CN113247022A - Automatic driving redundancy control system and method - Google Patents
Automatic driving redundancy control system and method Download PDFInfo
- Publication number
- CN113247022A CN113247022A CN202110694612.5A CN202110694612A CN113247022A CN 113247022 A CN113247022 A CN 113247022A CN 202110694612 A CN202110694612 A CN 202110694612A CN 113247022 A CN113247022 A CN 113247022A
- Authority
- CN
- China
- Prior art keywords
- main
- backup
- controller
- control instruction
- steering
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W60/00—Drive control systems specially adapted for autonomous road vehicles
- B60W60/001—Planning or execution of driving tasks
- B60W60/0011—Planning or execution of driving tasks involving control alternatives for a single driving scenario, e.g. planning several paths to avoid obstacles
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W60/00—Drive control systems specially adapted for autonomous road vehicles
- B60W60/001—Planning or execution of driving tasks
- B60W60/0015—Planning or execution of driving tasks specially adapted for safety
Abstract
The invention provides an automatic driving redundancy control system and method, comprising the following steps: the system comprises a main control subsystem and a backup control subsystem, wherein when the condition that a driver has a malfunction or any one or more of a main sensing device, a main execution device, a backup controller and a backup execution device is in a fault state is monitored, a minimum risk mechanism is entered, the main controller carries out path planning and sends a control instruction to the main execution device and/or sends a control instruction to the backup execution device through the backup controller; and when the main controller is monitored to be in a fault state, the main execution device stops responding to a control instruction sent by the main controller, and the backup controller receives the real-time driving environment information detected by the main sensing device, carries out path planning and sends the control instruction to the backup execution device. With the adoption of the method, various minimum risk mechanisms such as safe parking of the vehicle lane, safe parking of an emergency lane, deceleration of the vehicle lane, obstacle avoidance and deceleration can be realized.
Description
Technical Field
The invention relates to the technical field of automatic driving, in particular to an automatic driving redundancy control system and method capable of realizing multiple minimum risk mechanisms.
Background
With the rapid development of automobile technology, manual driving cannot meet daily requirements, and automatic driving becomes a new explosion point and is displayed in front of people in different forms. The rapid progress of diversified sensor technology, high-performance computing platform technology and high-safety control technology is benefited, the automatic driving research is rapidly developed, the industrial development is greatly influenced, and the great change of future travel modes is led. At present, the industries applying the automatic driving technology mainly comprise closed park (such as wharfs) freight transportation, sweeping robots for closed parks (such as high and new technology parks) and the like, auxiliary driving of urban road passenger vehicles, automatic driving of expressways, automatic driving of expressway commercial vehicles and the like.
Currently, two hierarchical policies recognized by the global automobile industry are proposed by the united states highway security administration (NHTSA for short) and the international society of automotive engineers (SAE for short), respectively. The NHTAS rating for autopilot is: l0: no automatic driving; L1-L2: driving assistance; l3: the driver automatically drives in the ring; L4-L5: and (4) automatic driving. At present, the auxiliary driving functions of the L1-L2 level are in a mature state, and automatic driving of the L3 level and above is under development.
In the existing automatic driving system scheme at the level of L3 and above, in the automatic driving state, the control process is generally divided into three parts of environment perception, path planning and control execution; in the environment sensing part, an automatic driving system carries out information fusion through information of various sensors arranged on a vehicle, then carries out path planning (such as cruising, following, lane changing and overtaking and the like in a lane) according to the environment around the vehicle, the state and the intention of the vehicle, and finally leads the vehicle to run according to the planned path by controlling a steering system, a power system and a braking system of the vehicle. Considering that the driver has the factor of out-of-loop, two sets of main/auxiliary control systems are needed. When the main control subsystem has problems, the redundant auxiliary control system takes over to control the vehicle.
Please refer to fig. 1, which is a schematic diagram of a conventional automated driving redundancy control system 10 with level L3 and above. The primary control subsystem 101 includes a primary sensing device 110, a primary controller 111, and a primary execution device 112, and the backup control subsystem 102 includes a backup sensing device 120, a backup controller 121, and a backup execution device 122. The main/backup sensing equipment is responsible for monitoring and providing information such as dynamic traffic flow environment, lane lines and the like; the main/backup controller is responsible for analyzing the path and controlling the track; the main/backup execution equipment is responsible for executing control instructions of vehicle acceleration and deceleration, steering and the like.
In the existing redundancy control scheme, there are two problems as follows: firstly, after the main sensing equipment fails, the main controller receives information of the backup sensing equipment through the backup controller, and because the main/auxiliary sensing equipment and the main/auxiliary controller have differences in monitoring, algorithm and the like, in order to ensure the consistency of regulation and control data, the backup controller needs to increase calibration matching and the like. In view of cost, the occurrence of the backup sensing equipment can cause the problems of cost increase of redundancy, change of sensing spatial arrangement, resetting of each automation link of a production line and the like.
Disclosure of Invention
The purpose of the present application is to provide an autopilot redundancy control system and method, which can implement multiple minimum risk mechanisms without setting a backup sensing device, and ensure the functional safety and reliability of autopilot.
To achieve the above object, a first embodiment of the present application provides an automatic driving redundancy control system, including: a primary control subsystem and a backup control subsystem; the main control subsystem comprises main sensing equipment, a main controller and main execution equipment, wherein the main controller is respectively connected with the main sensing equipment and the main execution equipment, and the main execution equipment at least comprises a steering main execution mechanism and a braking main execution mechanism; the backup control subsystem comprises a backup controller and a backup execution device, the backup controller is respectively connected with the main sensing device, the main controller and the backup execution device, the backup execution device at least comprises a steering backup execution mechanism and a braking backup execution mechanism, the steering backup execution mechanism is connected with the steering main execution mechanism, and the braking backup execution mechanism is connected with the braking main execution mechanism; when a main execution mechanism in the main execution equipment is monitored to be in a fault state, a minimum risk mechanism is entered, the main controller receives real-time driving environment information detected by the main sensing equipment, carries out path planning, sends a first control instruction to the main execution mechanism in the main execution equipment in a normal working state, sends a second control instruction to the backup controller, and distributes the second control instruction to a backup execution mechanism corresponding to the main execution mechanism in the fault state in the backup execution equipment by the backup controller; and when the main controller is monitored to be in a fault state, entering a minimum risk mechanism, stopping responding to a control instruction sent by the main controller by the main execution device, and receiving the real-time driving environment information detected by the main sensing device, planning a path and sending the control instruction to the backup execution device by the backup controller.
