CN113050605A - Safety control redundancy system and method for automatic driving test platform - Google Patents

Safety control redundancy system and method for automatic driving test platform Download PDF

Info

Publication number
CN113050605A
CN113050605A CN202110334434.5A CN202110334434A CN113050605A CN 113050605 A CN113050605 A CN 113050605A CN 202110334434 A CN202110334434 A CN 202110334434A CN 113050605 A CN113050605 A CN 113050605A
Authority
CN
China
Prior art keywords
control
vehicle
mode
state
equal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110334434.5A
Other languages
Chinese (zh)
Other versions
CN113050605B (en
Inventor
王毅
王宜飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ziqing Zhixing Technology Beijing Co ltd
Original Assignee
Ziqing Zhixing Technology Beijing Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ziqing Zhixing Technology Beijing Co ltd filed Critical Ziqing Zhixing Technology Beijing Co ltd
Priority to CN202110334434.5A priority Critical patent/CN113050605B/en
Publication of CN113050605A publication Critical patent/CN113050605A/en
Application granted granted Critical
Publication of CN113050605B publication Critical patent/CN113050605B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00Testing or monitoring of control systems or parts thereof
    • G05B23/02Electric testing or monitoring
    • G05B23/0205Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0259Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the response to fault detection
    • G05B23/0286Modifications to the monitored process, e.g. stopping operation or adapting control
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/24Pc safety
    • G05B2219/24065Real time diagnostics

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Control Of Driving Devices And Active Controlling Of Vehicle (AREA)

Abstract

The invention discloses a safety control redundancy system and a method for an automatic driving test platform, wherein the system comprises the following steps: the fault on-line monitoring unit is used for subscribing, analyzing and presenting the running state information of each functional module and the underlying controller of the automatic driving control system; the human-computer interaction safety control unit is used for inputting a vehicle control command in a human-computer interaction mode; the bottom layer control physical switch unit inputs the vehicle control instruction by controlling a vehicle control mode zone bit output by a bottom layer controller; and the bottom layer control power switch unit is used for controlling the disconnection and the connection between the bottom layer controller and the power supply. The invention can ensure that a test engineer is warned in time when one or more modules in the control program of the automatic driving test platform have faults, and the test engineer can still maintain the basic control on the vehicle until the vehicle is safely stopped.

