The term multimedia control unit is intended to be understood in a wide sense in this document and to relate to all devices in the vehicle which are associated with the term “multimedia” or “infotainment”. These are, in particular, telematics applications (for example map displays, a navigation system or the like), voice communication applications (mobile radio or mobile radio applications), entertainment electronics (radio, television, video or the like) as well as data interfaces with user devices (Bluetooth, W-LAN or the like) which vehicle occupants carry with them and would like to integrate into the vehicle electronics system. These applications have in common the fact that they do not perform any safety-related functions in the vehicle.
Such safety-related functions are reserved for safety control devices which include, in particular, driver assistance systems which, when hazardous situations are detected by vehicle sensors (vehicle dynamics sensors), environment sensors (sensors which sense the surroundings of the vehicle) or vehicle-to-vehicle or vehicle-to-surroundings communication (C2C or C2X communication)—with C2X communication comprising C2C communication as a special case—engage actively in the control of the vehicle, for example by means of emergency braking. Examples of this are ADAS (Advanced Driver Assistance System) or ESC (Electronic Stability Control).
Until now, the systems in the vehicle were separated into systems or units with high safety requirements, that is to say systems which are necessary for safe operation of the vehicle and/or which increase the safety of the vehicle, and such systems which serve to provide entertainment and information to the driver, such as navigation systems or radio units. This differentiation results from the different requirements made of the reliability of the multimedia systems and of the safety systems. Safety units which participate in the safety systems are developed on a “safety-driven” basis, while multimedia units of the multimedia systems have to keep up with developments in consumer electronics and are therefore developed on a “feature-driven” basis.
The multimedia units which are developed on a “feature-driven” basis have a multiplicity of functions which are to be quickly integrated into the vehicle units, but in the case of incorrect operation or in certain situations lead to malfunctions and, under certain circumstances, to the system failing, which system then has to be restored by a restart. This does not have any further significant effects in the case of multimedia functions since they only serve to entertain and inform the driver, with the result that a restart or a malfunction does not have any effects on the safety of the vehicle.
In contrast, safety units which relate to vehicle functions which are directly relevant to safety or which inform the driver about safety risks, have direct effects on the safety in road traffic. For this reason, significantly more stringent demands are made of the reliability and stability of these systems. These systems are developed substantially more slowly and are so robust that in a normal case they do not fail and, under certain circumstances, can even cope with the failure of some electronic components through redundancies which are provided.
For this reason, such safety units are very expensive to develop so that the two worlds in the vehicle electronics are usually kept separate. In some cases it is possible to bring about communication between the two worlds via a vehicle communication network, but the said network then does not need to satisfy the stringent safety requirements. However, when the two worlds are connected and information is exchanged over these system boundaries, the various basic requirements (“feature-driven” versus “safety-driven”) constitute a problem since a safety system is developed significantly more slowly and owing to the rapid development cycles a multimedia unit does not have to focus on compliance with safety criteria, for example according to IEC 61508 or the analogous automotive standard. These systems are developed significantly more quickly so that difficulties increasingly occur at the communication interfaces between these two problems.
WO 2009/101163 A2, which is incorporated herein, discloses a vehicle system for carrying out navigation and providing driver assistance with a navigations unit, a provider unit, a sensor unit and a driver assistance system, in which the navigation unit supplies, as part of a multimedia control unit, map excerpts from the surroundings on the map to a provider unit which reconciles these data with further sensor information or other information and generates a map of the surroundings of the vehicle which is used by the driver assistance system to be able to react suitably in hazardous situations. This system runs according to the keyword “assistance horizon” and is used, for example, in the ADAS system as eHORIZON. While the navigation unit, as a multimedia unit, is developed with only low safety requirements, it is desirable for the provider unit as the unit which makes available the horizon for the driver assistance system that this unit has a high safety level so that in the interface between the navigation unit and the provider unit the transition from a system which is developed on a “feature-driven” basis to a system which is developed on a “safety-driven” basis takes place and the provider unit constitutes a correspondingly high value and expensive unit. In this context, it is problematic that the multimedia control units are developed quickly and, under certain circumstances, interfaces and functions are no longer standardized in a replaceable fashion with respect to the provider unit. This requires modification of the provider unit, but this proceeds more slowly and is significantly more expensive since the interface itself must again satisfy the stringent safety requirements.