In order to achieve the above object, a second embodiment of the present application provides an autopilot redundancy control method, which uses the autopilot redundancy control system described in the present application, and the method includes: when one of the steering main execution mechanism and the braking main execution mechanism is monitored to be in a fault state, the main controller receives real-time driving environment information detected by the main sensing equipment, carries out path planning, sends a first control instruction to the main execution mechanism in a normal working state in the main execution equipment, sends a second control instruction to the backup controller, and distributes the second control instruction to the backup execution mechanism corresponding to the main execution mechanism in the fault state in the backup execution equipment by the backup controller; and when the main controller is monitored to be in a fault state, entering a minimum risk mechanism, stopping responding to a control instruction sent by the main controller by the main execution device, and receiving the real-time driving environment information detected by the main sensing device, planning a path and sending the control instruction to the backup execution device by the backup controller.
Compared with the prior art, the automatic driving redundancy control system provided by the embodiment of the application can realize multiple minimum risk mechanisms of safe parking of the vehicle lane, safe parking of an emergency lane, speed reduction of the vehicle lane, obstacle avoidance and speed reduction, and the like, and the embodiment is connected with the main sensing equipment through the backup controller, so that the backup control subsystem does not need to be provided with the backup sensing equipment, the problem of configuration work such as calibration matching and the like for ensuring the consistency of specified control data is avoided, the cost increase caused by the setting of the backup sensing equipment is saved, and the problems of change of sensing spatial arrangement, resetting of each automatic link of a production line and the like are avoided. And when one main execution mechanism is abnormal, the other main execution mechanisms can still respond to the control instruction of the main controller to normally work, so that the condition that all execution controls need to be switched to the backup execution mechanism when one main execution mechanism is in failure is avoided, the timeliness and the accuracy of backup are ensured, and the functional safety and the reliability of automatic driving are further ensured. When different parts used for automatic driving are in fault, the corresponding scheme strategies are adopted to carry out MRM processing, and the MRM can support various forms.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings that are required to be used in the description of the embodiments will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the present application, and that for a person skilled in the art, other drawings can be derived from them without inventive effort;
FIG. 1 is a schematic diagram of a prior art autopilot redundancy control system;
FIG. 2 is a schematic diagram of an architecture of an autopilot redundancy control system according to an embodiment of the present application;
FIGS. 3-8 are schematic diagrams of different application scenarios of an autopilot redundancy control system according to an embodiment of the present disclosure;
fig. 9 is a schematic flowchart of an automatic driving redundancy control method according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It is noted that the terms "comprises" and "comprising," and variations thereof, as referred to in the specification of the present application, are intended to cover non-exclusive inclusions. The terms "first," "second," and the like are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order, unless otherwise clearly indicated by the context, and it is to be understood that the data so used is interchangeable under appropriate circumstances. In addition, the embodiments and features of the embodiments in the present application may be combined with each other without conflict. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present application.
The terms referred to in the embodiments of the present application are to be construed as follows:
mrm (minimum rice manoeuvre): a minimum risk mechanism;
PILOT: the full-speed driving auxiliary function can realize the functions of line patrol driving, automatic avoidance and the like;
NOA (Navigate on Autopilot): the high-speed overhead navigation is assisted, and the functions of automatically ascending/descending a ramp and the like based on a navigation instruction can be realized;
E2E: the city navigation is assisted, and the functions of automatic left turn/right turn of the intersection and the like based on a navigation instruction can be realized;
SP: the super-driving assistance can realize the hands-free driving function.
Please refer to fig. 2, which is a schematic structural diagram of an autopilot redundancy control system according to an embodiment of the present application. As shown in fig. 2, the autopilot redundancy control system 20 according to this embodiment includes a main control subsystem 201 and a backup control subsystem 202, where the main control subsystem 201 includes a main sensing device 210, a main controller 211, and a main execution device 212, and the backup control subsystem 202 includes a backup controller 221 and a backup execution device 222.
Specifically, the main controller 211 is connected to the main sensing device 210 and the main execution device 212 respectively; the backup controller 221 is respectively connected to the main sensing device 210, the main controller 211, and the backup execution device 222 is further connected to the main execution device 212. When the driver malfunction or one or more of the main sensing device 210, the main execution device 212, the backup controller 221, and the backup execution device 222 is/are in a failure state, a Minimum Risk Mechanism (MRM) is entered, the main controller 211 performs path planning, and sends a control instruction to the main execution device 212 and/or sends a control instruction to the backup execution device 222 through the backup controller 221; when it is monitored that the main controller 211 is in a failure state, the main execution device 212 terminates responding to the control instruction sent by the main controller 211, and the backup controller 221 receives the real-time driving environment information detected by the main sensing device 210, performs path planning, and sends a control instruction to the backup execution device 222. That is, in this embodiment, the main controller is connected to the main sensing device and the related main executing device required for automatic driving, and is connected to the backup executing device through the backup controller; the backup controller is connected with the main sensing equipment, so that the backup control subsystem does not need to be provided with the backup sensing equipment, the problems of configuration work such as calibration matching and the like for ensuring the consistency of the regulated and controlled data are solved, the cost increase caused by the setting of the backup sensing equipment is saved, and the problems of change of sensing space arrangement, resetting of each automatic link of a production line and the like are solved. When the main controller 211 fails, the backup controller 221 performs path planning by itself through the same main sensing device 210 and converts the path planning into a control instruction, and at this time, the backup controller 211 can design real and effective path information with dynamic changes according to the main sensing device 210, so that the converted control instruction is more accurate. Meanwhile, the control instructions are executed by all the backup execution devices 222, and the backup controller 211 and the backup execution devices 222 can be accurately matched (the adjustment and the correction can be completed in the off-line matching and debugging stage of the vehicle to realize accurate matching), so that the vehicle is accurately controlled.
In some embodiments, under normal operating conditions of the system, the main controller performs sensing fusion on the real-time driving environment information detected by the main sensing device, and further performs path planning (for example, path planning is implemented through path analysis and calculation), and decision control, so as to send control instructions (including but not limited to steering control instructions and braking control instructions) to the main execution device, thereby completing comprehensive control, so as to support automatic driving functions at the level of L1-L3.
In some embodiments, the minimum risk mechanism is entered when the main controller works normally and the system works abnormally (the driver malfunctions or any one or more of the main sensing device, the main execution device, the backup controller and the backup execution device are in a failure state) is monitored; at this time, the main controller performs path planning and sends a control instruction to the main execution device (under the condition that the main execution device normally works) or sends a control instruction to the backup execution device through the backup controller (under the condition that the main execution device is totally abnormally operated and the backup execution device normally works), or sends a control instruction to the main execution device and sends a control instruction to the backup execution device through the backup controller (under the condition that the main execution device partially normally works and the backup execution device partially normally works and fault mechanisms of the main execution device and the backup execution device do not overlap), so that the vehicle can realize minimum risk mechanisms, such as safe parking of the own lane, safe parking of an emergency lane, deceleration of the own lane, obstacle avoidance and deceleration, thereby avoiding the occurrence of accidents and ensuring safe driving of the vehicle.
