Use of the vehicle infotainment system as a redundant control system

WO2026082778A3 · PCT designated stage · Publication Date: 2026-06-11 · ZF FRIEDRICHSHAFEN AG

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Current Assignee / Owner
ZF FRIEDRICHSHAFEN AG
Filing Date
2025-10-15
Publication Date
2026-06-11

AI Technical Summary

Technical Problem

The challenge in semi-autonomous and autonomous vehicles is to enhance safety, reliability, and fault tolerance while managing high bandwidth data distribution and processing, particularly in redundant control unit designs that incur significant costs.

Method used

A vehicle system with redundant interface and application units, each as a system-on-a-chip, preprocesses and synchronizes sensor data, utilizing an infotainment system as a backup for critical control functions, ensuring fail-safe operation without additional hardware.

Benefits of technology

This design achieves maximum safety, reliability, and fault tolerance by allowing seamless redundancy and fail-safe operation, reducing the need for additional hardware and maintaining vehicle control even in failures.

✦ Generated by Eureka AI based on patent content.


Abstract

A vehicle system (10) for a vehicle comprises a first interface unit (12a) and a second interface unit (12b), as well as a first application unit (14a), a second application unit (14b), and a third application unit (14c). The first interface unit (12a) and the second interface unit (12b) are designed to each receive sensor data (22) from a plurality of sensors (16a, 16b, 16c, 16d); wherein the first interface unit (12a) is connected to the first application unit (14a) and to the second interface unit (12b) via a respective output interface (44); wherein the second interface unit (12b) is connected to the second application unit (14b) and the third application unit (14c) via a respective output interface (44) and to the second interface unit (12b) via a respective output interface (44). The first application unit (14a) and the second application unit (14b) are each designed to carry out control functions of the vehicle on the basis of the sensor data (22); wherein the third application unit (14c) is designed to carry out further functions for the vehicle; and wherein the third application unit (14c) is designed, in the event of a failure of the first application unit (14a) and / or of the second application unit (14b), to carry out at least one part of the control functions.

Description

[0001] ZF Friedrichshafen AG File 304950 Friedrichshafen 2024-10-15

[0002] Using a vehicle's infotainment system as a redundant control system

[0003] The invention relates to a vehicle system for a vehicle and a method for controlling the vehicle with this vehicle system.

[0004] Semi-autonomous and fully autonomous vehicles have significantly increased the number of sensors installed in vehicles. Camera systems, lidar systems, and radar systems with high bandwidth requirements present new challenges regarding data distribution, preprocessing, and security. Currently, various systems-on-a-chip (SoCs) exist that can handle the distribution (PCIe and Ethernet switches), processing (performance SoCs), time synchronization, and other tasks of this data.

[0005] Since the safety, reliability, and fault tolerance of systems and processors play a crucial role in the automotive sector, devices performing critical functions are implemented redundantly (usually with nearly identical processing units). This is especially true for autonomous vehicles. Safety is paramount in autonomous vehicles because no driver can intervene in the vehicle's behavior or take over control. The redundant devices, such as control units or processing units, only come into play if the primary device malfunctions, experiences a partial failure, or completely fails. Redundant control unit design results in significant additional costs.

[0006] It is an object of the invention to increase the safety, reliability and fail-safety of a vehicle system for the semi-autonomous or autonomous control of a vehicle, in particular a driver assistance system or a system for autonomous driving.

[0007] This problem is solved by the subject matter of the independent claims. Further embodiments of the invention are described in the dependent claims and in the following description.

[0008] One aspect of the invention relates to a vehicle system for a vehicle. The vehicle can be a road vehicle, such as a car, truck, or bus. The vehicle system can be the main computer or ECU of the vehicle, which enables autonomous or semi-autonomous control of the vehicle.

[0009] According to one embodiment, the vehicle system comprises a first interface unit and a second interface unit, as well as a first application unit, a second application unit, and a third application unit. These processing units can each be a system-on-a-chip.

[0010] According to one embodiment, the first interface unit and the second interface unit are configured to receive sensor data from a plurality of sensors. Each interface unit has one or more input interfaces connected to these multiple sensors. By using multiple interface units, for example, on a single chip, all of which can be identically structured, the vehicle system can be implemented redundantly and in a functionally safe manner. Each interface unit comprises a plurality of interfaces with different protocols for reading sensor data from various sensors and outputting it using a specific interface or protocol. Within an interface unit, the sensor data is preprocessed and / or synchronized. Each of the interface units is designed to perform safety-compliant preprocessing and optional synchronization of sensor data from a plurality of sensors.

[0011] According to one embodiment, the application units are designed to execute application software of the vehicle system. The interface units enable the implementation of specific application software independently of embedded software. The preprocessing provided by an interface unit can improve the software architecture of the vehicle system and relieve the application units of some processing load, allowing them to perform better in more intensive tasks, such as AI processing.

[0012] According to one embodiment, the vehicle system further comprises a plurality of sensors for monitoring the vehicle's environment. These sensors can be present in one or more sets connected to the interface units.

[0013] According to one embodiment, the first interface unit is connected to the first application unit and to the second interface unit via respective output interfaces. The second interface unit is connected to the second and third application units via respective output interfaces and to the third interface unit via respective output interfaces. Each interface unit has at least two output interfaces through which the interface units are connected to each other and / or to the application units.

[0014] According to one embodiment, the first application unit and the second application unit are each configured to execute vehicle control functions based on sensor data and thus control the vehicle. These control functions can be functions that perform semi-autonomous or autonomous vehicle control.

[0015] According to one embodiment, the third application unit is configured to perform additional functions for the vehicle, particularly those not related to vehicle control. This third application unit is configured to perform at least some of the control functions in the event of a failure of the first and / or second application unit. These additional functions can include, for example, infotainment functions such as playing an audio stream. To increase the safety, reliability, and fault tolerance of the vehicle system, an additional resource, namely the third application unit, which can be the processing unit of an infotainment system (IVI), is used. It can operate either in support of or as a replacement for the first and / or second application unit, which can represent an AD system. The powerful computing unit of the infotainment system is usually already present in the vehicle and linked to the AD system via interfaces.

[0016] In this way, despite further redundancy, a third, usually nearly identical, computing unit for autonomous driving can be omitted. Maximum safety, reliability, and fault tolerance can be achieved without additional hardware.

[0017] According to one embodiment, the first, second, and third application units are housed in a single enclosure. The AD domain (i.e., the first and second application units) and the infotainment domain (i.e., the third application unit) can be located in one enclosure, forming a single control unit. The application units can be located on separate PCBs or on a single board.

[0018] In the event of a failure of the first and second application units, the third application unit can take over functions such as the so-called minimum risk maneuver. The third application unit can provide minimal functions as a fallback system and simultaneously as a so-called "hot standby" system. Therefore, in the event of a fault or failure of the central control unit, i.e., the first and / or second application unit, the third application unit can immediately and without delay assume control of the vehicle, albeit in a reduced capacity. This reduced control can, for example, bring the vehicle to a desired safe state.

[0019] According to one embodiment, the second application unit is designed to execute at least some of the control functions of the first application unit in the event of a failure of the first application unit. Similarly, the first application unit can be designed to execute at least some of the control functions of the second application unit in the event of a failure of the second application unit.

[0020] The first and second application units can be implemented redundantly or at least partially redundantly.

[0021] According to one embodiment, the first interface unit is configured to receive first sensor data from first sensors, and the second interface unit is configured to receive second sensor data from second sensors. The interface units can be connected to different sets of sensors, which may include redundant sensors.

[0022] According to one embodiment, the first interface unit is configured to transmit the first sensor data to the second interface unit in the event of a failure of the second sensors. Similarly, the second interface unit can be configured to transmit the second sensor data to the first interface unit in the event of a failure of the first sensors. In this way, each interface unit can provide the corresponding application units with pre-processed sensor data, even if the associated sensor set has failed, at least partially.

[0023] According to one embodiment, the third application unit is an infotainment system. The other functions may include infotainment features. For example, the infotainment system can output video and / or audio streams to vehicle occupants.

[0024] According to one embodiment, the first interface unit and the second interface unit each comprise a plurality of input interfaces configured for at least two different communication protocols and designed to receive sensor data from the plurality of sensors. The sensors may include a camera, radar, and / or lidar, and / or may be configured to monitor the vehicle's environment. An input interface may be provided for each sensor. The communication protocols may provide serial data and / or data packets. The communication protocols may include MIPI (Mobile Industry Processor Interface), CSI (Camera Serial Interface), GMSL (Gigabit Multimedia Serial Link), FPD-Link (Flat Panel Display Link) and / or Ethernet.

[0026] An input interface of an interface unit can be connected to the respective sensor via a physical interface that implements protocol components of the physical layer. It is also possible that a deserializer, which generates data packets from a serial data stream, is connected between the sensor and the input interface.

[0027] According to one embodiment, at least one of the input interfaces is implemented for the CSI protocol. The CSI protocol is primarily used for communication with a camera acting as a sensor.

[0028] According to one embodiment, at least one of the input interfaces is implemented for the Ethernet protocol. Communication with a radar or lidar sensor, for example, can be achieved via the Ethernet protocol.

[0029] According to one embodiment, the output interfaces of the first and second interface units are configured for a specific communication protocol for outputting sensor data. The specific communication protocol for the output interface can be PCI Express or UCI Express. Each interface unit can have multiple output interfaces with the specific communication protocol, each of which can be connected to an application unit, another interface unit, and / or other systems, such as a diagnostic interface for other vehicle computing systems (such as ECUs), storage, cloud systems, data logging systems, etc.

[0030] According to one embodiment, the first interface unit and the second interface unit each comprise an automotive interface for data communication with the vehicle's control units. The automotive interface can operate with communication protocols typical for vehicles, such as CAN, CAN-FD, I2C, SPI, FlexRay, etc.

[0031] According to one embodiment, the first interface unit and the second interface unit each comprise a preprocessing unit for preprocessing the sensor data. The first interface unit and the second interface unit are configured to perform preprocessing of the sensor data. The data from a large number of sensors can be preprocessed in real time with high bandwidth by efficient hardware, optimally reducing energy consumption.

[0032] According to one embodiment, the preprocessing unit includes an image signal processor for processing image data. The image signal processor can convert image data in an image format specific to the camera as a sensor into an image format that can be processed by the application units.

[0033] According to one embodiment, the preprocessing unit includes a digital signal processor, for example, for processing radar data and / or lidar data. In general, sensor data provided by a sensor in a specific format can be transferred or converted into a format that can be processed by the application units.

[0034] According to one embodiment, the first interface unit and the second interface unit each further comprise a synchronization unit for synchronizing the sensor data, whereby, for example, sensor data recorded at the same time are given the same timestamp. All input data can be synchronized by the synchronization unit, which may have its own internal clock. During synchronization, the sensor data can be timestamped. The interface unit can be designed to operate in streaming mode, resulting in a more deterministic system. Timestamping and sensor synchronization are much easier to implement when all data is combined in just one component, i.e., the interface unit.

[0035] According to one embodiment, the first interface unit and the second interface unit each further comprise a safety unit, for example with at least two or three parallel processors, respectively, whose results are compared by the safety unit. The safety unit can execute safety-relevant functions that still deliver safe results even if a processor fails or malfunctions.

[0036] According to one embodiment, the first interface unit and the second interface unit each further comprise a processor unit with a plurality of processors. The processor unit can perform additional functions of the interface unit.

[0037] According to one embodiment, the first interface unit and the second interface unit each further comprise a data communication network for distributing data between units of the interface unit. The data communication network can be a so-called NoC (network on chip) or a bus system.

[0038] According to one embodiment, the first interface unit and the second interface unit each further comprise an internal memory, which is used, for example, by the preprocessing unit and the processors.

[0039] According to one embodiment, the first interface unit and the second interface unit each further include a memory interface for accessing external memory, which can be used, for example, to expand the internal memory.

[0040] According to one embodiment, the first interface unit, the second interface unit, the first application unit, the second application unit, and / or the third application unit are implemented as a system-on-a-chip. A system-on-a-chip is an integrated circuit (IC), particularly one implemented on a single chip.

[0041] Another aspect of the invention relates to a method for controlling a vehicle with a vehicle system, as described herein. The method can be executed as software or a computer program by the processors of the vehicle system.

[0042] According to one embodiment, the method comprises: receiving sensor data from a plurality of sensors with the first interface unit and the second interface unit; transmitting the sensor data to the first application unit and to the second application unit; executing control functions of the vehicle based on the sensor data with the first application unit and the second application unit; executing further functions for the vehicle with the third application unit; and, in the event of a failure of the first application unit and / or the second application unit, executing at least part of the control functions with the third application unit.

[0043] In the following, exemplary embodiments of the invention are described in detail with reference to the accompanying figures.

[0044] Fig. 1 schematically shows a vehicle system according to one embodiment of the invention.

[0045] Fig. 2 schematically shows an interface unit for the vehicle system from Fig. 1.

[0046] Fig. 3 schematically shows an interface unit for the vehicle system from Fig. 1.

[0047] Fig. 4 shows a flowchart for a method for controlling the vehicle with this vehicle system according to one embodiment of the invention.

[0048] The reference symbols used in the figures and their meanings are summarized in the list of reference symbols. Generally, identical or similar parts are designated with the same reference symbols.

[0049] Fig. 1 schematically shows a vehicle system 10 with two interface units 12a, 12b and three application units 14a, 14b, 14c. The vehicle system 10 provides part of the control system for an autonomous or semi-autonomous vehicle. Embedded software 13, i.e., software adapted to specific hardware of the vehicle system 10, is executed in the interface units 12a, 12b. Application software 15, i.e., software implemented independently of the hardware of the vehicle system 10, is executed in the application units 14a, 14b, 14c.

[0050] Units 12a, 12b, 14a, 14b, and 14c are connected via a data communication link 18 based on PCIe or UCIe. The data communication link 18 represents an abstraction layer 20 between the application software layer 15 and the embedded software layer 13.

[0051] Each interface unit 12a, 12b receives sensor data 22 from the hardware of the vehicle system 10 and converts it into standardized data, which is then transferred to the application units 14a, 14b, 14c. Conversely, each interface unit 12a, 12b can convert control commands from the application units 14a, 14b, 14c into hardware-specific control commands for hardware components. Thus, the interface units 12a, 12b handle the implementation of the hardware-specific requirements of the sensors and / or actuators of the vehicle system 10. The application software 15 of the application units 14a, 14b, 14c can be implemented independently of specific hardware components. Furthermore, an application unit 14a, 14b, 14c can be replaced without requiring any modifications to the embedded software 13 of the interface units 12a, 12b.

[0052] The interface units 12a, 12b and the application units 14a, 14b, 14c can each be implemented as a system-on-a-chip 24 or comprise a system-on-a-chip 24 as a computing unit. The vehicle system 10 can, for example, be a high-performance computer for an ECU (electronic control unit) of an autonomous or semi-autonomous vehicle.

[0053] Each of the interface units 12a, 12b is connected via various interfaces to a sensor set 28a, 28b. Each sensor set 28 can comprise a camera 16a, a radar 16b, a lidar 16c and / or a microphone 16d. It should be understood that multiple cameras 16a, radars 16b, lidars 16c and / or microphones 16d may be present.

[0054] The interface units 12a, 12b are connected to one another by a data communication link 18 based on PCIe or UCIe. The interface units 12a and 12b are connected to the application units 14a, 14b, 14c by means of further data communication links 18 based on PCIe or UCIe.

[0057] The first interface unit 12a is connected to the first application unit 14a and to the second interface unit 12b via a respective output interface or data communication connection 18. The second interface unit 12b is connected to the second application unit 14b and the third application unit 14c via a respective output interface or data communication connection 18.

[0058] 18 data communication connections connected.

[0059] The application units 14a, 14b, 14c can perform various functions. The two sensor sets 28a, 28b and the two interface units 12a, 12b divide the vehicle system 10 into two redundant areas, so that even if one of the sensor sets 28a, 28b and / or the interface units 12a, 12b fails, the vehicle system 10 can continue to perform its function. The data communication link 18 between the first interface unit 12a and the second interface unit 12b can be used to share sensor data 22 from the sensor sets 28a, 28b and / or control data from the application units 14a, 14b, 14c between the interface units 12a, 12b to create more redundancy.

[0061] Through the abstraction layer 20, the application software 15 becomes independent of the implementation of the interface units 12a, 12b and / or the hardware components, such as the sensor sets 28a, 28b, and generally independent of sensors, fans, coolers, AD and DA converters, controllers, etc. The application software 15 can be used purely for object recognition, pixel segmentation, L4 functions, etc.

[0062] Fig. 2 further shows that the interface unit 12a, 12b and the application units 14a, 14b, 14c, in addition to the computing units 24, which can each be located on a chip, have further components which can also each be located on an associated chip 24.

[0063] An external RAM 30 can expand the internal RAM of the computing units 24.

[0064] To support the computing units 24, a microcontroller (MCU, micro controller unit) 32 may be present.

[0065] Each sensor 16a, 16b, 16c, 16d can have a physical interface 34a, 34b, which receives the sensor data of the respective sensor at a physical layer and forwards it to the interface unit 12. To process sensor data from a camera 16a, a deserializer 34a can be provided, which generates data packets for the interface unit 12a, 12b from the serial data of the camera 16a. As a further example, each sensor 16b, 16c that communicates via Ethernet can have a physical Ethernet interface 34b.

[0066] It is also possible to have 36 GB of SSD storage.

[0067] Another data communication link 18 via PCIe or UCIe can be used to provide a diagnostic interface (MDI) and / or an interface to another high-performance computer or ECU 40 of the vehicle system 10.

[0068] Figures 2 and 3 show the structure of the interface units 12a, 12b in more detail, with Figure 3 showing the configuration of the interface unit 12a in the vehicle system 10 and Figure 4 showing the configuration of the interface unit 12a in the vehicle system 10.

[0069] The interface unit 12a, 12b comprises a plurality of input interfaces 42a, 42b, 42c, which are configured for at least two different communication protocols and which are configured to receive sensor data 22 from a plurality of sensors 16a, 16b, 16c, 16d.

[0070] The interface unit 12a, 12b further comprises a plurality of output interfaces 44, which are designed for a specific communication protocol, for outputting the sensor data 22, which have been preprocessed and optionally synchronized by the interface unit 12a, 12b.

[0071] One of the input interfaces 42a can be configured for the CSI protocol. The CSI protocol is primarily used for communication with a camera 16a as a sensor. One of the input interfaces 42b can be configured for the Ethernet protocol. The Ethernet protocol allows communication with, for example, a radar 16b or lidar 16c as a sensor. Each input interface 42 can be connected to the respective sensor 16a, 16b, or 16c via a physical interface 34a or 34b, which implements protocol components of the physical layer. A deserializer 34a, which generates data packets from serial data from the sensor, can also be connected between the sensor 16a and the input interface.

[0072] Another input interface 42c can be an automotive interface, for example for data communication with the vehicle's control units, such as via a CAN bus. Furthermore, a sensor 16d, such as a microphone 16d, can also be connected to such an input interface 42c.

[0073] Some of the sensor data 22, in particular image data, can be preprocessed by a preprocessing unit 46. The preprocessing unit 46 can comprise one or more image signal processors 46a for processing image data and / or one or more digital signal processors 46b for processing more general data.

[0074] The interface unit 12a, 12b comprises a data communication network 48, such as a bus system, for distributing data between the input interfaces 42a, 42b, 42c, the output interfaces 44, the preprocessing unit 46, and other components of the interface unit 12a, 12b. The optionally preprocessed sensor data 22 from the sensors 16a, 16b, 16c, 16d are forwarded via the data communication network 48 to the output interfaces 44, which then make the sensor data 22 available to other components of the vehicle system 10 using a specific communication protocol, such as PCIe or UCIe.

[0075] The sensor data 22 from camera 16a flows through a digital signal processor 46b and then via the data communication network 48 to the output interfaces 44. The sensor data 22 from radar 16b and lidar 16c flows directly into the data communication network 48, which forwards it, for example, to a digital signal processor 46b and / or a processor unit 50. The processor unit 50 can comprise a plurality of processors that preprocess the sensor data 22 using software.

[0076] Intermediate results and software can be stored in internal memory 52 or external memory 30. Internal memory 52 is directly connected to the data communication network 48. A storage interface 54 connected to the data communication network 48 is used to access external memory 30. Internal memory 52 is used primarily to avoid slower external access to external memory 30.

[0077] The interface unit 12a, 12b further comprises a synchronization unit 56 for synchronizing the sensor data 22, whereby sensor data 22 recorded at the same time are given the same timestamp. This can also occur if the frequency of the sensor data or of the sensors 16a, 16b, 16c, 16d is different.

[0078] The interface unit 12a, 12b can also include a safety unit 60, which enables functions to be executed in a safe manner. The safety unit 60 can have at least two parallel processors, the results of which are compared by the safety unit 60.
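The comparison of parallel processor results in unit 60 can be pictured with the following added sketch, which is not code from the patent. It generalizes to any number of channels from 2 to 32; the majority-vote policy, the verdict names and the function `compare_channels` are assumptions, since the text only states that the results are compared.

```c
/* Added sketch, not from the patent: comparing the outputs of the parallel
 * processors in unit 60. The majority-vote policy and all names here are
 * assumptions; the text only states that the results are compared. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict {
    VERDICT_AGREE,      /* every channel produced the same result           */
    VERDICT_MASKED,     /* a strict majority agrees; dissenters are flagged */
    VERDICT_FAIL_SAFE   /* no strict majority: the result must not be used  */
};

struct vote {
    enum verdict verdict;
    uint32_t value;        /* valid unless verdict == VERDICT_FAIL_SAFE */
    uint32_t dissent_mask; /* bit i set: channel i disagreed with value */
};

struct vote compare_channels(const uint32_t *result, size_t n)
{
    struct vote v = { VERDICT_FAIL_SAFE, 0, 0 };
    if (result == NULL || n < 2 || n > 32)
        return v;                      /* a single channel cannot be checked */

    /* Boyer-Moore pass: find the only value that could hold a majority. */
    uint32_t candidate = result[0];
    size_t lead = 0;
    for (size_t i = 0; i < n; i++) {
        if (lead == 0) { candidate = result[i]; lead = 1; }
        else if (result[i] == candidate) lead++;
        else lead--;
    }

    /* Confirm the candidate and record which channels disagree. */
    size_t agree = 0;
    uint32_t mask = 0;
    for (size_t i = 0; i < n; i++) {
        if (result[i] == candidate) agree++;
        else mask |= (uint32_t)1 << i;
    }

    if (agree * 2 <= n)                /* split 1-1 or 1-1-1: no safe result */
        return v;

    v.value = candidate;
    v.dissent_mask = mask;
    v.verdict = (agree == n) ? VERDICT_AGREE : VERDICT_MASKED;
    return v;
}

int main(void)
{
    /* Constructed sample: channel 2 of three returns a corrupted result. */
    const uint32_t sample[] = { 0x1234u, 0x1234u, 0x9999u };
    struct vote v = compare_channels(sample, 3);
    printf("verdict=%d value=0x%x dissent_mask=0x%x\n",
           (int)v.verdict, (unsigned)v.value, (unsigned)v.dissent_mask);
    return 0;
}
```

With two channels a mismatch can only be detected, so the sketch fails safe; with three, one faulty channel is outvoted and reported in `dissent_mask`.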

[0079] The pre-processed and synchronized sensor data 22 are forwarded by the data communication network 48 to the output interfaces 44.

[0080] The output interfaces 44 can provide this sensor data 22 to a plurality of components of the vehicle system 10 at the application level. Performance systems 14, such as CPUs and GPUs, can perform computationally intensive tasks, such as AI classification, autonomous driving functions, etc. Furthermore, data logging and recording devices, such as external SSDs, HDDs, and / or a cloud connection, can be connected to the output interfaces 44.

[0081] The interface units 12a and 12b have the same structure but are configured differently in the vehicle system 10. As shown in Fig. 3, the first interface unit 12a is connected to the first application unit 14a and to the second interface unit 12b via their respective output interfaces 44. Fig. 4 shows that the second interface unit 12b is connected to the second application unit 14b and the third application unit 14c via their respective output interfaces 44, and is also connected to the first interface unit 12a via its respective output interface 44.

[0082] Figure 4 shows a flowchart for a method for controlling a vehicle with the vehicle system 10 from Figure 1.

[0083] In step S10, the first interface unit 12a and the second interface unit 12b receive sensor data 22 from a plurality of sensors 16a, 16b, 16c, 16d. The first interface unit 12a receives the sensor data 22 of sensor set 28a via input interfaces 42a, 42b. The second interface unit 12b receives the sensor data 22 of sensor set 28b via input interfaces 42a, 42b.

[0084] In step S10, the sensor data 22 are preprocessed and synchronized. The first interface unit 12a preprocesses and synchronizes the sensor data 22 of sensor set 28a. The second interface unit 12b preprocesses and synchronizes the sensor data 22 of sensor set 28b.

[0085] At the end of step S10, the sensor data 22 are transmitted to the first application unit 14a and the second application unit 14b via the output interfaces 44. The first interface unit 12a transmits the sensor data 22 of sensor set 28a to the first application unit 14a. The second interface unit 12b transmits the sensor data 22 of sensor set 28b to the second application unit 14b.

[0086] In step S12, the first application unit 14a and the second application unit 14b execute vehicle control functions based on sensor data 22. This occurs in the first application unit 14a based on sensor data 22 from sensor set 28a and in the second application unit 14b based on sensor data 22 from sensor set 28b. The control functions include functions for semi-autonomous or autonomous vehicle control. Vehicle control in this context means that acceleration, braking, and / or steering are performed independently of a driver.

[0087] In step S14, the third application unit 14c performs further functions for the vehicle that are independent of the vehicle's control system. These functions are not relevant to the vehicle's control system and / or have no influence on it. For example, these functions include infotainment features.

[0088] In optional step S16, it is detected that a sensor 16a, 16b, 16c, 16d from the first sensor set 28a or a sensor 16a, 16b, 16c, 16d from the second sensor set 28b has failed. In this case, the sensor data 22 of the corresponding sensor from the other sensor set 28a, 28b is transmitted from the respective interface unit 12a, 12b connected to the corresponding sensor to the interface unit 12a, 12b connected to the failed sensor. The interface unit 12a, 12b connected to the failed sensor then preprocesses and synchronizes the sensor data 22 transmitted by the other interface unit and then transmits it to the application unit 14a, 14b.

[0089] In step S18, it is determined that either the first application unit 14a, the second application unit 14b, and / or both application units 14a and 14b have failed. If the first application unit 14a fails, the second application unit 14b performs at least some of the control functions of the first application unit 14a. If the second application unit 14b fails, the first application unit 14a performs at least some of the control functions of the second application unit 14b.

[0090] If one of the application units 14a, 14b has failed, the third application unit 14c may perform at least some of the control functions of the failed application units 14a, 14b.

[0091] If both application units 14a and 14b have failed, the third application unit 14c performs at least some of the control functions. For example, application unit 14c can initiate and carry out emergency braking until the vehicle comes to a standstill.

[0092] When application unit 14c executes control functions, it is possible that all or some of the further functions, which are independent of the control of the vehicle, are no longer executed in order to free up the resources of application unit 14c for the control functions.
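The failover rules of steps S16 and S18 can be written as two small decision functions. This is an added illustration, not code from the patent or from ZF; the type and function names, the sensor bitmask layout, and the policy of preferring the surviving peer over unit 14c when only one of 14a and 14b has failed are assumptions (the text only says that 14c "may" take over in that case).

```c
#include <stdbool.h>
#include <stdio.h>

/* Added illustration: names, bit layout and tie-breaking policy are assumptions. */
enum { CAM = 1, RADAR = 2, LIDAR = 4, MIC = 8, ALL = 15 };  /* sensors 16a..16d */
typedef enum { NONE, U14A, U14B, U14C } unit_t;

typedef struct {
    unit_t runs_a, runs_b;  /* unit executing the control functions of 14a / 14b */
    bool emergency_brake;   /* 14c brakes to standstill, paragraph [0091] */
    bool shed_further;      /* 14c drops its further functions, paragraph [0092] */
} plan_t;

typedef struct {
    unsigned a_from_b;      /* sensor kinds 12a must obtain from 12b */
    unsigned b_from_a;      /* sensor kinds 12b must obtain from 12a */
    unsigned lost;          /* kinds failed in both sets: no substitute exists */
} route_t;

/* Step S16: ok_a / ok_b are bitmasks of working sensors in sets 28a / 28b. */
route_t route_sensors(unsigned ok_a, unsigned ok_b)
{
    route_t r = { ~ok_a & ok_b & ALL, ~ok_b & ok_a & ALL, ~ok_a & ~ok_b & ALL };
    return r;
}

/* Step S18: choose who executes control functions for a given health state. */
plan_t plan_failover(bool a_ok, bool b_ok, bool c_ok)
{
    plan_t p = { a_ok ? U14A : NONE, b_ok ? U14B : NONE, false, false };
    if (a_ok && !b_ok) {
        p.runs_b = U14A;                 /* surviving peer takes over, [0089] */
    } else if (!a_ok && b_ok) {
        p.runs_a = U14B;
    } else if (!a_ok && !b_ok && c_ok) {
        p.runs_a = p.runs_b = U14C;      /* last resort: third application unit */
        p.emergency_brake = true;
    }
    /* Any control work placed on 14c displaces its further functions. */
    p.shed_further = (p.runs_a == U14C || p.runs_b == U14C);
    return p;
}

int main(void)
{
    plan_t p = plan_failover(false, false, true);  /* constructed input */
    printf("control on unit %d, brake=%d, shed=%d\n",
           (int)p.runs_a, p.emergency_brake, p.shed_further);
    return 0;
}
```

The `lost` mask makes the one case explicit that cross-routing cannot cover: the same sensor kind failing in both sets.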

[0094] The following table shows an example of which functions are available in the vehicle system when one of the units 12a, 12b, 14a, 14b, 14c is fully operational (1) or has failed (0). The status describes the availability of the control functions, while the level describes the degree of restriction of the control functions. For interface units 12a and 12b, it is assumed that they can no longer receive and process sensor data 22 from the associated sensor sets 28a and 28b, but data can still be transmitted via interfaces 44.

[0095] It should also be noted that "comprising" does not exclude any other elements or steps, and "a" or "an" does not exclude a plurality. Furthermore, it should be noted that features or steps described with reference to one of the above embodiments can also be combined with other features or steps from other embodiments described above.

[0096] Exemplary embodiments may be used. Reference numerals in the claims are not to be regarded as limitations.

[0098] Reference signs

[0099] 10 vehicle system

[0100] 12a first interface unit

[0101] 12b second interface unit

[0102] 13 embedded software

[0103] 14a first application unit

[0104] 14b second application unit

[0105] 14c third application unit

[0106] 15 Application software

[0107] 16a Vehicle sensor, camera

[0108] 16b Vehicle sensor, radar

[0109] 16c vehicle sensor, lidar

[0110] 16d vehicle sensor, microphone

[0111] 18 Data communication connection

[0112] 20 Abstraction layer

[0113] 22 data points, sensor data

[0114] 24 system on a chip

[0115] 28a first sensor set

[0116] 28b second sensor set

[0117] 30 external storage

[0118] 32 microcontrollers

[0119] 34a physical interface, deserializer

[0120] 34b physical interface, physical Ethernet interface

[0121] 36 external SSD storage

[0122] 40 high-performance computers, ECUs

[0123] 42a Input interface

[0124] 42b Input interface

[0125] 42c input interface

[0126] 44 Output interface

[0127] 46 Pre-processing unit

[0128] 46a DSP

[0129] 46b ISP

[0130] 48 Data communication network

[0131] 50 processor units

[0132] 52 internal storage

[0133] 54 memory interface

[0134] 56 Synchronization unit

[0135] 60 security units

Claims

1. Vehicle system (10) for a vehicle, comprising: a first interface unit (12a) and a second interface unit (12b); a first application unit (14a), a second application unit (14b) and a third application unit (14c); wherein the first interface unit (12a) and the second interface unit (12b) are configured to each receive sensor data (22) from a plurality of sensors (16a, 16b, 16c, 16d); wherein the first interface unit (12a) is connected to the first application unit (14a) and to the second interface unit (12b) via respective output interfaces (44); wherein the second interface unit (12b) is connected to the second application unit (14b) and the third application unit (14c) via respective output interfaces (44) and to the second interface unit (12b) via respective output interfaces (44); wherein the first application unit (14a) and the second application unit (14b) are each configured to perform control functions of the vehicle based on the sensor data (22); wherein the third application unit (14c) is configured to perform further functions for the vehicle; wherein the third application unit (14c) is configured to perform at least some of the control functions in the event of a failure of the first application unit (14a) and / or the second application unit (14b).

2. Vehicle system (10) according to claim 1, wherein the second application unit (14b) is configured to perform at least some of the control functions of the first application unit (14a) in the event of a failure of the first application unit (14a); wherein the first application unit (14a) is configured to perform at least some of the control functions of the second application unit (14b) in the event of a failure of the second application unit (14b).

3. Vehicle system (10) according to claim 1 or 2, wherein the first interface unit (12a) is configured to receive first sensor data (22) from first sensors (28a); wherein the second interface unit (12b) is configured to receive second sensor data (22) from second sensors (28b); wherein the first interface unit (12a) is configured to transmit the first sensor data (22) to the second interface unit (12b) in the event of a failure of the second sensors (28b); wherein the second interface unit (12b) is configured to transmit the second sensor data (22) to the first interface unit (12a) in the event of a failure of the first sensors (28a).

4. Vehicle system (10) according to claim 1, wherein the third application unit (14c) is an infotainment system; and / or the further functions comprise infotainment functions.

5. Vehicle system (10) according to one of the preceding claims, wherein the first interface unit (12a) and the second interface unit (12b) each comprise a plurality of input interfaces (42a, 42b, 42c) configured for at least two different communication protocols and configured to receive sensor data (22) from the plurality of sensors (16a, 16b, 16c).

6. Vehicle system (10) according to one of the preceding claims, wherein the output interfaces (44) of the first interface unit (12a) and the second interface unit (12b) are configured for a specific communication protocol for outputting the sensor data (22); wherein the specific communication protocol for the output interface (44) is PCI express or UCI express.

7. Vehicle system (10) according to one of the preceding claims, wherein the first interface unit (12a) and the second interface unit (12b) each include an automotive interface (42c) for data communication with the vehicle's control units.

8. Vehicle system (10) according to one of the preceding claims, wherein the first interface unit (12a) and the second interface unit (12b) each comprise a preprocessing unit (46) for preprocessing the sensor data (22); wherein the preprocessing unit (46) comprises an image signal processor (46a) for processing image data; and / or wherein the preprocessing unit (46) comprises a digital signal processor (46b) for processing radar data and / or lidar data.

9. Vehicle system (10) according to one of the preceding claims, wherein the first interface unit (12a), the second interface unit (12b), the first application unit (14a), the second application unit (14b) and / or the third application unit (14c) are implemented as a system on a chip.

10. Method for controlling a vehicle with a vehicle system (10) according to any one of the preceding claims, the method comprising: receiving sensor data (22) from a plurality of sensors (16a, 16b, 16c, 16d) with the first interface unit (12a) and the second interface unit (12b); transmitting the sensor data (22) to the first application unit (14a) and the second application unit (14b); executing vehicle control functions based on the sensor data (22) using the first application unit (14a) and the second application unit (14b); performing further functions for the vehicle with the third application unit (14c); in the event of a failure of the first application unit (14a) and / or the second application unit (14b), performing at least part of the control functions with the third application unit (14c).