The invention relates to methods and an arrangement for performing driver identity verification.
The transport industry suffers from problems with smuggling and theft of valuable goods. Different security issues are a top subject around the world, especially since terror threats seem to intensify. One way to increase the level of security might be to have a verification system installed in commercial trucks, in order to assure that the driver is the proper one.
DE 43 26 514 A1 discloses an electronic anti-theft device for vehicles which gradually makes a motor vehicle with electronic engine control inoperative if a theft, robbery or attack takes place, if the driver cannot prove his use authorisation by keying in a personal identification number (PIN). The inquiry controlled by the electronic security system in order to prove identification takes place at suitable determined intervals in the travel time or along the route while the vehicle is being used. If the driver is not capable of proving his identity within a response time window, the speed of the vehicle is incrementally throttled till it comes to a standstill without endangering traffic by intervening in the electronic engine control and then as soon as it is stationary the vehicle is blocked against being driven away or towed away by intervening in the brake system, and further drive train electronic systems if they are present.
DE 101 56 731 A1 discloses a method and an apparatus for verification of authorized operators of a vehicle. Biometric data of the operator to be verified are determined before and/or during driving the vehicle and compared to reference data. If no match is found between the measured biometric data and the reference data, an autonomously operating control system takes over the control of the vehicle.
US 2004078118 A1 relates to a device for controlling an appliance, which cooperates with a human operator, wherein the appliance comprises an appliance-side safety device, which can interact with an enabling element provided with memory means and associated with a particular, authorized human operator, the appliance being operable only after interaction with the enabling element.
In one application the occurrences to be watched can be stored in the memory means of the enabling element, for example for watching motor vehicles with regard to unacceptably long driving times of a particular driver. In another application, the control means of aircraft are watched to ensure that the aircraft can be flown only by an authorized pilot. Invariable body characteristics of the driver or pilot, for example a finger print, are stored in the enabling element. The real body characteristics are detected by sensors and are compared with the stored ones. The vehicle or aircraft can only be used, if detected and stored body characteristics are identical.
U.S. Pat. No. 5,686,765 A provides a system for use with an automotive vehicle having a normally disabled ignition system. The system includes a reader, such as a fingerprint reader or retina reader, to identify the driver. The output from the reader is compared to corresponding physiological data stored in memory to determine if the driver is authorized to operate the vehicle. Optionally, a timer is employed to permit operation of the vehicle only during preset prescribed time periods.
It is desirable to provide flexible, easy-to-use, non-intrusive, imposture-safe methods and systems for truck driver verification. It is also desirable to provide similar verification and/or identification methods and systems.
An aspect of the application has two purposes. One is to find appropriate methods for driver verification and build a prototype of a verification system which can be used for testing and further development. The other is to study how truck drivers perceive such a system and how their conception goes along with the growing demand for higher security. The application focuses on the transport industry.
Eleven available verification methods were studied. To enable a well-based selection of methods to implement in a prototype, inquiries and interviews with truck drivers and haulage contractors were carried out to complement the theoretical study.
One regular and three biometric verification methods were chosen for a test; fingerprint verification, face recognition, voice recognition and PIN code. These methods were put together to a system that was implemented in a truck-driving simulator. A graphical user interface was developed in order to make the system user friendly. 18 truck drivers tested the verification system. They were thoroughly interviewed before and after the test in order to retrieve their background, expectations and opinions.
Most of the test participants were positive to the system. Even though they did not feel a need for it today they believed it to “be the future”. However, some participants felt uncomfortable with the system since they felt controlled by it. It became clear how important it is to have a system that respects the users' privacy and to assure that the users are well informed about how the system is used. Some of the technology used for the verification system requires more development to fit in the automotive context, but it is considered to be possible to achieve a secure and robust system.
As will be described in greater detail hereinbelow, a number of inventions have been made in the course of the described research and analysis regarding driver verification systems.
In at least one embodiment, the invention takes the form of a method for assuring that the operator of a vehicle is an authorized driver. This is accomplished through the utilization of an onboard, multi-mode driver identification system used to ascertain whether an operator is an authorized driver. A first driver identification procedure is performed on the operator in the vehicle and it is determined whether or not he or she is an authorized or unauthorized driver of the vehicle. Normally the test will only be to confirm whether the person being evaluated is an authorized driver. If the identification procedure fails to confirm that he or she is authorized, it will be assumed and acted upon as if it has been confirmed that they are unauthorized. Regardless of the outcome of the first identification procedure, a second driver identification procedure is subsequently performed on the operator and it is again attempted to determine whether he or she is an authorized or unauthorized driver. The first and second driver identification procedures are performed with a time interval therebetween, and this time interval is dependent upon the nature of the work being performed by the operator. As an example, the interval between identification confirmations will be different for urban delivery drivers making frequent stops and entrances/exits to and from the vehicle as compared to long-haul drivers making only a few stops during the day and presenting far fewer opportunities for unauthorized operators to slip behind the wheel of the vehicle. Finally, remedial (remedying) measures will be exercised in order to avert potentially negative impact when the present operator of the vehicle is determined to be an unauthorized driver based upon at least one of the performed identification procedures. While the truck will normally not be brought to an immediate stop based on a failure to ID the operator as an authorized driver, such things as notifications to the home office may be telematically affected or the vehicle prevented from restarting after the next driver-made stop.