In some embodiments, the minimum risk mechanism is entered upon monitoring that the master controller is in a failure state; at this time, the backup controller performs sensing fusion on the real-time driving environment information detected by the main sensing device, and then performs path planning (for example, path planning is realized through path analysis and calculation) and decision control, so as to send control instructions (including but not limited to steering control instructions and braking control instructions) to the backup execution device, thereby enabling the vehicle to realize a minimum risk mechanism, such as safe parking of the own lane, safe parking of an emergency lane, deceleration of the own lane, obstacle avoidance and deceleration, avoiding accidents, and ensuring safe driving of the vehicle. That is, the backup controller may interact with the primary sensing device and the backup execution device when the primary controller is in a failure state, so as to implement redundancy control.
In some embodiments, the master controller may have a powerful and complete computing capability, so as to perform sensing fusion on the real-time driving environment information detected by the master sensing device, thereby performing complete path planning, for example, path planning and obstacle avoidance capabilities such as single-lane automatic driving, multi-lane automatic driving (autonomous lane changing, command lane changing, and the like) may be completed, and a control instruction may be sent to the master execution device and a control instruction may be sent to the backup execution device through the backup controller. The backup controller may adopt the same controller as the main controller, or adopt a controller with performance lower than that of the main controller (for example, a controller with limited performance of path planning and obstacle avoidance capability of single lane automatic driving), so as to perform sensing fusion, path planning and decision control when the main controller fails.
In some embodiments, the master sensory device includes a standalone camera to detect real-time driving environment information. The main sensing equipment can also comprise sensors required by automatic driving, such as radars (for example millimeter wave radars and laser radars) and the like, so that the driving environment is fully sensed, the sensing fusion of the main controller/the backup controller is facilitated, and a data basis is provided for path planning.
In some embodiments, when it is monitored that a driver is in error or any one or more of the backup controller 221 and the backup execution device 222 is in a failure state, the main controller 211 receives the real-time driving environment information detected by the main sensing device 210, performs path planning, and sends a control instruction for deceleration and/or steering to the main execution device 212. When the main execution device 212 at least includes the steering main execution mechanism 2121 and the braking main execution mechanism 2122, the main controller 211 sends the deceleration control command to the braking main execution mechanism 2122 and sends the steering control command to the steering main execution mechanism 2121, so that the vehicle can realize a minimum risk mechanism, such as safe parking in the own lane, safe parking in an emergency lane, deceleration in the own lane, obstacle avoidance and deceleration, thereby avoiding occurrence of an accident and ensuring safe driving of the vehicle.
In some embodiments, when the master sensing device 210 is in a failure state, there are two cases: one is that the master-aware device 210 is malfunctioning, but currently has navigation MAP data (e.g., HD MAP data); the other is that the master-aware device 210 is malfunctioning and is currently not having navigation MAP data (e.g., HD MAP data). For the case that the main sensing device 210 has a fault but navigation map data exists currently, the main controller 211 extracts lane line information according to the navigation map data stored in the main controller 211, extracts dynamic traffic flow information according to radar data, performs path planning, and sends a control instruction for deceleration and/or steering to the main execution device to decelerate in the lane. For the case that the main sensing device 210 has a fault and does not have navigation map data at present, the main controller 211 extracts dynamic traffic information according to the radar data, performs path planning, and sends a control instruction of deceleration and/or steering to the main execution device to perform obstacle avoidance and deceleration.
In some embodiments, the master actuator 212 includes at least a steering master actuator 2121 and a braking master actuator 2122; the backup execution device 222 at least includes a steering backup execution mechanism 2221 and a braking backup execution mechanism 2222. The steering main actuator 2121 is connected to the steering backup actuator 2221, and the braking main actuator 2122 is connected to the braking backup actuator 2222. When one of the steering main actuator 2121 and the brake main actuator 2122 is monitored to be in a failure state, the master controller 211 receives the real-time driving environment information detected by the master sensing device 210, and performs path planning, sends a first control command to the main actuator in the normal operation state in the main execution device 212 (i.e. the one of the steering main actuator 2121 and the braking main actuator 2122 that operates normally), and transmitting a second control command to the backup controller 221, and assigning the second control command to a backup actuator corresponding to the failed main actuator in the backup actuator 222 (i.e., a backup actuator connected to the failed one of the steering main actuator 2121 and the braking main actuator 2122) by the backup controller 221. The first control instruction and the second control instruction are selected from a deceleration control instruction and a steering control instruction and are different from each other, so that a vehicle can realize a minimum risk mechanism, such as safe parking in a lane, safe parking in an emergency lane, deceleration in the lane, obstacle avoidance and deceleration, accidents are avoided, and safe driving of the vehicle is ensured. For example, when the steering main actuator 2121 is in a failure state and the brake main actuator 2122 is in a normal operation state, the main controller 211 sends a deceleration control command to the brake main actuator 2122, and sends a steering control command to the backup controller 221, and the backup controller 221 distributes the steering control command to the steering backup actuator 2221; when the brake main actuator 2122 is in a failure state and the steering main actuator 2121 is in a normal working state, the main controller 211 sends a steering control command to the steering main actuator 2121, and sends a deceleration control command to the backup controller 221, and the backup controller 221 distributes the deceleration control command to the brake backup actuator 2222. In this embodiment, after one of the main execution devices 212 fails, the backup controller 221 is equivalent to a communication middleware, only needs to forward a control instruction, does not need to perform path planning, and can implement accurate control of a vehicle. In the off-line matching and debugging stage of the vehicle, the specific control command forwarded by the backup controller 221 is subjected to deviation correction matching (the command execution deviation possibly existing due to the structural performance difference between the main execution mechanism and the corresponding backup execution mechanism is corrected), so that the main controller 211 and the backup execution mechanism can be matched to achieve the same accurate control effect when the main controller 211 and the main execution mechanism are matched. That is, under normal conditions, the main controller 211 performs path planning, converts the path planning into a specific control instruction, and sends the specific control instruction to the main execution device 212; the main controller 211 and the main execution device 212 are key parts for automatic driving, so that specific control instructions are debugged and adapted, and accurate vehicle control can be completed by matching with each other. When one of the main execution devices 212 fails, the other normal main execution mechanisms and the backup execution mechanism taking over the failed main execution mechanism complete MRM together; for example, when the brake master actuator 2122 fails, the master controller 211 still performs path planning, and the steering command converted from the path is executed by the steering master actuator 2121, which is consistent with normal conditions and also ensures accurate vehicle control between master control and master steering; when the main controller 211 transmits the braking instruction converted by the path planning to the braking backup executing mechanism 2222 through the backup controller 221, the braking backup executing mechanism 2222 has been subjected to deviation correction matching in advance, so that the received braking instruction can be automatically adjusted, and finally, the accurate control of the vehicle braking can be completed. In a further embodiment, when one of the main execution devices 212 is used, the backup controller 221 may also participate in path planning, and the precise control effect of the matching of the proximity controller 211 and the main execution mechanism is achieved by adding the matching calibration work of the backup controller 221 and performing the deviation rectification matching of the control instruction. For example, when the brake master actuator 2122 fails, if the backup controller 221 also participates in path planning, the coordination between the backup controller 221 and the brake backup actuator 2222 may occur, which may cause a difference in final vehicle control effect with the coordination between the master controller 211 and the brake master actuator 2122, and if the matching calibration work and the control instruction deviation correction matching of the backup controller 221 are not performed, a control deviation may occur when the normal other master actuators and the succeeding backup actuators jointly complete the MRM.