Description

Safety control redundancy system and method for automatic driving test platform
Technical Field
The invention relates to the technical field of automatic driving, in particular to a safety control redundancy system and a safety control redundancy method for an automatic driving test platform.
Background
The test is an important link in the research and development of the automatic driving automobile and also an important support for the development of the automatic driving technology. With the development and application of adas (advanced Driving Assistance system) and auto-driven automobiles, there is an increasing interest in the safety of auto-driven vehicles. However, as with all systems that rely on software algorithms, the automatic driving control system is prone to make wrong behavior decisions in some scenes with complex traffic environments, resulting in accidents, and at the same time, there is a possibility of malicious attacks, resulting in system failure. Thus, autonomous vehicles require rigorous and comprehensive testing and validation to ensure reliable vehicle utilization. How to ensure the safety of the test process is a key problem faced by the automatic driving test.
At present, a related automobile automatic driving test technology is provided, a fault inference logic is established according to vehicle state information, but the fault types are various, the fault inference logic is difficult to cover all possible fault types, and if a system fails but is not detected, an accident can be caused in the test process; meanwhile, the safety control system cannot realize safety redundancy control of automatic driving test.
Disclosure of Invention
It is an object of the present invention to provide a safety control redundancy system and method for an autopilot test platform that overcomes or at least mitigates at least one of the above-identified deficiencies of the prior art.
To achieve the above object, the present invention provides a safety control redundancy system for an automatic driving test platform, the system comprising:
the fault on-line monitoring unit is arranged on the vehicle-mounted computing platform and is used for subscribing, analyzing and presenting the running state information of each functional module and the underlying controller of the automatic driving control system; the running state information comprises a fault type and a reason;
the human-computer interaction safety control unit is arranged on the human-computer interaction platform and used for inputting a vehicle control command in a human-computer interaction mode; wherein the vehicle maneuver instruction has a corresponding vehicle control mode flag bit;
the bottom layer control physical switch unit inputs the vehicle operation instruction by controlling a vehicle control mode zone bit output by a bottom layer controller, and the logical relationship between the vehicle control mode zone bit and the vehicle control mode zone bit comprises the following steps:
a1. the vehicle Control Mode flag bit Control _ Mode is 0, and the vehicle operation command is as follows: an automatic driving mode, and the vehicle performs automatic emergency braking until the vehicle stops;
a2. the vehicle Control Mode flag bit Control _ Mode is 1, and the vehicle operation command is as follows: in the automatic driving mode, the vehicle executes an automatic driving control program to output a decision instruction;
a3. the vehicle Control Mode flag bit Control _ Mode is 2, and the vehicle operation command is as follows: in the transverse automatic driving mode and the longitudinal manual driving mode, the transverse control executes an automatic driving control program to output an expected steering angle;
a4. the vehicle Control Mode flag bit Control _ Mode is 3, and the vehicle operation command is as follows: the method comprises the following steps that in a transverse manual driving mode and a longitudinal automatic driving mode, an automatic driving control program is controlled and executed longitudinally to output an expected vehicle speed;
a5. the vehicle Control Mode flag bit Control _ Mode is 4, and the vehicle operation command is as follows: in the manual driving mode, the vehicle executes actual operation instructions of a test engineer; and
and the bottom layer control power switch unit is used for controlling the disconnection and the connection between the bottom layer controller and the power supply.
Further, the bottom controller comprises a parking control module, a transverse control module and a longitudinal control module; wherein the bottom layer control physical switch unit includes:
an emergency stop physical switch for outputting a switch signal StopCtrl _ State to the stop control module and controlling a vehicle control mode flag outputted from the stop control module using the switch signal stopctl _ State;
the transverse control physical switch is used for outputting a switch signal Sctrl _ State to the transverse control module, and the vehicle control mode flag bit output by the transverse control module is controlled by the switch signal Sctrl _ State;
the longitudinal control physical switch is used for outputting a switch signal Vctrl _ State to the longitudinal control module and controlling a vehicle control mode flag bit output by the longitudinal control module by using the switch signal Vctrl _ State;
wherein, the logic relation between the switching signal Vctrl _ State and the vehicle control mode flag bit comprises:
b1. if the emergency physical parking switch is closed and the switch signal StopCtrl _ State is equal to 1, the vehicle Control Mode flag bit Control _ Mode is equal to 0;
b2. if the emergency stop physical switch is off, the lateral Control physical switch is on, and the longitudinal Control physical switch is on, the switch signal StopCtrl _ State is 0, the switch signal sctrl _ State is 1, and the switch signal Vctrl _ State is 1, then the vehicle Control Mode flag Control _ Mode is 1;
b3. if the emergency stop physical switch is off, the lateral Control physical switch is on, and the longitudinal Control physical switch is off, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 1, and the switch signal Vctrl _ State is equal to 0, then the vehicle Control Mode flag Control _ Mode is equal to 2;
b4. if the emergency stop physical switch is off, the longitudinal Control physical switch is on, and the lateral Control physical switch is off, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 0, and the switch signal Vctrl _ State is equal to 1, then the vehicle Control Mode flag Control _ Mode is equal to 3;
b5. if the emergency stop physical switch is turned off, the lateral Control physical switch is turned off, and the longitudinal Control physical switch is turned off, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 0, and the switch signal Vctrl _ State is equal to 0, the vehicle Control Mode flag Control _ Mode is equal to 4.
Further, the online fault monitoring unit comprises:
the first fault diagnosis subunit is used for calculating a time interval between the moment when the monitored module broadcasts the latest message and the moment when the monitored module broadcasts the last broadcast message according to the frequency of the broadcast message of the monitored module, comparing the time interval with a preset broadcast period, and outputting a fault diagnosis result that the subscription information of the monitored module is lost if the time interval is greater than the preset broadcast period;
the second fault diagnosis subunit is used for identifying the flag bit state of the monitored module in the received broadcast message under the condition that the time interval is not greater than the preset broadcast period, and outputting a fault diagnosis result of the abnormal state of the monitored module if the flag bit state is abnormal;
the third fault diagnosis subunit is used for receiving and comprehensively analyzing the broadcast information of all the monitored modules under the condition that the status of the zone bit is normal, performing fault mode matching, and outputting a diagnosis result that the system has a fault if the broadcast information of different monitored modules conflicts; if the fault modes are matched normally, the output diagnosis result is that the system works normally.
Further, the vehicle operation command also has a corresponding safety control flag bit, and the logical relationship of the safety control flag bit comprises:
c1. if the vehicle operation command of vehicle start and stop corresponds to the safety control flag bit UI _ StopFlag being 0, the vehicle operation command is a vehicle stop command, and if the UI is detected, the vehicle operation command is a vehicle stop commandStopFlagIf the vehicle operating instruction is 1, the vehicle operating instruction is a vehicle starting instruction;
c2. if the vehicle operation command in the transverse control mode corresponds to the safety flag bit UI _ SctrlFlag which is equal to 1, the vehicle operation command is in a transverse automatic driving mode, and if the UI _ SctrlFlag is equal to 0, the vehicle operation command is in a transverse manual driving mode;