It is contemplated that the driver identification procedures can be different from one another, or alike.
The second driver identification may be initiated immediately following a determination that the operator is an unauthorized driver in the first driver identification procedure.
Alternatively, the second driver identification procedure may be performed only when it cannot be determined that the operator is an authorized driver based on performance of the first driver identification procedure.
In at least one embodiment, one of the identification procedures is a passive identification test that does not require conscious interaction by the operator in association with the performance of the driver identification procedures. In one example, the passive identification test comprises a scan of a physical characteristic of the operator from which an image is compared to a set of control images representative of authorized drivers of the vehicle.
At least one of the first and second driver identification procedures is an active identification test that requires conscious interaction by the operator in association with the performance of the at least one of the driver identification procedures. An example would be the placement of a finger or hand on a scanner. Alternatively, the active identification test can include issuing a request to the operator to input a personal identification number into the system identifying the operator as an authorized driver. Another form of an active identification test comprises reading hard-coded identification information on an identification card presented by the operator. The system then may request that the operator input a personal identification number into the system that corresponds to a hard-coded identification number read from the identification card. Similarly, the active identification test can comprise issuing a command to the operator to speak a prescribed phrase, recording the spoken phrase as a speech pattern and comparing that pattern to a set of control speech patterns of authorized drivers of the vehicle.
In one variant or development of the invention, the first and second identification procedures are of two different types from one another and they are performed with random time intervals therebetween.
In another inventive aspect, an automated verification system is disclosed that appreciates that one of the issues human factors experts struggle with in this area is when and how should a driver be verified. Since the use of commercial vehicles differs depending on the application, some drivers might leave and enter their vehicle twenty times a day while some driver do the same only two to three times per day. In order to maintain a high enough security level without the system becoming annoying to the driver, several different strategies can be used. One of them is to perform automatic verification while driving. For instance, a face recognition (verification) can be performed during driving, without the driver being aware of it. If it fails the driver can be prompted to input his PIN-code or to use another method. The verification can be performed with random intervals.
In still another inventive aspect, a vehicle is equipped with several verification methods the driver can be prompted with different methods at different times. If the choice of method and time is randomized the driver will have no way of knowing when or how to verify himself. Implementing this kind of unpredictability in the system increases the security level since an imposture would never know when or in which way he would have to verify himself.
In yet another inventive aspect, it is appreciated that in biometric systems it is not the measured biometric (image) itself that is verified (matched), but rather a template of the biometric; that is, a template is extracted from the measured biometric and compared to an existing template in the database. One of the problems with matching against a stored template (or the biometric measure itself) is the fact that a person's biometrics might change over time while the stored template does not. For instance, a person's fingerprint might change due to a scar or a spoken password due to illness or age. One solution to this problem is to update the template (manually or automatically). An automatic update can be achieved in a multi-modal verification system; that is, a verification system using more than one biometric/PIN-code/smart card. One or more verification methods can then be used to verify the driver while one of the methods not used updates its template (if the verification process was a success). By way of example, the driver enters his vehicle and is prompted to verify himself using PIN-code, fingerprint and face recognition. The system verifies him using PIN-code and face recognition and uses the fingerprint biometric to update the fingerprint template in the database.
In a related aspect regarding the stored biometrics template, a crucial issue is where to store the template. Basically there are three alternatives: (i) a database in the truck; (ii) a database in the back-office (requires real-time communication between the vehicle and the back-office; and/or (interconnection) a database that the driver carries with him such as a smart card. On option is to use the digital Tachograph driver's card to store verification templates. The card is a smart card and thus suitable for this kind storage, but more importantly, it is something that the driver is enforced to use by law (at least in Europe) and is thus always carried with the driver.
In another inventive aspect, redundancy is instituted in appreciation of the uncertainty typically related to known identification verification systems. The performance of a face recognition method might for example be affected by lighting conditions. Using several methods (e.g. face recognition and PIN-code), redundancy is achieved in the system. For example, a driver is driving down the road and a scheduled automatic facial recognition is performed and it fails for some reason (lighting conditions may be bad or the like). The driver is then asked to verify himself using fingerprint and PIN-code.
Finally, it should be appreciated that each of the aspects described above, either alone or in combination, can be implemented in a telematics context. That is, the verification system can report/receive information and the like to/from a back-office or a security network on a company/national/international level. As an example, ex-convicts can be prevented from driving hazardous goods by verifying their detected biometric data against a national/international database on criminals.