In a further embodiment, when the steering main actuator 2121 and the braking main actuator 2122 are in a failure state, the main controller 211 sends a deceleration control command and a steering control command to the backup controller 221, the backup controller 221 distributes the steering control command to the steering backup actuator 2221, and distributes the deceleration control command to the braking backup actuator 2222. In this embodiment, after all the main execution devices 212 fail, the backup controller 221 is equivalent to a communication middleware, only needs to forward a control instruction, does not need to perform path planning, and can implement accurate control of a vehicle.
The automatic driving redundancy control system can be applied to high-grade intelligent driving in an EP33 vehicle type, functions such as PILOT, NOA, E2E and SP are achieved, and various minimum risk mechanisms such as safe parking of the lane, safe parking of an emergency lane, deceleration of the lane, obstacle avoidance and deceleration can be achieved on the system architecture. In addition, the embodiment is connected with the main sensing device through the backup controller, so that the backup control subsystem does not need to be provided with the backup sensing device, the problem that configuration work such as calibration matching and the like is required to be added to the backup controller to ensure the consistency of the regulated and controlled data is solved, the cost increase caused by the setting of the backup sensing device is saved, and the problems of change of sensing space arrangement, resetting of each automatic link of a production line and the like are solved.
The following explains how the automatic driving redundancy control system of the present application implements safe automatic driving control in different application scenarios through some specific embodiments.
Please refer to fig. 3, which is a schematic diagram of a first application scenario of an autopilot redundancy control system according to an embodiment of the present application. The embodiment is used for indicating the working principle of a minimum risk mechanism for realizing safe parking of the lane or safe parking of the emergency lane under the condition of misoperation of a driver. In the figure, the solid line connection indicates that there is signal or control instruction transmission between the two components after the failure occurs, and the dotted line connection indicates that there is no signal or control instruction transmission between the two components after the failure occurs.
Specifically, when the driver has a factor of being out of the loop (such as long-time hands-off driving and/or long-time eyes-off driving), the system may monitor the driver malfunction (for example, the master controller receives the hands-off state of the driver through the steering wheel detection device, and the master controller receives the eyes-off state of the driver through the eyes-off state detection device), so as to enter the MRM state. In the MRM state, the master sensing device 210 transmits detected real-time driving environment information (including but not limited to traffic flow dynamics, lane line information, etc.) to the master controller 211; the main controller 211 analyzes and calculates a path according to the real-time driving environment information and the fault information, and distributes a deceleration control command to the braking main actuator 2122 and a steering control command to the steering main actuator 2121, thereby realizing safe parking in the lane or safe parking in the emergency lane. That is, when the driver has a factor of being out of the loop, the brake master actuator 2122 and the steering master actuator 2121 may support the vehicle to stop at a decelerated speed to a safe area. The safety zone is distinguished according to different conditions of the vehicles, and if the vehicles are not in the right-most lane, the safety zone is the nearest straight lane zone in front of the lane; if the vehicle is on the rightmost lane and an emergency lane is arranged on the right side of the right lane, the safety area is the right lane; if the vehicle is in the rightmost traffic lane and the right side of the vehicle has no emergency lane, the safety area is the nearest straight lane area in front of the vehicle lane.
Please refer to fig. 4, which is a diagram illustrating a second application scenario of an autopilot redundancy control system according to an embodiment of the present application. The embodiment is used for indicating the working principle of a minimum risk mechanism for realizing safe parking of the lane or safe parking of the emergency lane under the fault scene of the brake main actuator. In the figure, the broken line indicates that there is no signal or control command transmission between the two components after the fault occurs.
Specifically, the brake master actuator 2122 is connected to the master controller 211 for information exchange, the brake backup actuator 2222 is connected to the backup controller 221 for information exchange, and the brake master actuator 2122 is connected to the brake backup actuator 2222 for information exchange. When any one of the two brake executing mechanisms is in a fault state, the brake executing mechanism in a normal state completes corresponding brake operation based on the received brake control command; that is, either brake actuator can independently perform a braking operation based on a braking control command, and when one of the brake actuators fails, the other brake actuator will perform the braking operation. The system has safety mechanisms such as a counter and node fault detection, and can monitor the fault of the brake actuating mechanism. For example, the brake actuator sends its own working condition to the corresponding controller according to a preset rule (e.g., every 1S active or passive); if the corresponding controller does not receive the message sent by the brake actuator within a certain time, it can be determined that the communication with the brake actuator is faulty. Of course, if the corresponding controller receives the message sent by the brake actuator within a certain time, the working condition and the communication condition of the brake actuator can be determined by judging whether the content, the format or the time and the like of the message meet the preset rules.
When the brake master 2122 fails (e.g., communication fails, a component of the system fails), the system may monitor the failure and enter the MRM state. In the MRM state, the master sensing device 210 transmits detected real-time driving environment information (including but not limited to traffic flow dynamics, lane line information, etc.) to the master controller 211; the main controller 211 performs path analysis and calculation according to the real-time driving environment information and the fault information, and generates a deceleration control instruction and a steering control instruction; the main controller 211 sends a deceleration control command to the backup controller 221, the backup controller 221 distributes the deceleration control command to the brake backup executing mechanism 2222, and the main controller 211 continuously distributes a steering control command to the steering main executing mechanism 2121, so that the safe parking of the lane or the safe parking of the emergency lane is realized. That is, when the brake main actuator 2122 fails, the brake backup actuator 2222 and the steering main actuator 2121 may support the vehicle to stop at a reduced speed to a safe area.
Please refer to fig. 5, which is a schematic diagram illustrating a third application scenario of an autopilot redundancy control system according to an embodiment of the present application. The embodiment is used for indicating the working principle of a minimum risk mechanism for realizing safe parking of the lane or safe parking of the emergency lane under the fault scene of the steering main actuating mechanism. In the figure, the broken line indicates that there is no signal or control command transmission between the two components after the fault occurs.
Specifically, the steering main actuator 2121 is connected to the main controller 211 for information exchange, the steering backup actuator 2221 is connected to the backup controller 221 for information exchange, and the steering main actuator 2121 is connected to the steering backup actuator 2221 for information exchange. When any one of the two steering executing mechanisms is in a fault state, the steering executing mechanism in a normal state completes corresponding steering operation based on the received steering control command; that is, either of the steering actuators may independently perform a steering operation based on a steering control command, and when one of the steering actuators fails, the other steering actuator will perform the steering operation. The system has safety mechanisms such as counters and node fault detection, and can monitor the fault of the steering actuating mechanism. For example, the steering actuator sends the working condition of the steering actuator to the corresponding controller according to a preset rule (such as every 1S of active or passive operation); if the corresponding controller does not receive the message sent by the steering actuator within a certain time, the communication with the steering actuator can be judged to be faulty. Of course, if the corresponding controller receives the message sent by the steering actuator within a certain time, the working condition and the communication condition of the steering actuator can be determined by judging whether the content, the format, the time and the like of the message meet the preset rules.