c3. if the vehicle steering command in the vertical control mode corresponds to the safety flag bit UI _ VctrlFlag being equal to 1, the vehicle steering command is in the vertical automatic driving mode, and if UI _ VctrlFlag being equal to 0, the vehicle steering command is in the vertical manual driving mode.
Further, when the bottom layer control power switch unit is closed, the bottom layer controller supplies power normally and broadcasts target control parameters to the CAN bus regularly, and each controller connected with the CAN bus CAN subscribe the message and control the execution mechanism to complete target actions; when the bottom layer control power switch unit is disconnected, the bottom layer controller stops working and does not broadcast the target control parameters to the CAN bus any more, and at the moment, the vehicle resumes the manual driving mode.
The invention also provides a method for controlling redundancy of safety of the automatic driving test platform, which comprises the following steps:
step 1, subscribing, analyzing and presenting running state information of each functional module and a bottom layer controller of an automatic driving control system; the running state information comprises a fault type and a reason;
step 2, inputting a vehicle control instruction in a man-machine interaction mode; wherein the vehicle maneuver instruction has a corresponding vehicle control mode flag bit;
step 3, inputting the vehicle control instruction by controlling the vehicle control mode zone bit output by the bottom controller; wherein the logical relationship of the vehicle control mode flag bit and the vehicle control mode flag bit is set to:
a1. the vehicle Control Mode flag bit Control _ Mode is 0, and the vehicle operation command is as follows: an automatic driving mode, and the vehicle performs automatic emergency braking until the vehicle stops;
a2. the vehicle Control Mode flag bit Control _ Mode is 1, and the vehicle operation command is as follows: in the automatic driving mode, the vehicle executes an automatic driving control program to output a decision instruction;
a3. the vehicle Control Mode flag bit Control _ Mode is 2, and the vehicle operation command is as follows: in the transverse automatic driving mode and the longitudinal manual driving mode, the transverse control executes an automatic driving control program to output an expected steering angle;
a4. the vehicle Control Mode flag bit Control _ Mode is 3, and the vehicle operation command is as follows: the method comprises the following steps that in a transverse manual driving mode and a longitudinal automatic driving mode, an automatic driving control program is controlled and executed longitudinally to output an expected vehicle speed;
a5. the vehicle Control Mode flag bit Control _ Mode is 4, and the vehicle operation command is as follows: in the manual driving mode, the vehicle executes actual operation instructions of a test engineer;
step 4, by controlling the disconnection and the connection between the bottom layer controller and the power supply, when the bottom layer controller is connected with the power supply, the bottom layer controller supplies power normally and broadcasts target control parameters to the CAN bus regularly, and each controller connected with the CAN bus CAN subscribe the message and control an executing mechanism to finish target actions; when the bottom layer controller is disconnected with the power supply, the bottom layer controller stops working and does not broadcast the target control parameters to the CAN bus any more, and at the moment, the vehicle resumes the manual driving mode.
Further, the method for controlling the vehicle control mode flag bit output by the underlying controller in step 3 specifically includes:
step 31, outputting a switch signal StopCtrl _ State by using an emergency shutdown physical switch to control a parking control module in the bottom layer controller, outputting a switch signal Sctrl _ State by using a transverse control physical switch to control a transverse control module in the bottom layer controller, and outputting a switch signal Vctrl _ State by using a longitudinal control physical switch to control a longitudinal control module in the bottom layer controller;
step 32, setting the logic relationship between the switching signal Vctrl _ State and the vehicle control mode flag bit to:
b1. if the emergency physical parking switch is closed and the switch signal StopCtrl _ State is equal to 1, the vehicle Control Mode flag bit Control _ Mode is equal to 0;
b2. if the emergency stop physical switch is off, the lateral Control physical switch is on, and the longitudinal Control physical switch is on, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 1, and the switch signal Vctrl _ State is equal to 1, then the vehicle Control Mode flag Control _ Mode is equal to 1;
b3. if the emergency stop physical switch is off, the lateral Control physical switch is on, and the longitudinal Control physical switch is off, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 1, and the switch signal Vctrl _ State is equal to 0, then the vehicle Control Mode flag Control _ Mode is equal to 2;
b4. if the emergency stop physical switch is off, the longitudinal Control physical switch is on, and the lateral Control physical switch is off, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 0, and the switch signal Vctrl _ State is equal to 1, then the vehicle Control Mode flag Control _ Mode is equal to 3;
b5. if the emergency stop physical switch is turned off, the lateral Control physical switch is turned off, and the longitudinal Control physical switch is turned off, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 0, and the switch signal Vctrl _ State is equal to 0, then the vehicle Control Mode flag Control _ Mode is equal to 4.
Further, the method for analyzing the operation state information of each functional module and the underlying controller of the automatic driving control system in the step 1 specifically includes:
step 11, according to the frequency of the monitored module broadcast message, calculating the time interval between the moment when the monitored module broadcasts the latest message and the moment when the monitored module broadcasts the last broadcast message, comparing the time interval with a preset broadcast period, and if the time interval is greater than the preset broadcast period, outputting the fault diagnosis result that the monitored module subscription information is lost;
step 12, under the condition that the time interval is not greater than the preset broadcast period, identifying the flag bit state of the monitored module in the received broadcast message, and if the flag bit state is abnormal, outputting a fault diagnosis result of the abnormal state of the monitored module; if the flag bit state is normal, entering step 13;
step 13, receiving and comprehensively analyzing the broadcast information of all the monitored modules, performing fault mode matching, and outputting a diagnosis result that the system has faults if the broadcast information of different monitored modules conflicts; if the fault modes are matched normally, the output diagnosis result is that the system works normally.
Further, the vehicle operation command also has a corresponding safety control zone bit, and the logic relationship is set as follows:
c1. if the vehicle operation command for starting and stopping the vehicle corresponds to the safety control zone bit UI _ StopFlag, UIStopFlagIf it is 0, the vehicle operation command is a vehicle stop command, and if it is UIStopFlagIf the vehicle operating instruction is 1, the vehicle operating instruction is a vehicle starting instruction;
c2. if the vehicle operation command of the transverse control mode corresponds to the safety flag bit UI _ SctrlFlag, and if the UI _ SctrlFlag is 1, the vehicle operation command is in a transverse automatic driving mode, and if the UI _ SctrlFlag is 0, the vehicle operation command is in a transverse manual driving mode;
c3. if the vehicle steering command in the longitudinal control mode corresponds to the safety flag bit UI _ VctrlFlag, and UI _ VctrlFlag is equal to 1, the vehicle steering command is in the longitudinal automatic driving mode, and if UI _ VctrlFlag is equal to 0, the vehicle steering command is in the longitudinal manual driving mode.
By adopting the technical scheme, the invention can ensure that a test engineer is warned in time when one or more modules in the control program of the automatic driving test platform have faults, and the test engineer can still maintain the basic control on the vehicle until the vehicle is safely stopped. In the test process, when different dangerous test scenes are met or the automatic vehicle driving system fails, a test engineer can select a proper safety control mode timely according to system prompts to ensure test safety, and meanwhile, the remote control of starting and stopping of the vehicle and the switching of the control mode can be realized.
Drawings
Fig. 1 is a schematic diagram of a safety control redundancy system for an autopilot test platform according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of a work flow of the online fault monitoring unit according to the embodiment of the present invention.
