The invention relates to a radio remote control for controlling vehicle functions of a motor vehicle according to the preamble of claim 1.
Because the German term “Sicherheit” can mean either the English term ‘security’ (access protection, protection from intruders, protection from data tampering, and the like) or the English term ‘safety’ (protection from unreasonable risks to life and limb), and the two could be mixed up, hereafter the term “security” is generally used in the first instance, and the term “operational safety” or “functional safety” is used in the second instance.
It is known to control individual vehicle systems that are not directly related to driving a vehicle by remote control (for example, integrated into the remote key fob of the vehicle). Examples of these include the access functions for the central locking system, the opening of the convertible top or the opening of the windows. In many vehicles, the remote key fob additionally includes a portion of the immobilizer. Moreover, further comfort functions, such as engine-independent air conditioning or auxiliary heating, can at times also be controlled by remote control. In contrast, moving the vehicle cannot be remotely controlled in the majority of cases.
For theft protection reasons, current remote key fobs generally incorporate the necessity of cryptographic protection. This is typically achieved by way of symmetric or asymmetric encryption/signing. Moreover, the radio link of such remote controls is safeguarded against tampering, for example by way of a checksum method, and more particularly by way of a cyclic redundancy check (CRC), or signatures. This can be useful both for robustness and for further increasing the security of transmission.
There are many functions in vehicles which are relevant for operational safety/functional safety. Such functions are developed and safeguarded, for example, in accordance with the standards IEC 61508 (IEC—International Electrotechnical Commission) or—in the automotive field—with ISO 26262 (ISO—International Organization for Standardization).
When remotely controlling functions in the vehicle which are relevant for operational safety/functional safety, requirements in regard to operational safety/functional safety (within the meaning of safety) exist for the entire remote control, in addition to the known requirements in regard to robustness and security (within the meaning of security).
For example, the erroneous activation of a remotely controlled function that is relevant for functional safety due to faults in the remote control (which is to say in the transmitter) must be sufficiently precluded or safeguarded against.
These requirements in terms of functional safety must be met, for example, by developing and safeguarding the entire remote control system (both on the transmitter side and on the receiver side) in keeping with ISO standard 26262 used in the automotive field.
This conventional approach to assuring functional safety, however, results in considerable complexity and additional problems, in particular for the remote control (which is to say the transmitter). For example, compared to simple remote key fobs, the software development process is very complex and the quantitative failure rates are considerably higher. Moreover, typical solutions that are used to assure functional safety, such as redundant processing of those input signals that are relevant for assuring the functional safety, are subject to tight limits in remote radio key controls due to the installation space and power consumption alone.
FIG. 1 shows a conventional transmitter/receiver system, which is used to remotely control a vehicle function. A remote control 1 comprises input means 2 for controlling the vehicle functions, for example various buttons for triggering different vehicle functions, such as a button for unlocking the vehicle and a button for locking the vehicle. A user input E is obtained by way of the input means 2. The user input E is converted by a transmitter logic controller 3 into the data S to be sent, containing the user input E in encoded form, which is to say S is a function of E: S=f(E). For example, f(E) can involve simple encoding (S=E), or S can contain further information, for security reasons, for example, such as the identification of the transmitter (transmitter ID), checksums (for example within the meaning of a CRC) or a sequence counter. The transmitter logic controller 3 is implemented by way of a microcontroller, for example, and optionally further electronics components. The modulation of the data to be sent on a corresponding radio frequency carrier is not shown in FIG. 1 for the sake of simplification. On the receiver side, the user input E is ascertained from the received data S after demodulation (not shown) in the evaluation logic controller 4, which is to say E=f⁻¹(S), and the corresponding output signal A for carrying out the vehicle function that is associated with the user input is output.
In a vehicle function that is relevant for functional safety, such as a parking function triggerable from outside the vehicle for automatically maneuvering a passenger car into or out of parking space, all parts of the remote control that come in contact with the remote control unit of such a vehicle function must be designed in keeping with the specifications for functional safety in the case of a conventional approach. Consequently, this results in considerable added complexity, which cannot be accommodated, or is only very difficult to accommodate, with the given boundary conditions of the existing installation space and the power consumption. This applies in particular to the microcontroller used in the remote control.
It is the object of the invention to provide a radio remote control, which in addition to controlling vehicle functions (such as unlocking and locking the central locking system) that are not relevant for functional safety, also allows vehicle functions (such as automatic parking) that are relevant for functional safety to be controlled, without the requirements in connection with functional safety being essentially completely applied to the entire transmitter-side microcontroller.
The object is achieved by the features of the independent claims. Advantageous embodiments are described in the dependent claims.
The radio remote control according to the invention is used to control at least one first vehicle function that is relevant for functional safety, for example a function for carrying out an autonomous driving operation of a vehicle, and more particularly a parking function for the automated maneuvering of a passenger car into or out of a parking space. Preferably, it is a parking function for (forward and/or reverse) parking in a head parking space, and more particularly for parking in a forwardly drivable head parking space (such as in an individual garage). Such a parking function that can be controlled by remote control is described in the German patent application 10 2011 084 366.3 with the title “Remote control for a parking assistance system and a parking assistance system which can be controlled by remote control” by the same applicant, which was filed on Oct. 12, 2011. The description of the parking function and of the operation thereof described there is hereby included by reference in the disclosure of the present application.
In addition to one or more such functions, the remote control is also used to control further vehicle functions, for example for unlocking and locking the central locking system.
The remote control according to the invention comprises input means for the user selection of vehicle functions and for obtaining a user input corresponding to the selected vehicle function, as was already described in connection with FIG. 1. The input means are also used to select the first vehicle function, so that a user input associated with the first vehicle function is present upon selection of the first vehicle function. The input means are buttons, for example, wherein either each button is associated with exactly one vehicle function or, alternatively, one or more buttons are associated with more than one vehicle function. The remote control moreover comprises a transmitter logic controller for processing the user input, as was already described in connection with FIG. 1.
In contrast to conventional remote controls, however, the remote control according to the invention additionally comprises a certain security device for safeguarding the first vehicle function.
The security device itself comprises a security input means, which must be actuated for the first vehicle function to be carried out. The security input means is preferably transferred into a first state upon actuation, and remains in this state while the first vehicle function is being carried out. For example, it may be provided for this purpose that the remote control is configured in such a way that the security input means must be maintained in the first state by the user while the first vehicle function is being carried out, in particular by the user applying a force, such as by continuously actuating a button against a counter-force of the button, or by continuously holding a pulled-out operating part against a counter-force. It would also be conceivable that a (mechanical, for example) timing element is provided, wherein the timing element maintains the security input means (in the form of a button, for example) in the first state after one-time activation and then resets the same in a—preferably defined—time period. In this example, continuous actuation of the security input means by the user would be possible, but not necessarily required. For example, it would also be possible to use an electric or electronic timing element that is integrated into the security input means or connected downstream thereof, wherein the timing element maintains the button in the first state after activation and then resets the same after a, preferably defined, time period has lapsed.
The security input means can be a switch, which is switched by a force applied by the user. However, this is not essential. The security input means preferably has at least two different states and is actuated by an action of the user (for example, by pushing a button or touching a particular region on the remote control) and transferred into another state. The security input element is a switching element, for example.
The security device moreover comprises a security circuit, which is coupled to the security input means and includes security information. When the security input means is actuated, for example, the security information is enabled for processing.
The remote control is configured in such a way that, in the case of a user input associated with the first vehicle function, the security information is only used to generate transmission data that cause the first vehicle function to be carried out if the security input means has been actuated. In the case of a user input associated with the first vehicle function, the security information is preferably only used to generate transmission data that cause the first vehicle function to be carried out if the first state of the security input means is present, and when the first state is left, the use of the security information for this purpose is precluded. Thus, only if the first state is present can such transmission data that allow the first vehicle function to be carried out be generated, using the security information (and preferably using the user input associated with the first vehicle function). The actuation of the security input means thus constitutes a security input by the user. During a subsequent change of the state of the security input means, the use of the security information is then disabled again.
According to the invention, undesired activation of the first vehicle function can be prevented by providing a secret in the form of the security information, which must be used in the generation of transmission data so as to obtain valid transmission data for triggering the first vehicle function. The secret, which is to say the security information, should preferably be so complex that it can be excluded with sufficient likelihood that one element in the chain that encompasses the transmitter, transmission link, receiver and evaluation logic controller accidentally generates the secret, even in the event of a fault. The security information is preferably at least 16 bits long, and more particularly at least 32 bits long; for example, it is 16, 32, 64, 128 or 256 bits long.
The use of the secret for the generation of the transmission data must be activated on the transmitter side by a security input on the part of the user, this being by actuating the additional security input means. A check is carried out in the receiver whether the secret was used in the generation of the transmission data, and only in this case is the first vehicle function activated.
It is preferably provided that use of the security information for the generation of valid transmission data that cause the first vehicle function to be carried out is precluded when the first state is left. It is thus made possible for the first vehicle function to be safely deactivated as soon as the user cancels the security input. In the implementation of the remote control, it should be ensured—even in the event of a fault—with sufficient likelihood that the secret, which is to say the security information, is deactivated when the user cancels the security input and the security input means leaves the first state. In this case, it is established on the receiver side that the security information is no longer used to generate the transmission data, wherein the first function is suppressed from being further carried out. For example, the transmitter repeatedly sends corresponding data in a particular time pattern, such as every 10 ms, to the receiver for carrying out the first vehicle function. If after a certain time duration (for example, 100 ms) after valid data for carrying out the first vehicle function have been received, no valid data are received any longer, which were generated on the transmitter side using the security information, the first vehicle function is stopped from being further carried out, for example.
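Added example, not part of the original description: a C sketch of the receiver-side check and stop behaviour described above, with the transmitter sending every 10 ms and the receiver stopping the first vehicle function once 100 ms pass without a frame generated using the security information. The frame layout, the use of a CRC-32 seeded with the security information as the way the secret enters the transmission data, the constructed SECURITY_INFO value and all function names are assumptions made for illustration; the check guards against accidental generation under faults and does not replace the cryptographic protection of the radio link.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FN_PARK        0x01u        /* first vehicle function (assumed ID)     */
#define SEND_PERIOD_MS 10u          /* transmitter repeat pattern from the text */
#define TIMEOUT_MS     100u         /* receiver stop timeout from the text      */
#define SECURITY_INFO  0xA5C35A3Cu  /* constructed 32-bit security information  */

typedef struct { uint8_t fn; uint8_t seq; uint32_t check; } frame_t;
typedef struct { bool active; uint32_t last_valid_ms; } rx_state_t;

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320) with a caller-chosen seed. */
static uint32_t crc32_seeded(uint32_t seed, const uint8_t *p, size_t n) {
    uint32_t c = ~seed;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Transmitter side: the security circuit releases the secret only while the
 * security input means is in its first state; otherwise the seed is zero.   */
frame_t tx_build(uint8_t fn, uint8_t seq, bool first_state) {
    uint32_t seed = first_state ? SECURITY_INFO : 0u;
    uint8_t body[2] = { fn, seq };
    frame_t f = { fn, seq, crc32_seeded(seed, body, sizeof body) };
    return f;
}

/* Receiver side: was the frame generated using the security information? */
static bool rx_frame_valid(const frame_t *f) {
    uint8_t body[2] = { f->fn, f->seq };
    return f->fn == FN_PARK &&
           f->check == crc32_seeded(SECURITY_INFO, body, sizeof body);
}

/* One receiver time slot; f == NULL means nothing was received. Returns
 * whether the first vehicle function may (continue to) be carried out.   */
bool rx_step(rx_state_t *rx, uint32_t now_ms, const frame_t *f) {
    if (f && rx_frame_valid(f)) {
        rx->active = true;
        rx->last_valid_ms = now_ms;
    } else if (rx->active && now_ms - rx->last_valid_ms >= TIMEOUT_MS) {
        rx->active = false;  /* no valid data for TIMEOUT_MS: stop function */
    }
    return rx->active;
}

/* User holds the security input for hold_ms, then releases it while the
 * transmitter keeps sending. Returns the time at which the receiver stops
 * the function, or 0 if it never stopped (or never started).             */
uint32_t simulate_stop_time(uint32_t hold_ms, uint32_t total_ms) {
    rx_state_t rx = { false, 0 };
    bool was_active = false;
    uint8_t seq = 0;
    for (uint32_t t = 0; t <= total_ms; t += SEND_PERIOD_MS) {
        frame_t f = tx_build(FN_PARK, seq++, t < hold_ms);
        bool active = rx_step(&rx, t, &f);
        if (was_active && !active) return t;
        was_active = active;
    }
    return 0;
}

int main(void) { printf("%u\n", (unsigned)simulate_stop_time(50, 300)); return 0; }
```

With the security input released at 50 ms, the last valid frame is the one sent at 40 ms, so the receiver stops the function at 140 ms even though frames without the secret keep arriving.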
The threshold value for the above-described sufficient likelihoods depends on the security level of the first vehicle function. For example, the threshold value can be derived from specifications in the standards for functional safety; for example, ISO 26262 proposes a value smaller than or equal to 10⁻⁷ per operating hour for Automotive Safety Integrity Level C (ASIL C).
The proposed radio remote control allows control (such as activation and deactivation) with regard to the functional safety of sensitive vehicle functions, without the entire remote control having to comply with the corresponding requirements of the standard for functional safety. Instead, preferably only the security device (which is to say the security input means, the security circuit, and optionally further components of the security device) is developed and safeguarded in accordance with the specifications of the standard for functional safety. The complexity for developing and safeguarding the remote control is thus reduced, despite adherence to the standards for functional safety such as IEC 61508 or ISO 26262. Since it is not the entire transmitter-side scope, but only the security circuit that is developed and safeguarded according to the specifications of the respective standard, the approach proposed here results in a considerable cost reduction. In addition, however, the functional safety of the system also tends to be increased as compared to the traditional approach of safeguarding the entire transmitter, since the scope of the remote control that must in fact be safeguarded according to the respective standard is less complex. Moreover, independently of the functional safety, the robustness of the function also increases, since faulty activations, which might not result in a true hazard but nonetheless represent undesirable behavior from the view of the user, can also be prevented.
The remote control preferably comprises a first button, which in turn comprises the security input means in the form of a security switching element.
According to a first embodiment variant for the first button, in addition to the security switching element, the first button can comprise a further switching element, which is used to obtain a user input that is associated with the first vehicle function. The further switching element is thus associated with the input means for the user selection of a vehicle function, while the security switching element is associated with the security device. The first button is then configured in such a way that upon actuation of the first button, both the security switching element and also the further switching element are actuated.
As an alternative, it may be provided that the remote control comprises at least one further button, in addition to the first button, and that the further button is used as an input means for selecting the first vehicle function.
As an alternative to the use of a button, wherein upon actuation of the button the security input means is actuated, it is also possible to use an entirely different concept in order to actuate the security input means. For example, it may be provided that the remote control comprises a main body and an operating part comprising at least one operating element. The at least one operating element is used to select the first vehicle function, for example for the autonomous parking of a vehicle. In a hidden state of the operating part, the at least one operating element of the operating part is hidden and cannot be operated. By a movement of the operating part in relation to the main body, in particular by pushing out, pulling out or folding the operating part, the operating part can be transferred from the hidden state into an open state of the operating part, in which the at least one operating element is visible and can be operated. Such a system comprising a main body and an operating part is described in the above-described German patent application 10 2011 084 366.3. The description of such a system and of the operating principle thereof described there is hereby included by reference in the disclosure of the present application.
A security input means is used in the present invention, wherein in this case the security input means is actuated by the movement of the operating part in relation to the main body and is brought into the first state, wherein in the open state it is then in the first state. For example, the security input means could be designed as a microswitch, wherein the microswitch is actuated, which is to say transferred into the first state, by the movement of the operating part in relation to the main body.
In a further implementation, the security input means could be designed as a reed relay, for example, wherein a magnet is brought closer to the reed relay by the movement of the operating part in relation to the main body, and the security input means is thus transferred into the first state.
For this purpose, it is preferably provided that the user must actively maintain the security input means in the first state by the user having to hold the operating part in the open state against a counter force (caused by a spring mechanism, for example) when the operating part is in the open state, since otherwise, without sufficient force application on the part of the user, the operating part returns again to the closed state due to the counter force, and the security input means leaves the first state again.
A second aspect of the invention relates to a receiver for an above-described remote control, the receiver being integrated into a motor vehicle. The receiver is configured to check the received data as to whether or not these were generated on the transmitter side, using the above-described security information.
A third aspect of the invention relates to a motor vehicle comprising an above-described receiver. The motor vehicle can be remotely controlled by way of an above-described remote control in such a way that at least one first vehicle function that is relevant for functional safety (for example, a parking function for the automated maneuvering into or out of a parking space) and one or more second vehicle functions (for example, an unlocking function and a locking function for a central locking system) can be triggered by the remote control. However, the first vehicle function is only carried out when it has been confirmed, based on the check carried out in the receiver, that the received data were generated on the transmitter side using the security information.
The invention will be described hereafter based on multiple exemplary embodiments with the aid of the accompanying drawings. In the drawings:
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of one or more preferred embodiments when considered in conjunction with the accompanying drawings.