EP-4398124-B1 - DIGITAL MAP DATA WITH ENHANCED FUNCTIONAL SAFETY
Inventors
- SCHUERMAN, Kees, Cornelis, Pieter
- ROSIER, Roland, Alaric, Ian
- VAN DE VORST, Edward
- LIEVERSE, Paul
Dates
- Publication Date: 20260506
- Application Date: 20210225
Claims (14)
- A method of operating a client application (9) running on one or more processing units of a vehicle traversing a navigable network in a geographical area to provide digital map data from at least one remote server (16) to one or more map-based application(s) (11) running on an electronic control unit (ECU) of the vehicle, wherein: the client application comprises a first application (92; 92A, 92B) running on the ECU and a second application (91; 91A, 91B), the first application (92; 92A, 92B) being in communication with the map-based application (11) and the second application (91; 91A, 91B), and the second application (91; 91A, 91B) being in communication with the at least one remote server (16), and wherein the second application (91; 91A, 91B) is developed according to a lower functional safety standard than the first application (92; 92A, 92B); wherein the at least one remote server (16) has access to a map tile data store (18) storing a plurality of map tiles, each map tile representing the navigable network in a portion of the geographical area as a plurality of arcs connected by nodes, wherein each arc and node of a tile have object data associated therewith; and the second application comprises a map tile cache (203; 401) storing a plurality of map tiles obtained from the at least one remote server (16), the method comprising: receiving, by the first application (92; 92A, 92B), a request from the map-based application (11) for digital map data concerning a feature of the navigable network; requesting, by the first application (92; 92A, 92B), the object data for the at least one arc or node relating to the requested digital map data from the second application (91; 91A, 91B); obtaining, by the second application (91; 91A, 91B), the requested object data, wherein the requested object data is either obtained from the map tile cache (203; 401) if the requested object data is present in the map tile cache (203; 401) or from the map tile data store (16) if the required tile associated with the requested object data is not present in the map tile cache; providing the requested object data to the first application (92; 92A, 92B); identifying, by the first application (92; 92A, 92B), a portion of the object data corresponding to the feature of the navigable network; and providing, by the first application (92; 92A, 92B), the requested digital map data to the map-based application (11) using the identified portion of the object data.
- The method of claim 1, wherein the first application (92; 92A, 92B) is developed at least according to an ISO 26262:2018 ASIL-B functional safety standard.
- The method of any preceding claim, wherein the first application (92; 92A, 92B) is implemented redundantly.
- The method of any preceding claim, wherein the first application (92; 92A, 92B) is executed on the same processing platform as the map-based application, the processing platform comprising the electronic control unit (ECU) of the vehicle.
- The method of any preceding claim, wherein each map tile has an associated map tile data structure including: object data indicative of a set of one or more object(s) falling at least partially within the geographical area covered by the map tile and/or within the geographical area covered by another one or more of the map tile(s) representing the digital map; and object-level security data for verifying the integrity of the object data associated with at least one object for which object data is stored in the map tile data structure; wherein the map tile data structure further has a digital signature for verifying the authenticity and/or integrity of the map tile data structure, the digital signature for the map tile data structure being applied by a server from which the map tile data structures are transmitted to the second application; and wherein the method comprises: obtaining, from the respective map tile data structure, associated object-level security data for the obtained requested object data; and the first application (92; 92A, 92B) using the associated object-level security data to verify the integrity of the obtained object data.
- The method of claim 5, wherein the map-based application (11) is an autonomous driving application or wherein the map-based application (11) is a vehicle horizon provider that in turn provides map data to an autonomous driving application, and wherein when a verification of requested object data based on the associated security data fails, the autonomous driving application operates the vehicle in a safe mode and/or brings the vehicle to a safe stop.
- The method of claim 5 or 6, wherein the associated object-level security data for an object comprises a hash value calculated using at least the object data for the object, and wherein verifying the integrity of the object data comprises the first application (92; 92A, 92B) re-calculating the hash and comparing the re-calculated hash value with the hash value for the object that is included in the tile data structure.
- The method of any of claims 5, 6 or 7, wherein the second application (91; 91A, 91B) obtains the requested object data and its associated object-level security data and provides the requested object data and the associated object-level security data to the first application (92; 92A, 92B), the first application (92; 92A, 92B) using the object-level security data to verify the integrity of the requested object data, and when the verification of the requested object data fails, the first application (92; 92A, 92B) generates an integrity error message and/or generates another request for the requested object data.
- The method of any one of claims 5 to 8, wherein the second application (91; 91A, 91B) is operable to obtain the requested object data by first checking whether the requested object data is present in the map tile cache (203; 401), wherein when the requested object data is present in the map tile cache (203; 401), the second application (91; 91A, 91B) reads the requested object data from the map tile cache, whereas when the object data is not present in the map tile cache, the second application (91; 91A, 91B) issues a request for the requested object data to the at least one remote server, optionally wherein the second application (91; 91A, 91B) verifies the authenticity and/or integrity of the map tile data structure(s) received from the at least one remote server, using the associated digital signature, before adding the data into the map tile cache (203; 401).
- The method of operating a client application running on one or more processing units of a vehicle traversing a navigable network in a geographical area to provide digital map data from at least one remote server (16) to one or more map-based application(s) (11) running on an electronic control unit (ECU) of the vehicle according to any preceding claim, wherein: the at least one remote server (16) has access to a map tile metadata data store (14) storing metadata for each of the map tiles in the map tile data store (18), wherein each arc and node of a tile have object data and object-level security data in the form of a hash value associated therewith, the hash value being calculated at the at least one remote server (16) based on at least the object data for the respective arc or node and tile metadata for the tile containing the object data for the respective arc or node; and the second application (91; 91A, 91B) comprises: a map tile metadata cache (402) storing the metadata for each of the map tiles in the map tile cache (401) obtained from the at least one remote server, the method comprising: receiving, by the first application (92; 92A, 92B), a request from the map-based application (11) for digital map data concerning a feature of the navigable network; requesting, by the first application (92; 92A, 92B), the object data and hash value for the at least one arc or node relating to the requested digital map data from the second application; obtaining, by the second application (91; 91A, 91B), the requested object data and hash value(s) from the map tile cache, or the map tile data store if the required tile is not stored in the map tile cache, and providing them to the first application; requesting, by the first application (92; 92A, 92B), the metadata for the map tile concerning the at least one arc or node relating to the requested digital map data from the second application (91; 91A, 91B); obtaining, by the second application (91; 91A, 91B), the requested tile metadata from the map tile metadata cache, or the map tile metadata data store if the required tile metadata is not stored in the map tile metadata cache, and providing it to the first application (92; 92A, 92B); calculating, by the first application (92; 92A, 92B), a new hash value for the at least one arc or node based on the received object data and tile metadata; comparing, by the first application (92; 92A, 92B), the new hash value with the received hash value; and providing, by the first application (92; 92A, 92B), either the requested digital map data or an integrity error message to the map-based application (11) based on the comparison.
- The method of claim 10, wherein the requested metadata for the map tile is transferred separately from the map data.
- The method of any preceding claim, wherein the map tiles represent the navigable network in a portion of the geographical area as a plurality of arcs connected by nodes, wherein each arc and node of a tile have object data and object-level security data associated therewith.
- An electronic control unit (ECU) of a vehicle executing one or more client applications that are configured to perform a method according to any preceding claim.
- A computer program product comprising computer readable instructions to perform a method according to any of claims 1 to 12.
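The two-tier client of claims 1 and 5 to 10, as an added Go example that is not part of the patent and not the inventors' code: a server-side `BuildTile` hashes every arc or node together with the tile metadata (SHA-256) and signs the tile (Ed25519); a lower-ASIL `SecondApp` checks the server signature before admitting a tile to its cache (claim 9); an ASIL-B `FirstApp` recomputes the object-level hash and releases data to the map-based application only on a match (claims 8 and 10). The claims name neither hash nor signature algorithm, so both are this example's choice, as are all type and function names, the `|`-separated encodings and the sample payloads. For brevity `Lookup` returns the tile metadata together with the object rather than in the separate request of claims 10 and 11.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

type TileMeta struct{ TileID, Version uint32 } // tile metadata (claim 10)

type Object struct {
	ID   uint32
	Data []byte   // arc or node payload
	Hash [32]byte // object-level security data (claims 7 and 10)
}

type Tile struct {
	Meta    TileMeta
	Objects []Object
	Sig     []byte // server-applied Ed25519 signature over the tile (claim 5)
}

var ErrIntegrity = errors.New("object integrity check failed")

// objectHash binds an arc/node to its tile metadata (claim 10); the fixed numeric
// header precedes the payload, so the encoding is unambiguous.
func objectHash(m TileMeta, id uint32, data []byte) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%d|%d|%d|%s", m.TileID, m.Version, id, data)))
}

// tileDigest covers the metadata and every object's id, length, data and hash.
func tileDigest(t *Tile) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%d|", t.Meta.TileID, t.Meta.Version)
	for _, o := range t.Objects {
		fmt.Fprintf(h, "%d|%d|", o.ID, len(o.Data))
		h.Write(o.Data)
		h.Write(o.Hash[:])
	}
	return h.Sum(nil)
}

// BuildTile is the server side: compute object-level hashes, then sign the tile.
func BuildTile(priv ed25519.PrivateKey, m TileMeta, objs []Object) Tile {
	for i, o := range objs {
		objs[i].Hash = objectHash(m, o.ID, o.Data)
	}
	t := Tile{Meta: m, Objects: objs}
	t.Sig = ed25519.Sign(priv, tileDigest(&t))
	return t
}

// SecondApp is the lower-ASIL client: it talks to the server and owns the tile cache.
type SecondApp struct {
	pub   ed25519.PublicKey
	cache map[uint32]*Tile
	fetch func(tileID uint32) *Tile // stand-in for the remote server; nil if unknown
}

func (s *SecondApp) getTile(tileID uint32) (*Tile, error) {
	t, ok := s.cache[tileID]
	if !ok { // cache miss: verify the server signature before caching (claim 9)
		if t = s.fetch(tileID); t == nil || !ed25519.Verify(s.pub, tileDigest(t), t.Sig) {
			return nil, errors.New("tile missing or signature invalid")
		}
		s.cache[tileID] = t
	}
	return t, nil
}

// Lookup serves an object with its stored hash and the tile metadata.
func (s *SecondApp) Lookup(tileID, objID uint32) (*Object, TileMeta, error) {
	t, err := s.getTile(tileID)
	if err != nil {
		return nil, TileMeta{}, err
	}
	for i := range t.Objects {
		if t.Objects[i].ID == objID {
			return &t.Objects[i], t.Meta, nil
		}
	}
	return nil, t.Meta, errors.New("object not found")
}

// FirstApp is the ASIL-B side: nothing reaches the map-based application until the
// hash it recomputes matches the one supplied by the second application.
type FirstApp struct{ second *SecondApp }

func (f *FirstApp) MapData(tileID, objID uint32) ([]byte, error) {
	o, meta, err := f.second.Lookup(tileID, objID)
	if err != nil {
		return nil, err
	}
	if objectHash(meta, objID, o.Data) != o.Hash {
		return nil, ErrIntegrity // claim 8: report an integrity error, not map data
	}
	return o.Data, nil
}

// NewDemo wires one signed tile behind a fake server; all values are constructed.
func NewDemo() (*FirstApp, *SecondApp) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tile := BuildTile(priv, TileMeta{TileID: 7, Version: 3}, []Object{
		{ID: 1, Data: []byte("node:1;x=5.12;y=52.09")}, {ID: 2, Data: []byte("arc:2;lanes=3")}})
	server := map[uint32]*Tile{7: &tile}
	second := &SecondApp{pub: pub, cache: map[uint32]*Tile{}, fetch: func(id uint32) *Tile { return server[id] }}
	return &FirstApp{second: second}, second
}

// CorruptCachedObject flips one bit of an already cached object (i.e. after the
// signature check); only the first app's per-object hash can still catch this.
func CorruptCachedObject(s *SecondApp, tileID uint32, i int) {
	s.cache[tileID].Objects[i].Data[0] ^= 1
}
```

The cache corruption after a successful signature check is the failure mode the object-level hash exists for: the tile signature only protects the transfer from the server into the lower-ASIL cache, while the recomputed hash lets the ASIL-B application reject whatever the cache hands back later. The re-request of claim 8 is left to the caller of `MapData`.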
Description
Field of the Invention
The present invention relates generally to methods and systems for providing digital map data, e.g., that is being transmitted from a cloud server environment, to a map-based application executing on-board a vehicle. Embodiments relate to methods and systems for providing such digital map data with enhanced functional safety. In particular, embodiments of the present invention relate to techniques for verifying the integrity (and authenticity) of high definition (HD) map data, e.g., before it is provided for use in advanced/autonomous driving applications. Embodiments also relate to methods of operating a client application for such contexts.
Background
Navigation systems use digital maps for supporting a driver to reach a desired destination. Such digital maps typically consist of a set of plural navigable segments (or 'arcs') and nodes connecting the road segments together to form a suitable graph representation of the navigable (e.g. road) network. The digital map elements have associated navigation cost parameters that can be used in determining a cost for a path to a destination, e.g. for route planning purposes. Digital maps supporting basic road-level navigation and route-planning services (only) are sometimes referred to as Standard Definition maps (SD maps). In order to provide more advanced autonomous driving (AD) and advanced driver assistance system (ADAS) functionality, it is necessary to use so-called High Definition maps (HD Maps) providing a highly detailed and precise three-dimensional view of both the road and lane geometry. Thus in addition to the arcs and nodes defining the road geometry, such HD maps also include a lane model describing the lane markings, lane center lines, road boundaries, and so on. A typical HD Map thus comprises a set of arcs representing junction areas and lane groups and a set of nodes describing the connections between the arcs. Junction areas and lane groups describe the road surface from side to side (as well as along a direction of travel). A HD map in effect extends the range of view for a vehicle beyond the range of its local sensors and thereby enables smoother, safer and more efficient driving scenarios.
It will be appreciated that AD/ADAS applications may provide highly automated driving functionality, the safety of which is critically reliant on receiving accurate and up-to-date HD map data reflective of the area of the navigable (e.g. road) network within which the vehicle is travelling. If the integrity or authenticity of such data being used by an AD/ADAS application to navigate a vehicle around the navigable (e.g. road) network is compromised, this can therefore have serious (even fatal) consequences. The digital map data is therefore 'safety critical' and its reliability must be ensured in order to meet the required regulatory standards for automated in-vehicle systems. For instance, it should be ensured that the data is not corrupted, e.g., during storage and/or transmission. Furthermore, security of the data is a prerequisite for safety and it must be ensured that the AD/ADAS application is protected against security threats. These aspects must therefore be considered when achieving functional safety for the AD/ADAS applications. The functional safety of in-vehicle safety critical systems is generally realized by developing those in compliance with the ISO 26262 functional safety standard. The production of safety critical map data will be subject to the ISO 21448 standard for the safety of the intended functionality (SoTIF). Ensuring the reliability of such digital map data thus places certain requirements on the development of the map data delivery and distribution systems.
However, it will be appreciated that due to the number of interfaces and functional components associated with a map distribution system, i.e. a map client (interface), such map client (interfaces) are functionally complex software components. Implementing map data delivery and distribution systems at the required functional safety levels can therefore be both labour-intensive and complex. Meeting the desired functional safety requirements for AD/ADAS applications thus typically involves a significant burden for the design, testing and support of the map delivery and distribution systems, with such complex implementations typically requiring increased processing and storage resources.
Digital map data for AD/ADAS applications is typically generated remotely, e.g. in a cloud server environment, by compiling suitable source data from one or more map data source(s), and then the map data is delivered from the cloud to vehicles requiring the map data. An in-vehicle distribution network then distributes the map data as required to the AD application requiring the map data (and/or to any other map-based applications executing on-board the vehicle). To provide a more efficient delivery of the map data, it is known to represent the digital map as a plurality of m