When the steering main actuator 2121 fails (e.g., communication failure, failure of its components, etc.), the system may monitor the failure and enter the MRM state. In the MRM state, the master sensing device 210 transmits detected real-time driving environment information (including but not limited to traffic flow dynamics, lane line information, etc.) to the master controller 211; the main controller 211 performs path analysis and calculation according to the real-time driving environment information and the fault information, and generates a deceleration control instruction and a steering control instruction; the main controller 211 sends a steering control command to the backup controller 221, the backup controller 221 distributes the steering control command to the steering backup actuator 2221, and the main controller 211 continuously distributes a deceleration control command to the braking main actuator 2122, so as to realize safe parking in the lane or safe parking in the emergency lane. That is, when the steering main actuator 2121 fails, the brake main actuator 2122 and the steering backup actuator 2221 may support the vehicle to stop to a safe area at a reduced speed.
It should be noted that, when both the steering main actuator 2121 and the braking main actuator 2122 are in a failure state, the main controller 211 sends a deceleration control command and a steering control command to the backup controller 221, and the backup controller 221 distributes the steering control command to the steering backup actuator 2221 and the deceleration control command to the braking backup actuator 2222. That is, when both the steering main actuator 2121 and the braking main actuator 2122 fail, the braking backup actuator 2222 and the steering backup actuator 2221 may support the vehicle to stop to a safe area at a reduced speed.
Please refer to fig. 6, which is a schematic diagram illustrating a fourth application scenario of an autopilot redundancy control system according to an embodiment of the present application. The embodiment is used for indicating the working principle of a minimum risk mechanism for realizing safe parking of the lane or safe parking of the emergency lane under the fault scene of the backup control subsystem. In the figure, the dashed box indicates a faulty component (which may be one of the faulty components), the solid line connection indicates that there is no signal or control command transmission between the two components after the fault occurs, and the dashed line connection indicates that there is no signal or control command transmission between the two components after the fault occurs.
When any one or more components in the backup control subsystem 202 (backup controller 221, brake backup actuator 2222, and steering backup actuator 2221) are in a failure state, the system may monitor the failure and enter the MRM state, and the primary control subsystem 201 in the normal state performs corresponding operations. The system has safety mechanisms such as counters and node fault detection, and can monitor the fault of the backup control subsystem 202. For example, the backup execution mechanism sends its own working condition to the backup controller according to a preset rule (e.g., every 1S actively or passively); if the backup controller does not receive the message sent by the backup execution mechanism within a certain time, the communication between the backup controller and the corresponding backup execution mechanism can be judged to be failed. Of course, if the backup controller receives the message sent by the backup execution mechanism within a certain time, the working condition and the communication condition of the corresponding backup execution mechanism can be determined by judging whether the content, format or time and the like of the message meet the preset rules. The backup controller can also send the working condition of the backup controller to the main controller according to a preset rule (such as every 1S active or passive); if the main controller does not receive the message sent by the backup controller within a certain time, the communication with the backup controller can be judged to be failed. Of course, if the main controller receives the message sent by the backup controller within a certain time, the working condition and the communication condition of the backup controller can be determined by judging whether the content, format or time and the like of the message meet the preset rules.
When the backup controller 221 fails (e.g., communication failure, failure of its own device, etc.) and/or the steering backup actuator 2221 fails (e.g., communication failure, failure of its own device, etc.) and/or when the brake backup actuator 2222 fails (e.g., communication failure, failure of its own device, etc.), the system may monitor the failure and enter the MRM state. In the MRM state, the master sensing device 210 transmits detected real-time driving environment information (including but not limited to traffic flow dynamics, lane line information, etc.) to the master controller 211; the main controller 211 performs path analysis and calculation according to the real-time driving environment information and the fault information, and generates a deceleration control instruction and a steering control instruction; the main controller 211 distributes a steering control command to the steering main actuator 2121 and a deceleration control command to the braking main actuator 2122, thereby achieving safe parking in the own lane or safe parking in the emergency lane. That is, when one of the backup controller 221, the steering backup actuator 2221, and the brake backup actuator 2222 fails, or when any two of them fail, or when three of them fail, the brake master actuator 2122 and the steering master actuator 2121 can support the vehicle to decelerate to a safe region.
Please refer to fig. 7, which is a schematic diagram illustrating a fifth application scenario of an autopilot redundancy control system according to an embodiment of the present application. The embodiment is used for illustrating the working principle of a minimum risk mechanism for realizing deceleration or obstacle avoidance deceleration in the lane under the fault scene of the main sensing equipment. In the figure, the broken line indicates that there is no signal or control command transmission between the two components after the fault occurs.
Specifically, the master sensing apparatus 210 is connected with the master controller 211 for information exchange, and the master sensing apparatus 210 is connected with the backup controller 221 for information exchange. When the main sensing device 210 is in a failure state, the main controller 211 in a normal state generates a control command based on the navigation map data and/or the radar data, and completes a corresponding safe driving control operation. The system has safety mechanisms such as counters and node fault detection, and can monitor faults of the main sensing equipment. For example, the master sensing device sends its own working condition to the corresponding controller according to a preset rule (e.g., every 1S active or passive); if the corresponding controller does not receive the message sent by the master sensing device within a certain time, the communication with the master sensing device can be judged to be failed. Of course, if the corresponding controller receives the message sent by the master sensing device within a certain time, the working condition and the communication condition of the master sensing device can be determined by judging whether the content, format or time and the like of the message meet the preset rules. And when the communication between the main sensing equipment and any one of the main controller and the backup controller fails, the main sensing equipment is judged to be in fault.
When the master sensing device 210 is in a fault state (e.g., communication failure, component failure, etc.), but there is navigation MAP data (e.g., HD MAP data), the system may monitor the fault and enter the MRM state. In the MRM state, the main controller 211 extracts lane line information from the navigation map data stored in the main controller 211, and extracts dynamic traffic information from the radar data, thereby performing path analysis and calculation, and generating a deceleration control command and a steering control command; the main controller 211 distributes a steering control command to the steering main actuator 2121 and a deceleration control command to the braking main actuator 2122, thereby realizing deceleration in the own lane. That is, when the master sensing device 210 malfunctions but currently has navigation map data, the master controller 211 may perform path planning based on the existing navigation map data and radar data, and the brake master actuator 2122 and the steering master actuator 2121 may support deceleration of the vehicle until parking to a safe area.
