CN111367726B - Safe redundant automatic driving computing platform and control method thereof - Google Patents
- Publication number: CN111367726B
- Application number: CN202010468991.1A
- Authority: CN (China)
- Prior art keywords: MPU, computing platform, performance processor, redundant, performance
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/20—Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
- G06F11/202—Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where processing functionality is redundant
- G06F11/2038—Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where processing functionality is redundant with a single idle spare processing component
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F15/00—Digital computers in general; Data processing equipment in general
- G06F15/16—Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
- G06F15/163—Interprocessor communication
- G06F15/173—Interprocessor communication using an interconnection network, e.g. matrix, shuffle, pyramid, star, snowflake
Abstract
The invention discloses a safe and redundant automatic driving computing platform and a control method thereof. The computing platform comprises: at least two performance processor MPUs (micro processing units) for controlling the operation of the extended computing unit, namely the functional algorithm module; at least one microcontroller MCU for controlling switching of the performance processor MPUs; and at least two Ethernet switches for communication between the performance processor MPUs. The performance processor MPUs back each other up, and when the main performance processor MPU is abnormal, the redundant backup performance processor MPU controls the functional algorithm module to run. Through the design of the network, the hardware and the middleware software, the invention gives the automatic driving computing platform (controller) a redundancy function, so that a redundant unit can take over in real time when the network, hardware and algorithm unit of the computing platform fail, leaving the vehicle sufficient capability to carry out exception handling.
Description
Technical Field
The invention belongs to the technical field of automatic driving, and particularly relates to a safe and redundant automatic driving computing platform and a control method thereof.
Background
Automatic driving bears directly on personal safety and requires comprehensive safety measures. In terms of safety, the following designs exist:
(1) redundancy of the vehicle actuators, namely the braking and steering control units of the vehicle: if the main system fails, a standby system can complete the braking and steering operations;
(2) multiple sensors that back each other up: when one sensor or one type of sensor fails, the system can still perform effective environment perception and decision-making;
(3) redundancy of the vehicle body bus: whether Ethernet or the CAN bus is used, a backup link is provided to cope with communication interruption;
(4) algorithm-level design that can keep controlling the vehicle to a safe stop when an abnormality occurs.
However, when the network, hardware and algorithm unit of the computing platform itself fail, the vehicle still cannot complete an exception-handling procedure such as pulling over, so a safety-redundant design of the automatic driving computing platform is required.
Disclosure of Invention
The invention aims to provide a safe and redundant automatic driving computing platform and a control method thereof.
The technical solution that achieves this aim is a safety-redundant automatic driving computing platform comprising:
at least two performance processor MPUs (micro processing units) for controlling the operation of the extended computing unit, namely the functional algorithm module;
at least one microcontroller MCU for controlling switching of the performance processor MPUs;
at least two Ethernet switches for communication between the performance processor MPUs;
the performance processor MPUs back each other up, and when the main performance processor MPU is abnormal, the redundant backup performance processor MPU controls the functional algorithm module to run.
Further, the computing platform achieves redundancy with a plurality of computing unit boards; each computing unit board comprises a performance processor MPU, a microcontroller MCU and an Ethernet switch, and the computing unit boards communicate with one another through the corresponding Ethernet switches.
Further, the computing platform achieves redundancy on a single computing unit board that carries a microcontroller MCU, at least two performance processor MPUs and at least two Ethernet switches; the performance processor MPUs communicate with one another through the corresponding Ethernet switches.
Further, the external devices of the computing platform are connected to the computing platform through a CAN bus or Ethernet.
Further, the performance processor MPUs communicate with each other based on the QoS protocol of DDS, and the same functional algorithm modules run on the performance processor MPUs that back each other up.
Further, the performance processor MPU runs monitoring software that monitors the running time, running result, QoS parameters and running state of each functional algorithm module and issues an exception notification when a functional algorithm module is found to be abnormal.
Further, the microcontroller MCU determines whether the performance processor MPU and the monitoring software running on it are in a normal working state through the heartbeat interaction between the monitoring task on the MCU and the monitoring software.
Further, if the extended computing units are hardware-redundant, each redundant extended computing unit is connected to a respective Ethernet switch; otherwise, the extended computing unit must be provided with a plurality of Ethernet interfaces, each connected to one of the Ethernet switches, which share the same IP address through network interface bonding.
A safety redundancy control method based on the above automatic driving computing platform comprises the following steps:
the microcontroller MCU monitors the running state of the main performance processor MPU;
when the main performance processor MPU becomes abnormal, the redundant backup performance processor MPU takes over control.
Further, the performance processor MPUs communicate with each other based on the QoS protocol of DDS, and the same functional algorithm modules run on the performance processor MPUs that back each other up.
Compared with the prior art, the invention has the following notable advantages: through the design of the network, the hardware and the middleware software, it gives the automatic driving computing platform (controller) a redundancy function, so that a redundant unit can take over in real time when the network, hardware and algorithm unit of the computing platform fail, leaving the vehicle sufficient capability to carry out exception handling.
Drawings
FIG. 1 is an exemplary diagram of the architecture of the safety redundant autopilot computing platform of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The invention provides a safe and redundant automatic driving computing platform, which comprises:
at least two performance processor MPUs (micro processing units) for controlling the operation of the extended computing unit, namely the functional algorithm module;
at least one microcontroller MCU for controlling switching of the performance processor MPUs;
at least two Ethernet switches for communication between the performance processor MPUs;
the performance processor MPUs back each other up, and when the main performance processor MPU is abnormal, the redundant backup performance processor MPU controls the functional algorithm module to run.
The network design can be divided into two parts, the network inside the computing platform and the external network:
1) Inside the computing platform, the performance processor MPUs communicate by connecting to their corresponding Ethernet switches. The Ethernet switches must also be connected to the extended computing unit.
If the extended computing units are hardware-redundant, each redundant extended computing unit is connected to a respective Ethernet switch to achieve communication redundancy. If the extended computing unit is not hardware-redundant, it must be provided with a plurality of Ethernet interfaces, each connected to one of the Ethernet switches, which share the same IP address through network interface bonding to achieve communication redundancy.
Fig. 1 shows an example of an automatic driving computing platform with two computing unit boards. The two extended computing units are hardware-redundant, the two Ethernet switches are connected to each other, and the main extended computing unit and the backup extended computing unit are each connected to one Ethernet switch, which provides the communication between the performance processor MPUs and the extended computing units.
2) Outside the computing platform, sensors, vehicle body networks and the like are connected to the computing platform through a CAN bus or Ethernet, wherein:
a) For external devices accessed through the CAN bus, communication redundancy can be achieved simply by connecting them to the microcontroller MCU simultaneously.
b) For external devices accessed through Ethernet, the main performance processor MPU and the standby performance processor MPU must be connected simultaneously and share the same external IP address through the VRRP protocol, so as to achieve redundancy of external network data communication.
To support redundant backup, two hardware architectures are possible:
1) Redundancy is achieved with a plurality of identical computing unit boards. Each computing unit board therefore needs a performance processor MPU, a microcontroller MCU and an Ethernet switch, and redundancy is achieved by interconnecting the computing unit boards.
FIG. 1 shows an example of an automatic driving computing platform with two computing unit boards, one acting as the main computing unit and one as the standby computing unit. Each computing unit board carries a performance processor MPU, a microcontroller MCU and an Ethernet switch. The performance processor MPUs of the main and standby computing units are interconnected through Ethernet, and when the performance processor MPU of the main computing unit fails, the performance processor MPU of the standby computing unit controls the extended computing unit, namely the functional algorithm module.
2) Redundancy is achieved on a single computing unit board, which carries a microcontroller MCU supporting the lockstep function, a plurality of performance processor MPUs and a plurality of Ethernet switches; the number of performance processor MPUs equals the number of Ethernet switches.
For a computing unit board containing two performance processor MPUs, one acts as the main performance processor and the other as the standby performance processor. The two are interconnected through Ethernet, and when the main performance processor fails, the microcontroller MCU switches over to the standby performance processor, which then controls the functional algorithm module.
The middleware that implements safety redundancy control works as follows:
Whether within one computing unit or across interconnected computing units, different software modules communicate through middleware conforming to the DDS standard. Based on the DDS QoS protocol, the same functional algorithm module can run on the performance processor MPUs that back each other up and produce the same output without conflict. When one of these functional modules raises an exception, the result of the other identical module may be used according to the QoS configuration.
Monitoring software running on each performance processor MPU configures and monitors the running time, running result, QoS parameters and running state of each functional algorithm module. When a functional module is found to be abnormal, an exception notification is issued.
Whether the monitoring software running on a performance processor MPU is in a normal working state can be determined through heartbeat exchange with the monitoring task on the microcontroller MCU. When a given instance of the monitoring software is found to be abnormal, the corresponding performance processor MPU can be confirmed to be in an abnormal state, and the redundant backup unit takes over.
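An added C example (not code from the patent) of the MCU monitoring task described above: it tracks heartbeats from the monitoring software on each MPU and hands control to the backup when the active MPU's heartbeat goes stale. The 100 ms timeout, the three-miss limit, the heartbeat sequence counter and all type and function names are assumptions; the patent gives no message format or timing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values: the patent gives no timing figures or message format. */
#define HB_TIMEOUT_MS 100u /* longest tolerated gap between fresh heartbeats */
#define HB_MISS_LIMIT 3u   /* consecutive late checks before an MPU is abnormal */

typedef enum { MPU_MAIN = 0, MPU_BACKUP = 1 } mpu_id_t;

typedef struct {
    uint32_t last_seq;   /* last accepted heartbeat counter */
    uint32_t last_rx_ms; /* MCU clock when it was accepted */
    uint32_t misses;     /* consecutive checks that found the heartbeat late */
    bool healthy;
} mpu_watch_t;

typedef struct {
    mpu_watch_t mpu[2];
    mpu_id_t active; /* MPU currently controlling the functional algorithm modules */
    bool degraded;   /* at least one MPU abnormal, so no redundancy is left */
} mcu_monitor_t;

void monitor_init(mcu_monitor_t *m, uint32_t now_ms) {
    for (int i = 0; i < 2; i++)
        m->mpu[i] = (mpu_watch_t){ 0u, now_ms, 0u, true };
    m->active = MPU_MAIN;
    m->degraded = false;
}

/* Heartbeat from the monitoring software on one MPU. A counter that did not
 * advance means a hung sender or a repeated frame, so it is not proof of life. */
bool monitor_on_heartbeat(mcu_monitor_t *m, mpu_id_t id, uint32_t seq, uint32_t now_ms) {
    mpu_watch_t *w = &m->mpu[id];
    if ((int32_t)(seq - w->last_seq) <= 0) /* wrap-safe "not newer" test */
        return false;
    w->last_seq = seq;
    w->last_rx_ms = now_ms;
    w->misses = 0;
    w->healthy = true; /* a recovered MPU becomes an eligible standby again */
    return true;
}

/* Periodic MCU monitoring task; returns the MPU in control after the check. */
mpu_id_t monitor_tick(mcu_monitor_t *m, uint32_t now_ms) {
    for (int i = 0; i < 2; i++) {
        mpu_watch_t *w = &m->mpu[i];
        /* unsigned subtraction stays correct when the millisecond clock wraps */
        if ((uint32_t)(now_ms - w->last_rx_ms) > HB_TIMEOUT_MS && ++w->misses >= HB_MISS_LIMIT) {
            w->misses = HB_MISS_LIMIT; /* saturate so the counter cannot overflow */
            w->healthy = false;
        }
    }
    mpu_id_t standby = (m->active == MPU_MAIN) ? MPU_BACKUP : MPU_MAIN;
    /* Switch only to a standby that is itself healthy; no automatic fail-back. */
    if (!m->mpu[m->active].healthy && m->mpu[standby].healthy)
        m->active = standby;
    m->degraded = !m->mpu[MPU_MAIN].healthy || !m->mpu[MPU_BACKUP].healthy;
    return m->active;
}

/* Constructed scenario, 50 ms period: from stall_ms on the main MPU goes silent or
 * (frozen_seq) resends its last counter. Returns the takeover time in ms, or 0. */
uint32_t simulate_main_fault(uint32_t stall_ms, bool frozen_seq) {
    mcu_monitor_t m;
    uint32_t seq_main = 0, seq_backup = 0;
    monitor_init(&m, 0);
    for (uint32_t t = 50; t <= 1000; t += 50) {
        if (t < stall_ms)
            monitor_on_heartbeat(&m, MPU_MAIN, ++seq_main, t);
        else if (frozen_seq)
            monitor_on_heartbeat(&m, MPU_MAIN, seq_main, t); /* rejected as stale */
        monitor_on_heartbeat(&m, MPU_BACKUP, ++seq_backup, t);
        if (monitor_tick(&m, t) == MPU_BACKUP)
            return t;
    }
    return 0;
}

int main(void) {
    printf("takeover at %u ms (silent), %u ms (frozen counter)\n",
           (unsigned)simulate_main_fault(250, false), (unsigned)simulate_main_fault(250, true));
    return 0;
}
```

When both MPUs are abnormal the monitor leaves `active` unchanged and only raises `degraded`, since switching to a standby that is itself unhealthy gains nothing.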
The invention also provides a safety redundancy control method based on the above automatic driving computing platform, which comprises the following steps:
the microcontroller MCU monitors the running state of the main performance processor MPU;
when the main performance processor MPU becomes abnormal, the redundant backup performance processor MPU takes over control.
Further, the performance processor MPUs communicate with each other based on the QoS protocol of DDS, and the same functional algorithm modules run on the performance processor MPUs that back each other up.
Further, monitoring software runs on the performance processor MPU and configures and monitors the running time, running result, QoS parameters and running state of each functional algorithm module. When a functional module is found to be abnormal, an exception notification is issued.
Further, the microcontroller MCU determines whether the performance processor MPU and the monitoring software running on it are in a normal working state through the heartbeat interaction between the monitoring task on the MCU and the monitoring software.
Those skilled in the art will understand that all or part of the processes of the methods in the above embodiments can be implemented by a computer program instructing the relevant hardware. The program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments can be combined arbitrarily. For the sake of brevity, not all possible combinations of these technical features are described, but any combination should be considered within the scope of this specification as long as the combined features do not contradict each other.
The above embodiments express only several implementations of the present application. Their description is relatively specific and detailed, but it should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, all of which fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.
Claims (6)
1. A safety redundant autopilot computing platform comprising:
at least two performance processors MPUs (micro processing units) for controlling the operation of the expansion calculation unit, namely the functional algorithm module;
at least one microcontroller MCU for controlling the switching of the performance processor MPU;
at least two Ethernet switches for implementing communication between the performance processors MPU;
the performance processor MPUs are mutually backed up, and when the main performance processor MPU is abnormal, the redundant performance processor MPU controls the functional algorithm module to run;
the external equipment of the computing platform is connected with the computing platform through a CAN bus or an Ethernet, and for the external equipment accessed through the CAN bus, the communication redundancy is realized by simultaneously connecting a microcontroller MCU; for external equipment accessed through the Ethernet, a main performance processor MPU and a standby performance processor MPU are required to be connected simultaneously, and share the same external IP address through a VRRP protocol so as to realize the redundancy of external network data communication;
the Micro Controller Unit (MCU) monitors the running state of the MPU;
when the MPU of the main performance processor is abnormal, the MPU of the redundant backup performance processor takes over control;
the performance processor MPUs communicate based on a DDS QoS protocol to realize the operation of the same functional algorithm module on the performance processor MPUs which are mutually backed up;
the external network is a network of sensors and bodies disposed outside of the computing platform.
2. The safety-redundant autopilot computing platform of claim 1 wherein said computing platform is redundant by a plurality of computing unit boards, each computing unit board including a performance processor MPU, a microcontroller MCU, and an ethernet switch, said computing unit boards being in communication with each other via the corresponding ethernet switch.
3. The safety redundant autopilot computing platform of claim 1 wherein said computing platform is redundant by a computing unit board having a microcontroller MCU, at least two performance processors MPU, and at least two ethernet switches, said performance processors MPU communicating with each other via their respective ethernet switches.
4. The safety redundant autopilot computing platform of claim 1 or 2 or 3 wherein the performance processor MPU runs monitoring software to monitor the run time, run results, QoS parameters, run status of each functional algorithm module and to notify an anomaly when a functional algorithm module is found to be abnormal.
5. The safety-redundant autopilot computing platform of claim 4 wherein said microcontroller MCU determines whether the monitoring software running on the performance processor MPU is in a normal operating condition by monitoring heartbeat interactions of the monitoring tasks thereon with the monitoring software.
6. The safety-redundant autopilot computing platform according to claim 1, 2 or 3 wherein if the extended computing units are hardware-redundant, the redundant extended computing units are required to be connected to the respective Ethernet switches; otherwise, a plurality of ethernet interfaces are required to be set, and are respectively connected to each ethernet switch, and share the same IP address in a network card binding manner.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010468991.1A CN111367726B (en) | 2020-05-28 | 2020-05-28 | Safe redundant automatic driving computing platform and control method thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111367726A | 2020-07-03 |
CN111367726B | 2022-03-01 |
Family
ID=71209656
Family Applications (1)
Application Number | Status | Priority Date | Filing Date | Title |
---|---|---|---|---|
CN202010468991.1A (CN111367726B) | Active | 2020-05-28 | 2020-05-28 | Safe redundant automatic driving computing platform and control method thereof |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111367726B (en) |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
CB02 | Change of applicant information | Address after: 210012 room 401-404, building 5, chuqiaocheng, No. 57, Andemen street, Yuhuatai District, Nanjing, Jiangsu Province; Applicant after: AUTOCORE INTELLIGENT TECHNOLOGY (NANJING) Co.,Ltd.; Address before: 211800 building 12-289, 29 buyue Road, Qiaolin street, Pukou District, Nanjing City, Jiangsu Province; Applicant before: AUTOCORE INTELLIGENT TECHNOLOGY (NANJING) Co.,Ltd. |