Fig. 3 is a schematic flow chart of a human-computer interaction security control unit according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of an operating principle of a bottom-layer control physical switch unit according to an embodiment of the present invention.
Fig. 5 is a schematic diagram illustrating an operation principle of a bottom-layer control power switch unit according to an embodiment of the present invention.
Detailed Description
The invention is described in detail below with reference to the figures and examples.
As shown in fig. 1, the safety control redundancy system for an autopilot test platform according to the embodiment of the present invention includes an online fault monitoring unit 1, a human-computer interaction safety control unit 2, a bottom layer control physical switch unit 3, and a bottom layer control power switch unit 4.
Referring to fig. 2, the online fault monitoring unit 1 is disposed on a vehicle-mounted computing platform provided by the autopilot platform control system, and is configured to subscribe, analyze, and present operating state information of each functional module and the underlying controller of the autopilot platform control system. Wherein the operation state information includes a fault type and a cause. The "subscription" can be understood as that the automatic driving control program broadcasts the running result of a certain computing node in the work process of "publish-subscribe", and other nodes can subscribe the message according to the requirement. "analysis" refers primarily to the analysis of fault diagnosis according to the flow shown in FIG. 2, which is described in detail below. The division of the "function module" is related to the automatic driving control program, and generally includes modules such as data fusion, sensor interaction, man-machine interaction, upper control (map), car networking, driving decision, bottom control and the like.
In one embodiment, the online fault monitoring unit 1 includes a first fault diagnosis subunit, a second fault diagnosis subunit, and a third fault diagnosis subunit, wherein:
the first fault diagnosis subunit is configured to calculate a time interval between a time when the monitored module broadcasts the latest message and a previous broadcast message according to the frequency of the broadcast message of the monitored module, compare the time interval with a preset broadcast period, and output a fault diagnosis result that the subscription information of the monitored module is lost if the time interval is greater than the preset broadcast period.
The second fault diagnosis subunit is configured to, in a case where the time interval is not greater than the preset broadcast period, identify a flag state of the monitored module in the received broadcast message, and output a fault diagnosis result that the monitored module state is abnormal if the flag state is abnormal (for example, displayed as 0). For example: the data fusion module broadcasts the working state zone bits of each sensor, the second level of the fault on-line monitoring unit can know the operation condition of the sensing part by using the information, and the fault diagnosis efficiency of the monitoring system can be improved by using the diagnosis logic of the broadcast information of the monitored module.
The third fault diagnosis subunit is configured to receive and comprehensively analyze broadcast information of all the monitored modules under the condition that the flag bit state is normal (for example, shown as 1), perform fault pattern matching, and output a diagnosis result indicating that a system has a fault if broadcast information of different monitored modules conflicts; if the fault modes are matched normally, the output diagnosis result is that the system works normally. For example: if the target steering angle broadcast by the transverse control module conflicts with the target vehicle speed broadcast by the longitudinal control module, namely the target vehicle speed is greater than the safe vehicle speed threshold value of the curvature corresponding to the current target steering angle, the dangerous driving behavior is judged to exist and a test engineer is warned. The "comprehensive analysis" in the third failure diagnosis subunit includes logical or numerical judgment of whether the parameter exceeds the threshold, whether the control parameter conflicts, and the like, and is used for performing failure mode matching.
The embodiment establishes the fault diagnosis logic and reasoning method by defining the fault type in the automatic driving program, and realizes the on-line monitoring of the fault of the automatic driving control system and improves the accurate identification rate of the fault category.
The man-machine interaction safety control unit 2 is arranged on a man-machine interaction platform, provides a vehicle control instruction for operating the automatic driving test vehicle to stop or switch the driving mode by using a wireless communication technology through the man-machine interaction platform, sends the vehicle control instruction to the vehicle-mounted computing platform, and inputs the vehicle control instruction to the automatic driving control program to realize remote control of the vehicle. Wherein the vehicle maneuver command has a corresponding safety control flag bit.
The logical relationship between the vehicle operation command and the safety control zone bit comprises the following steps:
c1. the vehicle operation command of starting and stopping the vehicle corresponds to a safety control flag bit UI _ SctrlFlag, if the UI isStopFlagIf it is 0, the vehicle operation command is a vehicle stop command, and if it is UIStopFlagIf the vehicle operating instruction is 1, the vehicle operating instruction is a vehicle starting instruction;
c2. the vehicle control command in the transverse control mode corresponds to a safety flag bit UI _ SctrlFlag, if the UI _ SctrlFlag is equal to 1, the vehicle control command is in a transverse automatic driving mode, and if the UI _ SctrlFlag is equal to 0, the vehicle control command is in a transverse manual driving mode;
c3. the vehicle steering command in the longitudinal control mode corresponds to the safety flag bit UI _ VctrlFlag, and is in the longitudinal automatic driving mode if UI _ VctrlFlag is 1, and is in the longitudinal manual driving mode if UI _ VctrlFlag is 0.
As shown in fig. 3, after receiving the safety control flag bit, the automatic driving control program operating on the vehicle-mounted computing platform calculates the expected vehicle speed and the expected steering angle according to the state of the safety control flag bit, and sends the safety control flag bit, the expected vehicle speed and the expected steering angle to the bottom control program operating on the bottom controller, the bottom control program calculates the vehicle control mode and the target control parameter, and issues a message to the vehicle CAN bus, and each controller connected to the CAN bus CAN subscribe the message and control the execution mechanism to complete the target action, so as to realize the vehicle operation command input by the man-machine interaction platform.
The controller connected with the CAN bus comprises a Vehicle Control Unit (VCU), a Base Controller (BCU), a driving Motor Controller (MCU), an electric power steering system controller (EPS), a vehicle body electronic stability system controller (ESP) and the like.
The embodiment realizes remote control of the vehicle security system through human-computer interaction and communication technology.
The bottom layer control physical switch unit 3 inputs the vehicle control instruction by controlling the vehicle control mode zone bit output by the bottom layer controller. The vehicle operation command is provided with a corresponding vehicle control mode zone bit, and the logical relation between the vehicle control mode zone bit and the vehicle control mode zone bit comprises the following steps:
a1. the vehicle Control Mode flag bit Control _ Mode is 0, and the vehicle operation command is as follows: an automatic driving mode, and the vehicle performs automatic emergency braking until the vehicle is stopped.
a2. The vehicle Control Mode flag bit Control _ Mode is 1, and the vehicle operation command is as follows: and in the automatic driving mode, the vehicle executes an automatic driving control program and outputs a decision instruction.
a3. The vehicle Control Mode flag bit Control _ Mode is 2, and the vehicle operation command is as follows: and in a transverse automatic driving mode and a longitudinal manual driving mode, the transverse control execution automatic driving control program outputs a desired steering angle.
a4. The vehicle Control Mode flag bit Control _ Mode is 3, and the vehicle operation command is as follows: and in a transverse manual driving mode and a longitudinal automatic driving mode, the longitudinal control execution automatic driving control program outputs the expected vehicle speed.
a5. The vehicle Control Mode flag bit Control _ Mode is 4, and the vehicle operation command is as follows: and in the manual driving mode, the vehicle executes actual operation instructions of a test engineer.
In one embodiment, as shown in fig. 4, the floor controller includes a parking control module, a lateral control module, and a longitudinal control module. The bottom layer control physical switch unit 3 includes an emergency stop physical switch, a lateral control physical switch, and a longitudinal control physical switch.
The emergency parking physical switch is used for outputting a switch signal StopCtrl _ State to the parking control module and controlling a vehicle control mode zone bit output by the parking control module by using the switch signal StopCtrl _ State.
The transverse control physical switch is used for outputting a switch signal Sctrl _ State to the transverse control module, and the switch signal Sctrl _ State is used for controlling a vehicle control mode flag bit output by the transverse control module.
The longitudinal control physical switch is used for outputting a switch signal Vctrl _ State to the longitudinal control module and controlling a vehicle control mode zone bit output by the longitudinal control module by using the switch signal Vctrl _ State.
Wherein, the logic relation between the switching signal Vctrl _ State and the vehicle control mode flag bit comprises:
b1. if the emergency physical parking switch is closed and the switch signal StopCtrl _ State is equal to 1, the vehicle Control Mode flag bit Control _ Mode is equal to 0;
b2. if the emergency stop physical switch is off, the lateral Control physical switch is on, and the longitudinal Control physical switch is on, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 1, and the switch signal Vctrl _ State is equal to 1, then the vehicle Control Mode flag Control _ Mode is equal to 1;
b3. if the emergency stop physical switch is off, the lateral Control physical switch is on, and the longitudinal Control physical switch is off, the switch signal StopCtrl _ State is 0, the switch signal Sctrl _ State is 1, and the switch signal Vctrl _ State is 0, then the vehicle Control Mode flag bit Control _ Mode is 2;
b4. if the emergency stop physical switch is off, the longitudinal Control physical switch is on, and the lateral Control physical switch is off, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 0, and the switch signal Vctrl _ State is equal to 1, then the vehicle Control Mode flag Control _ Mode is equal to 3;
b5. if the emergency stop physical switch is turned off, the lateral Control physical switch is turned off, and the longitudinal Control physical switch is turned off, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 0, and the switch signal Vctrl _ State is equal to 0, then the vehicle Control Mode flag Control _ Mode is equal to 4.
The emergency stop physical switch, the transverse control physical switch and the longitudinal control physical switch are respectively connected with the bottom layer controller enabling switch in series through a wire harness, and the functions of activating and quitting the emergency stop, transverse and longitudinal control modes of the vehicle can be realized. Particularly, when the human-computer interaction platform fails due to network, communication and other related reasons, the underlying control physical switch unit 3 can replace the human-computer interaction safety control unit 2 to realize the conversion of the vehicle from the automatic driving mode to the manual driving mode.
The safety control redundancy system is established in software and hardware in the embodiment, and various safety control measures are provided for a test engineer to deal with dangerous test scenes or automatic driving control system faults.
The bottom layer control power switch unit 4 is used for controlling disconnection and connection between the bottom layer controller and a power supply. When the bottom layer control power switch unit 4 is closed, the bottom layer controller supplies power normally and broadcasts target control parameters to the CAN bus regularly, and each controller connected with the CAN bus CAN subscribe the message and control the execution mechanism to complete target actions; when the bottom layer control power switch unit 4 is switched off, the bottom layer controller stops working and does not broadcast the target control parameters to the CAN bus any more, and at the moment, the vehicle resumes the manual driving mode.
In one embodiment, as shown in fig. 5, the bottom-layer control power switch unit 4 is connected in series between the bottom-layer controller and the power supply through a wire harness, so as to realize disconnection and connection between the bottom-layer controller and the power supply. When the hardware of the bottom controller fails, for example, the physical circuit of the enabling switch fails to cause the function failure of the bottom control physical switch unit, the power supply of the bottom controller CAN be cut off by controlling the bottom control power switch unit, and then the control parameters obtained by the operation of the bottom controller cannot be sent to the CAN bus, so that the vehicle CAN be completely recovered to an artificial driving mode.
The bottom layer control power switch unit 4 is suitable for a scene that single chip microcomputer hardware or bottom layer control software breaks down, when an emergency condition occurs, the man-machine interaction safety control unit and the bottom layer control physical switch unit cannot achieve manual driving or safe vehicle parking, the power supply of the bottom layer controller CAN be cut off by disconnecting the bottom layer power switch, the bottom layer controller stops working and does not broadcast target control parameters to the CAN bus any more, and at the moment, the vehicle recovers the manual driving mode.
When the bottom layer control power switch unit is closed, the bottom layer controller normally supplies power and regularly broadcasts target control parameters to the CAN bus, and each controller connected with the CAN bus CAN subscribe the message and control the execution mechanism to complete target actions; when the bottom layer control power switch unit is disconnected, the bottom layer controller stops working and does not broadcast the target control parameters to the CAN bus any more, and at the moment, the vehicle resumes the manual driving mode.
The automatic driving platform Control system acquires traffic environment information through a vehicle-mounted sensor and a vehicle network, and sends a decision instruction to a Bottom Controller (BCU); and the bottom layer controller generates control parameters according to the decision instructions and sends the control parameters to the vehicle CAN bus to control the motion of the vehicle drive-by-wire chassis executing mechanism, and meanwhile, the current state parameters of the vehicle are obtained through the vehicle CAN bus gateway. In the test process of the automatic driving platform control system, the safety control redundancy system provided by the invention can realize real-time monitoring of the system state, when the system fails, a vehicle can be remotely controlled through the man-machine interaction platform to ensure the operation safety of the system, and a test engineer can convert automatic driving into manual driving through the bottom layer control physical switch unit or the bottom layer control power switch unit.
As shown in fig. 1, an embodiment of the present invention further provides a method for safety control redundancy of an autopilot test platform, including:
step 1, subscribing, analyzing and presenting running state information of each functional module and a bottom layer controller of an automatic driving control system; wherein the operation state information includes a fault type and a cause. Wherein the operation state information includes a fault type and a cause. The "subscription" can be understood as that the automatic driving control program broadcasts the running result of a certain computing node in the work process of "publish-subscribe", and other nodes can subscribe the message according to the requirement. The division of the "function module" is related to the automatic driving control program, and generally includes modules such as data fusion, sensor interaction, man-machine interaction, upper control (map), car networking, driving decision, bottom control and the like.
In one embodiment, with reference to fig. 2, the method for "analyzing the operating state information of each functional module and the underlying controller of the automatic driving control system" in step 1 specifically includes:
step 11, according to the frequency of the monitored module broadcast message, calculating the time interval between the moment when the monitored module broadcasts the latest message and the moment when the monitored module broadcasts the last broadcast message, comparing the time interval with a preset broadcast period, and if the time interval is greater than the preset broadcast period, outputting the fault diagnosis result that the monitored module subscription information is lost.
Step 12, under the condition that the time interval is not greater than the preset broadcast period, identifying the flag bit state of the monitored module in the received broadcast message, and if the flag bit state is abnormal (for example, displayed as 0), outputting a fault diagnosis result of the abnormal state of the monitored module; if the flag bit status is normal (e.g., 1), go to step 13.
Step 13, receiving and comprehensively analyzing the broadcast information of all the monitored modules, performing fault mode matching, and outputting a diagnosis result that the system has faults if the broadcast information of different monitored modules conflicts; if the fault modes are matched normally, the output diagnosis result is that the system works normally. Wherein, the 'comprehensive analysis' comprises logic or numerical judgment of whether the parameter exceeds a threshold value, whether the control parameter conflicts and the like, and is used for matching the fault modes.
And 2, providing a vehicle control instruction for operating the automatic driving test vehicle to stop or switch the driving mode by using a wireless communication technology through the man-machine interaction platform, sending the vehicle control instruction to the vehicle-mounted computing platform, and inputting the vehicle control instruction to the automatic driving control program to realize remote control of the vehicle. Wherein the vehicle maneuver command has a corresponding safety control flag bit.
The vehicle operation command also has a corresponding safety control zone bit, and the logic relationship is set as follows:
c1. the vehicle operation command for starting and stopping the vehicle corresponds to the safety control zone bit UI _ StopFlag, if UIStopFlagIf it is 0, the vehicle operation command is a vehicle stop command, and if it is 0UIStopFlagIf the vehicle operating instruction is 1, the vehicle operating instruction is a vehicle starting instruction;
c2. the vehicle control command in the transverse control mode corresponds to a safety flag bit UI _ SctrlFlag, if the UI _ SctrlFlag is equal to 1, the vehicle control command is in a transverse automatic driving mode, and if the UI _ SctrlFlag is equal to 0, the vehicle control command is in a transverse manual driving mode;
c3. the vehicle steering command in the longitudinal control mode corresponds to the safety flag bit UI _ VctrlFlag, and is in the longitudinal automatic driving mode if UI _ VctrlFlag is 1, and is in the longitudinal manual driving mode if UI _ VctrlFlag is 0.
As shown in fig. 3, after receiving the safety control flag bit, the automatic driving control program operating on the vehicle-mounted computing platform calculates the expected vehicle speed and the expected steering angle according to the state of the safety control flag bit, and sends the safety control flag bit, the expected vehicle speed and the expected steering angle to the bottom control program operating on the bottom controller, the bottom control program calculates the vehicle control mode and the target control parameter, and issues a message to the vehicle CAN bus, and each controller connected to the CAN bus CAN subscribe the message and control the execution mechanism to complete the target action, so as to realize the vehicle operation command input by the man-machine interaction platform.
The controller connected with the CAN bus comprises a Vehicle Control Unit (VCU), a Base Controller (BCU), a driving Motor Controller (MCU), an electric power steering system controller (EPS), a vehicle body electronic stability system controller (ESP) and the like.
And 3, inputting the vehicle control command by controlling the vehicle control mode zone bit output by the bottom layer controller. Wherein the vehicle operation command has a corresponding vehicle control mode flag bit, and the logical relationship between the vehicle control mode flag bit and the vehicle control mode flag bit is set as follows:
a1. the vehicle Control Mode flag bit Control _ Mode is 0, and the vehicle operation command is as follows: an automatic driving mode, and the vehicle performs automatic emergency braking until the vehicle is stopped.
a2. The vehicle Control Mode flag bit Control _ Mode is 1, and the vehicle operation command is as follows: and in the automatic driving mode, the vehicle executes an automatic driving control program and outputs a decision instruction.
a3. The vehicle Control Mode flag bit Control _ Mode is 2, and the vehicle operation command is as follows: and in a transverse automatic driving mode and a longitudinal manual driving mode, the transverse control execution automatic driving control program outputs a desired steering angle.
a4. The vehicle Control Mode flag bit Control _ Mode is 3, and the vehicle operation command is as follows: and in a transverse manual driving mode and a longitudinal automatic driving mode, the longitudinal control execution automatic driving control program outputs the expected vehicle speed.
a5. The vehicle Control Mode flag bit Control _ Mode is 4, and the vehicle operation command is as follows: and in the manual driving mode, the vehicle executes actual operation instructions of a test engineer.
In one embodiment, as shown in fig. 4, the floor controller includes a parking control module, a lateral control module, and a longitudinal control module. The method for controlling the vehicle control mode flag bit output by the underlying controller in the step 3 specifically comprises the following steps:
and step 31, utilizing an emergency stop physical switch to output a switch signal StopCtrl _ State to control a stop control module in the bottom layer controller, utilizing a transverse control physical switch to output a switch signal Sctrl _ State to control a transverse control module in the bottom layer controller, and utilizing a longitudinal control physical switch to output a switch signal Vctrl _ State to control a longitudinal control module in the bottom layer controller.
Step 32, setting the logic relationship between the switching signal Vctrl _ State and the vehicle control mode flag bit to:
b1. if the emergency physical stop switch is closed and the switch signal StopCtrl _ State is equal to 1, the vehicle Control Mode flag Control _ Mode is equal to 0.
b2. If the emergency stop physical switch is open, the lateral Control physical switch is closed, and the longitudinal Control physical switch is closed, the switch signal StopCtrl _ State is 0, the switch signal Sctrl _ State is 1, and the switch signal Vctrl _ State is 1, then the vehicle Control Mode flag Control _ Mode is 1.
b3. If the emergency stop physical switch is off, the lateral Control physical switch is on, and the longitudinal Control physical switch is off, the switch signal StopCtrl _ State is 0, the switch signal Sctrl _ State is 1, and the switch signal Vctrl _ State is 0, then the vehicle Control Mode flag Control _ Mode is 2.
b4. If the emergency stop physical switch is off, the longitudinal Control physical switch is on, and the lateral Control physical switch is off, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 0, and the switch signal Vctrl _ State is equal to 1, then the vehicle Control Mode flag Control _ Mode is equal to 3.
b5. If the emergency stop physical switch is turned off, the lateral Control physical switch is turned off, and the longitudinal Control physical switch is turned off, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 0, and the switch signal Vctrl _ State is equal to 0, then the vehicle Control Mode flag Control _ Mode is equal to 4.
Step 4, by controlling the disconnection and the connection between the bottom layer controller and the power supply, when the bottom layer controller is connected with the power supply, the bottom layer controller supplies power normally and broadcasts target control parameters to the CAN bus regularly, and each controller connected with the CAN bus CAN subscribe the message and control an executing mechanism to finish target actions; when the bottom layer controller is disconnected with the power supply, the bottom layer controller stops working and does not broadcast the target control parameters to the CAN bus any more, and at the moment, the vehicle resumes the manual driving mode. The power supply can be a vehicle-mounted original starting power supply or a 12V power supply newly added to the automatic driving test platform.
The safety control redundancy system suitable for the automatic driving test platform can ensure that a test engineer is warned in time when one or more modules in a control program of the automatic driving test platform have faults, and the test engineer can still maintain basic control on a vehicle until the vehicle is safely stopped. In the test process, when different dangerous test scenes are met or the automatic vehicle driving system fails, a test engineer can select a proper safety control mode timely according to system prompts to ensure test safety, and meanwhile, the remote control of starting and stopping of the vehicle and the switching of the control mode can be realized.
Finally, it should be pointed out that: the above examples are only for illustrating the technical solutions of the present invention, and are not limited thereto. Those of ordinary skill in the art will understand that: modifications can be made to the technical solutions described in the foregoing embodiments, or some technical features may be equivalently replaced; such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (9)

1. A safety control redundancy system for an autonomous driving test platform, comprising:
the fault on-line monitoring unit (1) is arranged on the vehicle-mounted computing platform and is used for subscribing, analyzing and presenting the running state information of each functional module and the underlying controller of the automatic driving control system; the running state information comprises a fault type and a reason;
the human-computer interaction safety control unit (2) is arranged on the human-computer interaction platform and is used for inputting vehicle control instructions in a human-computer interaction mode; wherein the vehicle maneuver instruction has a corresponding vehicle control mode flag bit;
the bottom layer control physical switch unit (3) inputs the vehicle operation instruction by controlling a vehicle control mode zone bit output by a bottom layer controller, and the logical relation between the vehicle control mode zone bit and the vehicle control mode zone bit comprises the following steps:
a1. the vehicle Control Mode flag bit Control _ Mode is 0, and the vehicle operation command is as follows: an automatic driving mode, and the vehicle performs automatic emergency braking until the vehicle stops;
a2. the vehicle Control Mode flag bit Control _ Mode is 1, and the vehicle operation command is as follows: in the automatic driving mode, the vehicle executes an automatic driving control program to output a decision instruction;
a3. the vehicle Control Mode flag bit Control _ Mode is 2, and the vehicle operation command is as follows: in the transverse automatic driving mode and the longitudinal manual driving mode, the transverse control executes an automatic driving control program to output an expected steering angle;
a4. the vehicle Control Mode flag bit Control _ Mode is 3, and the vehicle operation command is as follows: the method comprises the following steps that in a transverse manual driving mode and a longitudinal automatic driving mode, an automatic driving control program is controlled and executed longitudinally to output an expected vehicle speed;
a5. the vehicle Control Mode flag bit Control _ Mode is 4, and the vehicle operation command is as follows: in the manual driving mode, the vehicle executes actual operation instructions of a test engineer; and
and the bottom layer control power switch unit (4) is used for controlling the disconnection and the connection between the bottom layer controller and a power supply.
2. The safety control redundancy system for an automated driving test platform of claim 1, wherein the underlying controller comprises a parking control module, a lateral control module, and a longitudinal control module; wherein the bottom layer control physical switch unit (3) comprises:
an emergency stop physical switch for outputting a switch signal StopCtrl _ State to the stop control module and controlling a vehicle control mode flag outputted from the stop control module using the switch signal stopctl _ State;
the transverse control physical switch is used for outputting a switch signal Sctrl _ State to the transverse control module, and the vehicle control mode flag bit output by the transverse control module is controlled by the switch signal Sctrl _ State;
the longitudinal control physical switch is used for outputting a switch signal Vctrl _ State to the longitudinal control module and controlling a vehicle control mode flag bit output by the longitudinal control module by using the switch signal Vctrl _ State;
wherein, the logic relation between the switching signal Vctrl _ State and the vehicle control mode flag bit comprises:
b1. if the emergency physical parking switch is closed and the switch signal StopCtrl _ State is equal to 1, the vehicle Control Mode flag bit Control _ Mode is equal to 0;
b2. if the emergency stop physical switch is off, the lateral Control physical switch is on, and the longitudinal Control physical switch is on, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 1, and the switch signal Vctrl _ State is equal to 1, then the vehicle Control Mode flag Control _ Mode is equal to 1;
b3. if the emergency stop physical switch is off, the lateral Control physical switch is on, and the longitudinal Control physical switch is off, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 1, and the switch signal Vctrl _ State is equal to 0, then the vehicle Control Mode flag Control _ Mode is equal to 2;
b4. if the emergency stop physical switch is off, the longitudinal Control physical switch is on, and the lateral Control physical switch is off, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 0, and the switch signal Vctrl _ State is equal to 1, then the vehicle Control Mode flag Control _ Mode is equal to 3;
b5. if the emergency stop physical switch is turned off, the lateral Control physical switch is turned off, and the longitudinal Control physical switch is turned off, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 0, and the switch signal Vctrl _ State is equal to 0, then the vehicle Control Mode flag Control _ Mode is equal to 4.
3. The safety control redundancy system for automated driving test platforms according to claim 1 or 2, characterized in that the fail-over monitoring unit (1) comprises:
the first fault diagnosis subunit is used for calculating a time interval between the moment when the monitored module broadcasts the latest message and the moment when the monitored module broadcasts the last broadcast message according to the frequency of the broadcast message of the monitored module, comparing the time interval with a preset broadcast period, and outputting a fault diagnosis result that the subscription information of the monitored module is lost if the time interval is greater than the preset broadcast period;
the second fault diagnosis subunit is used for identifying the flag bit state of the monitored module in the received broadcast message under the condition that the time interval is not greater than the preset broadcast period, and outputting a fault diagnosis result of the abnormal state of the monitored module if the flag bit state is abnormal;
the third fault diagnosis subunit is used for receiving and comprehensively analyzing the broadcast information of all the monitored modules under the condition that the status of the zone bit is normal, performing fault mode matching, and outputting a diagnosis result that the system has a fault if the broadcast information of different monitored modules conflicts; if the fault modes are matched normally, the output diagnosis result is that the system works normally.
4. The safety control redundancy system for an automated driving test platform according to claim 1 or 2, wherein the vehicle maneuver command further has a corresponding safety control flag bit, the logical relationship of which comprises:
c1. if the vehicle operation command of vehicle start and stop corresponds to the safety control flag bit UI _ StopFlag being 0, the vehicle operation command is a vehicle stop command, and if the UI is detected, the vehicle operation command is a vehicle stop commandStopFlagIf the vehicle operating instruction is 1, the vehicle operating instruction is a vehicle starting instruction;
c2. if the vehicle operation command in the transverse control mode corresponds to the safety flag bit UI _ SctrlFlag which is equal to 1, the vehicle operation command is in a transverse automatic driving mode, and if the UI _ SctrlFlag is equal to 0, the vehicle operation command is in a transverse manual driving mode;
c3. if the vehicle steering command in the vertical control mode corresponds to the safety flag bit UI _ VctrlFlag being equal to 1, the vehicle steering command is in the vertical automatic driving mode, and if UI _ VctrlFlag being equal to 0, the vehicle steering command is in the vertical manual driving mode.
5. The safety control redundancy system for the automated driving test platform according to claim 1 or 2, wherein when the bottom layer control power switch unit (4) is closed, the bottom layer controller is normally powered and periodically broadcasts the target control parameters to the CAN bus, and each controller connected with the CAN bus CAN subscribe the message and control the execution mechanism to complete the target action; when the bottom layer control power switch unit (4) is disconnected, the bottom layer controller stops working and does not broadcast the target control parameters to the CAN bus any more, and at the moment, the vehicle resumes the manual driving mode.
6. A method for safety control redundancy for an autonomous driving test platform, comprising:
step 1, subscribing, analyzing and presenting running state information of each functional module and a bottom layer controller of an automatic driving control system; the running state information comprises a fault type and a reason;
step 2, inputting a vehicle control instruction in a man-machine interaction mode; wherein the vehicle maneuver instruction has a corresponding vehicle control mode flag bit;
step 3, inputting the vehicle control instruction by controlling the vehicle control mode zone bit output by the bottom controller; wherein the logical relationship of the vehicle control mode flag bit and the vehicle control mode flag bit is set to:
a1. the vehicle Control Mode flag bit Control _ Mode is 0, and the vehicle operation command is as follows: an automatic driving mode, and the vehicle performs automatic emergency braking until the vehicle stops;
a2. the vehicle Control Mode flag bit Control _ Mode is 1, and the vehicle operation command is as follows: in the automatic driving mode, the vehicle executes an automatic driving control program to output a decision instruction;
a3. the vehicle Control Mode flag bit Control _ Mode is 2, and the vehicle operation command is as follows: in the transverse automatic driving mode and the longitudinal manual driving mode, the transverse control executes an automatic driving control program to output an expected steering angle;
a4. the vehicle Control Mode flag bit Control _ Mode is 3, and the vehicle operation command is as follows: the method comprises the following steps that in a transverse manual driving mode and a longitudinal automatic driving mode, an automatic driving control program is controlled and executed longitudinally to output an expected vehicle speed;
a5. the vehicle Control Mode flag bit Control _ Mode is 4, and the vehicle operation command is as follows: in the manual driving mode, the vehicle executes actual operation instructions of a test engineer;
step 4, by controlling the disconnection and the connection between the bottom layer controller and the power supply, when the bottom layer controller is connected with the power supply, the bottom layer controller supplies power normally and broadcasts target control parameters to the CAN bus regularly, and each controller connected with the CAN bus CAN subscribe the message and control an executing mechanism to finish target actions; when the bottom layer controller is disconnected with the power supply, the bottom layer controller stops working and does not broadcast the target control parameters to the CAN bus any more, and at the moment, the vehicle resumes the manual driving mode.
7. The method for safety control redundancy of the automatic driving test platform according to claim 6, wherein the method for controlling the vehicle control mode flag bit output by the underlying controller in the step 3 specifically comprises:
step 31, outputting a switch signal StopCtrl _ State by using an emergency shutdown physical switch to control a parking control module in the bottom layer controller, outputting a switch signal Sctrl _ State by using a transverse control physical switch to control a transverse control module in the bottom layer controller, and outputting a switch signal Vctrl _ State by using a longitudinal control physical switch to control a longitudinal control module in the bottom layer controller;
step 32, setting the logic relationship between the switching signal Vctrl _ State and the vehicle control mode flag bit to:
b1. if the emergency physical parking switch is closed and the switch signal StopCtrl _ State is equal to 1, the vehicle Control Mode flag bit Control _ Mode is equal to 0;
b2. if the emergency stop physical switch is off, the lateral Control physical switch is on, and the longitudinal Control physical switch is on, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 1, and the switch signal Vctrl _ State is equal to 1, then the vehicle Control Mode flag Control _ Mode is equal to 1;
b3. if the emergency stop physical switch is off, the lateral Control physical switch is on, and the longitudinal Control physical switch is off, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 1, and the switch signal Vctrl _ State is equal to 0, then the vehicle Control Mode flag Control _ Mode is equal to 2;
b4. if the emergency stop physical switch is off, the longitudinal Control physical switch is on, and the lateral Control physical switch is off, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 0, and the switch signal Vctrl _ State is equal to 1, then the vehicle Control Mode flag Control _ Mode is equal to 3;
b5. if the emergency stop physical switch is turned off, the lateral Control physical switch is turned off, and the longitudinal Control physical switch is turned off, the switch signal StopCtrl _ State is equal to 0, the switch signal Sctrl _ State is equal to 0, and the switch signal Vctrl _ State is equal to 0, then the vehicle Control Mode flag Control _ Mode is equal to 4.
8. The method as claimed in claim 6 or 7, wherein the step 1 of analyzing the operation status information of each functional module and the underlying controller of the automatic driving control system specifically comprises:
step 11, according to the frequency of the monitored module broadcast message, calculating the time interval between the moment when the monitored module broadcasts the latest message and the moment when the monitored module broadcasts the last broadcast message, comparing the time interval with a preset broadcast period, and if the time interval is greater than the preset broadcast period, outputting the fault diagnosis result that the monitored module subscription information is lost;
step 12, under the condition that the time interval is not greater than the preset broadcast period, identifying the flag bit state of the monitored module in the received broadcast message, and if the flag bit state is abnormal, outputting a fault diagnosis result of the abnormal state of the monitored module; if the flag bit state is normal, entering step 13;
step 13, receiving and comprehensively analyzing the broadcast information of all the monitored modules, performing fault mode matching, and outputting a diagnosis result that the system has faults if the broadcast information of different monitored modules conflicts; if the fault modes are matched normally, the output diagnosis result is that the system works normally.
9. The method of claim 6 or 7, wherein the vehicle maneuver command further has a corresponding safety control flag bit logically configured to:
c1. if the vehicle operation command for starting and stopping the vehicle corresponds to the safety control zone bit UI _ StopFlag, UIStopFlagIf it is 0, the vehicle operation command is a vehicle stop command, and if it is UIStopFlagIf the vehicle operating instruction is 1, the vehicle operating instruction is a vehicle starting instruction;
c2. if the vehicle operation command of the transverse control mode corresponds to the safety flag bit UI _ SctrlFlag, and if the UI _ SctrlFlag is 1, the vehicle operation command is in a transverse automatic driving mode, and if the UI _ SctrlFlag is 0, the vehicle operation command is in a transverse manual driving mode;
c3. if the vehicle steering command in the longitudinal control mode corresponds to the safety flag bit UI _ VctrlFlag, and UI _ VctrlFlag is equal to 1, the vehicle steering command is in the longitudinal automatic driving mode, and if UI _ VctrlFlag is equal to 0, the vehicle steering command is in the longitudinal manual driving mode.
CN202110334434.5A 2021-03-29 2021-03-29 Safety control redundancy system and method for automatic driving test platform Active CN113050605B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110334434.5A CN113050605B (en) 2021-03-29 2021-03-29 Safety control redundancy system and method for automatic driving test platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110334434.5A CN113050605B (en) 2021-03-29 2021-03-29 Safety control redundancy system and method for automatic driving test platform