When the master sensing device 210 is in a fault state (e.g., communication failure, component failure, etc.), and there is no navigation map data currently, the system may monitor the fault and enter the MRM state. In the MRM state, the main controller 211 extracts dynamic traffic information according to the radar data, performs path analysis and calculation, and generates a deceleration control instruction and a steering control instruction; the main controller 211 distributes a steering control command to the steering main actuator 2121 and a deceleration control command to the braking main actuator 2122, thereby realizing obstacle avoidance and deceleration. That is, when the master sensing apparatus 210 is out of order and there is no navigation map data currently, the master controller 211 may perform path planning based on only radar data, and the brake master actuator 2122 and the steering master actuator 2121 may support vehicle deceleration until parking to a safe area.
Please refer to fig. 8, which is a schematic diagram illustrating a sixth application scenario of an autopilot redundancy control system according to an embodiment of the present application. The embodiment is used for illustrating the working principle of a minimum risk mechanism for realizing safe parking of the lane or safe parking of the emergency lane under the fault scene of the main controller. In the figure, the broken line indicates that there is no signal or control command transmission between the two components after the fault occurs.
Specifically, the main controller 211 is connected with the backup controller 221 for information interaction. When any one of the two controllers is in a fault state, the controller in the normal state generates a control instruction to complete corresponding safe driving control operation; that is, either controller can independently perform control operations based on data provided by the master-aware device 210, and in the event of a failure of one of the controllers, control instructions will be generated by the other controller. The system has safety mechanisms such as counters and node fault detection, and can monitor the faults of the main controller. For example, the backup controller receives a synchronization command of the primary controller according to a preset rule (such as every 1S active or passive); if the backup controller does not receive the message sent by the main controller within a certain time, the communication with the main controller can be judged to be failed. Considering that the backup controller cannot receive the synchronous command when the communication of the main controller is lost, in order to ensure that the backup controller can take over the control right in time, the backup controller can also be used for monitoring whether the communication between the backup controller and the main controller is interrupted, and when the communication between the backup controller and the main controller is interrupted, the backup controller takes over the control right in time.
When the main controller 211 fails (e.g., communication failure, component failure, etc.), the system may monitor the failure and enter the MRM state. In the MRM state, the master sensing device 210 transmits detected real-time driving environment information (including but not limited to traffic flow dynamics, lane line information, etc.) to the backup controller 221; the backup controller 221 performs path analysis and calculation according to the real-time driving environment information and the fault information to generate a deceleration control instruction and a steering control instruction; the backup controller 221 distributes the steering control command to the steering backup actuator 2221 and distributes the deceleration control command to the braking backup actuator 2222, thereby realizing obstacle avoidance and deceleration. That is, when the main controller 211 fails, the brake backup actuator 2222 and the steering backup actuator 2221 may support deceleration of the vehicle until parking to a safe area.
According to the above, the automatic driving redundancy control system provided by the embodiment of the application can realize multiple minimum risk mechanisms such as safe parking of the vehicle lane, safe parking of an emergency lane, speed reduction of the vehicle lane, obstacle avoidance and speed reduction, and the like, and the embodiment is connected with the main sensing device through the backup controller, so that the backup control subsystem does not need to be provided with the backup sensing device, the problem that configuration work such as calibration matching and the like is required to be added to the backup controller to ensure the consistency of the regulated control data is solved, the cost increase caused by the setting of the backup sensing device is saved, and the problems of changing of sensing spatial arrangement, resetting of each automatic link of a production line and the like are avoided. And when one main execution mechanism is abnormal, the other main execution mechanisms can still respond to the control instruction of the main controller to normally work, so that the condition that all execution controls need to be switched to the backup execution mechanism when one main execution mechanism is in failure is avoided, the timeliness and the accuracy of backup are ensured, and the functional safety and the reliability of automatic driving are further ensured.
Based on the same inventive concept, the application also provides an automatic driving redundancy control method adopting the automatic driving redundancy control system. Because the method adopts the automatic driving redundancy control system provided by the embodiment of the application and the principle of solving the problems of the method is similar to that of the system, the embodiment of the method can refer to the implementation of the system, and repeated parts are not repeated.
Please refer to fig. 9, which is a flowchart illustrating an autopilot redundancy control method according to an embodiment of the present application. As shown in fig. 9, the above method may include the steps of: s91, when one of the steering main executing mechanism and the braking main executing mechanism is monitored to be in a fault state, the main controller receives real-time driving environment information detected by the main sensing equipment, carries out path planning, sends a first control instruction to the main executing mechanism in a normal working state in the main executing equipment, sends a second control instruction to the backup controller, and distributes the second control instruction to the backup executing mechanism corresponding to the main executing mechanism in the fault state in the backup executing equipment; and S92, entering a minimum risk mechanism when the main controller is monitored to be in a fault state, stopping responding a control instruction sent by the main controller by the main execution device, and receiving the real-time driving environment information detected by the main sensing device, planning a path and sending the control instruction to the backup execution device by the backup controller. It should be noted that the above-described actions or steps may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Wherein the first control instruction and the second control instruction are selected from a deceleration control instruction and a steering control instruction and are different from each other. For example, when the steering main actuator 2121 is in a failure state and the brake main actuator 2122 is in a normal operation state, the main controller 211 sends a deceleration control command to the brake main actuator 2122, and sends a steering control command to the backup controller 221, and the backup controller 221 distributes the steering control command to the steering backup actuator 2221; when the brake main actuator 2122 is in a failure state and the steering main actuator 2121 is in a normal working state, the main controller 211 sends a steering control command to the steering main actuator 2121, and sends a deceleration control command to the backup controller 221, and the backup controller 221 distributes the deceleration control command to the brake backup actuator 2222.
In a further embodiment, when the steering main actuator 2121 and the braking main actuator 2122 are in a failure state, the main controller 211 sends a deceleration control command and a steering control command to the backup controller 221, the backup controller 221 distributes the steering control command to the steering backup actuator 2221, and distributes the deceleration control command to the braking backup actuator 2222.
In an optional embodiment, the method further comprises: when the misoperation of a driver is monitored or any one or more of the backup controller and the backup execution equipment is in a fault state, the main controller receives the real-time driving environment information detected by the main sensing equipment, performs path planning and sends a control instruction of deceleration and/or steering to the main execution equipment. That is, when the main actuator 212 at least includes the steering main actuator 2121 and the braking main actuator 2122, the main controller 211 sends the deceleration control command to the braking main actuator 2122 and sends the steering control command to the steering main actuator 2121, so that the vehicle can realize the minimum risk mechanism, such as safe parking in the own lane, safe parking in the emergency lane, deceleration in the own lane, obstacle avoidance deceleration, avoiding occurrence of an accident, and ensuring safe driving of the vehicle.
In an optional embodiment, the method further comprises: when the main sensing equipment is in a fault state, the main controller extracts lane line information according to navigation map data, extracts dynamic traffic flow information according to radar data, performs path planning and sends a control instruction of speed reduction and/or steering to the main execution equipment; or the main controller extracts dynamic traffic flow information according to the radar data, performs path planning, and sends a deceleration and/or steering control instruction to the main execution equipment. That is, when the master sensing device 210 is in a failure state, there are two cases: one is that the master-aware device 210 is malfunctioning, but currently has navigation MAP data (e.g., HD MAP data); the other is that the master-aware device 210 is malfunctioning and is currently not having navigation MAP data (e.g., HD MAP data). For the case that the main sensing device 210 has a fault but navigation map data exists currently, the main controller 211 extracts lane line information according to the navigation map data stored in the main controller 211, extracts dynamic traffic flow information according to radar data, performs path planning, and sends a control instruction for deceleration and/or steering to the main execution device to decelerate in the lane. For the case that the main sensing device 210 has a fault and does not have navigation map data at present, the main controller 211 extracts dynamic traffic information according to the radar data, performs path planning, and sends a control instruction of deceleration and/or steering to the main execution device to perform obstacle avoidance and deceleration.
According to the above, the automatic driving redundancy control system provided by the embodiment of the application can realize multiple minimum risk mechanisms such as safe parking of the vehicle lane, safe parking of an emergency lane, speed reduction of the vehicle lane, obstacle avoidance and speed reduction, and the like, and the embodiment is connected with the main sensing device through the backup controller, so that the backup control subsystem does not need to be provided with the backup sensing device, the problem that configuration work such as calibration matching and the like is required to be added to the backup controller to ensure the consistency of the regulated control data is solved, the cost increase caused by the setting of the backup sensing device is saved, and the problems of changing of sensing spatial arrangement, resetting of each automatic link of a production line and the like are avoided. And when one main execution mechanism is abnormal, the other main execution mechanisms can still respond to the control instruction of the main controller to normally work, so that the condition that all execution controls need to be switched to the backup execution mechanism when one main execution mechanism is in failure is avoided, the timeliness and the accuracy of backup are ensured, and the functional safety and the reliability of automatic driving are further ensured.
It should be noted that the embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same/similar parts in the embodiments are referred to each other. For the method embodiment disclosed by the embodiment, since the method embodiment corresponds to the system embodiment disclosed by the embodiment, the description is relatively simple, and the relevant points can be referred to the partial description of the system embodiment.
Those of skill would further appreciate that the various illustrative systems and method steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention. The computer software may be disposed in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application.
Claims (12)
1. An autonomous driving redundancy control system, comprising: a primary control subsystem and a backup control subsystem; it is characterized in that the preparation method is characterized in that,
the main control subsystem comprises main sensing equipment, a main controller and main execution equipment, wherein the main controller is respectively connected with the main sensing equipment and the main execution equipment, and the main execution equipment at least comprises a steering main execution mechanism and a braking main execution mechanism;
the backup control subsystem comprises a backup controller and a backup execution device, the backup controller is respectively connected with the main sensing device, the main controller and the backup execution device, the backup execution device at least comprises a steering backup execution mechanism and a braking backup execution mechanism, the steering backup execution mechanism is connected with the steering main execution mechanism, and the braking backup execution mechanism is connected with the braking main execution mechanism;
when a main execution mechanism in the main execution equipment is monitored to be in a fault state, a minimum risk mechanism is entered, the main controller receives real-time driving environment information detected by the main sensing equipment, carries out path planning, sends a first control instruction to the main execution mechanism in the main execution equipment in a normal working state, sends a second control instruction to the backup controller, and distributes the second control instruction to a backup execution mechanism corresponding to the main execution mechanism in the fault state in the backup execution equipment by the backup controller;
and when the main controller is monitored to be in a fault state, entering a minimum risk mechanism, stopping responding to a control instruction sent by the main controller by the main execution device, and receiving the real-time driving environment information detected by the main sensing device, planning a path and sending the control instruction to the backup execution device by the backup controller.
2. The system according to claim 1, wherein when a driver malfunction or a failure state of any one or more of the backup controller and the backup execution device is monitored, the main controller receives real-time driving environment information detected by the main sensing device, performs path planning, and sends a deceleration and/or steering control command to the main execution device.
3. The system of claim 1, wherein upon monitoring the master sensory device to be in a failure state,
the main controller extracts lane line information according to navigation map data stored in the main controller, extracts dynamic traffic flow information according to radar data, performs path planning, and sends a control instruction of deceleration and/or steering to the main execution equipment; or
And the main controller extracts dynamic traffic flow information according to the radar data, performs path planning and sends a deceleration and/or steering control command to the main execution equipment.
4. The system of claim 1,
the first control instruction and the second control instruction are selected from a deceleration control instruction and a steering control instruction and are different from each other.
5. The system of claim 1,
when the main steering executing mechanism and the main braking executing mechanism are monitored to be in a fault state, the main controller sends a deceleration control instruction and a steering control instruction to the backup controller, the backup controller distributes the deceleration control instruction to the backup braking executing mechanism, and the steering control instruction is distributed to the backup steering executing mechanism.
6. The system of claim 1, wherein the risk minimization mechanism comprises safe parking in the own lane, safe parking in an emergency lane, deceleration in the own lane, and obstacle avoidance deceleration.
7. The system of claim 1, wherein the master perception device comprises a standalone camera.
8. An autonomous driving redundancy control method, characterized in that the autonomous driving redundancy control system of claim 1 is employed, the method comprising:
when one of the steering main execution mechanism and the braking main execution mechanism is monitored to be in a fault state, the main controller receives real-time driving environment information detected by the main sensing equipment, carries out path planning, sends a first control instruction to the main execution mechanism in a normal working state in the main execution equipment, sends a second control instruction to the backup controller, and distributes the second control instruction to the backup execution mechanism corresponding to the main execution mechanism in the fault state in the backup execution equipment by the backup controller;
and when the main controller is monitored to be in a fault state, entering a minimum risk mechanism, stopping responding to a control instruction sent by the main controller by the main execution device, and receiving the real-time driving environment information detected by the main sensing device, planning a path and sending the control instruction to the backup execution device by the backup controller.
9. The method of claim 8, further comprising: when the misoperation of a driver is monitored or any one or more of the backup controller and the backup execution equipment is in a fault state, the main controller receives the real-time driving environment information detected by the main sensing equipment, performs path planning and sends a control instruction of deceleration and/or steering to the main execution equipment.
10. The method of claim 8, further comprising: upon monitoring that the master sensing device is in a failure state,
the main controller extracts lane line information according to navigation map data stored in the main controller, extracts dynamic traffic flow information according to radar data, performs path planning, and sends a control instruction of deceleration and/or steering to the main execution equipment; or
And the main controller extracts dynamic traffic flow information according to the radar data, performs path planning and sends a deceleration and/or steering control command to the main execution equipment.
11. The method of claim 8,
the first control instruction and the second control instruction are selected from a deceleration control instruction and a steering control instruction and are different from each other.
12. The method of claim 8, further comprising:
when the main steering executing mechanism and the main braking executing mechanism are monitored to be in a fault state, the main controller sends a deceleration control instruction and a steering control instruction to the backup controller, the backup controller distributes the deceleration control instruction to the backup braking executing mechanism, and the steering control instruction is distributed to the backup steering executing mechanism.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110694612.5A CN113247022A (en) | 2021-06-23 | 2021-06-23 | Automatic driving redundancy control system and method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110694612.5A CN113247022A (en) | 2021-06-23 | 2021-06-23 | Automatic driving redundancy control system and method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113247022A true CN113247022A (en) | 2021-08-13 |
Family
ID=77189176
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110694612.5A Pending CN113247022A (en) | 2021-06-23 | 2021-06-23 | Automatic driving redundancy control system and method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113247022A (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113848950A (en) * | 2021-10-21 | 2021-12-28 | 广州文远知行科技有限公司 | Controller control method and device, vehicle and storage medium |
| CN114013454A (en) * | 2021-10-29 | 2022-02-08 | 北京汽车研究总院有限公司 | Control system and method for automatic driving vehicle and vehicle |
| CN114237104A (en) * | 2021-12-02 | 2022-03-25 | 东软睿驰汽车技术(沈阳)有限公司 | Automatic driving area controller and vehicle |
| CN114291115A (en) * | 2022-01-06 | 2022-04-08 | 云控智行科技有限公司 | Automatic driving vehicle safe parking track planning method |
| CN114326476A (en) * | 2021-11-30 | 2022-04-12 | 际络科技(上海)有限公司 | Degradation control method and system for automatic driving controller |
| CN114348027A (en) * | 2022-02-07 | 2022-04-15 | 中国第一汽车股份有限公司 | Vehicle control method, device, platform and storage medium |
| WO2023077967A1 (en) * | 2021-11-04 | 2023-05-11 | 武汉路特斯汽车有限公司 | Autonomous driving control system and vehicle |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108196547A (en) * | 2018-01-08 | 2018-06-22 | 北京图森未来科技有限公司 | A kind of automated driving system |
| CN108958248A (en) * | 2018-07-05 | 2018-12-07 | 北京智行者科技有限公司 | Standby system |
| CN109917779A (en) * | 2019-03-26 | 2019-06-21 | 中国第一汽车股份有限公司 | Redundancy control system towards L3 automatic Pilot |
| CN110682920A (en) * | 2019-12-09 | 2020-01-14 | 吉利汽车研究院(宁波)有限公司 | Automatic driving control system, control method and equipment |
| CN110745144A (en) * | 2019-12-23 | 2020-02-04 | 吉利汽车研究院(宁波)有限公司 | Automatic driving control system, control method and equipment |
-
2021
- 2021-06-23 CN CN202110694612.5A patent/CN113247022A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108196547A (en) * | 2018-01-08 | 2018-06-22 | 北京图森未来科技有限公司 | A kind of automated driving system |
| CN108958248A (en) * | 2018-07-05 | 2018-12-07 | 北京智行者科技有限公司 | Standby system |
| CN109917779A (en) * | 2019-03-26 | 2019-06-21 | 中国第一汽车股份有限公司 | Redundancy control system towards L3 automatic Pilot |
| CN110682920A (en) * | 2019-12-09 | 2020-01-14 | 吉利汽车研究院(宁波)有限公司 | Automatic driving control system, control method and equipment |
| CN110745144A (en) * | 2019-12-23 | 2020-02-04 | 吉利汽车研究院(宁波)有限公司 | Automatic driving control system, control method and equipment |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113848950A (en) * | 2021-10-21 | 2021-12-28 | 广州文远知行科技有限公司 | Controller control method and device, vehicle and storage medium |
| CN114013454A (en) * | 2021-10-29 | 2022-02-08 | 北京汽车研究总院有限公司 | Control system and method for automatic driving vehicle and vehicle |
| WO2023077967A1 (en) * | 2021-11-04 | 2023-05-11 | 武汉路特斯汽车有限公司 | Autonomous driving control system and vehicle |
| CN114326476A (en) * | 2021-11-30 | 2022-04-12 | 际络科技(上海)有限公司 | Degradation control method and system for automatic driving controller |
| CN114237104A (en) * | 2021-12-02 | 2022-03-25 | 东软睿驰汽车技术(沈阳)有限公司 | Automatic driving area controller and vehicle |
| CN114291115A (en) * | 2022-01-06 | 2022-04-08 | 云控智行科技有限公司 | Automatic driving vehicle safe parking track planning method |
| CN114348027A (en) * | 2022-02-07 | 2022-04-15 | 中国第一汽车股份有限公司 | Vehicle control method, device, platform and storage medium |
| CN114348027B (en) * | 2022-02-07 | 2023-11-28 | 中国第一汽车股份有限公司 | Vehicle control method, device, platform and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN113247022A (en) | Automatic driving redundancy control system and method | |
| US11644831B2 (en) | Multi-stage operation of autonomous vehicles | |
| JP7425174B2 (en) | Vehicle control system and control method | |
| US20230110082A1 (en) | Vehicular control system | |
| US11472428B2 (en) | Vehicle control system and control method | |
| JP6320522B2 (en) | Method and apparatus for operating a vehicle in automatic driving mode | |
| WO2020066304A1 (en) | Vehicle-mounted electronic control system | |
| CN114348020B (en) | 5G remote and automatic driving safety redundancy system and control method | |
| CN115023380A (en) | Asymmetrical fail-safe system architecture | |
| CN112805648A (en) | Fail-safe handling system for autonomously driven vehicles | |
| JP7259716B2 (en) | Vehicle control system and vehicle control method | |
| WO2023077967A1 (en) | Autonomous driving control system and vehicle | |
| JPS63155307A (en) | Obstacle monitoring system for unmanned self-traveling object | |
| Hoffmann et al. | Safe corridor: A trajectory-based safety concept for teleoperated road vehicles | |
| CN114620064A (en) | Vehicle control system, autonomous vehicle, and vehicle control method | |
| Huang et al. | Control system design of an automated bus in revenue service | |
| US20210255618A1 (en) | Scalable Remote Operation of Autonomous Robots | |
| CN114056351B (en) | Automatic driving method and device | |
| KR102416612B1 (en) | Control system having isolated user computing part and method thereof | |
| JP2024509206A (en) | Method for operating assistant system as well as assistant system | |
| Tan et al. | The design and implementation of an automated bus in revenue service on a bus rapid transit line | |
| US20230409704A1 (en) | Control system having isolated user computing unit and control method therefor | |
| US20240140489A1 (en) | Vehicle for performing minimal risk maneuver and operation method thereof | |
| KR102405002B1 (en) | Automatic Driving System for supporting MRM(Minimal Risk Maneuver) | |
| EP4250040A1 (en) | Driving control apparatus for vehicle |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |