includes emergency braking and / or emergency shutdown of the vehicle.
[0019] If, in the inventive method, at least one similar vehicle component to the vehicle component to be tested is identified, then a context-dependent verification of the potential fault of the vehicle component is carried out taking into account the at least one similar vehicle component.
[0020] The method according to the invention advantageously enables more precise and application-specific error processing by taking into account the current context of the vehicle, leading to increased safety. In the prior art error processing method, the situation in which the vehicle finds itself at the time of error detection and processing was disregarded. However, context-dependent differences can be made in error processing. For example, if a vehicle's own near-field camera fails during a parking maneuver, aborting the maneuver, for instance by emergency braking, is one possible error handling method. However, if a failed near-field camera were also treated with emergency braking while the vehicle is on the highway, this error handling would pose a significant safety risk. According to the present invention, this circumstance is taken into account and an improved method for fault processing of vehicle components is provided, thus increasing the safety of the vehicle by taking into account the current context of the vehicle.
[0021] In a preferred embodiment of the method according to the invention, the context-dependent verification includes, as a process step, determining that no potential fault exists in the at least one identical vehicle component. In other words, during the context-dependent verification, it is determined that the at least one identical vehicle component is fault-free. Preferably, it is determined that a majority of the at least one identical vehicle component is fault-free. Subsequently, in a further process step, the potential fault of the vehicle component is addressed. This addressing preferably includes restarting the vehicle component, calibrating the vehicle component, resetting the settings of the vehicle component, and / or switching off the vehicle component. Particularly preferably, the treatment also includes transferring the tasks and / or functions of the vehicle component to at least one fault-free, similar vehicle component.
[0022] In a further preferred embodiment of the method according to the invention, the context-dependent verification includes, as a process step, determining whether a potential defect exists in the at least one similar vehicle component. This process step is preferably alternative to, and performed simultaneously with, the determination described above that no potential defect exists in the similar vehicle component. In other words, during the context-dependent verification, it is determined that the at least one similar vehicle component also has a potential defect. Preferably, it is determined that a majority of the at least one similar vehicle component has a potential defect. Subsequently, in a further process step, sample values and / or diagnostic values of the vehicle component and the at least one similar vehicle component are compared. Preferably, a sample and / or diagnostic value of the vehicle component is compared with a plurality of sample and / or diagnostic values of at least one similar vehicle component. Sample values are always compared with sample values, or diagnostic values with diagnostic values.
[0023] Based on the results of the comparison of the sample and / or diagnostic values, the inventive method either rejects the potential fault of the vehicle component under test or determines a context-dependent relevance of the vehicle component under test. If a context-dependent relevance is determined, then, as described above, either the potential fault of the vehicle component is addressed or an emergency operating mode of the vehicle is initiated based on this relevance. If the potential fault is rejected, the inventive method is preferably restarted by determining a further potential fault of the vehicle component, with adjustments to the fault determination being made as necessary.
[0024] In a further preferred embodiment of the method according to the invention, when comparing the sample and / or diagnostic values, it is determined whether the sample and / or diagnostic value of the vehicle component to be tested lies within a range of variation of sample and / or diagnostic values of at least one similar vehicle component. The range of variation is preferably the range in which a majority of the sample and / or diagnostic values of the at least one similar vehicle component lie. The range of variation is defined, for example, as an interval around an expected value or median of the diagnostic values. The range of variation is defined, for example, by the interquartile range. Alternatively, intervals between other quantiles can be chosen as the range of variation, for example, the interval between the tertiles. The potential fault of the vehicle component is rejected if the sample and / or diagnostic value of the vehicle component under test lies within a range of variation of sample and / or diagnostic values of at least one similar vehicle component. Otherwise, the context-dependent relevance of the vehicle component under test is determined. If its context-dependent relevance is determined, then, as described above, either the potential fault of the vehicle component is addressed or an emergency operating mode of the vehicle is initiated based on the relevance. If the potential fault is rejected, the inventive method is preferably restarted by determining a further potential fault of the vehicle component, with adjustments to the fault determination being made as necessary.
[0025] A further preferred embodiment of the method according to the invention provides that the determination of a potential defect in a vehicle component is carried out in a context-dependent manner. Preferably, the potential defect of the vehicle component is determined in this way. Equally preferred is the determination of the potential defect of at least one similar vehicle component in this way.
[0026] Determining the potential defect initially involves determining a sample value of the vehicle component within at least one determined metric. For the purposes of this disclosure, a metric is preferably a reference system for measuring quantifiable quantities. Preferably, at least one suitable metric is assigned to each vehicle component for monitoring. Preferably, this assignment is made during the manufacturing of the respective vehicle component. The metrics assigned to each vehicle component are preferably stored in a first lookup table (LUT). Preferably, the component-specific metric is determined by looking it up in the LUT. The metric is preferably a scale for plotting a measured value from a sensor, an estimated data volume in a line and / or memory, expected outputs from a software component, RAM and / or CPU usage, vehicle speed and / or acceleration, current, voltage, and / or temperature. In other words, the metric provides a space for each vehicle component in which sample values relating to that component can be plotted against each other and compared. Particularly preferably, each metric is defined by a standard, especially a distance standard, for comparing sample values. Preferably, the sample value within the determined metric is determined as an output of the vehicle component during its operation. Alternatively, and more preferably, the vehicle component is stimulated with an input to determine the sample value. Furthermore, the sample value is preferably determined using a sensor on the vehicle component.
[0027] Furthermore, during the determination of the potential fault, a set of limit values within the determined metric is determined depending on the current context. Preferably, a lower and an upper context-dependent limit value are determined within the determined metric. The context-dependent limit values are preferably stored in a second LUT. Preferably, the first and second LUTs are parts of a single LUT. Preferably, the set of limit values is determined by looking them up in the LUT. The LUT is preferably stored locally in the vehicle's memory or retrieved from a network server. The vehicle is preferably configured to manage and update the LUT. When the inventive method is restarted after the potential fault of the vehicle component has been rejected, the vehicle preferably updates the limit values in the LUT based on feedback. Preferably, the limit values are updated such that the sample value associated with the rejected potential fault lies within the updated limit values. Also preferably, the limit values are updated such that the diagnostic value associated with the rejected potential fault lies between 0 and 1 when determined based on the updated limit values. Preferably, the limit values are updated such that a majority of the sample values of at least one similar vehicle component lie within the updated limit values. Furthermore, preferably, the limit values are updated such that a majority of diagnostic values determined using the majority of sample values and the updated limit values lie between 0 and 1. The server is also preferably configured to manage and update the LUT. Preferably, the server communicates with a multitude of vehicles performing the inventive method and updates the LUT based on feedback from these vehicles. Managing the LUT via a network server or the vehicle itself thus advantageously leads to continuous adaptation and improvement of the LUT and, consequently, the limit values used.
[0028] Preferably, during the determination of the potential fault, a plurality of metrics for monitoring the vehicle component are determined, and for each of the plurality of metrics, a sample value and a set of context-dependent limit values are defined. Preferably, the determination of the potential fault is carried out using each of the plurality of metrics. Using multiple metrics per vehicle component allows for a multidimensional definition of context-dependent fault states, which advantageously further increases the application-specificity of fault detection. Furthermore, the statistical relevance of the fault determination can be increased by using multiple metrics.
[0029] In a further step, a diagnostic value is preferably determined as the quotient of the difference between the determined sample value and the lower limit value, and the difference between the upper limit value and the lower limit value. In other words, the diagnostic value is calculated as the result of the following formula:

$$\text{Diagnostic value} = \frac{\text{Sample value} - \text{lower limit value}}{\text{upper limit value} - \text{lower limit value}}$$
[0030] In other words, the diagnostic value is formed by normalizing the sample value to the set of limit values.
[0031] By determining the diagnostic value according to the preferred embodiment described above, the inventive method advantageously allows for the determination of scaled diagnostic values for all vehicle components. The diagnostic value thus advantageously enables the comparison of vehicle components monitored using different metrics. This allows for the straightforward determination of the overall vehicle condition. Furthermore, determining the diagnostic value has the advantage that such a value also allows for a more precise assessment of the vehicle components' condition. For example, if a decision must be made between two redundant vehicle components, the diagnostic value is advantageous if it is determined as a floating-point number. Between two vehicle components with diagnostic values of 0.9 and 0.6, the decision will favor the second vehicle component. Both diagnostic values are valid; however, the second is closer to the optimal diagnostic value of 0.5, which defines optimal functionality.
[0032] In a further preferred embodiment, a potential error is determined if the sample value is not within the determined limit values and / or if the diagnostic value does not have a value between 0 and 1.
[0033] The preferred configurations described above advantageously enable more precise and application-specific fault detection through the use of context-dependent limit values of a component-specific metric. This advantageously leads to increased vehicle safety. In the prior art method for fault detection by testing a vehicle component, the situation in which the vehicle is located at the time of testing was disregarded. However, it is possible that a vehicle component's behavior is fault-free or even desirable in one context, while the same behavior would be dangerous in another. For example, if a vehicle control unit sets a speed of 130 km / h on the highway, this is perfectly normal behavior. However, if this occurs in a pedestrian zone, a fault must be assumed. According to the present invention, this circumstance is taken into account and an improved fault detection of vehicle components is provided, thus increasing the safety of the vehicle by taking the current context of the vehicle into account.
[0034] In a preferred embodiment of the method according to the invention, the context is defined as a function of a plurality of parameters characterizing the vehicle's environment and / or driving situation. The vehicle's environment is preferably characterized by parameters relating to the vehicle's surroundings, such as geographical data, weather data, traffic data, and legal requirements. A driving situation is preferably characterized by parameters relating to the vehicle itself, such as the state of the assistance systems, an SAE level, the number of passengers, the range, or the distance remaining. The parameters are preferably determined by means of vehicle sensors and / or based on external inputs. The context can be determined by the vehicle itself and / or by an external server. The context preferably consists of a plurality of subcontexts. A subcontext preferably includes a single feature of the vehicle's environment and / or driving situation, such as the weather or road type. Preferably, the context corresponds to an operational design domain (ODD) determined by the vehicle. According to the SAE J3016 standard, an ODD comprises the conditions under which a specific automated driving system or a function thereof is specifically designed to operate.
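The context-dependent fault determination of paragraphs [0026] to [0033] can be sketched as follows. This is an added example, not code from the patent: the LUT keys, the limit values, the function names and the inclusive reading of "between 0 and 1" are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Limits:
    lower: float
    upper: float


# Constructed LUT: (component, metric, context) -> context-dependent limits.
# Component names, contexts and numbers are illustrative, not from the patent.
LIMIT_LUT: Dict[Tuple[str, str, str], Limits] = {
    ("speed_controller", "set_speed_kmh", "highway"): Limits(0.0, 140.0),
    ("speed_controller", "set_speed_kmh", "pedestrian_zone"): Limits(0.0, 10.0),
}


def diagnostic_value(sample: float, limits: Limits) -> float:
    """Normalize the sample value to the set of limit values ([0029])."""
    span = limits.upper - limits.lower
    if span <= 0:
        raise ValueError("upper limit must be greater than lower limit")
    return (sample - limits.lower) / span


def evaluate(component: str, metric: str, context: str, sample: float,
             lut: Dict[Tuple[str, str, str], Limits] = LIMIT_LUT) -> Tuple[float, bool]:
    """Return (diagnostic value, potential_fault) for the current context.

    Assumption: a missing LUT entry is reported as an error instead of
    silently falling back to limits from another context.
    """
    try:
        limits = lut[(component, metric, context)]
    except KeyError:
        raise LookupError(
            f"no limits for {component}/{metric} in context {context}") from None
    d = diagnostic_value(sample, limits)
    # Assumption: "between 0 and 1" is read as the closed interval [0, 1].
    return d, not (0.0 <= d <= 1.0)


def prefer_component(diagnostics: Dict[str, float]) -> str:
    """Among redundant components, pick the valid one closest to 0.5 ([0031])."""
    valid = {name: d for name, d in diagnostics.items() if 0.0 <= d <= 1.0}
    if not valid:
        raise ValueError("no component with a valid diagnostic value")
    return min(valid, key=lambda name: abs(valid[name] - 0.5))


def widen_limits(limits: Limits, rejected_sample: float) -> Limits:
    """Update limits so the sample of a rejected fault lies within them ([0027])."""
    return Limits(min(limits.lower, rejected_sample),
                  max(limits.upper, rejected_sample))


if __name__ == "__main__":
    # The same set speed of 130 km/h in the two contexts named in [0033].
    for ctx in ("highway", "pedestrian_zone"):
        d, fault = evaluate("speed_controller", "set_speed_kmh", ctx, 130.0)
        print(f"{ctx}: diagnostic value {d:.2f}, potential fault: {fault}")
    print(prefer_component({"first": 0.9, "second": 0.6}))
```
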
[0035] The error handling described above is always performed when the determined relevance falls below a predetermined relevance threshold. Furthermore, the emergency operating mode described above is always initiated when the determined relevance exceeds a predetermined relevance threshold.
[0036] Relevance is determined by considering an acceptable failure rate of the vehicle component in the current context and / or the availability of diverse vehicle components in the current context. Preferably, relevance is determined to be low if a high failure rate of the vehicle component is acceptable in the current context. Furthermore, relevance is preferably calculated as low if at least one diverse or similar vehicle component is available in the current context. The available similar vehicle component is preferably fault-free. A diverse vehicle component is preferably not identical in construction to the vehicle component but can perform the same tasks and / or functions as the vehicle component in the current context. For example, a LiDAR sensor for distance measurement during parking could also be replaced by an ultrasonic sensor, since long measurement ranges are not required in this context. Furthermore, relevance is preferably determined by considering an event tree analysis. The event tree analysis preferably identifies possible consequences of a potential failure of the vehicle component. Relevance is preferably determined to be low if the identified consequences are classified as not safety-relevant.
[0037] Another aspect of the invention relates to a vehicle, in particular a passenger car with an internal combustion, electric, or hybrid engine. The vehicle is particularly preferably a vehicle designed for automated driving and, for example, configured for operation according to SAE Level 4 or 5. The vehicle preferably comprises a vehicle component. Furthermore, the vehicle comprises a control unit configured to perform the previously described inventive method for processing a potential fault in the vehicle component.
[0038] A preferred embodiment of the vehicle according to the invention comprises a plurality of vehicle components. The control unit is preferably configured to perform a method as described above for each of the plurality of vehicle components.
[0039] Preferably, the control unit performs the procedure by determining a diagnostic value, as described above. Preferably, the control unit is configured to assign a diagnostic value determined in the respective procedure to each of the plurality of vehicle components. Preferably, the control unit is further configured to determine an overall condition of the vehicle based on the determined diagnostic values.
[0040] Another aspect of the invention relates to a computer program comprising instructions which, when the program is executed by a computer, such as a control unit of a motor vehicle, cause it to execute the method according to the invention as described above.
[0041] Another aspect of the invention relates to a computer-readable storage medium comprising instructions which, when executed by a computer, such as a control unit of a motor vehicle, cause it to execute the method according to the invention as described above.
[0042] Unless otherwise stated in individual cases, the various embodiments of the invention mentioned in this application can be advantageously combined with one another.
[0043] The invention is explained below using exemplary embodiments with reference to the accompanying drawings. These show: Fig. 1 a schematic flowchart of a method according to the invention; Fig. 2 a schematic flowchart of part of a method according to the invention in an exemplary embodiment; Fig. 3 a schematic flowchart of a determination of a potential fault according to an exemplary embodiment of a process step according to the invention; Fig. 4a a graphical representation of an exemplary sample value determined over a period of time and static limit values; Fig. 4b a graphical representation of an exemplary sample value determined over a period of time and context-dependent limit values and Fig. 5 a schematic representation of a motor vehicle according to the invention in one embodiment.
[0044] Fig. 1 shows a schematic flowchart of a method according to the invention for processing a potential fault in a vehicle component. In this exemplary embodiment, the potential fault of the vehicle component is determined context-dependently by the vehicle itself. The context-dependent determination of a potential fault is shown in Fig. 3 and will be explained in more detail below.
[0045] In a fifth process step, S5, the current context of the vehicle is first determined. This context defines, in particular, the vehicle's environment and / or driving situation. Furthermore, process step S5 determines whether at least one similar vehicle component is present.
[0046] If no similar vehicle component is identified in process step S5, the procedure follows the third path W2a, and in the sixth process step S6, a context-dependent relevance of the vehicle component is determined. Specifically, process step S6 determines how relevant the vehicle component is for the safe operation of the vehicle in the current context.
[0047] If the relevance is determined to be low in process step S6, particularly if it falls below a predetermined relevance threshold, the process follows the fifth path, W3a. In the seventh process step, S7a, the potential fault of the vehicle component is then addressed. This addressing may include, for example, restarting the vehicle component, calibrating the vehicle component, resetting the vehicle component's settings, or shutting down the vehicle component while simultaneously transferring its tasks to a diverse vehicle component.
[0048] If the relevance in process step S6 is determined to be high, i.e., if it exceeds a predetermined relevance threshold, the process follows the sixth path, W3b. Then, in the next process step, S7b, an emergency operating mode of the vehicle is initiated. This emergency operating mode ensures, in particular, that the vehicle is brought into a safe state, for example, by providing only a reduced number of emergency functionalities, performing emergency braking, or shutting down the vehicle.
[0049] If at least one similar vehicle component is identified in process step S5, the procedure follows the fourth path W2b. In the eighth process step S8, a context-dependent verification of the potential fault of the vehicle component is then initiated, in particular a context-dependent verification taking into account the at least one similar vehicle component.
[0050] The context-dependent verification according to an exemplary embodiment of the method according to the invention is shown schematically in Fig. 2. A ninth process step, S9, involves determining whether a potential defect exists in at least one similar component. If process step S9 determines that no potential defect exists in at least one similar vehicle component, the process follows an eighth path, W4b. Subsequently, in process step S7b, the potential defect of the vehicle component is addressed as described previously. In this case, addressing the potential defect preferably involves transferring the tasks and / or functions of the vehicle component to the at least one similar vehicle component that was determined to be defect-free in process step S9.
[0051] If, in procedure step S9, it is determined that a potential fault exists in at least one similar vehicle component, in particular that a majority of the at least one similar vehicle component has a potential fault, the procedure follows a seventh path W4a.
[0052] Subsequently, in a tenth process step S10, a sample and / or diagnostic value of the vehicle component is compared with a plurality of sample and / or diagnostic values of at least one similar vehicle component. In particular, it is determined whether the sample and / or diagnostic value of the vehicle component lies within a range of variation among sample and / or diagnostic values of at least one similar vehicle component. The range of variation is the area in which a majority of the diagnostic values of at least one similar vehicle component lie.
[0053] If the sample and / or diagnostic value of the vehicle component lies within a range of sample and / or diagnostic values of at least one similar vehicle component, the method follows a ninth path W5a. In an eleventh process step S11, the potential fault of the vehicle component is then discarded, and the method according to the invention is restarted by determining another potential fault of the vehicle component. Here, the context-dependent limit values of the fault detection (see below) are adjusted based on the range of variation of similar vehicle components determined in step S10.
[0054] If, in process step S10, it is determined that the sample and / or diagnostic value of the vehicle component is outside the range of variation of the sample and / or diagnostic values of at least one similar vehicle component, the process follows a tenth path, W5b. In process step S6, a context-dependent relevance is then determined as described above. Based on the determined relevance, also as described above, the process then either follows the fifth path, W3a, and in process step S7a the potential fault of the vehicle component is addressed, or it follows the sixth path, W3b, and in process step S7b an emergency operating mode of the vehicle is initiated.
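The decision flow of Fig. 1 and Fig. 2 (steps S5 to S11) can be sketched as follows. This is an added example, not code from the patent: the class and function names, the numeric relevance scale, the tie-breaking choices and the sample values are assumptions, and the interquartile range is used as the range of variation, which the description names as one option.

```python
from dataclasses import dataclass
from enum import Enum
from statistics import quantiles
from typing import List, Optional, Tuple


class Outcome(Enum):
    ADDRESS_FAULT = "address fault (restart, calibrate, reset, shut down)"
    EMERGENCY_MODE = "initiate emergency operating mode"
    REJECT_FAULT = "reject fault and adjust context-dependent limits"


@dataclass
class Peer:
    """A similar vehicle component with its current diagnostic value."""
    name: str
    diagnostic_value: float

    @property
    def faulty(self) -> bool:
        # Assumption: valid diagnostic values lie in the closed interval [0, 1].
        return not (0.0 <= self.diagnostic_value <= 1.0)


@dataclass
class Decision:
    outcome: Outcome
    handover_to: Optional[str] = None  # fault-free peer taking over the tasks


def variation_range(values: List[float]) -> Tuple[float, float]:
    """Interquartile range of the peers' values (one option named in [0024])."""
    if len(values) < 2:
        return values[0], values[0]
    q1, _, q3 = quantiles(values, n=4, method="inclusive")
    return q1, q3


def by_relevance(relevance: float, threshold: float) -> Decision:
    """S6: low relevance -> address the fault, otherwise emergency mode.

    Assumption: relevance equal to the threshold is treated as high.
    """
    if relevance < threshold:
        return Decision(Outcome.ADDRESS_FAULT)
    return Decision(Outcome.EMERGENCY_MODE)


def process_fault(own_value: float, peers: List[Peer],
                  relevance: float, threshold: float) -> Decision:
    # S5: no similar component -> decide on context-dependent relevance alone.
    if not peers:
        return by_relevance(relevance, threshold)
    # S9: assumption: only a strict majority of faulty peers leads to S10.
    healthy = [p for p in peers if not p.faulty]
    if 2 * (len(peers) - len(healthy)) <= len(peers):
        # Hand over to the healthy peer closest to the optimum of 0.5 ([0031]).
        best = min(healthy, key=lambda p: abs(p.diagnostic_value - 0.5))
        return Decision(Outcome.ADDRESS_FAULT, handover_to=best.name)
    # S10: compare own value with the peers' range of variation.
    low, high = variation_range([p.diagnostic_value for p in peers])
    if low <= own_value <= high:
        return Decision(Outcome.REJECT_FAULT)  # S11
    return by_relevance(relevance, threshold)  # back to S6


# Constructed sample: four similar cameras that all read above their limits.
DEGRADED_PEERS = [Peer("cam_fl", 1.10), Peer("cam_fr", 1.15),
                  Peer("cam_rl", 1.20), Peer("cam_rr", 1.25)]

if __name__ == "__main__":
    print(process_fault(1.18, DEGRADED_PEERS, relevance=0.8, threshold=0.5))
    print(process_fault(1.60, DEGRADED_PEERS, relevance=0.8, threshold=0.5))
```

A value of 1.18 lies inside the peers' interquartile range and is rejected as a fault of the individual component, which is the case in which the description adjusts the context-dependent limits; 1.60 lies outside and is escalated by relevance.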
[0055] Fig. 3 shows a schematic flowchart of the process for determining a potential defect according to an exemplary embodiment of the method according to the invention. In the first process step S1, a component-specific metric and a current context of the vehicle are determined. In the first part of the second process step S2a, a sample value is determined within the determined metric. In the second part of the process step S2b, a set of limit values is then determined depending on the context determined in the first process step S1.
[0056] The third procedure step, S3, follows, in which a diagnostic value is determined. The diagnostic value is calculated as the quotient of the difference between the determined sample value and the lower limit value, and the difference between the upper limit value and the lower limit value. The diagnostic value is therefore determined as the result of the following formula:
$$\text{Diagnostic value} = \frac{\text{Sample value} - \text{lower limit value}}{\text{upper limit value} - \text{lower limit value}}$$
[0057] If the determined diagnostic value in process step S3 is not between 0 and 1, the process follows the first path W1a. In the fourth process step S4, context-dependent processing of the determined error is then initiated, as explained in detail above. If the diagnostic value is classified as valid, the process follows the second path W1b. In this case, no error was determined. The process then begins again in the first part of the second process step S2a by determining the sample value.
[0058] Fig. 4a and Fig. 4b illustrate, using graphical examples, how a sample value P and limit values G1, G2, G1', G2' are determined and compared over a period of time. Fig. 4a shows static limit values G1', G2', and Fig. 4b shows context-dependent limit values G1, G2.
[0059] The sample value P is determined within a defined metric. In the inventive method, this metric is determined specifically for the vehicle component being monitored. Sensors, for example, typically have defined operating ranges. This operating range can be used to indicate whether the data supplied by the sensor is correct. Switches are equipped with message buffers to process multiple messages. The maximum number of messages in the buffer is known. Therefore, monitoring the number of messages in the buffer can detect a potential overload of the switch. Applications required for vehicle operation perform actions on a set of input parameters and provide an output, which can be used as a metric to monitor the respective application. It is also possible to monitor a vehicle component using multiple metrics. For example, both utilization and throughput can be used as metrics for a software component. In such a case, the method according to the invention is preferably carried out with the majority of metrics.
[0060] In the example of Fig. 4a and Fig. 4b, a vehicle control unit is to be monitored. The control unit's output includes, for example, instructions that control the vehicle's longitudinal and lateral movement. Therefore, an output for a set vehicle speed was determined as an example metric.
[0061] The sample value P determined within the metric is represented as a solid line. It initially rises rapidly, then decreases over time until it experiences a brief, sharp increase. This increase in the determined sample value P is marked with a lightning bolt, as it indicates an error F in the control unit.
[0062] Fig. 4a shows how the sample value P is compared with a set of static limit values G1', G2', which are represented as dashed lines. The lower limit value G2' has the value 0 km/h and the upper limit value G1' has the value of the vehicle's maximum speed. The sample value P lies consistently between the static limit values G1', G2', which means that the error F is not determined.
[0063] In Fig. 4b, the sample value P is compared with a set of context-dependent limits G1 and G2. The lower limit G2 is set to 0 km/h. The upper limit G1 takes on different values depending on the context K1, K2, and K3. In the first context K1, the vehicle is on a motorway without a speed limit. Therefore, the upper limit G1 is set to the vehicle's maximum speed. In the second context K2, the vehicle is in a city, so the upper limit G1 is set to 50 km/h. In the third context K3, the vehicle is in a parking lot, so the upper limit G1 is set to walking speed. Now, in the third context K3, the sample value P lies outside the limits G1 and G2. The error F is determined and can be addressed.
[0064] The example shown in Fig. 4a and Fig. 4b illustrates the advantage of context-dependent fault detection in the method according to the invention. The method enables a more precise determination of faults F in vehicle components and therefore advantageously leads to increased vehicle safety. To enable more accurate fault detection, a context K1, K2, K3 consists, in particular, of a plurality of subcontexts. If, for example, context K1 were to include, in addition to the subcontext "highway," also the subcontext "rain" or "traffic jam," the upper limit value G1 would be set to a lower speed.
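The comparison of Fig. 4a and Fig. 4b can be reproduced in a few lines. This is an added example, not code from the patent: the speed figures for maximum speed, walking speed, "rain" and "traffic_jam", the rule that the strictest subcontext cap sets G1, the inclusive reading of "between 0 and 1", and the trace itself are assumptions.

```python
V_MAX = 250.0    # assumed maximum vehicle speed in km/h (page gives no figure)
WALKING = 7.0    # assumed walking speed in km/h (page gives no figure)
LOWER = 0.0      # lower limit G2 = G2' = 0 km/h, as stated on the page

# Upper-limit cap per subcontext; the "rain" and "traffic_jam" caps are assumed.
SUBCONTEXT_CAP = {
    "motorway": V_MAX, "city": 50.0, "parking": WALKING,
    "rain": 120.0, "traffic_jam": 30.0,
}

def context_limits(subcontexts):
    """S2b: limits (G2, G1) for a context given as a set of subcontexts.
    Assumed rule: the strictest subcontext cap becomes the upper limit."""
    return LOWER, min(SUBCONTEXT_CAP[s] for s in subcontexts)

def diagnostic_value(sample, lower, upper):
    """S3: (sample - lower limit) / (upper limit - lower limit)."""
    if upper <= lower:
        raise ValueError("upper limit must exceed lower limit")
    return (sample - lower) / (upper - lower)

def flagged(trace, static=False):
    """Indices of samples whose diagnostic value leaves [0, 1] (path W1a).
    static=True applies the fixed limits G1', G2' of Fig. 4a instead."""
    hits = []
    for i, (subcontexts, sample) in enumerate(trace):
        lower, upper = (LOWER, V_MAX) if static else context_limits(subcontexts)
        if not 0.0 <= diagnostic_value(sample, lower, upper) <= 1.0:
            hits.append(i)
    return hits

# Constructed trace of (context, set speed in km/h) following the curve of P.
TRACE = [
    ({"motorway"}, 180.0),
    ({"motorway"}, 130.0),
    ({"city"}, 48.0),
    ({"city"}, 30.0),
    ({"parking"}, 5.0),
    ({"parking"}, 40.0),   # brief sharp increase: error F
    ({"parking"}, 4.0),
]

if __name__ == "__main__":
    print("static limits flag:", flagged(TRACE, static=True))
    print("context limits flag:", flagged(TRACE))
    print("motorway in rain:", flagged([({"motorway", "rain"}, 180.0)]))
```

An unknown subcontext raises `KeyError` rather than silently falling back to the widest limit.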
[0065] Fig. 5 shows a schematic representation, in particular a block diagram, of an exemplary vehicle 1, specifically a two-track motor vehicle with an internal combustion, electric, or hybrid engine. The vehicle 1 is specifically designed to perform autonomous driving at SAE Level 4 or 5. The vehicle 1 comprises a multitude of vehicle components.
[0066] A plurality of first sensors, specifically a first sensor 11, a second sensor 12, and a third sensor 13, form part of the vehicle components. The first sensors 11, 12, and 13 are configured to acquire environmental data of the vehicle 1 and include, for example, a camera for capturing an image of the roadway, traffic signs, and/or lane markings in front of the vehicle 1; distance sensors, such as ultrasonic sensors, for detecting distances to objects surrounding the vehicle 1; thermometers for detecting the vehicle's ambient temperature; and/or a rain sensor for detecting weather data. The first sensors 11, 12, and 13 transmit the environmental signals they acquire to a control unit 40 of the vehicle 1.
[0067] The vehicle 1 also has several secondary sensors as additional vehicle components, in particular a fourth sensor 21, a fifth sensor 22, and a sixth sensor 23. The secondary sensors 21, 22, and 23 are sensors for determining vehicle data relating to the vehicle 1 itself, in particular current position and movement information of the vehicle 1. The secondary sensors are therefore, for example, speed sensors, acceleration sensors, tilt sensors, or the like. The secondary sensors 21, 22, and 23 transmit the status signals they detect to the control unit 40 of the vehicle 1.
[0068] Another vehicle component is a communication module 30 with a memory 31 and one or more transponders or receivers 32. The transponder 32 is a radio, WLAN, GPS, or Bluetooth receiver, or the like, in particular a transponder configured for communication in a communication network. The transponder communicates with the internal memory 31 of the communication module 30, for example, via a suitable data bus. Using the transponder 32, the current position of the vehicle 1 can, for example, be determined by communication with a GPS satellite 51 and stored in the internal memory 31. Furthermore, the communication module 30 is configured to communicate with another vehicle 52 via V2V communication, preferably via a communication network 53. Furthermore, the communication module 30 can also be configured to communicate with a server of the communication network 53. The communication module 30 also communicates with the control unit 40. In particular, it transmits received data to the control unit and/or receives data to be sent from it.
[0069] The communication network 53 is preferably a network conforming to the 3GPP standard, for example, an LTE, LTE-A (4G), or 5G communication network. The communication network may also be designed for the following operations or conform to the following standards: High Speed Packet Access (HSPA), a Universal Mobile Telecommunication System (UMTS), UMTS Terrestrial Radio Access Network (UTRAN), evolved-UTRAN (e-UTRAN), Global System for Mobile Communication (GSM), Enhanced Data Rates for GSM Evolution (EDGE), or GSM/EDGE Radio Access Network (GERAN). Alternatively or additionally, the communication network may also be designed according to one of the following standards: Worldwide Inter-operability for Microwave Access (WiMAX) network IEEE 802.16 or Wireless Local Area Network (WLAN) IEEE 802.11. The communication network also preferably uses one of the following encoding methods: Orthogonal Frequency Division Multiple Access (OFDMA), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA), Wideband-CDMA (WCDMA), Frequency Division Multiple Access (FDMA) or Spatial Division Multiple Access (SDMA), etc.
[0070] The vehicle 1 further comprises a control unit 40 according to the invention, which is configured for fully automated driving operation, in particular for longitudinal and lateral control of the vehicle 1. For this purpose, the control unit 40 has an internal memory 41 and a CPU 42, which communicate with each other, for example via a suitable data bus. In addition, the control unit 40 is in communication connection with at least the first sensors 11, 12, 13, the second sensors 21, 22, 23 and the communication module 30, for example via one or more respective CAN connections, one or more respective SPI connections or other suitable data connections. The control unit 40 is also specifically configured to carry out the method according to the invention, described in detail above, for each of the plurality of vehicle components.
Reference symbol list
- 1 vehicle
- 11 first sensor
- 12 second sensor
- 13 third sensor
- 21 fourth sensor
- 22 fifth sensor
- 23 sixth sensor
- 30 communication units
- 31 storage
- 32 transponders
- 40 control unit
- 41 internal storage
- 42 CPU
- 51 satellite
- 52 more vehicles
- 53 network
- S1 first process step
- S2a first part of the procedure step
- S2b second part of the procedure step
- S3 third process step
- S4 fourth process step
- S5 fifth process step
- S6 sixth procedure step
- S7a seventh procedure step
- S7b next procedure step
- S8 eighth procedure step
- S9 ninth procedure step
- S10 tenth procedure step
- S11 eleventh procedure step
- K1 first context
- K2 second context
- K3 third context
- W1a first way
- W1b second way
- W2a third way
- W2b fourth way
- W3a fifth way
- W3b sixth way
- W4a seventh way
- W4b eighth way
- W5a ninth way
- W5b tenth way
- F error
- P sample value
- G1 upper context-dependent limit
- G1' upper static limit
- G2 lower context-dependent limit
- G2' lower static limit
Claims
1. A method of a vehicle (1) for processing a potential failure of a vehicle component, the method comprising the following steps:
- Determining (S5) a current context (K1, K2, K3) of the vehicle (1) and at least one similar vehicle component of the vehicle (1);
if no similar vehicle component is determined (W2a):
- Determining (S6) a context-dependent relevance of the vehicle component, whereby the relevance is determined taking into account a permissible failure rate of the vehicle component in the current context (K1, K2, K3) and/or an availability of diverse and/or similar vehicle components in the current context (K1, K2, K3); and
- based on the determined context-dependent relevance, handling (S7a) the potential fault of the vehicle component or initiating (S7b) an emergency operating mode of the vehicle (1), wherein the fault handling (S7a) is carried out if the determined relevance falls below a predetermined relevance threshold, and wherein the emergency operating mode (S7b) is initiated if the determined relevance exceeds a predetermined relevance threshold;
if at least one similar vehicle component is identified (W2b):
- context-dependent verification (S8) of the potential fault taking into account the at least one similar vehicle component.

2. The method of claim 1, wherein the context-dependent verification (S8) comprises the steps:
- Determining that there is no potential fault in the at least one similar vehicle component (W4b); and
- Treating (S7a) the potential fault in the vehicle component.

3. The method of claim 1, wherein the context-dependent verification (S8) comprises the steps of:
- determining that a potential fault exists in the at least one similar vehicle component (W4a);
- comparing (S10) sample values (P) and/or diagnostic values of the vehicle component and the at least one similar vehicle component; and based on the comparison:
- rejecting (S11) the potential fault of the vehicle component; or
- determining (S6) a context-dependent relevance of the vehicle component and, based on the determined context-dependent relevance, treating (S7a) the potential fault of the vehicle component or initiating (S7b) an emergency operating mode of the vehicle (1).

4. Method according to claim 3, wherein when comparing (S10) the sample values (P) and/or diagnostic values, it is determined whether the sample value (P) and/or diagnostic value of the vehicle component is within a range of sample values (P) and/or diagnostic values of the at least one similar vehicle component, wherein the potential fault of the vehicle component is rejected (S11) if the sample value (P) and/or diagnostic value of the vehicle component is within a range of sample values (P) and/or diagnostic values of the at least one similar vehicle component (W5a), and wherein otherwise (W5b) the context-dependent relevance is determined (S6).

5. Method according to one of the preceding claims, wherein the determination (S9) of a potential defect of a vehicle component comprises the steps:
- Determining (S1, S2a, S2b) a sample value (P) of the vehicle component within at least one determined metric and, depending on the determined context (K1, K2, K3), a set of limit values (G1, G2) within the determined metric;
- Determining a diagnostic value as the quotient of the difference of determined sample value (P) and lower limit value (G2) and the difference of upper limit value (G1) and lower limit value (G2).

6. Method according to claim 5, wherein a potential error is determined if the sample value (P) is not within the determined limit values (G1, G2) and/or if the diagnostic value does not have a value between 0 and 1.

7. Method according to one of the preceding claims, wherein the context (K1, K2, K3) is defined depending on a plurality of parameters characterizing an environment and/or a driving situation of the vehicle (1).

8. Vehicle (1) comprising at least one vehicle component and a control unit (40) designed to carry out a method according to one of claims 1 to 7.