Publications (2)

Publication Number Publication Date
CN113050605A true CN113050605A (en) 2021-06-29
CN113050605B CN113050605B (en) 2022-01-07

Family

ID=76516014

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110334434.5A Active CN113050605B (en) 2021-03-29 2021-03-29 Safety control redundancy system and method for automatic driving test platform

Country Status (1)

Country Link
CN (1) CN113050605B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114044000A (en) * 2021-11-05 2022-02-15 东风汽车集团股份有限公司 Safety redundancy system for human-machine interaction of automatic driving vehicle HMI
CN114291017A (en) * 2021-12-31 2022-04-08 三一智矿科技有限公司 Vehicle control method, device, system, electronic device and storage medium
CN115123129A (en) * 2022-07-01 2022-09-30 浙江极氪智能科技有限公司 Driving safety guarantee method, device, equipment and storage medium
WO2023093536A1 (en) * 2021-11-26 2023-06-01 宇通客车股份有限公司 Autonomous driving control system and vehicle

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107797534A (en) * 2017-09-30 2018-03-13 安徽江淮汽车集团股份有限公司 A kind of pure electronic automated driving system
CN109017806A (en) * 2018-08-09 2018-12-18 北京智行者科技有限公司 Vehicle control syetem
CN110865638A (en) * 2019-08-01 2020-03-06 天津大学 Remote control system of unmanned engineering operation equipment

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107797534A (en) * 2017-09-30 2018-03-13 安徽江淮汽车集团股份有限公司 A kind of pure electronic automated driving system
CN109017806A (en) * 2018-08-09 2018-12-18 北京智行者科技有限公司 Vehicle control syetem
CN110865638A (en) * 2019-08-01 2020-03-06 天津大学 Remote control system of unmanned engineering operation equipment

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114044000A (en) * 2021-11-05 2022-02-15 东风汽车集团股份有限公司 Safety redundancy system for human-machine interaction of automatic driving vehicle HMI
CN114044000B (en) * 2021-11-05 2023-06-23 东风汽车集团股份有限公司 Safety redundant system for human-machine interaction of automatic driving vehicle HMI
WO2023093536A1 (en) * 2021-11-26 2023-06-01 宇通客车股份有限公司 Autonomous driving control system and vehicle
CN114291017A (en) * 2021-12-31 2022-04-08 三一智矿科技有限公司 Vehicle control method, device, system, electronic device and storage medium
CN115123129A (en) * 2022-07-01 2022-09-30 浙江极氪智能科技有限公司 Driving safety guarantee method, device, equipment and storage medium
CN115123129B (en) * 2022-07-01 2023-11-07 浙江极氪智能科技有限公司 Driving safety guarantee method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN113050605B (en) 2022-01-07

Similar Documents

Publication Publication Date Title
CN113050605B (en) Safety control redundancy system and method for automatic driving test platform
CN111038480B (en) Automatic driving execution system and automatic driving control command execution method
CN110737192A (en) Automobile driving redundancy control system and method thereof
CN111791896B (en) Safety control method and system for unmanned vehicle
CN110682876B (en) Automatic driving method and system for vehicle, storage medium and automatic driving automobile
CN109367500B (en) Vehicle control processing method, device, equipment and storage medium
CN112041213B (en) Method for operating an autonomously operable device and autonomously operable device
CN110053630B (en) Vehicle control method and device
CN113247006B (en) Automatic wake-up method and vehicle
CN113085885A (en) Driving mode switching method, device and equipment and readable storage medium
CN113895450A (en) Safety redundancy system and control method for unmanned vehicle sensing system
CN111775954A (en) Emergency fault processing method and system for passenger-replacing parking vehicle and automobile
CN112947482B (en) Automatic driving and remote driving hot switching method and system
CN111669306A (en) Emergency stop device and method for automatic driving logistics vehicle running in city
CN110533947A (en) Control system, method, electronic equipment and the computer storage medium of the vehicles
CN113771870A (en) Fault detection method and system for automatic driving vehicle
CN107792094B (en) Method and device for controlling locomotive to automatically run
CN114940183B (en) Distributed power backup control system capable of achieving automatic driving and vehicle
CN115071680B (en) Safety limiting method for vehicle driving auxiliary transverse control system and readable storage medium
CN109435875A (en) A kind of pilotless automobile chassis power supply system backup method
CN113282039A (en) Self-checking control method, vehicle and TCMS
CN113126589A (en) Vehicle-mounted self-diagnosis method, vehicle-mounted intelligent system and self-diagnosis system
CN110874098A (en) Control module, intelligent vehicle control method and control system thereof
CN115675475A (en) Multi-source multi-model driving switching control system and method based on multiple safety constraints
CN109308067A (en) A kind of pilotless automobile chassis drive system backup method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant