WO2019058962A1 - Control system for mobile body and control method for mobile body - Google Patents

Control system for mobile body and control method for mobile body Download PDF

Info

Publication number
WO2019058962A1
WO2019058962A1 PCT/JP2018/032806 JP2018032806W WO2019058962A1 WO 2019058962 A1 WO2019058962 A1 WO 2019058962A1 JP 2018032806 W JP2018032806 W JP 2018032806W WO 2019058962 A1 WO2019058962 A1 WO 2019058962A1
Authority
WO
WIPO (PCT)
Prior art keywords
control
control information
unit
information
vehicle
Prior art date
Application number
PCT/JP2018/032806
Other languages
French (fr)
Japanese (ja)
Inventor
敏史 大塚
成沢 文雄
Original Assignee
日立オートモティブシステムズ株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日立オートモティブシステムズ株式会社 filed Critical 日立オートモティブシステムズ株式会社
Publication of WO2019058962A1 publication Critical patent/WO2019058962A1/en

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W30/00Purposes of road vehicle drive control systems not related to the control of a particular sub-unit, e.g. of systems using conjoint control of vehicle sub-units, or advanced driver assistance systems for ensuring comfort, stability and safety or drive control systems for propelling or retarding the vehicle
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W30/00Purposes of road vehicle drive control systems not related to the control of a particular sub-unit, e.g. of systems using conjoint control of vehicle sub-units, or advanced driver assistance systems for ensuring comfort, stability and safety or drive control systems for propelling or retarding the vehicle
    • B60W30/18Propelling the vehicle
    • B60W30/182Selecting between different operative modes, e.g. comfort and performance modes
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/02Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
    • B60W50/023Avoiding failures by using redundant parts
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/20Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements

Definitions

  • the present invention relates to a control system of a mobile unit and a control method of the mobile unit.
  • Patent Document 1 discloses, in a control system of a vehicle, a technique for relieving a control step that occurs when a failure is repaired and the system is restored to a normal state.
  • time-series information (control output) of the future vehicle position (track) is output from two systems of a normal function and an alternative function. is there.
  • future motion information used in the alternative function not only future motion information used in the alternative function, but also operation information when the driver performs an operation during automatic driving (when overriding) or more urgently Emergency information of high vehicles may also be output.
  • Patent Document 1 The technology disclosed in Patent Document 1 is a technology that simply compares the information output from each of the normal function and the alternative function, and outputs a plurality of functions when a failure occurs in part of the control system.
  • the control output can not be properly selected from among the plurality of control outputs.
  • An object of the present invention is to provide a control system capable of appropriately selecting an output.
  • the 1st control part which generates the 1st control information for usually controlling movement of a mobile
  • the 2nd control information which generates the 2nd control information for unusually controlling movement of a mobile.
  • a switching unit for outputting any one of the first control information and the second control information, and the switching unit is configured such that the difference between the first control information and the second control information is equal to or less than a predetermined threshold value. When it is, it is set as the structure which outputs 2nd control information.
  • a control system capable of appropriately selecting a control output from among a plurality of control outputs output from a plurality of functions when a failure occurs in a part of a control system of a moving object.
  • FIG. 1 is a block diagram for explaining the function of a mobile object control system 1 (hereinafter simply referred to as the control system 1) according to the embodiment.
  • the control system 1 includes an AD1-ECU 2 and a VMC-ECU 3.
  • the AD1-ECU 2 and the VMC-ECU 3 are gateways (hereinafter referred to as GWs (hereinafter referred to as GWs) that connect the respective network links. It is connected via Gateway) 97).
  • GWs gateways
  • AD is used on the assumption of Automated Driving or Autonomous Driving.
  • VMC is used assuming Vehicle Motion Control.
  • the ECU is assumed to be an Electronic Control Unit.
  • AD1-ECU2 is a high-level high-performance ECU that performs overall control of the vehicle 100.
  • a detection device 80 for detecting a surrounding condition of the vehicle 100 such as a corner rider 81, a corner radar 82, a front camera 83, a sonar 84 and the like.
  • the AD 1 -ECU 2 generates (calculates) future position information (track) of the vehicle 100 based on the detection result of the surrounding condition of the vehicle 100 by the detection device 80.
  • the future means a time earlier than the current time.
  • the detection device 80 includes a corner rider 85, a front radar 86, and a 360 ° camera 87.
  • the detection devices 80 are selectively connected to the AD1-ECU 2 and the VMC-ECU 3 (CPU 3B described later) via a switch (hereinafter referred to as SW 88), and switching of the switch 88 causes the AD1-ECU 2 and It is connected to one or both of VMC-ECU3.
  • the AD 1 -ECU 2 performs control for controlling the vehicle 100 based on the surrounding situation detected by the detection device 80 described above and the future position information (track) of the vehicle 100. Generate output. AD1-ECU2 transmits the generated control output to VMC-ECU3.
  • the VMC-ECU 3 is a lower-level single-function ECU that directly controls an actuator of a drive device (for example, an engine, an accelerator, a brake, a steering, etc.) involved in the motion of the vehicle 100.
  • a drive device for example, an engine, an accelerator, a brake, a steering, etc.
  • the VMC-ECU 3 is connected to a drive device 90 of the vehicle 100 such as the brake 91, the steering 92, the other ECU 93, the EMC 94, and the ATCU 95 via a controller area network (hereinafter referred to as CAN 99).
  • the VMC-ECU 3 controls these drive devices 90 based on the control output from the AD 1 -ECU 2.
  • the CAN 99 includes communication lines such as CAN FD (CAN With Flexible Data-rate, Ethernet (registered trademark)).
  • CAN FD CAN With Flexible Data-rate, Ethernet (registered trademark)
  • the VMC-ECU 3 is a dual core processor having two CPUs, a central processing unit (CPU) 3A and a CPU 3B provided in parallel with the CPU 3A.
  • the VMC-ECU 3 exemplifies and describes a dual core processor having the CPU 3A and the CPU 3B in parallel, but the present invention is not limited to this.
  • the VMC-ECU 3 may be a quad core processor having four CPUs in parallel, a hexa core processor having six CPUs in parallel, or a multi-core processor having more CPUs in parallel.
  • a memory 33 is provided in the VMC-ECU 3.
  • the memory 33 stores a control program (not shown) used to control the VMC-ECU 3 and various control parameters (not shown).
  • the CPU 3A controls the drive device 90 (for example, the brake 91, the steering 92, an accelerator (not shown)) and the like involved in the motion of the vehicle 100.
  • the CPU 3A is connected to the AD1-ECU 2 via the GW 97.
  • the CPU 3A is connected to the CPU 3B, and mutually communicates various information processed by the CPU 3A or the CPU 3B with the CPU 3B.
  • the CPU 3 B is connected to a detection device 80 such as a corner rider 85, a front radar 86, and a 360 ° camera 87, and acquires the surrounding situation from the detection device 80.
  • the CPU 3B transmits the surrounding situation acquired from the detection device 80 to the CPU 3A.
  • resources such as an arithmetic device and a memory are prepared, which are capable of installing and executing the degeneration module 96 for degenerating the function of the CPU 3A or CPU 3B.
  • degeneracy means that the CPU 3A or CPU 3B lowers the performance than the basic function (main function) for controlling the drive device 90, or continues the control while limiting the main function and limiting it, or When a predetermined function of the CPU 3A or the CPU 3B can not be used, it means switching to another function which is a substitute, or its function or configuration.
  • control of the vehicle 100 by the main function may be referred to as normal control
  • control of the vehicle 100 by the degeneration function may be referred to as non-normal control.
  • the VMC-ECU 3 can degenerate the function of the other CPU 3A or CPU 3B based on the degeneration module 96. Therefore, the VMC-ECU 3 can control the drive device 90 such as the brake 91 and the steering 92 by either of the CPU 3A or the CPU 3B by the degeneration function.
  • the GW 97 is connected to the body 971, the HMI 972, the connection device 973, and the information providing device 974 via a network link or a dedicated line.
  • the CPU 3A of the VMC-ECU 3 described above constitutes a first control unit of the present invention, and the CPU 3B constitutes a second control unit of the present invention.
  • FIG. 2 is a schematic view illustrating the configuration of a vehicle 100 equipped with the control system 1.
  • the control system 1 is disposed inside the vehicle 100.
  • another vehicle control device configured by a network using a different or the same protocol as the vehicle control device 4 such as the AD1-ECU 2 or the VMC-ECU 3, the communication device 5, and the vehicle control device 4.
  • ECU equivalent to ECU 93 in FIG. 1
  • 6 an external output device 7, an input device 8, a notification device 9, a detection device 80, and a drive device 90 are connected.
  • the communication device 5 is a device that enables wireless communication between the control system 1 provided inside the vehicle 100 and an external device (not shown) of the vehicle 100.
  • the communication device 5 is, for example, mobile phone communication, wireless LAN (Local Area Network), WAN (Wide Area Network), C2X (Car to X: communication between a vehicle and a vehicle or communication between a vehicle and an infrastructure device on the road) Etc., or communication using GPS (Global Positioning System).
  • the communication device 5 performs wireless communication with an external device (not shown), acquires the surrounding situation of the vehicle 100 (for example, information on road infrastructure equipment, position information and speed information of other vehicles, map information), and controls the vehicle
  • the ambient situation is transmitted to the device 4 (AD1-ECU 2 described above). Transmission of the surrounding situation to the vehicle control device 4 by the communication device 5 is performed by using a diagnostic terminal (On-board diagnostics: OBD) for the self-diagnosis function of the vehicle provided in the communication device 5, an external storage medium (for example, USB (for example, It is performed via the Universal Serial Bus) memory and SD memory card) terminals.
  • OBD On-board diagnostics: OBD
  • USB for example, It is performed via the Universal Serial Bus
  • SD memory card Secure Digital
  • the external output device 7 is a device for notifying the driver or the like of the motion state or the surrounding condition of the vehicle 100.
  • the external output device 7 is a liquid crystal display, a warning light, or a speaker that outputs acquired information as a video or sound.
  • the input device 8 is a device for the driver to give the control system 1 an operation instruction regarding the driving of the vehicle 100.
  • the input device 8 is a handle, a foot pedal, various operation buttons, an operation lever, a touch panel, or the like.
  • the notification device 9 is a device for the control system 1 to notify the outside world of the motion state of the vehicle 100.
  • the notification device 9 is a light (headlight or the like), a lamp (a warning lamp such as a brake lamp, a tail lamp, a fog lamp or a small lamp), an LED, a speaker or the like.
  • the detection device 80 is a device that acquires the surrounding situation detected by a sensor or the like provided in the vehicle 100.
  • the detection device 80 may be an on-board camera, a radar, an external sensor such as a lidar (LIDAR) or a sonar (ultrasonic sensor), and a state (motion state, position information, acceleration, wheel state) of the control system 1. It is a dynamic sensor etc. which recognizes rotation speed etc.).
  • LIDAR lidar
  • sonar ultrasonic sensor
  • the drive device 90 is a drive device such as an actuator that drives the mechanical and electrical devices that control the motion of the vehicle 100 according to the control of the control system 1.
  • the drive device 90 is an engine, a transmission, a wheel, a brake 91, a steering 92, an accelerator, or the like.
  • FIG. 3 is a block diagram for explaining an apparatus configuration of the control system 1.
  • a plurality of VMC-ECUs 3 (hereinafter simply referred to as ECUs 3) for controlling the respective detecting devices 80 and the driving devices 90 are connected to CAN 99 which is an in-vehicle network. There is.
  • the communication device 5 and other vehicle control systems 6, the respective detection devices 80, and drive devices 90 (actuators) such as the brake 91 are connected to the respective ECUs 3.
  • Each ECU 3 is also connected to another in-vehicle network (including a dedicated line) other than the CAN 99, and transmits and receives information with the drive device 90 and the like via the other in-vehicle network.
  • another in-vehicle network including a dedicated line
  • CAN99 mentioned above illustrated and demonstrated the case of the bus
  • the network topology of CAN99 is limited to this It is not a thing.
  • a star type in which a plurality of ECUs 3 are arranged radially a link type in which a plurality of ECUs 3 are connected to a bus arranged in a ring, and a mixture type in which each type is mixed Or the like.
  • the ECU 3 transmits a control output to the drive device 90 based on the information of the detection device 80 and the like acquired via the on-vehicle network such as the CAN 99, and performs control processing such as change of the internal state.
  • FIG. 4 is a block diagram for explaining an example of the internal configuration of the ECU 3.
  • the ECU 3 has a processor 31, an I / O (Input / Output) 32, a timer 33, a ROM (Read Only Memory) 34, and a RAM (Random Access Memory) 35. These are connected by an internal bus 36 used for communication inside the ECU 3.
  • the processor 31 is a device such as a CPU that has a storage element such as a cash register and executes control.
  • the processor 31 configures the CPU 3A and the CPU 3B described above.
  • the I / O 32 is a device that transmits and receives information to and from the detection device 80 or the drive device 90 connected to the ECU 3 via the CAN 99 or a dedicated line (not shown).
  • the timer 33 is a device that manages time and time using a clock function (not shown) that the processor 31 or the like has.
  • the ROM 34 is a non-volatile storage device that stores a control program for controlling the ECU 3 and various parameters.
  • the RAM 35 is a volatile storage device that temporarily stores various programs for executing the functions of the ECU 3 and information processed by a processor or the like.
  • FIG. 5 is a diagram for explaining the configuration of a software module operating on the processor 31. As shown in FIG.
  • the processor 31 includes a control unit 311, a communication management unit 312, a time management unit 313, a data table 314, and a buffer 315.
  • the control unit 311 performs overall control of the processor 31. Specifically, the control unit 311 executes a predetermined control program and performs processing based on the control program. By the operation of the control unit 311, execution of each function of the control system 1 is performed.
  • the communication management unit 312 instructs the I / O 32 to transmit and receive information via the internal bus 36.
  • the time management unit 313 manages the timer 33, acquires information related to time and time, and performs control such as counting of time and time.
  • the data table 314 stores various information necessary for control of the vehicle 100.
  • the buffer 315 temporarily stores the information calculated by the control unit 311 and the time management unit 313.
  • the control unit 311, the communication management unit 312, and the time management unit 313 described above read the information necessary for the operation from the ROM 34 or the RAM 35, or write the information into the ROM 34 or the RAM 35.
  • FIG. 6 is a functional block diagram for explaining the functional configuration of the control system 1 as a whole.
  • the control system 1 switches between the integrated recognition unit 11, the automatic driving control unit 12, the user input unit 13, the output management unit 14, the notification management unit 15, the abnormality detection unit 16, and It has a unit 17, a motion control unit 18, and a safety control unit 19.
  • the safety control unit 19 is disposed in any of the aforementioned ECUs 3.
  • the integrated recognition unit 11 is connected to the plurality of detection devices 80 and the communication device 5, and acquires the surrounding situation L1 from these devices.
  • the integrated recognition unit 11 integrates the acquired surrounding situation L1 to generate an external world recognition map L2.
  • the integrated recognition unit 11 is connected to the automatic driving control unit 12, and transmits the generated external world recognition map L2 to the automatic driving control unit 12.
  • the autonomous driving control unit 12 generates autonomous driving control information L4 (such as a trajectory) based on the external world recognition map L2 generated by the integrated recognition unit 11 and the user input information L3 input through the user input unit 13. Generate The automatic driving control unit 12 outputs the generated automatic driving control information L4 to the output management unit 14, the notification management unit 15, the abnormality detection unit 16, and the switching unit 17.
  • autonomous driving control information L4 such as a trajectory
  • the user input unit 13 generates user input information L3 based on the user input from the input device 8.
  • the output management unit 14 is connected to the external output device 7.
  • Output management unit 14 outputs output information L6 generated based on automatic operation control information L4 received from automatic operation control unit 12 and abnormality detection information L5 received from abnormality detection unit 16 to external output device 7. .
  • the notification management unit 15 is connected to the notification device 9 and the communication device 5.
  • the notification management unit 15 outputs notification information L7 generated based on the automatic operation control information L4 received from the automatic operation control unit 12 and the abnormality detection information L5 received from the abnormality detection unit 16 to the notification device 9.
  • the abnormality detection unit 16 detects an abnormality in the control system 1 based on the automatic operation control information L4 acquired from the automatic operation control unit 12 and control information (not shown) acquired from other devices.
  • the abnormality detection unit 16 is connected to the output management unit 14, the notification management unit 15, the switching unit 17, and the safety control unit 19, and transmits the abnormality detection information L5 to these devices.
  • the switching unit 17 is connected to the abnormality detection unit 16, the automatic driving control unit 12, the user input unit 13, the safety control unit 19, and the exercise control unit 18.
  • the switching unit 17 controls the automatic driving control unit 12, the user input unit 13, and the safety control unit 19 to output the control output L 10 to the exercise control unit 18 based on the abnormality detection information L 5 acquired from the abnormality detection unit 16. Switch to the information obtained from any of them.
  • control output L10 is, for example, a target value of motion control parameters such as acceleration of the vehicle 100 and a yaw rate, control command values to the respective driving devices 90, and continuous values thereof in time series.
  • the motion control unit 18 is connected to the detection device 80 and the drive device 90, and acquires the control output L10 obtained from the switching unit 17, the surrounding situation L1 of the vehicle 100 obtained from the detection device 80, and the drive device 90
  • the drive control information L9 generated based on the driving condition (response) of the drive device 90 is transmitted to the plurality of drive devices 90.
  • the safety control unit 19 is connected to the abnormality detection unit 16, the switching unit 17, and the detection device 80.
  • the safety control unit 19 performs safe driving control information at the time of failure occurrence or the like of the vehicle 100 (control system 1) based on the surrounding situation L1 acquired from the detection device 80 and the abnormality detection information L5 acquired from the abnormality detection unit 16. Output L8 to the switching unit 17.
  • the safety control unit 19 includes the degeneration module 96 (see FIG. 1), and by degenerating the motion function of the vehicle 100 by the degeneration function of the degeneration module 96, the vehicle 100 is exercised with the minimum function. It can be done. Therefore, the safe driving control information L8 generated by the safety control unit 19 is control information for causing the motion control unit 18 to exhibit the degeneration function.
  • the motion control of the vehicle 100 by the automatic driving control unit 12 may be referred to as normal control
  • the motion control of the vehicle 100 by the safety control unit 19 may be referred to as abnormal control.
  • the automatic operation control unit 12 (the ECU 3 in which the automatic operation control unit 12 is disposed) and the safety control unit 19 (the ECU 3 in which the safety control unit 19 is disposed) It is provided in parallel (see FIG. 6).
  • the non-normal control by the safety control unit 19 Control is continuously performed according to the automatic operation control information output from the automatic operation control unit 12 until the preparation of the second control is completed, and the control by the safety control unit 19 is performed at the stage when the preparation of the non-normal control by the safety control unit 19 is completed By shifting, the control can be switched smoothly.
  • the respective control units share functions for causing the vehicle 100 to properly exercise, and thus a predetermined switching period (for example, It is possible to switch within 500 msec) and to perform switching in case of failure quickly and safely.
  • a predetermined switching period for example, It is possible to switch within 500 msec
  • the control system 1 may include part or all of the communication device 5, the detection device 80, the drive device 90, the external output device 7, the input device 8 or the notification device 9. Further, although the VMC-ECU 3 including the motion control unit 18, the output management unit 14, and the notification management unit 15 has been described as an example having a part of the functions of the control system 1, the VMC-ECU 3 may have all the functions. Good.
  • control system 1 is composed of a plurality of functions, and the function arrangement to the internal configuration of the ECU 3 shown in FIG. 4 may be a plurality of patterns.
  • each function of the control system 1 is separately provided in the plurality of ECUs 3.
  • the integrated recognition unit 11 and the automatic driving control unit 12, the abnormality detection unit 16 and the safety control unit 19, the switching unit 17 and the motion control unit 18, and the user input unit 13 are provided as an example in the case of being provided in the ECU 3.
  • the output management unit 14 and the notification management unit 15 are disposed in separate ECUs 3 provided in parallel.
  • FIG. 8 is a diagram for explaining an example of control of the vehicle 100 by the control system 1.
  • the control system 1 (the automatic driving control unit 12) of the own vehicle (vehicle 100) is such that the own vehicle (vehicle 100) travels in the left lane on a road of two lanes on one side. Since the preceding vehicle 101 is ahead, the motion control of the own vehicle will be described by way of example when the trajectory 801 (automatic driving control information L4) of the own vehicle is generated so as to overtake from the right lane.
  • the trajectory 801 generated by the main function of the autonomous driving control unit 12 is a safety constraint that the vehicle can travel safely (for example, a state where the possibility of collision with another vehicle or an obstacle is low). It is assumed that the motion constraints such as achievable acceleration, deceleration, and yaw rate are satisfied.
  • the position of the vehicle at time t0 (the current time) is (X0, Y0) and the position of the vehicle at t1 is (X1, Y1)
  • the position of the vehicle at time t2 is (X2, Y2).
  • position information for example, t3 (x3, Y3) to tn (Xn, Yn) is assumed to be generated similarly.
  • the automatic driving control unit 12 acquires the current motion state (current speed, current acceleration, current yaw rate) and the like of the current vehicle so that the vehicle moves along the track 801, and the acquired motion Based on the state, the target velocity, the target acceleration, the target yaw rate, etc. of the vehicle are calculated.
  • the automatic driving control unit 12 increases the output of the engine torque, controls the brake to increase the braking force, steers the steering, and makes the wheels uneven. Make braking and acceleration for each wheel.
  • the target exercise is performed by controlling the drive device 90 using this control value. Control can be performed.
  • abnormality detection method in anomaly detection section Next, an abnormality detection method in the abnormality detection unit 16 will be described.
  • abnormal refers to a state different from a state assumed under normal conditions that occurs due to a hardware failure or software failure of the control system 1, an unexpected input, or the like.
  • Each component device of the control system 1 performs communication via communication such as an in-vehicle network (CAN 99) or a dedicated line. Therefore, in the control system 1, in the case of a normal abnormality, communication can not be performed (the communication processing is an error response, the potential of the signal line is abnormal), an abnormality of the signal value of communication, and the like occur.
  • These communication abnormalities are errors by abnormality detection code such as abnormality detection in electric circuit (potential detection etc.), periodic survival confirmation (error detection by transmission and reception of heartbeat), cyclic redundancy check (CRC), etc. It is detectable by performing detection.
  • the abnormality can be detected by checking the result of the same operation (comparison of the operation result), and the memory failure can be detected when the ROM or RAM is accessed, etc. Can be detected.
  • the software defect can be detected by the output result being out of the predetermined range (above the threshold or below the threshold), in addition to comparison of checking results of the same operation.
  • the abnormality detection unit 16 of the control system 1 detects an abnormality of the control system 1 by receiving the abnormality information.
  • another apparatus may detect an abnormality, and the abnormality detection unit 16 may detect abnormality by receiving abnormality information from the other apparatus.
  • the automatic driving control unit 12 adds, to the automatic driving control information L4, that an abnormality has occurred in any part of the detection device 80, the communication device 5, the integrated recognition unit 11, and the communication between them.
  • the abnormality detection unit 16 detects this abnormality information to detect an abnormality in the control system 1.
  • the switching unit 17 executes control information switching processing described later based on the abnormality detection result (reception of the abnormality detection information L5) by the abnormality detection unit 16.
  • FIG. 9 is a flowchart of control information switching processing in the switching unit 17.
  • the switching unit 17 executes the following control signal switching process.
  • step S101 the switching unit 17 controls the automatic operation control information L4 (output of the first control) acquired from the automatic operation control unit 12 and the safe operation control information L8 (second control) acquired from the safety control unit 19. And the output of the) in time series.
  • step S102 the switching unit 17 compares the automatic driving control information L4 (output of the first control) with the safe driving control information L8 (output of the second control), and as a result, the difference d has a predetermined prescribed value (predetermined value If it is determined that the value is not less than the threshold dth (step S102: No), the process proceeds to step S103, and the automatic driving control information L4 (output of the first control) is output to the motion control unit 18.
  • the switching unit 17 performs safety based on control based on the autonomous driving control information L4 of the vehicle 100.
  • the impact (control step) at the switching of the control becomes large, and it is determined that the driver's discomfort increases, and control based on the automatic driving control information L4 is performed as it is.
  • the driver's discomfort due to the switching of the control information can be reduced, and the vehicle 100 can be driven safely and safely.
  • the switching unit 17 determines that the difference d has a predetermined prescribed value (predetermined threshold dth). If it is determined that the following is true (step S102: Yes), the process proceeds to step S104, and the safe driving control information L8 (output of the second control) is output to the exercise control unit 18.
  • the switching unit 17 performs the safe driving from the control based on the automatic driving control information L4 of the vehicle 100. Even when switching to control based on control information L8, it is determined that there is less discomfort for the driver when switching, and switching to control based on safe driving control information L8 ensures safety of the vehicle 100 by motion control by the degeneration function. It is possible to perform motion control of the vehicle 100 without giving the driver a sense of discomfort.
  • the automatic driving control unit 12 even after abnormality detection by the abnormality detecting unit 16, the automatic driving control is performed for a predetermined period of time until the switching from control by the automatic driving control information L4 to control by the safe driving control information L8 is completed. Since it is necessary to continue the control based on the automatic driving control information L4 generated by the unit 12, the automatic driving control information L4 which has been verified if no abnormality has occurred is held for a predetermined time, and output is performed for a predetermined time.
  • the automatic driving control information L4 is held by the automatic driving control unit 12 as an example, but the present invention is not limited to this.
  • the automatic driving control information L4 is not limited to the automatic driving control It is good also as composition which devices other than part 12 hold.
  • a control system 1A in which the automatic driving control information L4 is held by the control information holding unit 40 other than the automatic driving control unit 12 will be described.
  • FIG. 10 is a functional block diagram for explaining the functional configuration of the entire control system 1A according to the modification.
  • the control information holding unit 40 of the control system 1A is connected to the switching unit 17.
  • the control information holding unit 40 acquires the automatic driving control information L4 generated by the automatic driving control unit 12 for a predetermined time via the switching unit 17, and holds the automatic driving control information L4 for the predetermined time.
  • control information holding unit 40 determines, for a predetermined time, automatic operation control information L4 verified to be able to guarantee safe traveling of vehicle 100 as a minimum. A minute is held, and when an abnormality occurs, the automatic operation control information L4 (hereinafter referred to as holding control information L11) held is output to the switching unit 17.
  • the switching unit 17 outputs the holding control information L11 held by the control information holding unit 40 to the motion control unit 18 when the abnormality detecting unit 16 detects that an abnormality has occurred in the control system 1A.
  • the motion control unit 18 can control the vehicle 100 (drive device 90) based on the holding control information L11. Therefore, since movement control based on the holding control information L11 in which safe traveling is minimum guaranteed is performed, the vehicle 100 can travel safely even when an abnormality occurs.
  • the holding control information L11 held by the control information holding unit 40 is automatic driving control information up to a predetermined time (future) generated by the automatic driving control unit 12, for example, traveling along the current lane,
  • the information is, for example, information for causing the vehicle 100 to perform control such as deceleration slowly while traveling along the lane, and retraction to the road shoulder and stop.
  • control information holding unit 40 other than the automatic driving control unit 12 holds the holding control information L11 (automatic driving control information L4)
  • the control information switching process described in FIG. Processing is performed with the holding control information L11 output from 40 as the output of the first control, and the safe driving control information L8 output from the safety control unit 19 as the output of the second control.
  • the vehicle 100 can maintain a predetermined trajectory by the main function based on the holding control information L11 output from the control information holding unit 40.
  • the automatic traveling along the line 801 can be performed, and the degeneration function based on the safe driving control information L8 output from the safety control unit 19 enables the automatic traveling along the predetermined track 801 with the minimum movement.
  • the control information holding unit 40 may hold the safe driving control information L8 generated by the safety control unit 19, and holds either or both of the holding control information L11 and the safe driving control information L8. You may do it. According to this configuration, when any failure occurs in the ECU 3 in which the safety control unit 19 is disposed, the motion of the vehicle 100 is safely controlled using the safe driving control information L8 held by the control information holding unit 40. be able to.
  • FIG. 11 is a diagram for explaining an example of a control method of the vehicle 100 by the control system 1A.
  • the trajectory of the main function based on the output of the first control (for example, the holding control information L11) is the trajectory 1001
  • the trajectory of the degeneration function based on the output of the second control (for example, the safe operation control information L8) is It is a trajectory 1002.
  • Each of the trajectory 1001 based on the main function and the trajectory 1002 based on the degeneracy function has position information of the own vehicle (vehicle 100) up to a predetermined time point (future) in time series.
  • the time t0 represents the current time
  • the position based on the holding control information L11 at the time t1 from the current time t0 to the predetermined time ahead and the position based on the safe driving control information L8 are They are (xa0, ya0) and (xb0, yb0), (xa1, ya1) and (xb1, yb1), (xa2, ya2) and (xb2, yb2), respectively.
  • the difference between the position (xa1, ya1) based on the holding control information L11 at time t1 and the position (xb1, yb1) based on the safe driving control information L8 is constant. If it is determined that the threshold dth (for example, 0.5 m) or more of the vehicle is exceeded, it is determined that the motion control of the vehicle accompanying switching from the holding control information L11 to the safe driving control information L8 becomes large. 2) The control based on the holding control information L11 (the output of the first control) is performed without switching to the control based on the output of (2) control.
  • the threshold dth for example, 0.5 m
  • the vehicle 100 when the difference d is larger than the predetermined threshold value dth, the vehicle 100 does not advance to the trajectory 1002 based on the safe driving control information L8 (degeneration function) even if there is some abnormality in the control system 1, It will travel on the track 1001 based on the information L11 (main function).
  • the difference d is compared with the predetermined threshold dth at a predetermined cycle, and when the difference d becomes equal to or less than the threshold dth, the process proceeds to the trajectory 1002 based on the safe driving control information L8 (degeneration function) .
  • the vehicle 100 travels on the trajectory 1002 based on the degeneration function when the difference d becomes equal to or less than the threshold dth after the vehicle 100 proceeds to the trajectory 1001 based on the main function and enters the right lane (for example, right Slow down while traveling along the lane etc.)
  • the comparison is made with the absolute distance at time t1, but for example, determination is made only by the positional relationship in the x-axis (traveling direction of the vehicle 100) or y-axis direction (perpendicular to traveling direction of the vehicle 100). You may For example, by determining only the position of the vehicle 100 in the x-axis direction, it is possible to determine that the output value deviates only when the position of the vehicle 100 on the lane is different. Further, by determining only the position of the vehicle 100 in the y-axis direction, it is possible to determine that the control output value deviates only when the acceleration / deceleration largely differs.
  • the switching unit 17 exemplifies the case where the switching output of the control output is determined based on the difference d based on the position information of the vehicle 100.
  • the switching unit 17 may make the determination based on the speed information and the acceleration information.
  • the respective information for example, by using the output of the first control (the automatic operation control information L4 or the holding control information L11) only when the speed information largely deviates, a large speed change (vertical direction, It is possible to suppress the occurrence of the lateral direction or the rotational direction).
  • the large acceleration change (longitudinal direction, lateral direction, or absolute value) It can suppress that it occurs.
  • the comparison determination when the comparison determination is made based on the speed or acceleration of the vehicle 100, the case where the signs of the respective X component, Y component or angular velocity direction are different may be used as the threshold. If the velocity or acceleration X component, Y component, or sign of the angular velocity direction is different, this generally means that the motion control of the vehicle 100 is significantly different, and it is effective to use this as the determination, and the determination is easy It becomes.
  • the speed change of the vehicle 100 is large and the motion control of the vehicle 100 becomes unstable (for example, spin, slip) as a method of setting a threshold other than the above.
  • An estimated limit value of movement may be set as a threshold. Thereby, the safety of the motion control of the vehicle 100 can be reliably ensured.
  • the switching method like a switch was demonstrated as an output method of the switching part 17 here, you may switch an output gradually according to time information, for example. For example, when switching from the output of the first control (the automatic driving control information L4 or the holding control information L11) to the output of the second control (the safe driving control information L8), an intermediate value (average value etc.) And then switch to the output of the second control. By doing this, it becomes possible to suppress large fluctuations at the time of switching of the control output.
  • the respective time information need not exactly match, and for example, the middle value between time t0 and t1 may be averaged and taken (for example, (xa0 + xa1) / 2) and compared . Even when there is a gap in the generated time information or a shortage in the track information, the determination can be appropriately performed.
  • the output of the first control is, for example, the holding control information L11
  • the second control safety driving control information L8
  • the difference such as the position or the speed does not fall below the predetermined value within the held holding control information L11
  • the time when the difference becomes the minimum value within the range of the holding control information L11 Switching of the control output (switching to the safe driving control information L8) is performed.
  • switching of the control output can be performed at the time when the influence on the motion control becomes the smallest within the range of the holding control information L11, and the driver's discomfort can be minimized.
  • the abnormality detection unit 16 determines that the abnormality is a transient, a time (for example, partial time) which is expected to recover from the transient abnormality If it is within the required time required for restart, the result of the judgment by the judgment method of the control output mentioned above, even if the difference is less than the predetermined value, the switching is not performed and the output of the first control (automatic operation control information The processing may be continued based on L4 or the holding control information L11). This can prevent unnecessary switching in the case of a transient abnormality.
  • a time for example, partial time
  • the output of the second control (safety operation control information L8) is output from the first control (automatic operation) by switching to the original control output by performing the determination by the control output determination method similar to that described above.
  • the stability of the motion control when switching to the control information L4 or the holding control information L11) can be secured.
  • the control system 1 (1A) has been described by exemplifying the case where there is one safety control unit 19.
  • the control system has two safety control units, that is, the safety control unit 19A and the safety control unit 19B, and when a failure occurs in the main function, the safety control unit 19A is used according to the priority and the safety control unit The reliability can be improved by further switching to the safety control unit 19B when an abnormality occurs in 19A.
  • the determination of the control output comparison method described above is performed for the output of the first control and the control output of the safety control unit 19A (safety operation control information L8A) that is the output of the second control.
  • the control output described above for the output of the first control and the control output (safety operation control information L8B) of the safety control unit 19B which is the output of the second control When the difference is less than or equal to a predetermined value as a result of the determination by the comparison method of the above, the control output can be used.
  • the automatic driving control unit 12 (first control unit) that generates automatic driving control information L4 (first control information) for normally controlling the motion of the vehicle 100 (moving object), and the motion of the vehicle 100
  • a safety control unit 19 (second control unit) that generates safe driving control information L8 (second control information) for non-ordinary control and one of automatic driving control information L4 and safe driving control information L8 is output.
  • the switching unit 17 has the safe driving control information L8 when the difference d between the automatic driving control information L4 and the safe driving control information L8 is equal to or less than a predetermined threshold dth (d ⁇ dth). It was set as the structure to output.
  • the switching part 17 will output the safe driving control information L8 for abnormal control, when the difference d of the automatic driving control information L4 and the safe driving control information L8 is small enough. Therefore, for example, when a failure occurs in a part of the control system 1 of the vehicle 100, the switching unit 17 outputs a plurality of control outputs (a plurality of functions (automatic driving control unit 12, safety control unit 19)) From the automatic driving control information L4 and the safe driving control information L8), it is possible to select a control output that can further maintain the safety.
  • a plurality of control outputs a plurality of functions (automatic driving control unit 12, safety control unit 19)
  • the switching unit 17 outputs the safe driving control information L8, so the motion of the vehicle 100 can be converted to the safe driving control information L8. Even based on the control, the motion of the vehicle 100 can be controlled safely and safely without giving the driver a sense of incongruity such as an impact at the time of switching.
  • the automatic driving control information L4 and the safe driving control information L8 include time information (for example, t0, t1, t2, ..., tn) with time, and the switching unit 17 uses the same time information ((2) For example, when the difference d between the automatic driving control information L4 and the safe driving control information L8 at t1) (for example, the difference between distance, speed, acceleration, and yaw rate) is less than or equal to a predetermined threshold dth (d ⁇ dth), safety The operation control information L8 is output.
  • time information for example, t0, t1, t2, ..., tn
  • the switching unit 17 can make the determination based on the same reference by judging based on the difference between the automatic driving control information L4 and the safe driving control information L8 at the same time, and the automatic driving control information L4 and the safe driving can be determined. It is possible to appropriately determine which of the control information L8 is to be output.
  • the threshold dth used to determine the difference d by the switching unit 17 is the reverse (plus or minus) sign of the difference d or the limit value of the motion of the vehicle 100 (for example, the vehicle 100 spins or slips) Limit value of the exercise to be
  • the switching unit 17 is configured to output the safe driving control information L8 after the time information in which the difference d becomes the smallest when all the differences d acquired over time are not less than or equal to the predetermined threshold dth. did.
  • the switching unit 17 outputs the safe driving control information L8 when the difference d becomes the minimum even when the difference d does not become equal to or smaller than the predetermined threshold dth. Can be reliably performed based on the safe driving control information L8.
  • the safety control unit 19B (third control unit) that generates safe driving control information L8B (third control information) for controlling the movement of the vehicle 100 is included, and the switching unit 17 holds Difference between information L11 (first control information) and safe driving control information L8A (second control information), difference between holding control information L11 (first control information) and safe driving control information L8B (third control information) And the safe driving control information L8A or the safe driving control information 8B of which the difference with the holding control information L11 is smaller.
  • control system 1 (1A) exemplifies the case where the control output to the motion control unit 18 is generated by the automatic operation control unit 12 or the safety control unit 19; Is not limited to this.
  • the original control program for moving the vehicle 100 of any control unit with the main function may be replaced (replaced) with an alternative program for moving with the degeneration function.
  • a control program possessed by the safety control unit 19 will be described by exemplifying a case where it is replaced (replaced) with an alternative program.
  • the safety control unit 19 generates a control output that causes the vehicle 100 to move with the degeneracy function according to the replaced alternative program.
  • FIG. 12 is a block diagram for explaining the functional configuration of the entire control system 1B according to the second embodiment.
  • FIG. 13 is a block diagram for explaining the functional configuration of the reconfiguration management unit 41.
  • FIG. 14 is a block diagram for explaining the functional configuration of the reconfiguration execution unit 42. As shown in FIG.
  • the control system 1B includes a reconfiguration management unit 41 and a reconfiguration execution unit 42, and the reconfiguration execution unit 42 It differs from the control system 1A of the embodiment described above in that the control program is replaced with an alternative program (reconfiguration) when a failure occurs in the control system 1B.
  • the motion control of the vehicle 100 with the degeneracy function based on the reconstructed alternative program corresponds to the non-ordinary control.
  • the reconfiguration management unit 41 and the reconfiguration execution unit 42 are arranged in different ECUs 3 (see FIG. 7).
  • the reconfiguration management unit 41 is disposed in the same ECU 3 as the integrated recognition unit 11 and the automatic driving control unit 12 (see FIG. 7), and the reconfiguration execution unit 42 is the same as the switching unit 17 and the motion control unit 18 It is arrange
  • the reconfiguration management unit 41 arranges the alternative program in the ECU 3 in which the reconfiguration execution unit 42 is disposed.
  • the ECU 3 in which no failure occurs the ECU 3 in which the reconfiguration execution unit 42 is disposed
  • execution of the alternative program by the reconfiguration execution unit 42 becomes possible.
  • the reconfiguration management unit 41 is connected to the abnormality detection unit 16, and prepares an alternative program (a program for realizing the degeneration function) based on the abnormality detection information L5 detected by the abnormality detection unit 16.
  • the reconfiguration management unit 41 has a control state monitoring unit 411, a control state determination unit 412, an information notification unit 413, an alternative program acquisition unit 414, an alternative program transmission unit 415, and an abnormality. And a control determination unit 416.
  • the control state monitoring unit 411 acquires the current control state of the vehicle 100 from the automatic driving control unit 12 or the like, and transmits the acquired control state of the vehicle 100 to the control state determination unit 412.
  • control state determination unit 412 determines a policy of reconfiguration as to which alternative program is to be arranged in which control unit (ECU 3).
  • the information notification unit 413 notifies one or both of the output management unit 14 and the notification management unit 15 of the information related to the reconfiguration determined by the control state determination unit 412.
  • the alternative program acquisition unit 414 is a storage area (cloud network, ROM, HDD) of different places via any ECU 3 in which the reconfiguration management unit 41 is arranged, an in-vehicle network such as CAN 99 or the communication device 5 etc. , RAM, etc.).
  • the alternative program transmission unit 415 transmits the alternative program acquired by the alternative program acquisition unit 414 to the reconfiguration execution unit 42.
  • the abnormality control determination unit 416 determines the control output according to an abnormality control determination method described later.
  • the reconfiguration execution unit 42 includes an alternative program reception unit 421, an alternative program allocation unit 422, an arrangement completion notification unit 423, a reconfiguration instruction reception unit 424, and an alternative program execution unit. And 425.
  • the alternative program reception unit 421 receives the alternative program transmitted from the alternative program transmission unit 415 of the reconfiguration management unit 41.
  • the alternative program placement unit 422 places the received alternative program in a predetermined storage area (ROM, RAM, etc.) of any one of the ECUs 3 in which the reconfiguration execution unit 42 is placed.
  • the arrangement completion notifying unit 423 notifies the reconfiguration management unit 41 that the arrangement of the alternative program to the predetermined storage area by the alternative program arranging unit 422 is completed.
  • the reconfiguration instruction reception unit 424 receives a reception instruction or an execution instruction of the alternative program from the reconfiguration management unit 41.
  • the alternative program execution unit 425 executes an alternative program arranged in a predetermined storage area.
  • the respective units in the above-mentioned reconfiguration management unit 41 and reconfiguration execution unit 42 communicate with each other to exchange necessary information and instructions.
  • the allocation of functions between the reconfiguration management unit 41 and the reconfiguration execution unit 42 is not limited to the above embodiment, and, for example, acquisition of an alternative program is not directly performed by the reconfiguration management unit 41 but by the reconfiguration execution unit 42 directly. It may be executed. In that case, the processing of transmitting and receiving the alternative program by the reconfiguration management unit 41 becomes unnecessary, and the processing load can be reduced.
  • the vehicle control state indicates a control state of the control system 1B of the vehicle 100.
  • ON / OFF of the automatic operation state when OFF, the driver operates and the system assists or the system does not control
  • travel on a general road or a highway ON / OFF during automatic parking
  • travel Speed low speed, medium speed, high speed
  • driver's condition operble or difficult to drive
  • situations where automatic driving is difficult such as weather (strong rain, fog, back light, roads not on the map, etc.), etc. are shown.
  • the ECU 3 requiring an alternative function or the ECU 3 capable of performing an alternative function is changed according to the vehicle control state. For example, when automatic parking is not performed, resources such as CPU, ROM, and RAM, which are necessary for realizing the function, are temporarily unnecessary, and an alternative program is arranged in that area. . Further, in another example, the general road is allocated to resources of the integrated recognition unit 11 and the automatic operation control unit 12 which are not used during automatic driving.
  • FIG. 15 is a diagram for explaining the sequence of the reconfiguration process in the control system 1B in the second embodiment described above.
  • the ECU 3A (for example, equivalent to the CPU 3A shown in FIG. 1) performs a reconfiguration instruction by the alternative program, a reconfiguration management unit 41, and a control unit where a failure occurs (eg: automatic operation control unit 12) will be described as an example.
  • the ECU 3B (for example, corresponding to the CPU 3B shown in FIG. 1) has a reconfiguration execution unit 42 that executes the alternative program reconfigured by the reconfiguration management unit 41, and the ECU 3B and ECU 3C that execute alternative control are normally The case where control is received from the ECU 3A will be described as an example.
  • the ECU 3A In traveling of the vehicle 100 at the normal time, the ECU 3A outputs a control output for executing the normal control to the ECU 3C (S1301). The ECU 3B also outputs a control output for executing the normal control to the ECU 3C at normal times (S1302).
  • the automatic driving control unit 12 of the ECU 3A determines that, and instructs the reconfiguration management unit 41 A change of the vehicle control state is notified (S1303).
  • the reconfiguration management unit 41 notified of itself acquires the alternative program by itself.
  • the reconfiguration management unit 41 instructs the other ECU 3B, 3C or storage (HDD or the like) to output a substitute program (S1304).
  • the acquisition destination of the alternative program by the reconfiguration management unit 41 is any ECU inside the control system 1B of the vehicle 100, or storage (HDD etc.), or the outside of the control system 1B via the communication device 5 or GW97. Acquire from the device. Alternatively, it is held in advance in an ECU that requests functional substitution, such as in the ECU 3A.
  • the ECU 3A that has acquired the alternative program (S1305) transmits the alternative program acquired by the reconfiguration management unit 41 to the ECU 3B that performs functional substitution at the time of failure (S1306).
  • the ECU 3B having received the alternative program arranges the alternative program by the reconstruction execution unit 42.
  • the ECU 3B notifies the completion of the placement when receiving all the substitute programs and completing the placement (S1307).
  • the ECU 3A continues the control at the normal time while managing the reconfiguration (S1308).
  • the failure detection unit 16 of the control system 1 detects the failure and notifies the ECU 3B of the occurrence of the failure.
  • the ECU 3B detects an abnormality in response to the interruption of communication (S1310).
  • the ECU 3B recognizing the failure starts the execution of the alternative program held by the reconfiguration execution unit 42 (S1311). At that time, the control is taken over, and control (unusual control) based on the alternative program is performed from the ECU 3B to the ECU 3C (S1312). In this way, alternative functions are implemented.
  • the reconstruction management unit 41 receives a notification from the automatic driving control unit 12 or the like as described above, and the alternative program is not necessary for the ECU 3B.
  • a state change notification including the information of (1) is issued (S1314).
  • the ECU 3B discards the alternative program held by the reconfiguration execution unit 42 in response to receiving the state change notification (S1315). Thereafter, as necessary, the ECU 3B performs control at normal times based on a normal control program (S1316).
  • the alternative program for alternative processing is arranged in advance in the ECU 3B according to the vehicle control state, and when a failure occurs, the program is switched to the alternative program.
  • FIG. 16 is a flowchart of control information switching processing of the switching unit 17 according to the second embodiment.
  • control information switching process of the switching unit 17 has a reconfiguration completion determining process (step S1401) for determining whether or not the reconfiguration is completed. This is mainly different from the processing (see FIG. 6).
  • step S1401 after the switching unit 17 of the control system 1B acquires the notification of abnormality detection from the abnormality detection unit 16, whether or not reconfiguration (replacement of the alternative program by the reconfiguration management unit 41) is completed or not If it is determined that the reconfiguration is not completed (step S1401: NO), the process proceeds to step S1405, and the reconfigured control output can not be used, and therefore the retention control information acquired from the control information retention unit 40 L11 is output to the motion control unit 18.
  • Step S1401 If the switching unit 17 determines that the reconfiguration is completed (Yes at Step S1401), the process proceeds to Step S1402, and the reconfigured control output acquired from the reconfiguration execution unit 42 and the acquired control information storage unit 40 The comparison with the holding control information L11 is performed, and in step S1403, it is determined whether the difference d of the comparison result is less than or equal to a predetermined specified value (threshold dth).
  • step S1403: YES If the switching unit 17 determines that the difference d is equal to or less than the predetermined threshold dth (step S1403: YES), the process proceeds to step S1404 and the reconfigured control output (for controlling the motion of the vehicle 100 with the degeneration function) When it is determined that the safe driving control information L8) is output to the motion control unit 18 and the difference d is not less than the predetermined threshold dth (step S1403: No), the process proceeds to step S1405 and the holding control information L11 is transferred to the motion control unit 18 Output to
  • the reconstruction management unit 41 having an alternative program for controlling the motion of the vehicle 100, and the reconstruction execution unit 42 (the reconstruction management unit 41 and the reconstruction execution unit 42 are combined to reconstruct the present invention
  • the safety control unit 19 controls the vehicle 100 based on an alternative program that the reconstruction execution unit 42 has, instead of the control program that exhibits the main function.
  • safety control unit 19 can control vehicle 100 with an alternative program that exhibits a degeneracy function instead of the control program that exhibits a normal main function. Even when a failure (failure) occurs, the safety control of the vehicle 100 can be appropriately performed based on the alternative program.
  • the switching unit 17 is ready to generate the safety control information L8 (control output) using the alternative program instead of the control program that exerts the normal main function by the safety control unit 19 If not, the holding control information L11 held by the control information holding unit 40 is output.
  • the switching unit 17 can appropriately perform the control of the vehicle 100 without stopping the control even before the preparation of the control by the alternative program is completed.
  • control information switching process by the switching unit 17 may be executed based on the determination result.
  • FIG. 17 is a block diagram for explaining the functional configuration of the entire control system 1C according to the third embodiment.
  • FIG. 18 is a diagram for explaining an example of vehicle control by the control system 1C of the third embodiment.
  • the control system 1C differs from the control system 1B described above in that the control system 1C further includes an emergency control unit 43 that determines an emergency state of the vehicle 100 in addition to the configuration of the control system 1B described above.
  • the emergency control unit 43 is connected to a plurality of detection devices 80, and determines whether the vehicle 100 is in an emergency state based on the surrounding situation L1 of the vehicle 100 detected by the detection devices 80.
  • the emergency control unit 43 determines that the vehicle 100 is in the emergency state
  • the emergency control information L12 for avoiding the emergency state of the vehicle 100 (for example, control to decelerate the vehicle 100 toward the road shoulder and stop it at the road shoulder) Information) is output to the switching unit 17.
  • the emergency control unit 43 acquires relative information from the surrounding situation L1 of the vehicle 100 detected by the 360 ° camera 87, the sonar 84 or the like, and based on the relative information, whether the vehicle 100 is in an emergency state or not judge.
  • relative information is information that can be acquired from the external world recognition information, particularly from the detection device 80, and can be calculated from the relative position and relative velocity between the surrounding object and the vehicle, relative acceleration, and their values. Is any combination of information.
  • FIG. An example of the relative information is shown in FIG.
  • an example in which the preceding vehicle 101 is recognized by the detection device 80 is shown.
  • the relative speed indicates the speed at which the own vehicle (vehicle 100) and the preceding vehicle 101 (object) approach or leave.
  • the direction from the host vehicle (vehicle 100) to the leading vehicle 101 and the traveling direction of both are the same, it can be represented by the difference between the speeds of the leading vehicle 101 and the host vehicle.
  • the method of expressing the relative position may be expressed by a coordinate system with the vehicle at the origin as well as the relative distance and angle.
  • the vehicle can be represented by (rxa, rxy), with the vehicle as the origin, y-coordinate in the front-rear direction of the vehicle, positive in the forward direction, and x-coordinate in the left-right direction with the right.
  • the emergency control unit 43 of the control system 1C creates drive control information based on the state of the host vehicle (vehicle 100) acquired from the detection device 80.
  • the emergency control unit 43 determines the relative information and the state of the vehicle acquired from the detection device 80, and outputs drive control information for performing deceleration to the switching unit 17.
  • the emergency control unit 23 controls acceleration or deceleration so that the relative position of the preceding vehicle 101 ahead does not exceed a predetermined amount or falls below a predetermined amount.
  • the emergency control unit 43 similarly performs control so that the relative position does not exceed a predetermined amount or falls below a predetermined amount.
  • the determination may be performed based on not only the relative position but also the relative velocity and the relative acceleration. For example, if there is a preceding vehicle 101 ahead and there is a high possibility of approaching the vehicle due to relative speed or relative acceleration even if the relative position is the same, deceleration control is performed.
  • the equation for calculating the risk value for the above judgment can be expressed by the following equation 2 with the risk value R, the relative distance dl, the relative velocity dv, and the relative acceleration da.
  • R the risk value
  • dl the relative distance
  • dv the relative velocity
  • da the relative acceleration da.
  • A, B and C are constants.
  • acceleration or deceleration is controlled so that the risk value R does not exceed a certain amount, as in the determination based on the relative position.
  • the control based on the relative information can be performed by the determination by the emergency control unit 23 described above and the control of acceleration / deceleration.
  • control is performed so that the relative position is separated from the near one. For example, deceleration is controlled when another vehicle ahead is closer, or acceleration is controlled when another vehicle behind is closer. Further, not only in the front-rear direction but also in the left-right direction, it is recognized from the relative position, and steering is performed in the direction in which other vehicles are not present, for example, control to avoid a collision in the front-rear direction.
  • the target yaw rate for that purpose also includes the drive control information, and the emergency control unit 43 outputs the switching unit 17.
  • FIG. 19 is a flowchart of control information switching processing of the switching unit 17 according to the third embodiment.
  • step S1701 the switching unit 17 of the control system 1C determines whether or not the emergency control information L12 (control output) from the emergency control unit 43 is received, and receives the emergency control information L12 from the emergency control unit 43. If it is determined (step S1701: YES), the process proceeds to step S1706, and the emergency control information L12 received from the emergency control unit 43 is output to the exercise control unit 18.
  • step S1701 determines that the received control output is not the emergency control information L12 from the emergency control unit 43 (step S1701: No)
  • the process proceeds to step S1702, and the same as in the first embodiment. , The first control output and the second control output are compared.
  • step S1703 the switching unit 17 determines whether the difference d of the comparison result in step S1702 is less than or equal to a predetermined specified value (threshold dth), and is equal to or less than the predetermined specified value (threshold dth). (Step S1703: Yes), the process proceeds to step S1705, and the output of the second control (for example, safe driving control information L8) is output to the motion control unit 18.
  • a predetermined specified value for example, safe driving control information L8
  • step S1703 determines that the difference d is not less than or equal to the predetermined specified value (threshold dth) (step S1703: No)
  • the impact at the switching of the control is increased as it is, and the switching of the control can not be performed.
  • the output of the first control (for example, the holding control information L11) is output to the motion control unit 18.
  • the control should be preferentially implemented when a highly urgent process is required, such as a change in surrounding conditions. Can.
  • the safety control unit 19 and the emergency control unit 43 are illustrated as different functional blocks, but they may be the same functional block, for example, the control output of the safety control unit 19. And information indicating that it is emergency control may be added. With this configuration, it is possible to reduce functional blocks and facilitate determination.
  • the emergency control unit 43 that performs emergency control of the vehicle 100 is provided, and when the switching unit 17 acquires the emergency control information L12 generated by the emergency control unit 43, the automatic control generated by the automatic operation control unit 12 Instead of the operation control information L4, the safe operation control information L8 generated by the safety control unit 19, or the holding control information L11 held by the control information holding unit 40, the emergency control information L12 is preferentially output. .
  • the switching unit 17 when the vehicle 100 is in an emergency state, the switching unit 17 outputs emergency control information L12 for avoiding the emergency state of the vehicle 100 instead of the other control information.
  • the emergency state of the vehicle 100 can be avoided quickly and reliably based on the control information L12.
  • the user input unit 13 uses the input device 8 to start the driving operation of the user (for example, stepping on a pedal, operating a steering, pushing an automatic driving end button, etc.) Detection, and notifies the switching unit 17 of this.
  • the switching unit 17 receives the notification of the start operation of the driving operation by the user, and performs user control switching determination processing described later.
  • FIG. 20 is a flowchart of user control switching determination processing of the switching unit 17 according to the fourth embodiment.
  • step S1801 the switching unit 17 outputs the control output (for example, the holding control information L11) by the control system as in the control information switching process (step S101) in the switching unit 17 of the first embodiment described above,
  • the control output (for example, user operation input) by user operation is compared.
  • the control output by the control system corresponds to the output of the first control
  • the control output by the user operation corresponds to the output of the second control.
  • step S1802 the switching unit 17 determines whether the difference d of the comparison result in step S1801 is less than or equal to a predetermined specified value (threshold dth), and is equal to or less than the predetermined specified value (threshold dth) When it is determined that (step S1802: Yes), the control can be switched safely, so the process proceeds to step S1804 and the control output by the user operation is output to the exercise control unit 18.
  • step S1802 determines that the difference d of the comparison result in step S1801 is not less than or equal to the predetermined specified value (threshold dth) (step S1802: No)
  • the shock at the time of switching the control remains unchanged.
  • the process proceeds to step S1803, and the control output by the control system is output to the motion control unit 18 without switching to the user operation.
  • control when there is a user operation input and control is switched, control is not switched when there is a significant difference between motion control by the time-series operation by the control system of the vehicle 100 and the user operation. It is possible to switch control safely, avoiding an unsafe motion control state.
  • the control system 1 of the vehicle 100 when switching the control output of the automatic driving, the output in the case where the result of the motion control by the automatic driving control information fluctuates largely in time series is suppressed. From the viewpoint, it is possible to switch to a different control output such as a degeneration system safely.
  • control when switching from the holding control information L11 to the output of the safe driving control information L8, the control can be switched safely by comparing in time series.
  • the safe driving control information L8 is configured to be operation control information by user operation.
  • the switching unit 17 when the switching unit 17 receives operation control information by user operation during automatic driving of the vehicle 100 based on the automatic driving control information L4 (when it is overridden), the automatic driving control information L4 and the user operation are Since the operation control information by the user operation is output when the difference d with the operation control information by the user is equal to or less than the predetermined threshold value dth, the switching to the user operation at the time of overriding can be smoothly performed.
  • control system 1 was applied to the vehicle 100
  • the control system 1 mentioned above is a construction machine, an escalator
  • the present invention can be suitably applied to all types of mobile objects such as elevators, railways, ships, aircraft, and drone.
  • the control switching is not performed when the shock at the control switching becomes large, and the specified value or less Since the control switching is performed only in the case of the above, it is possible to reduce the sense of discomfort when switching the control between the driver and the occupant, and it is possible to drive safely and safely.
  • the present invention is not limited to the one provided with all the configurations of the above-described embodiment, and a part of the configuration of the above-described embodiment is replaced with the configuration of the other embodiments. Alternatively, the configuration of the above-described embodiment may be replaced with the configuration of another embodiment.
  • control system 11 integrated recognition unit 12: automatic operation control unit 13: user input unit 14: output management unit 15: notification management unit 16: abnormality detection unit 17: switching unit 18: exercise Control unit, 19: Safety control unit, 2: AD1-ECU, 3: VMC-ECU, 31: CPU, 32: CPU, 33: Memory, 4: GW, 40: Control information holding unit, 41: Reconfiguration management unit , 42: reconfiguration execution unit, 43: emergency control unit, 5: communication device, 6: other vehicle control system, 7: external output device, 8: input device, 9: notification device, 80: detection device, 81, 85: corner rider, 82: corner radar, 83: front camera, 84: sonar, 86: front radar, 87: 360 ° camera, 90: drive device, 91: brake, 92: steering, 93: ECU, 94: EMC, 9 : ATCU, 971: Body, 972: HMI, 973: connection device, 974: information providing apparatus

Abstract

The present invention provides a control system for a mobile body which, in a case where a malfunction has occurred in a part of the control system, can suitably select a control output from among a plurality of control outputs output from a plurality of functions. The present invention comprises: an automatic operation control unit 12 for generating automatic operation control information L4 for ordinary control of the operation of a vehicle 100; a safety control unit 19 for generating safety operation control information L8 for non-ordinary control of the operation of the vehicle 100; and a switching unit 17 for outputting either the automatic operation control information L4 or the safety operation control information L8. In a case where a differential d between the automatic operation control information L4 and the safety operation control information L8 is less than or equal to a prescribed threshold dth (d≤dth), the switching unit 17 outputs the safety operation control information L8.

Description

移動体の制御システムおよび移動体の制御方法Mobile body control system and mobile body control method
 本発明は、移動体の制御システムおよび移動体の制御方法に関する。 The present invention relates to a control system of a mobile unit and a control method of the mobile unit.
 近年、車両、建設機械、エレベータなどの産業機器では、産業機器を制御する制御システムに不具合が発生した場合の影響が深刻となることがある。そのため、この種の産業機器では、制御システムの一部の機能に不具合が発生した場合、他の機能で代替させることが考えられる。
 このように、産業機器の制御システムにおいて、所定の機能を他の機能で代替させることができるようにしたものを、システムの多重化又は冗長化と言う。 In recent years, in industrial devices such as vehicles, construction machines, and elevators, the influence of a failure in a control system that controls industrial devices may be serious. Therefore, in this type of industrial equipment, when a failure occurs in some functions of the control system, it may be considered to substitute other functions.
As described above, in a control system of industrial equipment, one capable of replacing a predetermined function with another function is referred to as system multiplexing or redundancy.
 多重化又は冗長化された制御システムに不具合が発生した場合、または不具合が回復して正常機能に復帰する場合、正常機能と代替機能との相互の移行を、産業機器の制御を停止させることなく、所定の切り替え期間内にスムーズに行うことが産業機器の安全性と、機能の品質の点から求められている。 When a failure occurs in the multiplexed or redundant control system, or when the failure recovers and returns to the normal function, the mutual transition between the normal function and the alternative function is performed without stopping the control of the industrial equipment. To be performed smoothly within a predetermined switching period is required in terms of the safety of industrial equipment and the quality of functions.
 特許文献1には、車両の制御システムにおいて、故障を修復しシステムを正常な状態へと復元した際に発生する制御段差を緩和する技術が開示されている。 Patent Document 1 discloses, in a control system of a vehicle, a technique for relieving a control step that occurs when a failure is repaired and the system is restored to a normal state.
特開2017-33236号公報JP 2017-33236 A
 ここで、近年、開発が進められている車両の自動運転技術では、将来の自車位置(軌道)の時系列情報(制御出力)が、正常機能と代替機能の2系統から出力される場合がある。また、この種の車両の制御システムでは、代替機能で用いられる将来の運動情報だけでなく、自動運転中に運転者が操作を行った場合(オーバーライドした場合)の操作情報や、より緊急性の高い車両の緊急情報なども出力される場合がある。 Here, in the automatic driving technology of a vehicle under development in recent years, there may be cases where time-series information (control output) of the future vehicle position (track) is output from two systems of a normal function and an alternative function. is there. In addition, in the control system of this type of vehicle, not only future motion information used in the alternative function, but also operation information when the driver performs an operation during automatic driving (when overriding) or more urgently Emergency information of high vehicles may also be output.
 特許文献1に開示された技術は、正常機能と代替機能の各々から出力された情報を単純に比較するだけの技術であり、制御システムの一部に不具合が発生した場合、複数の機能から出力された複数の制御出力の中から、制御出力を適切に選択することはできない。 The technology disclosed in Patent Document 1 is a technology that simply compares the information output from each of the normal function and the alternative function, and outputs a plurality of functions when a failure occurs in part of the control system. The control output can not be properly selected from among the plurality of control outputs.
 したがって、本発明は、上記の課題に着目してなされたもので、移動体の制御システムの一部に不具合が発生した場合に、複数の機能から出力された複数の制御出力の中から、制御出力を適切に選択できる制御システムを提供することを目的とする。 Therefore, the present invention has been made focusing on the above-mentioned problems, and in the case where a failure occurs in a part of the control system of a moving object, control is performed from among a plurality of control outputs output from a plurality of functions. An object of the present invention is to provide a control system capable of appropriately selecting an output.
 上記課題を解決するため、移動体の運動を通常制御するための第1制御情報を生成する第1の制御部と、移動体の運動を非通常制御するための第2制御情報を生成する第2の制御部と、第1制御情報と第2制御情報の何れか一方を出力する切替部とを有し、切替部は、第1制御情報と第2制御情報との差分が所定の閾値以下である場合、第2制御情報を出力する構成とした。 In order to solve the above-mentioned subject, the 1st control part which generates the 1st control information for usually controlling movement of a mobile, and the 2nd control information which generates the 2nd control information for unusually controlling movement of a mobile. And a switching unit for outputting any one of the first control information and the second control information, and the switching unit is configured such that the difference between the first control information and the second control information is equal to or less than a predetermined threshold value. When it is, it is set as the structure which outputs 2nd control information.
 本発明によれば、移動体の制御システムの一部に不具合が発生した場合に、複数の機能から出力された複数の制御出力の中から、制御出力を適切に選択できる制御システムを提供することができる。 According to the present invention, there is provided a control system capable of appropriately selecting a control output from among a plurality of control outputs output from a plurality of functions when a failure occurs in a part of a control system of a moving object. Can.
実施の形態にかかる制御システムの機能を説明するブロック図である。It is a block diagram explaining the function of the control system concerning an embodiment. 制御システムを搭載した車両の構成を説明する概略図である。It is a schematic diagram explaining composition of a vehicle carrying a control system. 制御システムの装置構成を説明するブロック図である。It is a block diagram explaining an apparatus configuration of a control system. 制御装置(ECU)の内部構成の一例を説明するブロック図である。It is a block diagram explaining an example of an internal configuration of a control device (ECU). プロセッサで動作するソフトウェアモジュールの構成を説明する図である。It is a figure explaining the composition of the software module which operates with a processor. 制御システム全体の機能構成を説明する機能ブロック図である。It is a functional block diagram explaining the functional composition of the control system whole. 制御システムのECUの内部構成への機能配置の一例を説明する図である。It is a figure explaining an example of the functional arrangement to the internal configuration of ECU of a control system. 制御システムによる車両制御の一例を説明する図である。It is a figure explaining an example of vehicle control by a control system. 切替部における制御情報切替処理のフローチャートである。It is a flowchart of the control information switching process in a switching part. 変形例にかかる制御システム全体の機能構成を説明する機能ブロック図である。It is a functional block diagram explaining the functional composition of the whole control system concerning a modification. 制御システムによる車両の制御方法の一例を説明する図である。It is a figure explaining an example of the control method of the vehicle by a control system. 第2の実施の形態の制御システム全体の機能構成を説明するブロック図である。It is a block diagram explaining the functional composition of the whole control system of a 2nd embodiment. 再構成管理部の構成を説明するブロック部である。It is a block part explaining the structure of a reconfiguration | reconstruction management part. 再構成実行部の構成を説明するブロック図である。It is a block diagram explaining the structure of a reconfiguration | reconstruction execution part. 第2の実施の形態の制御システムにおける、再構成処理のシーケンスを説明する図である。It is a figure explaining the sequence of the reconstruction process in the control system of 2nd Embodiment. 第2の実施の形態の切替部における、制御情報切替処理のフローチャートである。It is a flow chart of control information change processing in a change part of a 2nd embodiment. 第3の実施の形態の制御システム全体の機能構成を説明するブロック図である。It is a block diagram explaining the functional composition of the whole control system of a 3rd embodiment. 第3の実施の形態の制御システムによる車両制御の一例を説明する図である。It is a figure explaining an example of vehicle control by a control system of a 3rd embodiment. 第3の実施の形態の切替部の制御情報切替処理のフローチャートである。It is a flowchart of the control information switch process of the switch part of 3rd Embodiment. 第4の実施の形態の切替部のユーザ制御切り替え判定処理のフローチャートである。It is a flow chart of user control change judging processing of a change part of a 4th embodiment.
[制御システム]
 以下、本発明の実施の形態にかかる制御システム1を説明する。実施の形態では、制御システム1を、車両100などの移動体の制御に用いられる制御システムに適用した場合を例示して説明する。
 図1は、実施の形態にかかる移動体の制御システム1(以下、単に制御システム1という)の機能を説明するブロック図である。 Control system
Hereinafter, a control system 1 according to an embodiment of the present invention will be described. In the embodiment, a case where the control system 1 is applied to a control system used to control a moving object such as a vehicle 100 will be described as an example.
FIG. 1 is a block diagram for explaining the function of a mobile object control system 1 (hereinafter simply referred to as the control system 1) according to the embodiment.
 図1に示すように、制御システム1は、AD1―ECU2と、VMC―ECU3とを有しており、AD1-ECU2とVMC-ECU3とは、各々のネットワークリンクを接続するゲートウェイ(以下、GW(Gateway)97と言う)を介して接続されている。ここでADは、Automated Driving、又はAutonomous Drivingを想定して用いている。またVMCは、Vehicle Motion Contorolを想定して用いている。またECUは、Electronic Control Unitを想定して用いている。 As shown in FIG. 1, the control system 1 includes an AD1-ECU 2 and a VMC-ECU 3. The AD1-ECU 2 and the VMC-ECU 3 are gateways (hereinafter referred to as GWs (hereinafter referred to as GWs) that connect the respective network links. It is connected via Gateway) 97). Here, AD is used on the assumption of Automated Driving or Autonomous Driving. Also, VMC is used assuming Vehicle Motion Control. Also, the ECU is assumed to be an Electronic Control Unit.
 実施の形態では、AD1-ECU2は、車両100の全体制御を行う上位の高機能ECUである。AD1-ECU2には、コーナライダ81、コーナレーダ82、フロントカメラ83、ソナー84などの車両100の周囲状況を検知する検知装置80が接続されている。AD1-ECU2は、この検知装置80による車両100の周囲状況の検知結果に基づいて、車両100の将来の位置情報(軌道)の生成(算出)を行う。実施の形態において、将来とは、現在時刻よりも先の時刻を意味する。 In the embodiment, AD1-ECU2 is a high-level high-performance ECU that performs overall control of the vehicle 100. Connected to the AD 1 -ECU 2 is a detection device 80 for detecting a surrounding condition of the vehicle 100 such as a corner rider 81, a corner radar 82, a front camera 83, a sonar 84 and the like. The AD 1 -ECU 2 generates (calculates) future position information (track) of the vehicle 100 based on the detection result of the surrounding condition of the vehicle 100 by the detection device 80. In the embodiment, the future means a time earlier than the current time.
 なお、検知装置80は、上記のほか、コーナライダ85、フロントレーダ86、360°カメラ87を有している。これらの検知装置80は、スイッチ(以下、SW88と言う)を介して、AD1-ECU2とVMC-ECU3(後述するCPU3B)に選択可能に接続されており、スイッチ88の切り換えにより、AD1-ECU2とVMC-ECU3の何れかまたは両方に接続される。 In addition to the above, the detection device 80 includes a corner rider 85, a front radar 86, and a 360 ° camera 87. The detection devices 80 are selectively connected to the AD1-ECU 2 and the VMC-ECU 3 (CPU 3B described later) via a switch (hereinafter referred to as SW 88), and switching of the switch 88 causes the AD1-ECU 2 and It is connected to one or both of VMC-ECU3.
 自動運転システムを搭載した車両100において、AD1-ECU2は、前述した検知装置80で検知した周囲状況と、車両100の将来の位置情報(軌道)とに基づいて、車両100を制御するための制御出力を生成する。AD1-ECU2は、生成した制御出力をVMC-ECU3に送信する。 In the vehicle 100 equipped with the automatic driving system, the AD 1 -ECU 2 performs control for controlling the vehicle 100 based on the surrounding situation detected by the detection device 80 described above and the future position information (track) of the vehicle 100. Generate output. AD1-ECU2 transmits the generated control output to VMC-ECU3.
 VMC-ECU3は、車両100の運動に関与する駆動装置(例えば、エンジン、アクセル、ブレーキ、ステアリングなど)のアクチュエータを直接制御する下位の単機能ECUである。 The VMC-ECU 3 is a lower-level single-function ECU that directly controls an actuator of a drive device (for example, an engine, an accelerator, a brake, a steering, etc.) involved in the motion of the vehicle 100.
 VMC-ECU3は、ブレーキ91、ステアリング92、他のECU93、EMC94、ATCU95などの車両100の駆動装置90に、車載ネットワーク(Controller Area Network:以下、CAN99と言う)を介して接続されている。VMC-ECU3は、AD1-ECU2からの制御出力に基づいてこれらの駆動装置90を制御する。 The VMC-ECU 3 is connected to a drive device 90 of the vehicle 100 such as the brake 91, the steering 92, the other ECU 93, the EMC 94, and the ATCU 95 via a controller area network (hereinafter referred to as CAN 99). The VMC-ECU 3 controls these drive devices 90 based on the control output from the AD 1 -ECU 2.
 なお、CAN99には、CANFD(CAN With Flexible Data-rate、Ethernet(登録商標)等の通信回線が含まれる。 The CAN 99 includes communication lines such as CAN FD (CAN With Flexible Data-rate, Ethernet (registered trademark)).
 VMC-ECU3は、CPU(Central Processing Unit)3Aと、このCPU3Aと並列に設けられたCPU3Bとの2個CPUを有するデュアルコアプロセッサである。実施の形態では、VMC-ECU3は、CPU3AとCPU3Bとを並列に有するデュアルコアプロセッサを例示して説明するが、これに限定されるものではない。例えば、VMC-ECU3は、4個のCPUを並列に有するクアッドコアプロセッサ、6個のCPUを並列に有するヘキサコアプロセッサ、それ以上のCPUを並列に有するマルチコアプロセッサであってもよい。 The VMC-ECU 3 is a dual core processor having two CPUs, a central processing unit (CPU) 3A and a CPU 3B provided in parallel with the CPU 3A. In the embodiment, the VMC-ECU 3 exemplifies and describes a dual core processor having the CPU 3A and the CPU 3B in parallel, but the present invention is not limited to this. For example, the VMC-ECU 3 may be a quad core processor having four CPUs in parallel, a hexa core processor having six CPUs in parallel, or a multi-core processor having more CPUs in parallel.
 また、VMC-ECU3には、メモリ33が設けられている。メモリ33には、VMC-ECU3の制御に用いられる制御プログラム(図示せず)や、制御用の各種パラメータ(図示せず)が記憶されている。 In addition, a memory 33 is provided in the VMC-ECU 3. The memory 33 stores a control program (not shown) used to control the VMC-ECU 3 and various control parameters (not shown).
 CPU3Aは、車両100の運動に関与する駆動装置90(例えば、ブレーキ91、ステアリング92、アクセル(図示せず))などの制御を行う。CPU3Aは、GW97を介してAD1-ECU2に接続されている。CPU3Aは、CPU3Bと接続されており、CPU3Bとの間で、CPU3A又はCPU3Bで処理された各種情報の通信を相互に行う。 The CPU 3A controls the drive device 90 (for example, the brake 91, the steering 92, an accelerator (not shown)) and the like involved in the motion of the vehicle 100. The CPU 3A is connected to the AD1-ECU 2 via the GW 97. The CPU 3A is connected to the CPU 3B, and mutually communicates various information processed by the CPU 3A or the CPU 3B with the CPU 3B.
 CPU3Bは、コーナライダ85、フロントレーダ86、360°カメラ87などの検知装置80に接続されており、これら検知装置80から周囲状況を取得する。CPU3Bは、検知装置80から取得した周囲状況をCPU3Aに送信する。 The CPU 3 B is connected to a detection device 80 such as a corner rider 85, a front radar 86, and a 360 ° camera 87, and acquires the surrounding situation from the detection device 80. The CPU 3B transmits the surrounding situation acquired from the detection device 80 to the CPU 3A.
 なお、CPU3AとCPU3Bとのうち、少なくとも何れか一方においては、当該CPU3A又はCPU3Bの機能を縮退させるための縮退モジュール96がインストールされ実行可能となる演算装置やメモリ等のリソースが準備されている。 In addition, in at least one of the CPU 3A and the CPU 3B, resources such as an arithmetic device and a memory are prepared, which are capable of installing and executing the degeneration module 96 for degenerating the function of the CPU 3A or CPU 3B.
 ここで縮退とは、CPU3A又はCPU3Bにおいて、駆動装置90を制御するための基本的な機能(主機能)よりも性能を落としたり、主機能を制限して限定的ながら制御を続行すること、又はCPU3A又はCPU3Bの所定の機能が使用できない場合、代替となる他の機能に切り替えること、又はその機能や構成を意味する。
 実施の形態では、この主機能による車両100の制御を通常制御、縮退機能による車両100の制御を非通常制御と言うこともある。 Here, degeneracy means that the CPU 3A or CPU 3B lowers the performance than the basic function (main function) for controlling the drive device 90, or continues the control while limiting the main function and limiting it, or When a predetermined function of the CPU 3A or the CPU 3B can not be used, it means switching to another function which is a substitute, or its function or configuration.
In the embodiment, control of the vehicle 100 by the main function may be referred to as normal control, and control of the vehicle 100 by the degeneration function may be referred to as non-normal control.
 これにより、VMC-ECU3は、CPU3A又はCPU3Bの何れか一方で駆動装置90を制御する場合、他方のCPU3A又はCPU3Bの機能を、縮退モジュール96に基づいて縮退させることができる。よって、VMC-ECU3は、CPU3A又はCPU3Bの何れか一方は、ブレーキ91、ステアリング92などの駆動装置90を縮退機能により制御することができる。 Thus, when the drive device 90 is controlled by either the CPU 3A or the CPU 3B, the VMC-ECU 3 can degenerate the function of the other CPU 3A or CPU 3B based on the degeneration module 96. Therefore, the VMC-ECU 3 can control the drive device 90 such as the brake 91 and the steering 92 by either of the CPU 3A or the CPU 3B by the degeneration function.
 GW97は、ネットワークリンク又は専用線を介してボディ971、HMI972、接続装置973、情報提供装置974に接続されている。 The GW 97 is connected to the body 971, the HMI 972, the connection device 973, and the information providing device 974 via a network link or a dedicated line.
 前述したVMC-ECU3のCPU3Aは、本発明の第1の制御部を構成し、CPU3Bは、本発明の第2の制御部を構成する。 The CPU 3A of the VMC-ECU 3 described above constitutes a first control unit of the present invention, and the CPU 3B constitutes a second control unit of the present invention.
 次に、前述した制御システム1を搭載した車両100の構成を説明する。
 図2は、制御システム1を搭載した車両100の構成を説明する概略図である。 Next, the configuration of the vehicle 100 equipped with the control system 1 described above will be described.
FIG. 2 is a schematic view illustrating the configuration of a vehicle 100 equipped with the control system 1.
 図2に示すように、制御システム1は、車両100の内部に配置されている。車両100の内部には、AD1-ECU2やVMC-ECU3などの車両制御装置4と、通信装置5と、車両制御装置4と異なる又は同一のプロトコルを用いたネットワークにより構成される他の車両制御装置(ECU:図1のECU93に相当)6と、外部出力装置7と、入力装置8と、報知装置9と、検知装置80と、駆動装置90と、が接続されている。 As shown in FIG. 2, the control system 1 is disposed inside the vehicle 100. Inside the vehicle 100, another vehicle control device configured by a network using a different or the same protocol as the vehicle control device 4 such as the AD1-ECU 2 or the VMC-ECU 3, the communication device 5, and the vehicle control device 4. (ECU: equivalent to ECU 93 in FIG. 1) 6, an external output device 7, an input device 8, a notification device 9, a detection device 80, and a drive device 90 are connected.
 通信装置5は、車両100内部に設けられた制御システム1と、車両100の外部機器(図示せず)との間で無線通信を可能とする装置である。通信装置5は、例えば、携帯電話の通信、無線LAN(Local Area Network)、WAN(Wide Area Network)、C2X(Car to X:車両と車両との通信又は車両と路上のインフラ機器との通信)等のプロトコルを使用した通信、又はGPS(Global Positioning System)を使用した通信を可能とする装置である。 The communication device 5 is a device that enables wireless communication between the control system 1 provided inside the vehicle 100 and an external device (not shown) of the vehicle 100. The communication device 5 is, for example, mobile phone communication, wireless LAN (Local Area Network), WAN (Wide Area Network), C2X (Car to X: communication between a vehicle and a vehicle or communication between a vehicle and an infrastructure device on the road) Etc., or communication using GPS (Global Positioning System).
 通信装置5は、外部機器(図示せず)と無線通信を行い、車両100の周囲状況(例えば、路上インフラ設備に関する情報、他車の位置情報や速度情報、地図情報)を取得し、車両制御装置4(前述したAD1-ECU2)に周囲状況を送信する。この通信装置5による車両制御装置4への周囲状況の送信は、通信装置5に設けられた車両の自己診断機能用の診断端子(On-board diagnostics:OBD)、外部記憶媒体(例えば、USB(Universal Serial Bus)メモリ、SDメモリカード)端子を介して行われる。 The communication device 5 performs wireless communication with an external device (not shown), acquires the surrounding situation of the vehicle 100 (for example, information on road infrastructure equipment, position information and speed information of other vehicles, map information), and controls the vehicle The ambient situation is transmitted to the device 4 (AD1-ECU 2 described above). Transmission of the surrounding situation to the vehicle control device 4 by the communication device 5 is performed by using a diagnostic terminal (On-board diagnostics: OBD) for the self-diagnosis function of the vehicle provided in the communication device 5, an external storage medium (for example, USB (for example, It is performed via the Universal Serial Bus) memory and SD memory card) terminals.
 外部出力装置7は、車両100の運動状態や周囲状況を運転者などに通知するための装置である。例えば、外部出力装置7は、取得した情報を映像や音などで出力する液晶ディスプレイ、警告灯、スピーカである。 The external output device 7 is a device for notifying the driver or the like of the motion state or the surrounding condition of the vehicle 100. For example, the external output device 7 is a liquid crystal display, a warning light, or a speaker that outputs acquired information as a video or sound.
 入力装置8は、運転者が制御システム1に対して、車両100の運転に関する操作指示を行うための装置である。例えば、入力装置8は、ハンドル、フットペダル、各種操作ボタン、操作レバー、タッチパネル等である。 The input device 8 is a device for the driver to give the control system 1 an operation instruction regarding the driving of the vehicle 100. For example, the input device 8 is a handle, a foot pedal, various operation buttons, an operation lever, a touch panel, or the like.
 報知装置9は、制御システム1が、外界に対して車両100の運動状態を報知するための装置である。例えば、報知装置9は、ライト(ヘッドライト等)、ランプ(ブレーキランプ、テールランプ、フォグランプ、スモールランプ等の警告灯)、LED、スピーカ等である。 The notification device 9 is a device for the control system 1 to notify the outside world of the motion state of the vehicle 100. For example, the notification device 9 is a light (headlight or the like), a lamp (a warning lamp such as a brake lamp, a tail lamp, a fog lamp or a small lamp), an LED, a speaker or the like.
 検知装置80は、車両100に設けられたセンサなどで検出された周囲状況を取得する装置である。例えば、検知装置80は、前述したように、車載カメラ、レーダ、ライダ(LIDAR)、ソナー(超音波センサ)などの外界センサ、及び制御システム1の状態(運動状態、位置情報、加速度、車輪の回転速度等)を認識する力学センサ等である。 The detection device 80 is a device that acquires the surrounding situation detected by a sensor or the like provided in the vehicle 100. For example, as described above, the detection device 80 may be an on-board camera, a radar, an external sensor such as a lidar (LIDAR) or a sonar (ultrasonic sensor), and a state (motion state, position information, acceleration, wheel state) of the control system 1. It is a dynamic sensor etc. which recognizes rotation speed etc.).
 駆動装置90は、制御システム1の制御に従い、車両100の運動を制御する機械及び電気装置の駆動を行うアクチュエータ等の駆動装置である。例えば、駆動装置90は、前述したように、エンジン、トランスミッション、ホイール、ブレーキ91、ステアリング92、アクセル等である。 The drive device 90 is a drive device such as an actuator that drives the mechanical and electrical devices that control the motion of the vehicle 100 according to the control of the control system 1. For example, as described above, the drive device 90 is an engine, a transmission, a wheel, a brake 91, a steering 92, an accelerator, or the like.
 次に、制御システム1の装置構成を説明する。
 図3は、制御システム1の装置構成を説明するブロック図である。 Next, the device configuration of the control system 1 will be described.
FIG. 3 is a block diagram for explaining an apparatus configuration of the control system 1.
 図3に示すように、制御システム1では、車載ネットワークであるCAN99に、各々の検知装置80や駆動装置90などを制御する複数のVMC-ECU3(以下、単にECU3と表記する)が接続されている。 As shown in FIG. 3, in the control system 1, a plurality of VMC-ECUs 3 (hereinafter simply referred to as ECUs 3) for controlling the respective detecting devices 80 and the driving devices 90 are connected to CAN 99 which is an in-vehicle network. There is.
 各々のECU3には、通信装置5や他の車両制御システム6や、各々の検知装置80、ブレーキ91等の駆動装置90(アクチュエータ)等が接続されている。 The communication device 5 and other vehicle control systems 6, the respective detection devices 80, and drive devices 90 (actuators) such as the brake 91 are connected to the respective ECUs 3.
 各々のECU3は、CAN99以外の他の車載ネットワーク(専用線含む)にも接続され、この他の車載ネットワークを介して駆動装置90等との間で情報の送受信を行う。 Each ECU 3 is also connected to another in-vehicle network (including a dedicated line) other than the CAN 99, and transmits and receives information with the drive device 90 and the like via the other in-vehicle network.
 なお、前述したCAN99は、車両100の内部に配設された2つのバスに複数のECU3が接続されているバス型の場合を例示して説明したが、CAN99のネットワークトポロジは、これに限定されるものではない。例えば、複数のECU3が放射状に配置されるスター型や、リング状に配設されたバスに複数のECU3が接続されたリンク型、各々の型が混在し、複数のネットワークにより構成された混在型等であってもよい。 In addition, although CAN99 mentioned above illustrated and demonstrated the case of the bus | bath type which several ECU3 is connected to two bus arrange | positioned inside the vehicle 100, the network topology of CAN99 is limited to this It is not a thing. For example, a star type in which a plurality of ECUs 3 are arranged radially, a link type in which a plurality of ECUs 3 are connected to a bus arranged in a ring, and a mixture type in which each type is mixed Or the like.
 ECU3は、CAN99等の車載ネットワークを介して取得した検知装置80等の情報に基づいて、駆動装置90へ制御出力を送信し、内部状態の変更などの制御処理を行う。 The ECU 3 transmits a control output to the drive device 90 based on the information of the detection device 80 and the like acquired via the on-vehicle network such as the CAN 99, and performs control processing such as change of the internal state.
[制御装置]
 次に、ECU3(制御装置)の内部構成の一例を説明する。
 図4は、ECU3の内部構成の一例を説明するブロック図である。 [Control device]
Next, an example of an internal configuration of the ECU 3 (control device) will be described.
FIG. 4 is a block diagram for explaining an example of the internal configuration of the ECU 3.
 図4に示すように、ECU3は、プロセッサ31と、I/O(Input/Output)32と、タイマ33と、ROM(Read Only Memory)34と、RAM(Random Access Memory)35と、を有し、これらは、ECU3内部での通信に用いられる内部バス36で接続されている。 As shown in FIG. 4, the ECU 3 has a processor 31, an I / O (Input / Output) 32, a timer 33, a ROM (Read Only Memory) 34, and a RAM (Random Access Memory) 35. These are connected by an internal bus 36 used for communication inside the ECU 3.
 プロセッサ31は、キャッシュレジスタなどの記憶素子を有し、制御を実行するCPUなどの装置である。プロセッサ31は、前述したCPU3A、CPU3Bを構成する。 The processor 31 is a device such as a CPU that has a storage element such as a cash register and executes control. The processor 31 configures the CPU 3A and the CPU 3B described above.
 I/O32は、ECU3に接続された検知装置80又は駆動装置90との間で、CAN99や専用線(図示せず)を介して情報の送受信を行う装置である。 The I / O 32 is a device that transmits and receives information to and from the detection device 80 or the drive device 90 connected to the ECU 3 via the CAN 99 or a dedicated line (not shown).
 タイマ33は、プロセッサ31等が有するクロック機能(図示せず)を使用し、時間及び時刻の管理を行う装置である。 The timer 33 is a device that manages time and time using a clock function (not shown) that the processor 31 or the like has.
 ROM34は、ECU3の制御を行うための制御プログラムや各種パラメータを記憶する不揮発性の記憶装置である。 The ROM 34 is a non-volatile storage device that stores a control program for controlling the ECU 3 and various parameters.
 RAM35は、ECU3の機能を実行するための各種プログラムや、プロセッサ等で処理された情報を一時的に記憶する揮発性の記憶装置である。 The RAM 35 is a volatile storage device that temporarily stores various programs for executing the functions of the ECU 3 and information processed by a processor or the like.
 次に、前述したプロセッサ31で動作するソフトウェアモジュールの構成を説明する。
 図5は、プロセッサ31で動作するソフトウェアモジュールの構成を説明する図である。 Next, the configuration of the software module operated by the processor 31 described above will be described.
FIG. 5 is a diagram for explaining the configuration of a software module operating on the processor 31. As shown in FIG.
 図5に示すように、プロセッサ31は、制御部311と、通信管理部312と、時間管理部313と、データテーブル314と、バッファ315とを有している。 As shown in FIG. 5, the processor 31 includes a control unit 311, a communication management unit 312, a time management unit 313, a data table 314, and a buffer 315.
 制御部311は、プロセッサ31の全体的な制御を行う。具体的には、制御部311は、所定の制御プログラムを実行し、その制御プログラムに基づいて処理を行う。この制御部311の動作により、制御システム1の各機能の実行が行われる。 The control unit 311 performs overall control of the processor 31. Specifically, the control unit 311 executes a predetermined control program and performs processing based on the control program. By the operation of the control unit 311, execution of each function of the control system 1 is performed.
 通信管理部312は、内部バス36を介して、I/O32に対して、情報の送受信の指示を行う。 The communication management unit 312 instructs the I / O 32 to transmit and receive information via the internal bus 36.
 時間管理部313は、タイマ33を管理し、時間や時刻に関する情報を取得すると共に、時間や時刻のカウントなどの制御を行う。 The time management unit 313 manages the timer 33, acquires information related to time and time, and performs control such as counting of time and time.
 データテーブル314は、車両100の制御に必要な各種情報を記憶する。 The data table 314 stores various information necessary for control of the vehicle 100.
 バッファ315は、制御部311や時間管理部313で演算された情報を、一時的に記憶する。 The buffer 315 temporarily stores the information calculated by the control unit 311 and the time management unit 313.
 前述した制御部311、通信管理部312、時間管理部313は、動作に必要な情報を、ROM34、RAM35から読み込み、又はこれらROM34やRAM35に書き込む動作を行う。 The control unit 311, the communication management unit 312, and the time management unit 313 described above read the information necessary for the operation from the ROM 34 or the RAM 35, or write the information into the ROM 34 or the RAM 35.
[制御システムの機能構成]
 次に、制御システム1全体の機能構成を説明する。
 図6は、制御システム1全体の機能構成を説明する機能ブロック図である。 [Functional configuration of control system]
Next, the functional configuration of the entire control system 1 will be described.
FIG. 6 is a functional block diagram for explaining the functional configuration of the control system 1 as a whole.
 図6に示すように、制御システム1は、統合認識部11と、自動運転制御部12と、ユーザ入力部13と、出力管理部14と、通知管理部15と、異常検出部16と、切替部17と、運動制御部18と、安全制御部19とを有している。 As shown in FIG. 6, the control system 1 switches between the integrated recognition unit 11, the automatic driving control unit 12, the user input unit 13, the output management unit 14, the notification management unit 15, the abnormality detection unit 16, and It has a unit 17, a motion control unit 18, and a safety control unit 19.
 これら、統合認識部11と、自動運転制御部12と、ユーザ入力部13と、出力管理部14と、通知管理部15と、異常検出部16と、切替部17と、運動制御部18と、安全制御部19は、前述した何れかのECU3に配置されている。 The integrated recognition unit 11, the automatic driving control unit 12, the user input unit 13, the output management unit 14, the notification management unit 15, the abnormality detection unit 16, the switching unit 17, and the exercise control unit 18; The safety control unit 19 is disposed in any of the aforementioned ECUs 3.
 統合認識部11は、複数の検知装置80や通信装置5に接続されており、これらの装置から周囲状況L1を取得する。統合認識部11は、取得した周囲状況L1を統合して外界認識マップL2を生成する。統合認識部11は、自動運転制御部12と接続されており、生成した外界認識マップL2を自動運転制御部12に送信する。 The integrated recognition unit 11 is connected to the plurality of detection devices 80 and the communication device 5, and acquires the surrounding situation L1 from these devices. The integrated recognition unit 11 integrates the acquired surrounding situation L1 to generate an external world recognition map L2. The integrated recognition unit 11 is connected to the automatic driving control unit 12, and transmits the generated external world recognition map L2 to the automatic driving control unit 12.
 自動運転制御部12は、統合認識部11で生成された外界認識マップL2と、ユーザ入力部13を介して入力されたユーザ入力情報L3とに基づいて、自動運転制御情報L4(軌道等)を生成する。自動運転制御部12は、生成した自動運転制御情報L4を、出力管理部14、通知管理部15、異常検出部16、切替部17に出力する。 The autonomous driving control unit 12 generates autonomous driving control information L4 (such as a trajectory) based on the external world recognition map L2 generated by the integrated recognition unit 11 and the user input information L3 input through the user input unit 13. Generate The automatic driving control unit 12 outputs the generated automatic driving control information L4 to the output management unit 14, the notification management unit 15, the abnormality detection unit 16, and the switching unit 17.
 ユーザ入力部13は、入力装置8からのユーザ入力に基づいて、ユーザ入力情報L3を生成する。 The user input unit 13 generates user input information L3 based on the user input from the input device 8.
 出力管理部14は、外部出力装置7に接続されている。出力管理部14は、自動運転制御部12から受信した自動運転制御情報L4と、異常検出部16から受信した異常検出情報L5とに基づいて生成した出力情報L6を、外部出力装置7に出力する。 The output management unit 14 is connected to the external output device 7. Output management unit 14 outputs output information L6 generated based on automatic operation control information L4 received from automatic operation control unit 12 and abnormality detection information L5 received from abnormality detection unit 16 to external output device 7. .
 通知管理部15は、報知装置9及び通信装置5に接続されている。通知管理部15は、自動運転制御部12から受信した自動運転制御情報L4と、異常検出部16から受信した異常検出情報L5とに基づいて生成した報知情報L7を、報知装置9に出力する。 The notification management unit 15 is connected to the notification device 9 and the communication device 5. The notification management unit 15 outputs notification information L7 generated based on the automatic operation control information L4 received from the automatic operation control unit 12 and the abnormality detection information L5 received from the abnormality detection unit 16 to the notification device 9.
 異常検出部16は、自動運転制御部12から取得した自動運転制御情報L4や、その他の装置から取得した制御情報(図示せず)に基づいて、制御システム1の異常を検出する。異常検出部16は、出力管理部14、通知管理部15、切替部17、安全制御部19に接続されており、これらの装置に異常検出情報L5を送信する。 The abnormality detection unit 16 detects an abnormality in the control system 1 based on the automatic operation control information L4 acquired from the automatic operation control unit 12 and control information (not shown) acquired from other devices. The abnormality detection unit 16 is connected to the output management unit 14, the notification management unit 15, the switching unit 17, and the safety control unit 19, and transmits the abnormality detection information L5 to these devices.
 切替部17は、異常検出部16、自動運転制御部12、ユーザ入力部13、安全制御部19、運動制御部18に接続されている。切替部17は、異常検出部16から取得した異常検出情報L5に基づいて、運動制御部18に対して出力する制御出力L10を、自動運転制御部12、ユーザ入力部13、安全制御部19の何れかから取得した情報に切り替える。 The switching unit 17 is connected to the abnormality detection unit 16, the automatic driving control unit 12, the user input unit 13, the safety control unit 19, and the exercise control unit 18. The switching unit 17 controls the automatic driving control unit 12, the user input unit 13, and the safety control unit 19 to output the control output L 10 to the exercise control unit 18 based on the abnormality detection information L 5 acquired from the abnormality detection unit 16. Switch to the information obtained from any of them.
 ここで、制御出力L10は、例えば、車両100の加速度やヨーレート等の運動制御パラメータの目標値、各駆動装置90への制御指令値、及びそれらの時系列での連続値である。 Here, the control output L10 is, for example, a target value of motion control parameters such as acceleration of the vehicle 100 and a yaw rate, control command values to the respective driving devices 90, and continuous values thereof in time series.
 運動制御部18は、検知装置80及び駆動装置90に接続されており、切替部17から取得した制御出力L10と、検知装置80から取得した車両100の周囲状況L1と、駆動装置90から取得した当該駆動装置90の運転状況(応答)などに基づいて生成した駆動制御情報L9を、複数の駆動装置90に対して送信する。 The motion control unit 18 is connected to the detection device 80 and the drive device 90, and acquires the control output L10 obtained from the switching unit 17, the surrounding situation L1 of the vehicle 100 obtained from the detection device 80, and the drive device 90 The drive control information L9 generated based on the driving condition (response) of the drive device 90 is transmitted to the plurality of drive devices 90.
 安全制御部19は、異常検出部16、切替部17、検知装置80と接続されている。安全制御部19は、検知装置80から取得した周囲状況L1と、異常検出部16から取得した異常検出情報L5とに基づいて、車両100(制御システム1)の故障発生時等に安全運転制御情報L8を切替部17に出力する。 The safety control unit 19 is connected to the abnormality detection unit 16, the switching unit 17, and the detection device 80. The safety control unit 19 performs safe driving control information at the time of failure occurrence or the like of the vehicle 100 (control system 1) based on the surrounding situation L1 acquired from the detection device 80 and the abnormality detection information L5 acquired from the abnormality detection unit 16. Output L8 to the switching unit 17.
 実施の形態では、安全制御部19は、縮退モジュール96(図1参照)を有し、縮退モジュール96の縮退機能により車両100の運動機能を縮退させることで、車両100を最低限の機能で運動させることができる。
 よって、安全制御部19で生成された安全運転制御情報L8は、運動制御部18に縮退機能を発揮させるための制御情報である。 In the embodiment, the safety control unit 19 includes the degeneration module 96 (see FIG. 1), and by degenerating the motion function of the vehicle 100 by the degeneration function of the degeneration module 96, the vehicle 100 is exercised with the minimum function. It can be done.
Therefore, the safe driving control information L8 generated by the safety control unit 19 is control information for causing the motion control unit 18 to exhibit the degeneration function.
 ここで、自動運転制御部12による車両100の運動制御を通常制御、安全制御部19による車両100の運動制御を非通常制御と言うこともある。 Here, the motion control of the vehicle 100 by the automatic driving control unit 12 may be referred to as normal control, and the motion control of the vehicle 100 by the safety control unit 19 may be referred to as abnormal control.
 前述したように、切替部17から見て、自動運転制御部12(自動運転制御部12が配置されたECU3)と、安全制御部19(安全制御部19が配置されtあECU3)とは、並列に設けられている(図6参照)。 As described above, when viewed from the switching unit 17, the automatic operation control unit 12 (the ECU 3 in which the automatic operation control unit 12 is disposed) and the safety control unit 19 (the ECU 3 in which the safety control unit 19 is disposed) It is provided in parallel (see FIG. 6).
 このため、制御システム1に何らかの故障が発生した場合、例えば、自動運転制御部12による通常制御から、安全制御部19による非通常制御(安全制御)に切り替える際、安全制御部19による非通常制御の準備が完了するまで、自動運転制御部12から出力された自動運転制御情報により継続して制御し、安全制御部19による非通常制御の準備が完了した段階で、安全制御部19による制御に移行することで、制御の切り替えをスムーズに行うことができる。 Therefore, when any failure occurs in the control system 1, for example, when switching from the normal control by the automatic operation control unit 12 to the non-normal control (safety control) by the safety control unit 19, the non-normal control by the safety control unit 19 Control is continuously performed according to the automatic operation control information output from the automatic operation control unit 12 until the preparation of the second control is completed, and the control by the safety control unit 19 is performed at the stage when the preparation of the non-normal control by the safety control unit 19 is completed By shifting, the control can be switched smoothly.
 また、自動運転制御部12と安全制御部19とを並列に設けているので、それぞれの制御部で、車両100を適切に運動させるための機能を分担することで、所定の切り替え期間(例えば、500msec)以内に切り替えることができ、故障時の切り換えを迅速、かつ安全に行うことができる。 In addition, since the automatic driving control unit 12 and the safety control unit 19 are provided in parallel, the respective control units share functions for causing the vehicle 100 to properly exercise, and thus a predetermined switching period (for example, It is possible to switch within 500 msec) and to perform switching in case of failure quickly and safely.
 制御システム1には、通信装置5、検知装置80、駆動装置90、外部出力装置7、入力装置8又は報知装置9の一部又は全部が含まれる場合がある。また、運動制御部18、出力管理部14、通知管理部15を含むVMC-ECU3は、制御システム1の一部の機能を有する場合を例示して説明したが、全ての機能を有するものとしてもよい。 The control system 1 may include part or all of the communication device 5, the detection device 80, the drive device 90, the external output device 7, the input device 8 or the notification device 9. Further, although the VMC-ECU 3 including the motion control unit 18, the output management unit 14, and the notification management unit 15 has been described as an example having a part of the functions of the control system 1, the VMC-ECU 3 may have all the functions. Good.
 前述したように、制御システム1は、複数の機能から構成されており、図4に示すECU3の内部構成への機能配置は、複数のパターンが考えられる。 As described above, the control system 1 is composed of a plurality of functions, and the function arrangement to the internal configuration of the ECU 3 shown in FIG. 4 may be a plurality of patterns.
 図7に示すように、実施の形態では、複数のECU3に、制御システム1の各機能がそれぞれ分けて設けられている。実施の形態では、ECU3に設けられている場合の一例として、統合認識部11と自動運転制御部12、異常検出部16と安全制御部19、切替部17と運動制御部18、ユーザ入力部13と出力管理部14、通知管理部15、がそれぞれ並列の設けられた別々のECU3に配置されている。 As shown in FIG. 7, in the embodiment, each function of the control system 1 is separately provided in the plurality of ECUs 3. In the embodiment, the integrated recognition unit 11 and the automatic driving control unit 12, the abnormality detection unit 16 and the safety control unit 19, the switching unit 17 and the motion control unit 18, and the user input unit 13 are provided as an example in the case of being provided in the ECU 3. And the output management unit 14 and the notification management unit 15 are disposed in separate ECUs 3 provided in parallel.
 なお、前述した制御システム1の機能配置の例は、これに限定されず、所定の機能を別のECUに配置してもよい。 In addition, the example of a function arrangement | positioning of the control system 1 mentioned above is not limited to this, You may arrange | position a predetermined | prescribed function in another ECU.
[制御システムによる車両制御]
 次に、制御システム1による車両100の制御の一例を説明する。
 図8は、制御システム1による車両100の制御の一例を説明する図である。 [Vehicle control by control system]
Next, an example of control of the vehicle 100 by the control system 1 will be described.
FIG. 8 is a diagram for explaining an example of control of the vehicle 100 by the control system 1.
 図8に示すように、以下の説明では、自車(車両100)の制御システム1(自動運転制御部12)は、片側2車線の道路において、自車(車両100)が左車線を走行しており、前方に先行車101がいるため右車線から追い越すように自車の軌道801(自動運転制御情報L4)を生成した場合の自車の運動制御を例示して説明する。 As shown in FIG. 8, in the following description, the control system 1 (the automatic driving control unit 12) of the own vehicle (vehicle 100) is such that the own vehicle (vehicle 100) travels in the left lane on a road of two lanes on one side. Since the preceding vehicle 101 is ahead, the motion control of the own vehicle will be described by way of example when the trajectory 801 (automatic driving control information L4) of the own vehicle is generated so as to overtake from the right lane.
 自動運転制御部12の主機能により生成されたこの軌道801は、自車が安全に走行可能(例えば、他車両や障害物に衝突する可能性が低い状態)である安全性制約、自車が実現可能な加速度、減速度、ヨーレート等の運動制約を満たしているものとする。 The trajectory 801 generated by the main function of the autonomous driving control unit 12 is a safety constraint that the vehicle can travel safely (for example, a state where the possibility of collision with another vehicle or an obstacle is low). It is assumed that the motion constraints such as achievable acceleration, deceleration, and yaw rate are satisfied.
 図8に示すように、自動運転制御部12が生成した軌道801において、時刻t0(現在の時刻)における自車の位置が(X0、Y0)、t1における自車の位置が(X1、Y1)、t2における自車の位置が(X2、Y2)であるとする。また、軌道801では、以降も位置情報(例えば、t3(x3、Y3)~tn(Xn、Yn))が同様に生成されているものとする。 As shown in FIG. 8, on the track 801 generated by the automatic driving control unit 12, the position of the vehicle at time t0 (the current time) is (X0, Y0) and the position of the vehicle at t1 is (X1, Y1) The position of the vehicle at time t2 is (X2, Y2). In the trajectory 801, position information (for example, t3 (x3, Y3) to tn (Xn, Yn)) is assumed to be generated similarly.
 自動運転制御部12では、軌道801に沿って自車が移動するように、現在の自車の運動状態(現在の速度、現在の加速度、現在のヨーレート)等を取得するすると共に、取得した運動状態に基づいて、自車の目標速度、目標加速度、目標ヨーレート等を算出する。 The automatic driving control unit 12 acquires the current motion state (current speed, current acceleration, current yaw rate) and the like of the current vehicle so that the vehicle moves along the track 801, and the acquired motion Based on the state, the target velocity, the target acceleration, the target yaw rate, etc. of the vehicle are calculated.
 自動運転制御部12では、目標速度等を達成するために、エンジントルクの出力を増加させる、ブレーキを制御して制動力を増加させる、ステアリングを転舵させる、また、各車輪が不均等になるように車輪ごとに制動、加速を行う。
 なお、自動運転制御部12が生成する情報が、自車の軌道801ではなく、駆動装置90の制御値である場合、この制御値を用いて駆動装置90の制御を行うことで、目標の運動制御を行うことができる。 In order to achieve the target speed, etc., the automatic driving control unit 12 increases the output of the engine torque, controls the brake to increase the braking force, steers the steering, and makes the wheels uneven. Make braking and acceleration for each wheel.
In addition, when the information which the automatic driving | operation control part 12 produces | generates is not the track | truck 801 of the own vehicle but the control value of the drive device 90, the target exercise is performed by controlling the drive device 90 using this control value. Control can be performed.
[異常検出部における異常検出方法]
 次に、異常検出部16における異常検出方法を説明する。
 実施の形態では、「異常」とは、制御システム1のハードウェアの故障やソフトウェアの不具合、想定外の入力等を原因として発生する通常時想定している状態と異なる状態を言う。 [Abnormality detection method in anomaly detection section]
Next, an abnormality detection method in the abnormality detection unit 16 will be described.
In the embodiment, “abnormal” refers to a state different from a state assumed under normal conditions that occurs due to a hardware failure or software failure of the control system 1, an unexpected input, or the like.
 制御システム1の各構装置は、車載ネットワーク(CAN99)又は専用線等の通信を介して通信を行っている。よって、制御システム1では、通常の異常では、通信が行えない(通信処理がエラー応答、信号線の電位が異常)、通信の信号値の異常等が発生する。
これらの通信異常は、電気回路での異常検出(電位検出等)、定期的な生存確認(ハートビートの送受信によるエラー検出)、巡回冗長検査(Cyclic Redundancy Check:CRC)等の異常検出符号によるエラー検出を行うことにより検出可能である。 Each component device of the control system 1 performs communication via communication such as an in-vehicle network (CAN 99) or a dedicated line. Therefore, in the control system 1, in the case of a normal abnormality, communication can not be performed (the communication processing is an error response, the potential of the signal line is abnormal), an abnormality of the signal value of communication, and the like occur.
These communication abnormalities are errors by abnormality detection code such as abnormality detection in electric circuit (potential detection etc.), periodic survival confirmation (error detection by transmission and reception of heartbeat), cyclic redundancy check (CRC), etc. It is detectable by performing detection.
 また、CPUなどの演算装置の故障については、同じ演算を行った結果の検算(演算結果の比較)により異常検出可能であり、メモリの故障については、ROMやRAMにアクセスした場合の誤り検出等により検出可能である。 Further, with regard to the failure of the arithmetic device such as the CPU, the abnormality can be detected by checking the result of the same operation (comparison of the operation result), and the memory failure can be detected when the ROM or RAM is accessed, etc. Can be detected.
 ソフトウェアの不具合については、同じ演算を行った結果の検算の比較以外にも、出力結果が所定の範囲以外(閾値以上又は閾値以下)であることにより検出することが可能である。 The software defect can be detected by the output result being out of the predetermined range (above the threshold or below the threshold), in addition to comparison of checking results of the same operation.
 これらの異常については、永続的に発生する永続故障と、過渡的に発生する過渡故障とがある。例えば、出力値が不安定に変位しながら発生する場合には、過渡故障である可能性が高く、出力値が0(ゼロ)や1の値に固定されている場合には、永続故障の可能性が高いと判定できる。 For these abnormalities, there are permanent failures that occur permanently and transient failures that occur transiently. For example, if the output value is generated while being displaced unstably, the possibility of a transient failure is high, and if the output value is fixed at 0 (zero) or 1 value, permanent failure is possible. It can be determined that the sex is high.
 制御システム1の異常検出部16は、これらの異常情報を受信することにより制御システム1の異常を検出する。また、他の装置が異常を検出し、他の装置からの異常情報を異常検出部16が受信することにより異常の検知を行ってもよい。 The abnormality detection unit 16 of the control system 1 detects an abnormality of the control system 1 by receiving the abnormality information. In addition, another apparatus may detect an abnormality, and the abnormality detection unit 16 may detect abnormality by receiving abnormality information from the other apparatus.
 例えば、自動運転制御部12は、検知装置80、通信装置5、統合認識部11、及びそれらの間の通信の何れかの部分で異常が発生していることを自動運転制御情報L4に付加して送信し、異常検出部16は、この異常情報を検出することで、制御システム1の異常を検出する。 For example, the automatic driving control unit 12 adds, to the automatic driving control information L4, that an abnormality has occurred in any part of the detection device 80, the communication device 5, the integrated recognition unit 11, and the communication between them. The abnormality detection unit 16 detects this abnormality information to detect an abnormality in the control system 1.
 切替部17は、異常検出部16による異常検出結果(異常検出情報L5の受信)に基づいて、後述する制御情報切替処理を実行する。 The switching unit 17 executes control information switching processing described later based on the abnormality detection result (reception of the abnormality detection information L5) by the abnormality detection unit 16.
[切替部における制御情報切替処理]
 次に、切替部17における制御情報切替処理を説明する。
 図9は、切替部17における制御情報切替処理のフローチャートである。
 異常検出部16により異常の検出がされた場合、切替部17は、以下の制御信号切替処理を実行する。 [Control information switching process in switching unit]
Next, control information switching processing in the switching unit 17 will be described.
FIG. 9 is a flowchart of control information switching processing in the switching unit 17.
When the abnormality detection unit 16 detects an abnormality, the switching unit 17 executes the following control signal switching process.
 初めに、ステップS101において、切替部17は、自動運転制御部12から取得した自動運転制御情報L4(第1制御の出力)と、安全制御部19から取得した安全運転制御情報L8(第2制御の出力)とを、時系列で比較する。 First, in step S101, the switching unit 17 controls the automatic operation control information L4 (output of the first control) acquired from the automatic operation control unit 12 and the safe operation control information L8 (second control) acquired from the safety control unit 19. And the output of the) in time series.
 ステップS102において、切替部17は、自動運転制御情報L4(第1制御の出力)と安全運転制御情報L8(第2制御の出力)とを比較した結果、差分dが所定の規定値(所定の閾値dth)以下でないと判定した場合(ステップS102:No)、ステップS103に進み、自動運転制御情報L4(第1制御の出力)を運動制御部18に出力する。 In step S102, the switching unit 17 compares the automatic driving control information L4 (output of the first control) with the safe driving control information L8 (output of the second control), and as a result, the difference d has a predetermined prescribed value (predetermined value If it is determined that the value is not less than the threshold dth (step S102: No), the process proceeds to step S103, and the automatic driving control information L4 (output of the first control) is output to the motion control unit 18.
 よって、自動運転制御情報L4と安全運転制御情報L8との差分dが所定の閾値dthよりも大きい場合(d>dth)、切替部17は、車両100の自動運転制御情報L4に基づく制御から安全運転制御情報L8に基づく制御に切り替えると、制御の切り替え時の衝撃(制御段差)が大きくなる結果、運転者の違和感が大きくなると判断し、そのまま自動運転制御情報L4に基づく制御を行うことで、制御情報の切り替えによる運転者の違和感を少なくし、車両100を安心、安全に運転することができる。 Therefore, when the difference d between the autonomous driving control information L4 and the safe driving control information L8 is larger than the predetermined threshold dth (d> dth), the switching unit 17 performs safety based on control based on the autonomous driving control information L4 of the vehicle 100. When switching to control based on the driving control information L8, the impact (control step) at the switching of the control becomes large, and it is determined that the driver's discomfort increases, and control based on the automatic driving control information L4 is performed as it is. The driver's discomfort due to the switching of the control information can be reduced, and the vehicle 100 can be driven safely and safely.
 一方、切替部17は、自動運転制御情報L4(第1制御の出力)と安全運転制御情報L8(第2制御の出力)とを比較した結果、差分dが所定の規定値(所定の閾値dth)以下であると判定した場合(ステップS102:Yes)、ステップS104に進み、安全運転制御情報L8(第2制御の出力)を運動制御部18に出力する。 On the other hand, as a result of comparing the automatic driving control information L4 (output of the first control) with the safe driving control information L8 (output of the second control), the switching unit 17 determines that the difference d has a predetermined prescribed value (predetermined threshold dth). If it is determined that the following is true (step S102: Yes), the process proceeds to step S104, and the safe driving control information L8 (output of the second control) is output to the exercise control unit 18.
 よって、自動運転制御情報L4と安全運転制御情報L8との差分dが所定の閾値dth以下の場合(d≦dth)、切替部17は、車両100の自動運転制御情報L4に基づく制御から安全運転制御情報L8に基づく制御に切り替えても、運転者に対する切り替え時の違和感が少ないと判断し、安全運転制御情報L8に基づく制御に切り替えることで、縮退機能による運動制御により車両100の安全性を確保しつつ、運転者に違和感を与えない車両100の運動制御を行うことができる。 Therefore, when the difference d between the automatic driving control information L4 and the safe driving control information L8 is equal to or less than the predetermined threshold dth (d ≦ dth), the switching unit 17 performs the safe driving from the control based on the automatic driving control information L4 of the vehicle 100. Even when switching to control based on control information L8, it is determined that there is less discomfort for the driver when switching, and switching to control based on safe driving control information L8 ensures safety of the vehicle 100 by motion control by the degeneration function. It is possible to perform motion control of the vehicle 100 without giving the driver a sense of discomfort.
 ここで、自動運転制御部12では、異常検出部16による異常検出後も、自動運転制御情報L4による制御から安全運転制御情報L8による制御への切り替えが完了するまでの一定時間は、自動運転制御部12で生成した自動運転制御情報L4による制御を継続する必要があるため、異常が発生していないと検証済みの自動運転制御情報L4を所定時間分保持し、一定時間出力を行う。 Here, in the automatic driving control unit 12, even after abnormality detection by the abnormality detecting unit 16, the automatic driving control is performed for a predetermined period of time until the switching from control by the automatic driving control information L4 to control by the safe driving control information L8 is completed. Since it is necessary to continue the control based on the automatic driving control information L4 generated by the unit 12, the automatic driving control information L4 which has been verified if no abnormality has occurred is held for a predetermined time, and output is performed for a predetermined time.
 前述した実施の形態では、自動運転制御情報L4を、自動運転制御部12が保持する場合を例示して説明したが、これに限定されるものではなく、自動運転制御情報L4を、自動運転制御部12以外の装置が保持する構成としてもよい。
 以下、自動運転制御情報L4を、自動運転制御部12以外の制御情報保持部40が保持するようにした制御システム1Aを説明する。 In the embodiment described above, the case where the automatic driving control information L4 is held by the automatic driving control unit 12 is described as an example, but the present invention is not limited to this. The automatic driving control information L4 is not limited to the automatic driving control It is good also as composition which devices other than part 12 hold.
Hereinafter, a control system 1A in which the automatic driving control information L4 is held by the control information holding unit 40 other than the automatic driving control unit 12 will be described.
[制御情報保持部]
 図10は、変形例にかかる制御システム1A全体の機能構成を説明する機能ブロック図である。 [Control information storage unit]
FIG. 10 is a functional block diagram for explaining the functional configuration of the entire control system 1A according to the modification.
 制御システム1Aの制御情報保持部40は、切替部17に接続されている。制御情報保持部40は、切替部17を介して、自動運転制御部12で生成した自動運転制御情報L4を所定時間分取得すると共に、その所定時間分の自動運転制御情報L4を保持する。 The control information holding unit 40 of the control system 1A is connected to the switching unit 17. The control information holding unit 40 acquires the automatic driving control information L4 generated by the automatic driving control unit 12 for a predetermined time via the switching unit 17, and holds the automatic driving control information L4 for the predetermined time.
 具体的には、制御情報保持部40は、制御システム1A等に何らかの異常が発生した場合、車両100の安全な走行を最低限保証可能であると検証された自動運転制御情報L4を、所定時間分保持しておき、異常が発生した時に、保持していた自動運転制御情報L4(以下、保持制御情報L11と言う)を切替部17に出力する。 Specifically, when an abnormality occurs in control system 1A or the like, control information holding unit 40 determines, for a predetermined time, automatic operation control information L4 verified to be able to guarantee safe traveling of vehicle 100 as a minimum. A minute is held, and when an abnormality occurs, the automatic operation control information L4 (hereinafter referred to as holding control information L11) held is output to the switching unit 17.
 これにより、切替部17は、異常検出部16により制御システム1Aに異常が発生したことが検出された場合、制御情報保持部40に保持された保持制御情報L11を運動制御部18に出力することで、運動制御部18では、この保持制御情報L11に基づく車両100(駆動装置90)の制御を行うことができる。よって、車両100は、安全走行が最低限保証された保持制御情報L11に基づく運動制御が行われるので、異常発生時でも安全に走行することができる。 Thereby, the switching unit 17 outputs the holding control information L11 held by the control information holding unit 40 to the motion control unit 18 when the abnormality detecting unit 16 detects that an abnormality has occurred in the control system 1A. The motion control unit 18 can control the vehicle 100 (drive device 90) based on the holding control information L11. Therefore, since movement control based on the holding control information L11 in which safe traveling is minimum guaranteed is performed, the vehicle 100 can travel safely even when an abnormality occurs.
 ここで、制御情報保持部40で保持する保持制御情報L11は、自動運転制御部12で生成された一定時刻先(将来)までの自動運転制御情報であり、例えば、現在の車線に沿う走行、車線に沿って走行しつつ緩やかに減速、路肩に退避して停止等の制御を車両100に行わせるための情報などである。 Here, the holding control information L11 held by the control information holding unit 40 is automatic driving control information up to a predetermined time (future) generated by the automatic driving control unit 12, for example, traveling along the current lane, The information is, for example, information for causing the vehicle 100 to perform control such as deceleration slowly while traveling along the lane, and retraction to the road shoulder and stop.
 前述したように、自動運転制御部12以外の制御情報保持部40が、保持制御情報L11(自動運転制御情報L4)を保持する場合、図9で説明した制御情報切替処理において、制御情報保持部40から出力された保持制御情報L11を第1制御の出力、安全制御部19から出力された安全運転制御情報L8を第2制御の出力として処理を行う。 As described above, when the control information holding unit 40 other than the automatic driving control unit 12 holds the holding control information L11 (automatic driving control information L4), in the control information switching process described in FIG. Processing is performed with the holding control information L11 output from 40 as the output of the first control, and the safe driving control information L8 output from the safety control unit 19 as the output of the second control.
 このように構成すると、自動運転制御部12及びその出力経路に何らかの障害が発生した場合でも、車両100は、制御情報保持部40から出力された保持制御情報L11に基づく主機能により、所定の軌道801に沿った自動走行が可能となり、また、安全制御部19から出力された安全運転制御情報L8に基づく縮退機能により、最低限の運動により所定の軌道801に沿った自動走行が可能となる。 With this configuration, even if a fault occurs in the automatic driving control unit 12 and the output route thereof, the vehicle 100 can maintain a predetermined trajectory by the main function based on the holding control information L11 output from the control information holding unit 40. The automatic traveling along the line 801 can be performed, and the degeneration function based on the safe driving control information L8 output from the safety control unit 19 enables the automatic traveling along the predetermined track 801 with the minimum movement.
 なお、制御情報保持部40は、安全制御部19で生成された安全運転制御情報L8を保持してもよく、保持制御情報L11と、安全運転制御情報L8のうち、何れか一方又は両方を保持するようにしてもよい。
 このように構成すると、安全制御部19を配置したECU3で何らかの不具合が発生した場合、制御情報保持部40で保持していた安全運転制御情報L8を用いて、車両100の運動を安全に制御することができる。 The control information holding unit 40 may hold the safe driving control information L8 generated by the safety control unit 19, and holds either or both of the holding control information L11 and the safe driving control information L8. You may do it.
According to this configuration, when any failure occurs in the ECU 3 in which the safety control unit 19 is disposed, the motion of the vehicle 100 is safely controlled using the safe driving control information L8 held by the control information holding unit 40. be able to.
[制御出力の比較方法]
 次に、制御情報保持部40を有する制御システム1Aによる車両100の制御方法の一例を説明する。
 図11は、制御システム1Aによる車両100の制御方法の一例を説明する図である。 [Control output comparison method]
Next, an example of a control method of the vehicle 100 by the control system 1A having the control information holding unit 40 will be described.
FIG. 11 is a diagram for explaining an example of a control method of the vehicle 100 by the control system 1A.
 図11において、第1制御の出力(例えば、保持制御情報L11)に基づく主機能の軌道が軌道1001であり、第2制御の出力(例えば、安全運転制御情報L8)に基づく縮退機能の軌道が軌道1002である。主機能に基づく軌道1001と縮退機能に基づく軌道1002の何れも、時系列の一定時刻先(将来)までの自車(車両100)の位置情報を有している。 In FIG. 11, the trajectory of the main function based on the output of the first control (for example, the holding control information L11) is the trajectory 1001, and the trajectory of the degeneration function based on the output of the second control (for example, the safe operation control information L8) is It is a trajectory 1002. Each of the trajectory 1001 based on the main function and the trajectory 1002 based on the degeneracy function has position information of the own vehicle (vehicle 100) up to a predetermined time point (future) in time series.
 実施の形態では、時刻t0は現在の時刻を表しており、現在の時刻t0から一定時刻先までの時刻t1、t2における保持制御情報L11に基づく位置と、安全運転制御情報L8に基づく位置は、それぞれ(xa0、ya0)と(xb0、yb0)、(xa1、ya1)と(xb1、yb1)、(xa2、ya2)と(xb2、yb2)となる。 In the embodiment, the time t0 represents the current time, and the position based on the holding control information L11 at the time t1 from the current time t0 to the predetermined time ahead and the position based on the safe driving control information L8 are They are (xa0, ya0) and (xb0, yb0), (xa1, ya1) and (xb1, yb1), (xa2, ya2) and (xb2, yb2), respectively.
 現在の時刻t0において、(xa0、ya0)と(xb0、yb0)とは等しくなる。そして、時刻t1の時に、自車が、位置(xa1、ya1)、(xb1、yb1)にそれぞれ移動したとすると、この場合の位置の差分dは、以下の数式1で表すことができる。
Figure JPOXMLDOC01-appb-M000001
 At the current time t0, (xa0, ya0) and (xb0, yb0) become equal. Then, assuming that the vehicle has moved to the positions (xa1, ya1) and (xb1, yb1) at time t1, the difference d of the position in this case can be expressed by Equation 1 below.
Figure JPOXMLDOC01-appb-M000001
 例えば、切替部17では、数式1による算出結果から、時刻t1における保持制御情報L11に基づく位置(xa1、ya1)と、安全運転制御情報L8に基づく位置(xb1、yb1)との差分が、一定の閾値dth(例えば、0.5m)以上になると判断した場合、保持制御情報L11から安全運転制御情報L8への切り替えに伴う自車の運動制御が大きくなると判断し、安全運転制御情報L8(第2制御の出力)による制御に切り替えず、保持制御情報L11(第1制御の出力)による制御を行う。 For example, in the switching unit 17, the difference between the position (xa1, ya1) based on the holding control information L11 at time t1 and the position (xb1, yb1) based on the safe driving control information L8 is constant. If it is determined that the threshold dth (for example, 0.5 m) or more of the vehicle is exceeded, it is determined that the motion control of the vehicle accompanying switching from the holding control information L11 to the safe driving control information L8 becomes large. 2) The control based on the holding control information L11 (the output of the first control) is performed without switching to the control based on the output of (2) control.
 つまり、差分dが所定の閾値dthよりも大きい場合、制御システム1に何らかの異常があった場合でも、車両100は、安全運転制御情報L8(縮退機能)に基づく軌道1002には進まず、保持制御情報L11(主機能)に基づく軌道1001を走行することとなる。 That is, when the difference d is larger than the predetermined threshold value dth, the vehicle 100 does not advance to the trajectory 1002 based on the safe driving control information L8 (degeneration function) even if there is some abnormality in the control system 1, It will travel on the track 1001 based on the information L11 (main function).
 そして、所定の周期で、差分dと所定の閾値dthとの比較を行い、差分dが閾値dth以下となった時点で、安全運転制御情報L8(縮退機能)に基づく軌道1002に進むこととなる。実施の形態では、車両100が、主機能に基づく軌道1001に進み、右車線に入った後、差分dが閾値dth以下になった時点で、縮退機能に基づく軌道1002で走行する(例えば、右車線に沿って走行しつつ緩やかに減速するなど)。 Then, the difference d is compared with the predetermined threshold dth at a predetermined cycle, and when the difference d becomes equal to or less than the threshold dth, the process proceeds to the trajectory 1002 based on the safe driving control information L8 (degeneration function) . In the embodiment, the vehicle 100 travels on the trajectory 1002 based on the degeneration function when the difference d becomes equal to or less than the threshold dth after the vehicle 100 proceeds to the trajectory 1001 based on the main function and enters the right lane (for example, right Slow down while traveling along the lane etc.)
 前述した実施の形態では、時刻t1における絶対距離での比較を行ったが、例えばx軸(車両100の進行方向)またはy軸方向(車両100の進行方向と直交方向)の位置関係のみで判断してもよい。例えば車両100のx軸方向の位置のみで判定することで、車両100の車線上の位置が異なる場合にのみ出力値が乖離すると判定することができる。
また、車両100のy軸方向の位置のみで判定することにより、加減速度が大きく異なる場合にのみ制御出力値が乖離すると判定することができる。 In the embodiment described above, the comparison is made with the absolute distance at time t1, but for example, determination is made only by the positional relationship in the x-axis (traveling direction of the vehicle 100) or y-axis direction (perpendicular to traveling direction of the vehicle 100). You may For example, by determining only the position of the vehicle 100 in the x-axis direction, it is possible to determine that the output value deviates only when the position of the vehicle 100 on the lane is different.
Further, by determining only the position of the vehicle 100 in the y-axis direction, it is possible to determine that the control output value deviates only when the acceleration / deceleration largely differs.
 また、前述した実施の形態では、制御システム1(1A)では、切替部17が、車両100の位置情報による差分dにより制御出力の切り替え判定を行う場合を例示して説明したが、これに限定されるものではなく、例えば、切替部17は、速度情報、加速度情報に基づいて判定してもよい。それぞれの情報を比較することで、例えば、速度情報が大きく乖離する場合にのみ第1制御の出力(自動運転制御情報L4又は保持制御情報L11)を使用することで、大きな速度変化(縦方向、横方向、または回転方向)が発生することを抑制することができる。同様に、加速度情報が大きく乖離する場合にのみ第1制御の出力(自動運転制御情報L4又は保持制御情報L11)を使用することで、大きな加速度変化(縦方向、横方向、または絶対値)が発生することを抑制することができる。 In the embodiment described above, in the control system 1 (1A), the switching unit 17 exemplifies the case where the switching output of the control output is determined based on the difference d based on the position information of the vehicle 100. For example, the switching unit 17 may make the determination based on the speed information and the acceleration information. By comparing the respective information, for example, by using the output of the first control (the automatic operation control information L4 or the holding control information L11) only when the speed information largely deviates, a large speed change (vertical direction, It is possible to suppress the occurrence of the lateral direction or the rotational direction). Similarly, by using the output of the first control (the automatic driving control information L4 or the holding control information L11) only when the acceleration information largely deviates, the large acceleration change (longitudinal direction, lateral direction, or absolute value) It can suppress that it occurs.
 前述した制御システム1(1A)において、車両100の速度や加速度に基づいて比較判定する場合、それぞれのX成分、Y成分、または角速度方向の符号が異なる場合を閾値としても良い。速度や加速度のX成分、Y成分、または角速度方向の符号が異なる場合、一般的に車両100の運動制御が大きく異なることを意味し、これを判定として用いることは有効であり、また判定が容易となる。 In the control system 1 (1A) described above, when the comparison determination is made based on the speed or acceleration of the vehicle 100, the case where the signs of the respective X component, Y component or angular velocity direction are different may be used as the threshold. If the velocity or acceleration X component, Y component, or sign of the angular velocity direction is different, this generally means that the motion control of the vehicle 100 is significantly different, and it is effective to use this as the determination, and the determination is easy It becomes.
 制御システム1(1A)において、前述した以外の閾値の設定方法としては、例えば、車両100の速度変化がそれぞれで大きく、車両100の運動制御が不安定(例えば、スピン、スリップ)となることが想定される運動の限界値を閾値として設定してもよい。これにより、車両100の運動制御の安全性を確実に確保することができる。 In the control system 1 (1A), for example, the speed change of the vehicle 100 is large and the motion control of the vehicle 100 becomes unstable (for example, spin, slip) as a method of setting a threshold other than the above. An estimated limit value of movement may be set as a threshold. Thereby, the safety of the motion control of the vehicle 100 can be reliably ensured.
 また、切替部17の出力方式として、ここではスイッチの様に切り替える方式について説明したが、例えば、時刻情報に合わせて徐々に出力を切り替えてもよい。例えば、第1制御の出力(自動運転制御情報L4又は保持制御情報L11)から第2制御の出力(安全運転制御情報L8)へ切り替える際に、切り替えが終了する途中では中間値(平均値等)を出力し、その後、第2制御の出力へ切り替える。このようにすることにより、制御出力の切替時の大きな変動を抑制させることが可能となる。 Moreover, although the switching method like a switch was demonstrated as an output method of the switching part 17 here, you may switch an output gradually according to time information, for example. For example, when switching from the output of the first control (the automatic driving control information L4 or the holding control information L11) to the output of the second control (the safe driving control information L8), an intermediate value (average value etc.) And then switch to the output of the second control. By doing this, it becomes possible to suppress large fluctuations at the time of switching of the control output.
 また、それぞれの時刻情報は、厳密に一致している必要は無く、例えば、時刻t0とt1の中間の値は平均を取る(例えば、(xa0+xa1)/2)など補正して比較してもよい。これにより生成した時刻情報にずれや軌道情報に不足があった場合でも、適切に判定を行うことができる。 Also, the respective time information need not exactly match, and for example, the middle value between time t0 and t1 may be averaged and taken (for example, (xa0 + xa1) / 2) and compared . Even when there is a gap in the generated time information or a shortage in the track information, the determination can be appropriately performed.
 また、第1制御の出力が、例えば、保持制御情報L11である場合、時系列で保持制御情報L11と第2制御の出力(安全運転制御情報L8)との比較を行った結果、車両100の位置や速度などの差分が、保持している保持制御情報L11の期間内で所定値以下とならないと判断された場合には、保持制御情報L11の範囲内で、差分が最小値となった時点で制御出力の切り替え(安全運転制御情報L8への切り替え)を行う。これにより、制御システム1Aでは、保持制御情報L11の範囲内で最も運動制御への影響が小さくなる時点での制御出力の切り替えが可能となり、運転者の違和感を極力少なくすることができる。 In addition, when the output of the first control is, for example, the holding control information L11, as a result of comparing the holding control information L11 with the output of the second control (safety driving control information L8) in time series, When it is determined that the difference such as the position or the speed does not fall below the predetermined value within the held holding control information L11, the time when the difference becomes the minimum value within the range of the holding control information L11 Switching of the control output (switching to the safe driving control information L8) is performed. As a result, in the control system 1A, switching of the control output can be performed at the time when the influence on the motion control becomes the smallest within the range of the holding control information L11, and the driver's discomfort can be minimized.
 また、前述した異常検出部16による異常検出の結果、異常検出部16が、当該異常が過渡的なものであると判定した場合、過渡的な異常から復帰すると予想される時間(例えば、部分的な再起動の所用時間)以内であれば、前述した制御出力の判定方法による判定の結果、差分が所定値以下であった場合でも、切り替えを実施せず第1制御の出力(自動運転制御情報L4又は保持制御情報L11)に基づいて処理を継続してもよい。これにより、過渡的な異常の場合の不要な切り替えを防ぐことができる。 Further, as a result of the abnormality detection by the abnormality detection unit 16 described above, when the abnormality detection unit 16 determines that the abnormality is a transient, a time (for example, partial time) which is expected to recover from the transient abnormality If it is within the required time required for restart, the result of the judgment by the judgment method of the control output mentioned above, even if the difference is less than the predetermined value, the switching is not performed and the output of the first control (automatic operation control information The processing may be continued based on L4 or the holding control information L11). This can prevent unnecessary switching in the case of a transient abnormality.
 また、さらに過渡的な異常等により、第2制御の出力(安全運転制御情報L8)に切り替えた後に、元の第1制御の出力(自動運転制御情報L4又は保持制御情報L11)へ再度切り替える場合、前述と同様の制御出力の判定方法による判定を行って元の制御出力に切り替えることにより、同様に過渡的な第2制御の出力(安全運転制御情報L8)から第1制御の出力(自動運転制御情報L4又は保持制御情報L11)に切り替える際の運動制御の安定性を確保することができる。 Furthermore, when switching to the output of the second control (safety operation control information L8) due to a transient abnormality or the like, and then switching again to the original first control output (the automatic operation control information L4 or the holding control information L11) Similarly, the output of the second control (safety operation control information L8) is output from the first control (automatic operation) by switching to the original control output by performing the determination by the control output determination method similar to that described above. The stability of the motion control when switching to the control information L4 or the holding control information L11) can be secured.
 また、前述した実施の形態では、制御システム1(1A)において、安全制御部19が1つの場合を例示して説明したが、多重系などで安全制御部19を並列に複数有していてもよい。例えば、制御システムでは、安全制御部19Aと安全制御部19Bの2個の安全制御部を有し、主機能に障害が発生した場合は、優先度に従い安全制御部19Aを使用し、安全制御部19Aにも異常が発生した場合には安全制御部19Bにさらに切り替えることにより信頼性を向上させることができる。 In the embodiment described above, the control system 1 (1A) has been described by exemplifying the case where there is one safety control unit 19. However, even if a plurality of safety control units 19 are provided in parallel in a multiplex system or the like. Good. For example, the control system has two safety control units, that is, the safety control unit 19A and the safety control unit 19B, and when a failure occurs in the main function, the safety control unit 19A is used according to the priority and the safety control unit The reliability can be improved by further switching to the safety control unit 19B when an abnormality occurs in 19A.
 このように構成すると、例えば、第1制御の出力と、第2制御の出力である安全制御部19Aの制御出力(安全運転制御情報L8A)について、前述した制御出力の比較方法で判定を行った結果、差分が所定値以下とならなかった場合、次に、第1制御の出力と、第2制御の出力である安全制御部19Bの制御出力(安全運転制御情報L8B)について、前述した制御出力の比較方法で判定を行った結果、差分が所定値以下となった場合、当該制御出力を使用することができる。 When configured in this way, for example, the determination of the control output comparison method described above is performed for the output of the first control and the control output of the safety control unit 19A (safety operation control information L8A) that is the output of the second control. As a result, when the difference does not fall below the predetermined value, the control output described above for the output of the first control and the control output (safety operation control information L8B) of the safety control unit 19B which is the output of the second control When the difference is less than or equal to a predetermined value as a result of the determination by the comparison method of the above, the control output can be used.
 これにより、安全を考慮して多重系とした複数の制御出力の中から、より運動制御の差分が小さく、運動制御の観点で安全性が高い出力を選択することも可能となる。
 よって、自動運転の制御出力を切り替える際に、自動運転制御情報による運動制御の結果が時系列で大きく変動する場合の出力を抑制し、運動制御等の観点から安全に、縮退系等の異なる制御出力へ切り替えることができる。 This makes it possible to select an output having a smaller difference in motion control and higher safety in terms of motion control from among a plurality of control outputs in a multiplex system in consideration of safety.
Therefore, when switching the control output of the automatic driving, the output when the result of the motion control by the automatic driving control information fluctuates largely in time series is suppressed, and from the viewpoint of the motion control etc., different control such as degeneration system etc. safely It can be switched to output.
 以上説明した通り、実施の形態では、
(1)車両100(移動体)の運動を通常制御するための自動運転制御情報L4(第1制御情報)を生成する自動運転制御部12(第1の制御部)と、車両100の運動を非通常制御するための安全運転制御情報L8(第2制御情報)を生成する安全制御部19(第2の制御部)と、自動運転制御情報L4と安全運転制御情報L8の何れか一方を出力する切替部17とを有し、切替部17は、自動運転制御情報L4と安全運転制御情報L8との差分dが所定の閾値dth以下である場合(d≦dth)、安全運転制御情報L8を出力する構成とした。 As described above, in the embodiment,
(1) The automatic driving control unit 12 (first control unit) that generates automatic driving control information L4 (first control information) for normally controlling the motion of the vehicle 100 (moving object), and the motion of the vehicle 100 A safety control unit 19 (second control unit) that generates safe driving control information L8 (second control information) for non-ordinary control and one of automatic driving control information L4 and safe driving control information L8 is output. The switching unit 17 has the safe driving control information L8 when the difference d between the automatic driving control information L4 and the safe driving control information L8 is equal to or less than a predetermined threshold dth (d ≦ dth). It was set as the structure to output.
 このように構成すると、切替部17は、自動運転制御情報L4と安全運転制御情報L8との差分dが十分に小さい場合に、非通常制御のための安全運転制御情報L8を出力する。よって、例えば、切替部17は、車両100の制御システム1の一部に不具合が発生した場合に、複数の機能(自動運転制御部12、安全制御部19)から出力された複数の制御出力(自動運転制御情報L4、安全運転制御情報L8)の中から、より安全性が保たれる制御出力を選択できる。 If comprised in this way, the switching part 17 will output the safe driving control information L8 for abnormal control, when the difference d of the automatic driving control information L4 and the safe driving control information L8 is small enough. Therefore, for example, when a failure occurs in a part of the control system 1 of the vehicle 100, the switching unit 17 outputs a plurality of control outputs (a plurality of functions (automatic driving control unit 12, safety control unit 19)) From the automatic driving control information L4 and the safe driving control information L8), it is possible to select a control output that can further maintain the safety.
 また、切替部17は、自動運転制御情報L4と安全運転制御情報L8との差分dが十分に小さい場合に、安全運転制御情報L8を出力するので、車両100の運動を安全運転制御情報L8に基づいて制御しても、運転者に切り替え時の衝撃等の違和感を与えず、安心、安全に車両100の運動を制御できる。 Further, when the difference d between the automatic driving control information L4 and the safe driving control information L8 is sufficiently small, the switching unit 17 outputs the safe driving control information L8, so the motion of the vehicle 100 can be converted to the safe driving control information L8. Even based on the control, the motion of the vehicle 100 can be controlled safely and safely without giving the driver a sense of incongruity such as an impact at the time of switching.
(2)また、自動運転制御情報L4と安全運転制御情報L8は、経時的な時刻情報(例えば、t0、t1、t2、・・・、tn)を含み、切替部17は、同じ時刻情報(例えば、t1)における自動運転制御情報L4と安全運転制御情報L8との差分d(例えば、距離、速度、加速度、ヨーレート等の差分)が所定の閾値dth以下である場合(d≦dth)、安全運転制御情報L8を出力する構成とした。 (2) Further, the automatic driving control information L4 and the safe driving control information L8 include time information (for example, t0, t1, t2, ..., tn) with time, and the switching unit 17 uses the same time information ((2) For example, when the difference d between the automatic driving control information L4 and the safe driving control information L8 at t1) (for example, the difference between distance, speed, acceleration, and yaw rate) is less than or equal to a predetermined threshold dth (d ≦ dth), safety The operation control information L8 is output.
 このように構成すると、切替部17は、同じ時刻における自動運転制御情報L4と安全運転制御情報L8との差分に基づいて判断することで、同じ基準で判断でき、自動運転制御情報L4と安全運転制御情報L8のどちらを出力するかの判断を適切に行うことができる。 With this configuration, the switching unit 17 can make the determination based on the same reference by judging based on the difference between the automatic driving control information L4 and the safe driving control information L8 at the same time, and the automatic driving control information L4 and the safe driving can be determined. It is possible to appropriately determine which of the control information L8 is to be output.
(3)また、切替部17による差分dとの判断に用いる閾値dthは、差分dの符号の逆転(プラス、マイナス)、又は車両100の運動の限界値(例えば、車両100がスピン、スリップしてしまう運動の限界値)である構成とした。 (3) Further, the threshold dth used to determine the difference d by the switching unit 17 is the reverse (plus or minus) sign of the difference d or the limit value of the motion of the vehicle 100 (for example, the vehicle 100 spins or slips) Limit value of the exercise to be
 このように構成すると、閾値dthを差分dの符号の逆転や、車両100の運動の限界値としても、切替部17による自動運転制御情報L4と安全運転制御情報L8との差分dと閾値dthとの比較を適切に行うことができる結果、車両100の運動の安全性を維持しつつ、運転者への切り替え時の衝撃等の違和感を少なくすることができる。 With this configuration, even if the threshold dth is the reverse of the sign of the difference d or the limit value of the motion of the vehicle 100, the difference d between the automatic driving control information L4 by the switching unit 17 and the safe driving control information L8 and the threshold dth As a result of appropriately performing the comparison of the above, it is possible to reduce the uncomfortable feeling such as the impact at the time of switching to the driver while maintaining the safety of the motion of the vehicle 100.
(4)また、切替部17は、経時的に取得された差分dの全てが所定の閾値dth以下でない場合、差分dが最も小さくなる時刻情報以降では、安全運転制御情報L8を出力する構成とした。 (4) Further, the switching unit 17 is configured to output the safe driving control information L8 after the time information in which the difference d becomes the smallest when all the differences d acquired over time are not less than or equal to the predetermined threshold dth. did.
 このように構成すると、切替部17は、差分dが所定の閾値dth以下とならない場合でも、差分dが最小となる時点で、安全運転制御情報L8を出力するので、運転者の切り替え時の違和感を最小限に抑えつつ、安全運転制御情報L8に基づく車両100の安全運転を確実に行うことができる。 According to this configuration, the switching unit 17 outputs the safe driving control information L8 when the difference d becomes the minimum even when the difference d does not become equal to or smaller than the predetermined threshold dth. Can be reliably performed based on the safe driving control information L8.
(5)また、車両100の運動を制御するための安全運転制御情報L8B(第3制御情報)を生成する安全制御部19B(第3に制御部)を有し、切替部17は、保持制御情報L11(第1制御情報)と安全運転制御情報L8A(第2制御情報)との差分と、保持制御情報L11(第1制御情報)と安全運転制御情報L8B(第3制御情報)との差分とを比較し、保持制御情報L11との差分がより小さくなる方の安全運転制御情報L8Aまたは安全運転制御情報8Bを出力する構成とした。 (5) In addition, the safety control unit 19B (third control unit) that generates safe driving control information L8B (third control information) for controlling the movement of the vehicle 100 is included, and the switching unit 17 holds Difference between information L11 (first control information) and safe driving control information L8A (second control information), difference between holding control information L11 (first control information) and safe driving control information L8B (third control information) And the safe driving control information L8A or the safe driving control information 8B of which the difference with the holding control information L11 is smaller.
 このように構成すると、安全制御部19(所定の制御部)を多重化した場合、最も、差分の小さくなる安全制御部19の制御出力に基づいて、車両100の運動制御を行うことができる。よって、制御部を多重化して安全性を向上させつつ、制御の切り替え時の衝撃(切替段差)をより少なくすることができる結果、運転者への違和感もより少なくすることができる。 According to this configuration, when the safety control unit 19 (predetermined control unit) is multiplexed, motion control of the vehicle 100 can be performed based on the control output of the safety control unit 19 which minimizes the difference. As a result, it is possible to further reduce the impact (switching step) at the time of switching the control while multiplexing the control units to improve the safety, and as a result, it is possible to further reduce the sense of discomfort to the driver.
[第2の実施の形態]
 前述した実施の形態では、制御システム1(1A)は、運動制御部18への制御出力を自動運転制御部12又は安全制御部19で生成する場合を例示して説明したが、制御出力の生成はこれに限定されるものではない。例えば、何れかの制御部の車両100を主機能で運動させる本来の制御プログラムを、縮退機能で運動させる代替プログラムに置き替えても(再配置しても)よい。 Second Embodiment
In the embodiment described above, the control system 1 (1A) exemplifies the case where the control output to the motion control unit 18 is generated by the automatic operation control unit 12 or the safety control unit 19; Is not limited to this. For example, the original control program for moving the vehicle 100 of any control unit with the main function may be replaced (replaced) with an alternative program for moving with the degeneration function.
 以下の第2の実施の形態では、安全制御部19が有する制御プログラムを、代替プログラムで置き替える(再配置する)場合を例示して説明する。この場合、安全制御部19では、置き替えられた代替プログラムに従って、車両100を縮退機能で運動させる制御出力を生成する。 In the following second embodiment, a control program possessed by the safety control unit 19 will be described by exemplifying a case where it is replaced (replaced) with an alternative program. In this case, the safety control unit 19 generates a control output that causes the vehicle 100 to move with the degeneracy function according to the replaced alternative program.
 図12は、第2の実施の形態にかかる制御システム1B全体の機能構成を説明するブロック図である。
 図13は、再構成管理部41の機能構成を説明するブロック図である。
 図14は、再構成実行部42の機能構成を説明するブロック図である。 FIG. 12 is a block diagram for explaining the functional configuration of the entire control system 1B according to the second embodiment.
FIG. 13 is a block diagram for explaining the functional configuration of the reconfiguration management unit 41. As shown in FIG.
FIG. 14 is a block diagram for explaining the functional configuration of the reconfiguration execution unit 42. As shown in FIG.
 図12に示すように、制御システム1Bでは、前述した実施の形態の制御システム1Aの構成に加えて、再構成管理部41と再構成実行部42とを有し、再構成実行部42が、制御システム1Bの故障発生時に制御プログラムを代替プログラムに置き替える(再構成)する点が、前述した実施の形態の制御システム1Aと異なる。
 第2の実施の形態では、再構成された代替プログラムに基づく、縮退機能での車両100の運動制御が、非通常制御に相当する。 As shown in FIG. 12, in addition to the configuration of the control system 1A of the above-described embodiment, the control system 1B includes a reconfiguration management unit 41 and a reconfiguration execution unit 42, and the reconfiguration execution unit 42 It differs from the control system 1A of the embodiment described above in that the control program is replaced with an alternative program (reconfiguration) when a failure occurs in the control system 1B.
In the second embodiment, the motion control of the vehicle 100 with the degeneracy function based on the reconstructed alternative program corresponds to the non-ordinary control.
 実施の形態では、再構成管理部41と再構成実行部42とは、それぞれ異なるECU3(図7参照)に配置されている。例えば、再構成管理部41は、統合認識部11と自動運転制御部12と同じECU3に配置されており(図7参照)、再構成実行部42は、切替部17と運動制御部18と同じECU3に配置されている(図7参照)。 In the embodiment, the reconfiguration management unit 41 and the reconfiguration execution unit 42 are arranged in different ECUs 3 (see FIG. 7). For example, the reconfiguration management unit 41 is disposed in the same ECU 3 as the integrated recognition unit 11 and the automatic driving control unit 12 (see FIG. 7), and the reconfiguration execution unit 42 is the same as the switching unit 17 and the motion control unit 18 It is arrange | positioned at ECU3 (refer FIG. 7).
 これにより、例えば、自動運転制御部12が配置されているECU3に何らかの故障が発生した場合、再構成管理部41が、再構成実行部42の配置されているECU3に代替プログラムを配置することで、故障の発生していないECU3(再構成実行部42の配置されたECU3)において、再構成実行部42による代替プログラムの実行が可能となる。 Thereby, for example, when some failure occurs in the ECU 3 in which the automatic operation control unit 12 is disposed, the reconfiguration management unit 41 arranges the alternative program in the ECU 3 in which the reconfiguration execution unit 42 is disposed. In the ECU 3 in which no failure occurs (the ECU 3 in which the reconfiguration execution unit 42 is disposed), execution of the alternative program by the reconfiguration execution unit 42 becomes possible.
 再構成管理部41は、異常検出部16に接続されており、異常検出部16で検出された異常検出情報L5に基づいて、代替プログラム(縮退機能を実現するプログラム)を準備する。 The reconfiguration management unit 41 is connected to the abnormality detection unit 16, and prepares an alternative program (a program for realizing the degeneration function) based on the abnormality detection information L5 detected by the abnormality detection unit 16.
 図13に示すように、再構成管理部41は、制御状態監視部411と、制御状態判定部412と、情報通知部413と、代替プログラム取得部414と、代替プログラム送信部415と、異常時制御決定部416とを有している。 As shown in FIG. 13, the reconfiguration management unit 41 has a control state monitoring unit 411, a control state determination unit 412, an information notification unit 413, an alternative program acquisition unit 414, an alternative program transmission unit 415, and an abnormality. And a control determination unit 416.
 制御状態監視部411は、自動運転制御部12等から現在の車両100の制御状態を取得し、取得した車両100の制御状態を制御状態判定部412に送信する。 The control state monitoring unit 411 acquires the current control state of the vehicle 100 from the automatic driving control unit 12 or the like, and transmits the acquired control state of the vehicle 100 to the control state determination unit 412.
 制御状態判定部412は、制御状態監視部411から取得した車両100の制御状態に基づいて、何れの制御部(ECU3)にどの代替プログラムを配置するかという再構成の方針を決定する。 Based on the control state of the vehicle 100 acquired from the control state monitoring unit 411, the control state determination unit 412 determines a policy of reconfiguration as to which alternative program is to be arranged in which control unit (ECU 3).
 情報通知部413は、制御状態判定部412で決定された再構成に関する情報を、出力管理部14又は通知管理部15の何れか一方又は両方に通知する。 The information notification unit 413 notifies one or both of the output management unit 14 and the notification management unit 15 of the information related to the reconfiguration determined by the control state determination unit 412.
 代替プログラム取得部414は、代替プログラムを再構成管理部41が配置された何れかのECU3、又はCAN99等の車載ネットワークや通信装置5等を介し、異なる場所の記憶領域(クラウドネットワーク、ROM、HDD、RAMなど)から取得する。 The alternative program acquisition unit 414 is a storage area (cloud network, ROM, HDD) of different places via any ECU 3 in which the reconfiguration management unit 41 is arranged, an in-vehicle network such as CAN 99 or the communication device 5 etc. , RAM, etc.).
 代替プログラム送信部415は、代替プログラム取得部414で取得した代替プログラムを、再構成実行部42に送信する。 The alternative program transmission unit 415 transmits the alternative program acquired by the alternative program acquisition unit 414 to the reconfiguration execution unit 42.
 異常時制御決定部416は、制御システム1Bに何らかの異常が発生した場合、制御出力を後述する異常時制御決定方法に従い決定する。 When a certain abnormality occurs in the control system 1B, the abnormality control determination unit 416 determines the control output according to an abnormality control determination method described later.
 次に、図14に示すように、再構成実行部42は、代替プログラム受信部421と、代替プログラム配置部422と、配置完了通知部423と、再構成指示受信部424と、代替プログラム実行部425とを有する。 Next, as shown in FIG. 14, the reconfiguration execution unit 42 includes an alternative program reception unit 421, an alternative program allocation unit 422, an arrangement completion notification unit 423, a reconfiguration instruction reception unit 424, and an alternative program execution unit. And 425.
 代替プログラム受信部421は、再構成管理部41の代替プログラム送信部415から送信された代替プログラムを受信する。 The alternative program reception unit 421 receives the alternative program transmitted from the alternative program transmission unit 415 of the reconfiguration management unit 41.
 代替プログラム配置部422は、受信した代替プログラムを、再構成実行部42が配置された何れかのECU3の所定の記憶領域(ROM、RAMなど)に配置する。 The alternative program placement unit 422 places the received alternative program in a predetermined storage area (ROM, RAM, etc.) of any one of the ECUs 3 in which the reconfiguration execution unit 42 is placed.
 配置完了通知部423は、代替プログラム配置部422による代替プログラムの所定の記憶領域への配置が完了したことを、再構成管理部41に通知する。 The arrangement completion notifying unit 423 notifies the reconfiguration management unit 41 that the arrangement of the alternative program to the predetermined storage area by the alternative program arranging unit 422 is completed.
 再構成指示受信部424は、再構成管理部41から代替プログラムの受信指示又は実行指示を受け付ける。 The reconfiguration instruction reception unit 424 receives a reception instruction or an execution instruction of the alternative program from the reconfiguration management unit 41.
 代替プログラム実行部425は、所定の記憶領域に配置された代替プログラムを実行する。 The alternative program execution unit 425 executes an alternative program arranged in a predetermined storage area.
 前述した再構成管理部41及び再構成実行部42の内部の各部はそれぞれに通信を行い、必要な情報や指示をやり取りする。また再構成管理部41と再構成実行部42の機能分担については、前述した実施の形態に限ることはなく、例えば、代替プログラムの取得は再構成管理部41でなく再構成実行部42が直接実行してもよい。その場合、再構成管理部41による代替プログラムの送受信処理が不要となり、処理負荷を低減できる。 The respective units in the above-mentioned reconfiguration management unit 41 and reconfiguration execution unit 42 communicate with each other to exchange necessary information and instructions. The allocation of functions between the reconfiguration management unit 41 and the reconfiguration execution unit 42 is not limited to the above embodiment, and, for example, acquisition of an alternative program is not directly performed by the reconfiguration management unit 41 but by the reconfiguration execution unit 42 directly. It may be executed. In that case, the processing of transmitting and receiving the alternative program by the reconfiguration management unit 41 becomes unnecessary, and the processing load can be reduced.
[車両制御状態]
 次に、車両制御状態について説明する。
 車両制御状態とは、車両100の制御システム1Bの制御の状態を示す。例えば、自動運転状態のON/OFF(OFFでは運転者が操作し、システムがアシストを行う、もしくはシステムは制御を行わない)、一般道または高速道を走行、自動駐車中のON/OFF、走行速度(低速、中速、高速)、運転者の状態(運転操作可能または困難)、天候など自動運転が困難な状況(強雨、霧、逆光、地図に無い道等)、などを表す。 [Vehicle control status]
Next, the vehicle control state will be described.
The vehicle control state indicates a control state of the control system 1B of the vehicle 100. For example, ON / OFF of the automatic operation state (when OFF, the driver operates and the system assists or the system does not control), travel on a general road or a highway, ON / OFF during automatic parking, travel Speed (low speed, medium speed, high speed), driver's condition (operable or difficult to drive), situations where automatic driving is difficult such as weather (strong rain, fog, back light, roads not on the map, etc.), etc. are shown.
 制御システム1Bでは、これら車両制御状態に応じて、代替機能が必要なECU3、または機能代替が可能なECU3が変更となる。例えば、自動駐車を行っていない場合には、自動駐車がその機能を実現するために必要となるCPU、ROM、RAM等のリソースが一時的に不要となり、その領域に代替プログラムを配置しておく。また、他の例では、一般道を自動運転中では使用しない統合認識部11や自動運転制御部12のリソースに配置をしておく。 In the control system 1B, the ECU 3 requiring an alternative function or the ECU 3 capable of performing an alternative function is changed according to the vehicle control state. For example, when automatic parking is not performed, resources such as CPU, ROM, and RAM, which are necessary for realizing the function, are temporarily unnecessary, and an alternative program is arranged in that area. . Further, in another example, the general road is allocated to resources of the integrated recognition unit 11 and the automatic operation control unit 12 which are not used during automatic driving.
 車両制御状態及び/又は要求安全レベルに応じて前記代替プログラムや配置ECUを変更することにより、車両制御状態に合わせた最適な代替制御を実行することができる。 By changing the alternative program and the placement ECU according to the vehicle control state and / or the required safety level, it is possible to execute the optimum alternative control in accordance with the vehicle control state.
[再構成処理シーケンス]
 次に、前述した第2の実施の形態における制御システム1Bにおける、再構成処理のシーケンスを説明する。
 図15は、前述した第2の実施の形態における制御システム1Bにおける、再構成処理のシーケンスを説明する図である。 [Reconfiguration processing sequence]
Next, the sequence of the reconfiguration process in the control system 1B in the second embodiment described above will be described.
FIG. 15 is a diagram for explaining the sequence of the reconfiguration process in the control system 1B in the second embodiment described above.
 第2の実施の形態では、ECU3A(例えば、図1に示すCPU3Aに相当)が、代替プログラムによる再構成指示を行う再構成管理部41と、故障が発生する制御部(例:自動運転制御部12)とを有する場合を例示して説明する。
 また、ECU3B(例えば、図1に示すCPU3Bに相当)は、再構成管理部41で再構成された代替プログラムを実行する再構成実行部42を有し、代替制御を実施するECU3B、ECU3Cが通常時にECU3Aから制御を受けている場合を例示して説明する。 In the second embodiment, the ECU 3A (for example, equivalent to the CPU 3A shown in FIG. 1) performs a reconfiguration instruction by the alternative program, a reconfiguration management unit 41, and a control unit where a failure occurs (eg: automatic operation control unit 12) will be described as an example.
Further, the ECU 3B (for example, corresponding to the CPU 3B shown in FIG. 1) has a reconfiguration execution unit 42 that executes the alternative program reconfigured by the reconfiguration management unit 41, and the ECU 3B and ECU 3C that execute alternative control are normally The case where control is received from the ECU 3A will be described as an example.
 通常時の車両100の走行において、ECU3Aは、通常制御を実行するための制御出力をECU3Cに対して出力する(S1301)。またECU3Bも通常時にECU3Cに対して通常制御を実行するための制御出力を出力している(S1302)。 In traveling of the vehicle 100 at the normal time, the ECU 3A outputs a control output for executing the normal control to the ECU 3C (S1301). The ECU 3B also outputs a control output for executing the normal control to the ECU 3C at normal times (S1302).
 その後、車両100が走行を続け、車両制御状態が変更になるなど代替プログラムが変更となった場合、ここではECU3Aの自動運転制御部12がそれを判断し、再構成管理部41に対して、車両制御状態の変更を通知する(S1303)。 After that, when the vehicle 100 continues traveling and the alternative program is changed such that the vehicle control state is changed, here, the automatic driving control unit 12 of the ECU 3A determines that, and instructs the reconfiguration management unit 41 A change of the vehicle control state is notified (S1303).
 ECU3Aにおいて、通知を受けた再構成管理部41は、代替プログラムを自ら取得する。又は、再構成管理部41は、何れかの他のECU3B、3C又はストレージ(HDD等)に対して、代替プログラムを出力するように指示を行う(S1304)。 In the ECU 3A, the reconfiguration management unit 41 notified of itself acquires the alternative program by itself. Alternatively, the reconfiguration management unit 41 instructs the other ECU 3B, 3C or storage (HDD or the like) to output a substitute program (S1304).
 この場合、再構成管理部41による代替プログラムの取得先は、車両100の制御システム1B内部の何れかのECU、もしくはストレージ(HDD等)、又は通信装置5やGW97を介して制御システム1Bの外部装置から取得する。もしくはECU3A内など、機能代行を依頼するECUにあらかじめ保持しておく。 In this case, the acquisition destination of the alternative program by the reconfiguration management unit 41 is any ECU inside the control system 1B of the vehicle 100, or storage (HDD etc.), or the outside of the control system 1B via the communication device 5 or GW97. Acquire from the device. Alternatively, it is held in advance in an ECU that requests functional substitution, such as in the ECU 3A.
 代替プログラムを取得した(S1305)ECU3Aは、故障時に機能代行を行うECU3Bに、再構成管理部41が取得した代替プログラムを送信する(S1306)。代替プログラムを受信したECU3Bは、再構成実行部42により代替プログラムを配置する。また、ECU3Bは、全ての代替プログラムを受信および配置が完了した時点で配置完了の通知を行う(S1307)。ECU3Aは、再構成の管理を行いながら、通常時の制御を継続して実施する(S1308)。 The ECU 3A that has acquired the alternative program (S1305) transmits the alternative program acquired by the reconfiguration management unit 41 to the ECU 3B that performs functional substitution at the time of failure (S1306). The ECU 3B having received the alternative program arranges the alternative program by the reconstruction execution unit 42. In addition, the ECU 3B notifies the completion of the placement when receiving all the substitute programs and completing the placement (S1307). The ECU 3A continues the control at the normal time while managing the reconfiguration (S1308).
 その後、ECU3Aで故障が発生した場合(S1309)、例えば、制御システム1の異常検出部16により当該故障を検出し、ECU3Bに対して故障発生の通知を行う。又は、ECU3Bは通信が途絶したことを契機として、異常を検出する(S1310)。 Thereafter, when a failure occurs in the ECU 3A (S1309), for example, the failure detection unit 16 of the control system 1 detects the failure and notifies the ECU 3B of the occurrence of the failure. Alternatively, the ECU 3B detects an abnormality in response to the interruption of communication (S1310).
 故障を認識したECU3Bは、再構成実行部42で保持していた代替プログラムの実行を開始する(S1311)。その時点で制御を引き継ぎ、ECU3BからECU3Cに対して代替プログラムに基づく制御(非通常制御)を実施する(S1312)。このようにして機能の代替を実施する。 The ECU 3B recognizing the failure starts the execution of the alternative program held by the reconfiguration execution unit 42 (S1311). At that time, the control is taken over, and control (unusual control) based on the alternative program is performed from the ECU 3B to the ECU 3C (S1312). In this way, alternative functions are implemented.
 一方、故障が発生する前に車両制御状態が変更になった場合(S1313)、前記と同様に再構成管理部41が自動運転制御部12などから通知を受け、ECU3Bに対して代替プログラムが不要である情報を含む状態変更通知を行う(S1314)。 On the other hand, if the vehicle control state is changed before the failure occurs (S1313), the reconstruction management unit 41 receives a notification from the automatic driving control unit 12 or the like as described above, and the alternative program is not necessary for the ECU 3B. A state change notification including the information of (1) is issued (S1314).
 ECU3Bは、状態変更通知を受けたことを契機として、再構成実行部42で保持していた代替プログラムを破棄する(S1315)。その後、必要に応じてECU3Bは、通常の制御プログラムに基づく通常時の制御を実施する(S1316)。 The ECU 3B discards the alternative program held by the reconfiguration execution unit 42 in response to receiving the state change notification (S1315). Thereafter, as necessary, the ECU 3B performs control at normal times based on a normal control program (S1316).
 このようにして車両制御状態に応じて代替処理用の代替プログラムをあらかじめECU3Bに配置し、故障が発生した場合には代替プログラムに切り替える。 Thus, the alternative program for alternative processing is arranged in advance in the ECU 3B according to the vehicle control state, and when a failure occurs, the program is switched to the alternative program.
 これら再構成については、例えば安全制御部19の再構成について実施される。これにより、例えば、図9の切替部17による制御フローにおいて、第1制御の出力を自動運転制御情報L4、第2制御の出力を再構成した安全制御部19の安全運転制御情報L8とすることにより、自動運転制御情報L1から安全制御部19の安全運転制御情報L8への切り替えについて、運動情報の差分が小さくなる時点で切り替え、安全性を向上させることができる。 These reconfigurations are implemented, for example, for the reconfiguration of the safety control unit 19. Thus, for example, in the control flow by the switching unit 17 in FIG. 9, the output of the first control is the automatic driving control information L4, and the output of the second control is the safe driving control information L8 of the safety control unit 19 that has been reconfigured. Thereby, the switching from the automatic driving control information L1 to the safe driving control information L8 of the safety control unit 19 can be switched at the time when the difference of the motion information becomes small, and the safety can be improved.
[切替部における制御情報切替処理]
 次に、第2の実施の形態の切替部17の制御情報切替処理を説明する。
 図16は、第2の実施の形態の切替部17の制御情報切替処理のフローチャートである。 [Control information switching process in switching unit]
Next, control information switching processing of the switching unit 17 according to the second embodiment will be described.
FIG. 16 is a flowchart of control information switching processing of the switching unit 17 according to the second embodiment.
 第2の実施の形態の切替部17の制御情報切替処理では、再構成が完了したか否かを判定する再構成完了判定処理(ステップS1401)を有している点が、前述した制御情報切替処理(図6参照)と主に異なる点である。 In the control information switching process of the switching unit 17 according to the second embodiment, the control information switching process described above has a reconfiguration completion determining process (step S1401) for determining whether or not the reconfiguration is completed. This is mainly different from the processing (see FIG. 6).
 ステップS1401において、制御システム1Bの切替部17は、異常検出部16から異常検出の通知を取得した後、再構成(再構成管理部41による代替プログラムの置き替え)が完了しているか否かを判定し、再構成が完了していないと判定した場合(ステップS1401:No)、ステップS1405に進み、再構成した制御出力を使用することができないため、制御情報保持部40から取得した保持制御情報L11を、運動制御部18に出力する。 In step S1401, after the switching unit 17 of the control system 1B acquires the notification of abnormality detection from the abnormality detection unit 16, whether or not reconfiguration (replacement of the alternative program by the reconfiguration management unit 41) is completed or not If it is determined that the reconfiguration is not completed (step S1401: NO), the process proceeds to step S1405, and the reconfigured control output can not be used, and therefore the retention control information acquired from the control information retention unit 40 L11 is output to the motion control unit 18.
 切替部17は、再構成が完了しいると判定した場合(ステップS1401:Yes)、ステップS1402に進み、再構成実行部42から取得した再構成した制御出力と、制御情報保持部40から取得した保持制御情報L11との比較を行い、ステップS1403において、比較結果の差分dが所定の規定値(閾値dth)以下か否かの判定を行う。 If the switching unit 17 determines that the reconfiguration is completed (Yes at Step S1401), the process proceeds to Step S1402, and the reconfigured control output acquired from the reconfiguration execution unit 42 and the acquired control information storage unit 40 The comparison with the holding control information L11 is performed, and in step S1403, it is determined whether the difference d of the comparison result is less than or equal to a predetermined specified value (threshold dth).
 切替部17は、差分dが所定の閾値dth以下であると判定した場合(ステップS1403:Yes)、ステップS1404に進み、再構成された制御出力(車両100の運動を縮退機能で制御するための安全運転制御情報L8)を運動制御部18に出力し、差分dが所定の閾値dth以下でないと判定した場合(ステップS1403:No)、ステップS1405に進み、保持制御情報L11を、運動制御部18に出力する。 If the switching unit 17 determines that the difference d is equal to or less than the predetermined threshold dth (step S1403: YES), the process proceeds to step S1404 and the reconfigured control output (for controlling the motion of the vehicle 100 with the degeneration function) When it is determined that the safe driving control information L8) is output to the motion control unit 18 and the difference d is not less than the predetermined threshold dth (step S1403: No), the process proceeds to step S1405 and the holding control information L11 is transferred to the motion control unit 18 Output to
 以上説明した通り、第2の実施の形態では、
(5)車両100の運動を制御するための代替プログラムを有する再構成管理部41と、再構成実行部42(再構成管理部41と再構成実行部42とを合わせて、本発明の再構成部を構成する)とを有し、安全制御部19は、主機能を発揮する制御プログラムに代えて、再構成実行部42が有する代替プログラムに基づいて、車両100を制御する構成とした。 As described above, in the second embodiment,
(5) The reconstruction management unit 41 having an alternative program for controlling the motion of the vehicle 100, and the reconstruction execution unit 42 (the reconstruction management unit 41 and the reconstruction execution unit 42 are combined to reconstruct the present invention And the safety control unit 19 controls the vehicle 100 based on an alternative program that the reconstruction execution unit 42 has, instead of the control program that exhibits the main function.
 このように構成すると、安全制御部19は、通常の主機能を発揮する制御プログラムに代えて、縮退機能を発揮する代替プログラムで車両100を制御することができるので、自動運転制御部12に何らかの不具合(故障)が発生した場合でも、代替プログラムに基づいて、車両100の安全制御を適切に行うことができる。 With such a configuration, safety control unit 19 can control vehicle 100 with an alternative program that exhibits a degeneracy function instead of the control program that exhibits a normal main function. Even when a failure (failure) occurs, the safety control of the vehicle 100 can be appropriately performed based on the alternative program.
(6)また、切替部17は、安全制御部19が、通常の主機能を発揮する制御プログラムに代えて、代替プログラムを用いて安全制御情報L8(制御出力)を生成する準備が完了していない場合、制御情報保持部40で保持された保持制御情報L11を出力する構成とした。 (6) Further, the switching unit 17 is ready to generate the safety control information L8 (control output) using the alternative program instead of the control program that exerts the normal main function by the safety control unit 19 If not, the holding control information L11 held by the control information holding unit 40 is output.
 このように構成すると、切替部17は、代替プログラムによる制御の準備が完了する前であっても、車両100の制御を停止することなく、適切に行うことができる。 With this configuration, the switching unit 17 can appropriately perform the control of the vehicle 100 without stopping the control even before the preparation of the control by the alternative program is completed.
[第3の実施の形態]
 なお、前述した制御システムにおいて、車両100が緊急状態か否かを判定し、その判定結果に基づいて、切替部17による制御情報切替処理を実行してもよい。 Third Embodiment
In the control system described above, it may be determined whether or not the vehicle 100 is in an emergency state, and the control information switching process by the switching unit 17 may be executed based on the determination result.
 次に、第3の実施の形態にかかる制御システム1Cを説明する。
 図17は、第3の実施の形態にかかる制御システム1C全体の機能構成を説明するブロック図である。
 図18は、第3の実施の形態の制御システム1Cによる車両制御の一例を説明する図である。 Next, a control system 1C according to a third embodiment will be described.
FIG. 17 is a block diagram for explaining the functional configuration of the entire control system 1C according to the third embodiment.
FIG. 18 is a diagram for explaining an example of vehicle control by the control system 1C of the third embodiment.
 制御システム1Cでは、前述した制御システム1Bの構成に加え、車両100の緊急状態を判定する緊急制御部43をさらに有している点が、前述した制御システム1Bと異なる。 The control system 1C differs from the control system 1B described above in that the control system 1C further includes an emergency control unit 43 that determines an emergency state of the vehicle 100 in addition to the configuration of the control system 1B described above.
 緊急制御部43は、複数の検知装置80に接続されており、この検知装置80で検知した車両100の周囲状況L1に基づいて、車両100が緊急状態であるか否かの判定を行う。そして、緊急制御部43は、緊急状態であると判定した場合、車両100の緊急状態を回避するための緊急制御情報L12(例えば、車両100を路肩に寄せながら減速して、路肩で停止させる制御情報)を、切替部17に出力する。 The emergency control unit 43 is connected to a plurality of detection devices 80, and determines whether the vehicle 100 is in an emergency state based on the surrounding situation L1 of the vehicle 100 detected by the detection devices 80. When the emergency control unit 43 determines that the vehicle 100 is in the emergency state, the emergency control information L12 for avoiding the emergency state of the vehicle 100 (for example, control to decelerate the vehicle 100 toward the road shoulder and stop it at the road shoulder) Information) is output to the switching unit 17.
 実施の形態では、緊急制御部43は、360°カメラ87やソナー84等で検知した車両100の周囲状況L1から相対情報を取得し、この相対情報に基づいて車両100が緊急状態か否かを判定する。 In the embodiment, the emergency control unit 43 acquires relative information from the surrounding situation L1 of the vehicle 100 detected by the 360 ° camera 87, the sonar 84 or the like, and based on the relative information, whether the vehicle 100 is in an emergency state or not judge.
 ここで、相対情報とは、外界認識情報のうち、特に検知装置80から取得可能な情報であり、周辺オブジェクトと自車両との相対位置および相対速度、相対加速度、およびそれら値から演算可能な値の何れかの情報の組み合わせである。 Here, relative information is information that can be acquired from the external world recognition information, particularly from the detection device 80, and can be calculated from the relative position and relative velocity between the surrounding object and the vehicle, relative acceleration, and their values. Is any combination of information.
 相対情報の例を図18に示す。ここでは、検知装置80により先行車101を認識している例を示している。 An example of the relative information is shown in FIG. Here, an example in which the preceding vehicle 101 is recognized by the detection device 80 is shown.
 図18の(a)では、前方に先行車101が存在しており、相対位置として距離をla、自車(車両100)の水平右方向を0度とした角度をθa、相対速度をdvaとする。 In (a) of FIG. 18, the preceding vehicle 101 exists in the front, the distance is la as the relative position, the angle with the horizontal right direction of the own vehicle (vehicle 100) as 0 degree is θa, and the relative velocity is dva Do.
 相対速度は、自車(車両100)と先行車101(オブジェクト)が近づく、又は離れる速度を示している。図18の(a)では、自車(車両100)から先行車101への方向と双方の進行方向が同一のため、先行車101と自車の速度の差分で表せる。 The relative speed indicates the speed at which the own vehicle (vehicle 100) and the preceding vehicle 101 (object) approach or leave. In FIG. 18A, since the direction from the host vehicle (vehicle 100) to the leading vehicle 101 and the traveling direction of both are the same, it can be represented by the difference between the speeds of the leading vehicle 101 and the host vehicle.
 図18の(b)では、自車から先行車101への方向と双方の進行方向が同一で無い場合、それぞれの速度を自車から先行車101への方向の直線に射影し、差分を計算することにより、相対速度dvbを求めることができる。ここでは、相対速度が正の場合には自車から先行車101が遠ざかっていることを示し、負の場合には自車に先行車101が近づいていることを示す。図示しないが、相対加速度については相対速度の時間変化であるため、観測した速度の変化から計算することができる。 In (b) of FIG. 18, when the direction from the host vehicle to the leading vehicle 101 and the traveling direction of both are not the same, the respective speeds are projected onto a straight line from the host vehicle to the leading vehicle 101 and the difference is calculated. By doing this, the relative velocity dvb can be determined. Here, when the relative speed is positive, it indicates that the preceding vehicle 101 is moving away from the host vehicle, and when the relative speed is negative, it indicates that the preceding vehicle 101 is approaching the host vehicle. Although not shown, the relative acceleration is a time change of the relative velocity, so it can be calculated from the change of the observed velocity.
 相対位置の表現方法は、相対距離と角度の他に、自車を原点とした座標系で表してもよい。例えば、図18において、自車を原点とし、自車の前後方向をy座標かつ前方を正、左右方向をx座標かつ右を正とし、(rxa、rxy)で表すことができる。 The method of expressing the relative position may be expressed by a coordinate system with the vehicle at the origin as well as the relative distance and angle. For example, in FIG. 18, the vehicle can be represented by (rxa, rxy), with the vehicle as the origin, y-coordinate in the front-rear direction of the vehicle, positive in the forward direction, and x-coordinate in the left-right direction with the right.
[緊急制御]
 次に、相対情報に基づく緊急制御の一例を説明する。
 制御システム1Cの緊急制御部43は、検知装置80から取得する自車(車両100)の状態に基づいて駆動制御情報を作成する。 Emergency control
Next, an example of emergency control based on relative information will be described.
The emergency control unit 43 of the control system 1C creates drive control information based on the state of the host vehicle (vehicle 100) acquired from the detection device 80.
 図18に示すように、自車(車両100)の前方にオブジェクト(先行車101)が存在し、相対情報における相対位置(距離)が一定値を下回った場合には自車に対して減速する制御を行う。そのため、緊急制御部43は、相対情報及び検知装置80から取得した自車の状態を判定し、減速を行うための駆動制御情報を切替部17に対して出力する。 As shown in FIG. 18, when there is an object (preceding vehicle 101) ahead of the own vehicle (vehicle 100) and the relative position (distance) in the relative information falls below a certain value, the vehicle decelerates with respect to the own vehicle Take control. Therefore, the emergency control unit 43 determines the relative information and the state of the vehicle acquired from the detection device 80, and outputs drive control information for performing deceleration to the switching unit 17.
 また、自車と先行車101との相対位置が一定値を上回る場合には、同様にして自車に対して加速の制御を行うための駆動制御情報を出力する。このように、緊急制御部23は、前方の先行車101に対して相対位置が一定量を上回る又は一定量を下回ることの無いように、加速又は減速の制御を行う。 When the relative position between the host vehicle and the preceding vehicle 101 exceeds a certain value, drive control information for controlling acceleration is output to the host vehicle in the same manner. Thus, the emergency control unit 23 controls acceleration or deceleration so that the relative position of the preceding vehicle 101 ahead does not exceed a predetermined amount or falls below a predetermined amount.
 自車の後方に先行車101が存在している場合にも同様に、緊急制御部43は、相対位置が一定量を上回る、又は一定量を下回ることの無いように制御を行う。 Even when the preceding vehicle 101 exists behind the own vehicle, the emergency control unit 43 similarly performs control so that the relative position does not exceed a predetermined amount or falls below a predetermined amount.
 また、相対位置のみでなく、相対速度および相対加速度に基づき判定を行ってもよい。
例えば、前方に先行車101が存在しており、相対位置が同様でも相対速度又は相対加速度により自車に接近する可能性が高い場合には減速の制御を行う。 Also, the determination may be performed based on not only the relative position but also the relative velocity and the relative acceleration.
For example, if there is a preceding vehicle 101 ahead and there is a high possibility of approaching the vehicle due to relative speed or relative acceleration even if the relative position is the same, deceleration control is performed.
 上記判断のためのリスク値の計算式は、リスク値をR、相対距離をdl、相対速度をdv、相対加速度をda、として以下の数式2で表せる。ここでA、B、Cは定数である。 The equation for calculating the risk value for the above judgment can be expressed by the following equation 2 with the risk value R, the relative distance dl, the relative velocity dv, and the relative acceleration da. Here, A, B and C are constants.
Figure JPOXMLDOC01-appb-M000002
Figure JPOXMLDOC01-appb-M000002
 リスク値Rを用いた計算でも相対位置による判定と同様に、リスク値Rが一定量を上回ることの無いように加速又は減速の制御を行う。このように相対速度と相対加速度を用いて判定を行うことにより、同一相対位置でもよりリスクが高い状況(先行車101が自車に接近等)を発生することを抑制し、安全を確保することができる。前述した緊急制御部23による判定及び加減速の制御により、相対情報に基づいた制御が可能となる。 In the calculation using the risk value R, acceleration or deceleration is controlled so that the risk value R does not exceed a certain amount, as in the determination based on the relative position. As described above, by performing determination using relative velocity and relative acceleration, it is possible to suppress the occurrence of a situation (such as the preceding vehicle 101 approaching the host vehicle) having a higher risk even at the same relative position, and secure safety. Can. The control based on the relative information can be performed by the determination by the emergency control unit 23 described above and the control of acceleration / deceleration.
 また、前後に同時に他車両が存在する場合には、相対位置が近い方から離れるように制御を行う。例えば、前方の他車両の方が近接している場合には減速、または後方の他車両の方が近接している場合には加速の制御を行う。
 また、前後方向のみでなく、左右方向についても、相対位置から認識し、他車両が存在していない方向に操舵を行い、例えば、前後方向への衝突を回避する制御を行う。そのための目標ヨーレートについても上記駆動制御情報を含み、緊急制御部43が切替部17に対して出力を行う。 In addition, when another vehicle is present simultaneously at the front and back, control is performed so that the relative position is separated from the near one. For example, deceleration is controlled when another vehicle ahead is closer, or acceleration is controlled when another vehicle behind is closer.
Further, not only in the front-rear direction but also in the left-right direction, it is recognized from the relative position, and steering is performed in the direction in which other vehicles are not present, for example, control to avoid a collision in the front-rear direction. The target yaw rate for that purpose also includes the drive control information, and the emergency control unit 43 outputs the switching unit 17.
<緊急制御を含む切替部の制御情報切替処理>
 次に、第3の実施の形態の切替部17の制御情報切替処理を説明する。
 図19は、第3の実施の形態の切替部17の制御情報切替処理のフローチャートである。 <Control Information Switching Process of Switching Unit Including Emergency Control>
Next, control information switching processing of the switching unit 17 according to the third embodiment will be described.
FIG. 19 is a flowchart of control information switching processing of the switching unit 17 according to the third embodiment.
 ステップS1701において、制御システム1Cの切替部17は、緊急制御部43からの緊急制御情報L12(制御出力)を受信したか否かを判定し、緊急制御部43からの緊急制御情報L12を受信したと判定した場合(ステップS1701:Yes)、ステップS1706に進み、緊急制御部43から受信した緊急制御情報L12を、運動制御部18に出力する。 In step S1701, the switching unit 17 of the control system 1C determines whether or not the emergency control information L12 (control output) from the emergency control unit 43 is received, and receives the emergency control information L12 from the emergency control unit 43. If it is determined (step S1701: YES), the process proceeds to step S1706, and the emergency control information L12 received from the emergency control unit 43 is output to the exercise control unit 18.
 切替部17は、受信した制御出力が、緊急制御部43からの緊急制御情報L12でないと判定した場合には(ステップS1701:No)、ステップS1702に進み、以下第1の実施例の場合と同様に、第1の制御出力と、第2の制御出力を比較する。 If the switching unit 17 determines that the received control output is not the emergency control information L12 from the emergency control unit 43 (step S1701: No), the process proceeds to step S1702, and the same as in the first embodiment. , The first control output and the second control output are compared.
 そして、ステップS1703において、切替部17は、ステップS1702での比較の結果の差分dが、所定の規定値(閾値dth)以下か否かを判定し、所定の規定値(閾値dth)以下であると判定した場合(ステップS1703:Yes)、ステップS1705に進み、第2制御の出力(例えば、安全運転制御情報L8)を、運動制御部18に出力する。 Then, in step S1703, the switching unit 17 determines whether the difference d of the comparison result in step S1702 is less than or equal to a predetermined specified value (threshold dth), and is equal to or less than the predetermined specified value (threshold dth). (Step S1703: Yes), the process proceeds to step S1705, and the output of the second control (for example, safe driving control information L8) is output to the motion control unit 18.
 一方、切替部17は、差分dが所定の規定値(閾値dth)以下でないと判定した場合(ステップS1703:No)、そのままでは、制御の切り替え時の衝撃が大きくなり、制御の切り替えができないので、ステップS1704に進み、第1制御の出力(例えば、保持制御情報L11)を、運動制御部18に出力する。 On the other hand, when the switching unit 17 determines that the difference d is not less than or equal to the predetermined specified value (threshold dth) (step S1703: No), the impact at the switching of the control is increased as it is, and the switching of the control can not be performed. In step S1704, the output of the first control (for example, the holding control information L11) is output to the motion control unit 18.
 このように、制御出力の切り替え時に運動制御の出力を比較して判定する場合でも、周囲の状況が変更になったなど緊急性の高い処理が必要な場合には優先して制御を実施することができる。 As described above, even in the case of comparing and judging the output of the motion control at the time of switching the control output, the control should be preferentially implemented when a highly urgent process is required, such as a change in surrounding conditions. Can.
 なお、前述した実施の形態では、安全制御部19と緊急制御部43を異なる機能ブロックとした場合を例示して説明したが、これらを同じ機能ブロックとし、例えば、安全制御部19の制御出力に、緊急制御である旨の情報を追加しても良い。このように構成すると、機能ブロックの削減と、判定の容易化が可能となる。 In the embodiment described above, the safety control unit 19 and the emergency control unit 43 are illustrated as different functional blocks, but they may be the same functional block, for example, the control output of the safety control unit 19. And information indicating that it is emergency control may be added. With this configuration, it is possible to reduce functional blocks and facilitate determination.
 以上説明した通り、第3の実施の形態では、
(7)車両100の緊急制御を行う緊急制御部43を有し、切替部17は、緊急制御部43で生成された緊急制御情報L12を取得した場合、自動運転制御部12で生成された自動運転制御情報L4、安全制御部19で生成された安全運転制御情報L8、又は制御情報保持部40で保持された保持制御情報L11に代えて、緊急制御情報L12を優先的に出力する構成とした。 As described above, in the third embodiment,
(7) The emergency control unit 43 that performs emergency control of the vehicle 100 is provided, and when the switching unit 17 acquires the emergency control information L12 generated by the emergency control unit 43, the automatic control generated by the automatic operation control unit 12 Instead of the operation control information L4, the safe operation control information L8 generated by the safety control unit 19, or the holding control information L11 held by the control information holding unit 40, the emergency control information L12 is preferentially output. .
 このように構成すると、切替部17は、車両100が緊急状態となった場合、他の制御情報に代えて、車両100の緊急状態を回避するための緊急制御情報L12を出力するので、この緊急制御情報L12に基づいて、車両100の緊急状態の回避を迅速かつ確実に行うことができる。 In this configuration, when the vehicle 100 is in an emergency state, the switching unit 17 outputs emergency control information L12 for avoiding the emergency state of the vehicle 100 instead of the other control information. The emergency state of the vehicle 100 can be avoided quickly and reliably based on the control information L12.
[第4の実施の形態]
 次に、前述した実施の形態の自動運転制御情報に基づく制御、または相対情報に基づく制御から、ユーザによる制御について切り替える(オーバーライドする)場合の一例を説明する。 Fourth Embodiment
Next, an example of switching (overriding) the control by the user from the control based on the automatic driving control information of the above-described embodiment or the control based on the relative information will be described.
 この第4の実施の形態にかかるユーザ入力部13は、ユーザの運転操作の開始動作(例えばペダルを踏む、ステアリングを操作する、自動運転終了のボタンを押す、等)を、入力装置8を介して検出し、切替部17に通知する。切替部17は、ユーザの運転操作の開始動作の通知を受け、後述するユーザ制御切り替え判定処理を行う。 The user input unit 13 according to the fourth embodiment uses the input device 8 to start the driving operation of the user (for example, stepping on a pedal, operating a steering, pushing an automatic driving end button, etc.) Detection, and notifies the switching unit 17 of this. The switching unit 17 receives the notification of the start operation of the driving operation by the user, and performs user control switching determination processing described later.
[ユーザ制御切り替え判定処理]
 次に、第4の実施の形態の切替部17のユーザ制御切り替え判定処理を説明する。
 図20は、第4の実施の形態の切替部17のユーザ制御切り替え判定処理のフローチャートである。 [User control switching judgment processing]
Next, user control switching determination processing of the switching unit 17 according to the fourth embodiment will be described.
FIG. 20 is a flowchart of user control switching determination processing of the switching unit 17 according to the fourth embodiment.
 ステップS1801において、切替部17は、前述した第1の実施の形態の切替部17での制御情報切替処理(ステップS101)と同様に、制御システムによる制御出力(例えば、保持制御情報L11)と、ユーザ操作による制御出力(例えば、ユーザ操作入力)を比較する。
 実施の形態では、制御システムによる制御出力が第1制御の出力に相当し、ユーザ操作による制御出力が第2制御の出力に相当する。 In step S1801, the switching unit 17 outputs the control output (for example, the holding control information L11) by the control system as in the control information switching process (step S101) in the switching unit 17 of the first embodiment described above, The control output (for example, user operation input) by user operation is compared.
In the embodiment, the control output by the control system corresponds to the output of the first control, and the control output by the user operation corresponds to the output of the second control.
 ステップS1802において、切替部17は、ステップS1801での比較の結果の差分dが、所定の規定値(閾値dth)以下であるか否かを判定し、所定の規定値(閾値dth)以下であると判定した場合(ステップS1802:Yes)、制御を安全に切り替えられるため、ステップS1804に進み、ユーザ操作による制御出力を、運動制御部18に出力する。 In step S1802, the switching unit 17 determines whether the difference d of the comparison result in step S1801 is less than or equal to a predetermined specified value (threshold dth), and is equal to or less than the predetermined specified value (threshold dth) When it is determined that (step S1802: Yes), the control can be switched safely, so the process proceeds to step S1804 and the control output by the user operation is output to the exercise control unit 18.
 一方、切替部17は、ステップS1801での比較の結果の差分dが、所定の規定値(閾値dth)以下でないと判定した場合(ステップS1802:No)、そのままでは、制御の切り替え時の衝撃が大きくなる結果、制御を安全に切り替えられないため、ステップS1803に進み、ユーザ操作に切り替えず、そのまま制御システムによる制御出力を、運動制御部18に出力する。 On the other hand, when the switching unit 17 determines that the difference d of the comparison result in step S1801 is not less than or equal to the predetermined specified value (threshold dth) (step S1802: No), the shock at the time of switching the control remains unchanged. As a result, since the control can not be switched safely, the process proceeds to step S1803, and the control output by the control system is output to the motion control unit 18 without switching to the user operation.
 前述したように、ユーザ操作の入力があり制御を切り替える場合、車両100の制御システムによる時系列の操作と、ユーザ操作の入力で運動制御の大幅な違いがあった場合には制御を切り替えないため、不安全な運動制御状態を避け、安全に制御を切り替えることが可能となる。 As described above, when there is a user operation input and control is switched, control is not switched when there is a significant difference between motion control by the time-series operation by the control system of the vehicle 100 and the user operation. It is possible to switch control safely, avoiding an unsafe motion control state.
 また、前述した第4の実施の形態の制御システムにおいても、第3の実施の形態の制御システムと同様に、緊急制御の入力があった場合には、図19に示す通り、第1制御の出力又は第2制御の出力より優先的に緊急制御の出力を優先して実施する。このように構成すると、危険な状況に対しては第1制御の出力又はユーザ操作より優先して緊急制御を実施することが可能となる。 Also in the control system of the fourth embodiment described above, as in the control system of the third embodiment, when there is an input for emergency control, as shown in FIG. Priority is given to the output of emergency control over the output or the output of the second control. With this configuration, it is possible to implement emergency control prior to the output of the first control or user operation for dangerous situations.
 前述したように、車両100の制御システム1において、自動運転の制御出力を切り替える際に、自動運転制御情報による運動制御の結果が時系列で大きく変動する場合の出力を抑制し、運動制御等の観点から安全に、縮退系等の異なる制御出力へ切り替えることが可能となる。 As described above, in the control system 1 of the vehicle 100, when switching the control output of the automatic driving, the output in the case where the result of the motion control by the automatic driving control information fluctuates largely in time series is suppressed. From the viewpoint, it is possible to switch to a different control output such as a degeneration system safely.
 特に、保持制御情報L11から安全運転制御情報L8の出力に切り替える際に、時系列で比較し、安全に制御を切り替えることができる。 In particular, when switching from the holding control information L11 to the output of the safe driving control information L8, the control can be switched safely by comparing in time series.
 また、安全制御出力が再構成された制御出力の場合でも安全に制御を切り替えることができる。 Further, even in the case of the control output in which the safety control output is reconfigured, the control can be switched safely.
 また、安全制御出力として緊急制御の出力があった場合には、緊急制御の出力に対応し、周囲の環境の変化に合わせて安全に制御を切り替えることができる。 In addition, when there is an emergency control output as a safety control output, it is possible to respond to the emergency control output and switch the control safely in accordance with a change in the surrounding environment.
 さらに、運転者の操作入力があった場合でも、故障の発生時など、運動制御が安定している範囲での切り替えを行うことができる。 Furthermore, even when there is a driver's operation input, it is possible to switch within a stable range of motion control, such as when a failure occurs.
 以上説明した通り、第4の実施の形態では、
(8)安全運転制御情報L8は、ユーザ操作による操作制御情報である構成とした。 As described above, in the fourth embodiment,
(8) The safe driving control information L8 is configured to be operation control information by user operation.
 このように構成すると、切替部17は、自動運転制御情報L4に基づく車両100の自動運転中に、ユーザ操作による操作制御情報を受信した場合(オーバーライドした場合)、自動運転制御情報L4とユーザ操作による操作制御情報との差分dが所定の閾値dth以下である場合には、ユーザ操作による操作制御情報を出力するので、オーバーライド時のユーザ操作への切り替えを、スムーズに行うことができる。 With such a configuration, when the switching unit 17 receives operation control information by user operation during automatic driving of the vehicle 100 based on the automatic driving control information L4 (when it is overridden), the automatic driving control information L4 and the user operation are Since the operation control information by the user operation is output when the difference d with the operation control information by the user is equal to or less than the predetermined threshold value dth, the switching to the user operation at the time of overriding can be smoothly performed.
 以上、本発明の実施の形態の一例を説明したが、本発明は、前述した実施の形態を全て組み合わせてもよく、何れか2つ以上の実施の形態を任意に組み合わせても好適である。 As mentioned above, although an example of an embodiment of the present invention was explained, all the embodiments mentioned above may be combined and any two or more embodiments may be combined arbitrarily.
 また、前述した実施の形態では、制御システム1を車両100に適用した場合を例示して説明したが、車両100に限定されるものではなく、前述した制御システム1は、例えば、建設機械、エスカレータ、エレベータ、鉄道、船舶、航空機、ドローンなどの移動体全般に好適に適用することができる。
 特に、有人の移動体(例えば、建設機械、エスカレータ、エレベータ、鉄道、船舶、航空機)の場合には、制御の切り替え時の衝撃が大きくなる場合には、制御の切り替えを行わず、規定値以下となる場合にのみ、制御の切り替えをおこなうようにしたので、運転者や乗員の制御切り替え時の違和感を小さくすることができ、安心、安全に運転することができる。 Moreover, although the case where the control system 1 was applied to the vehicle 100 was illustrated and demonstrated in embodiment mentioned above, it is not limited to the vehicle 100, For example, the control system 1 mentioned above is a construction machine, an escalator, The present invention can be suitably applied to all types of mobile objects such as elevators, railways, ships, aircraft, and drone.
In particular, in the case of a manned mobile body (for example, a construction machine, an escalator, an elevator, a railway, a ship, or an aircraft), the control switching is not performed when the shock at the control switching becomes large, and the specified value or less Since the control switching is performed only in the case of the above, it is possible to reduce the sense of discomfort when switching the control between the driver and the occupant, and it is possible to drive safely and safely.
 また、本発明は、前述した実施の形態の全ての構成を備えているものに限定されるものではなく、前述した実施の形態の構成の一部を、他の実施の形態の構成に置き換えてもよく、また、前述した実施の形態の構成を、他の実施の形態の構成に置き換えてもよい。 Further, the present invention is not limited to the one provided with all the configurations of the above-described embodiment, and a part of the configuration of the above-described embodiment is replaced with the configuration of the other embodiments. Alternatively, the configuration of the above-described embodiment may be replaced with the configuration of another embodiment.
 また、前述した実施の形態の一部の構成について、他の実施の形態の構成に追加、削除、置換をしてもよい。 Further, some configurations of the embodiment described above may be added to, deleted from, or replaced with configurations of other embodiments.
 1:制御システム、11:統合認識部、12:自動運転制御部、13:ユーザ入力部、14:出力管理部、15:通知管理部、16:異常検出部、17:切替部、18:運動制御部、19:安全制御部、2:AD1-ECU、3:VMC-ECU、31:CPU、32:CPU、33:メモリ、4:GW、40:制御情報保持部、41:再構成管理部、42:再構成実行部、43:緊急制御部、5:通信装置、6:他の車両制御システム、7:外部出力装置、8:入力装置、9:報知装置、80:検知装置、81、85:コーナライダ、82:コーナレーダ、83:フロントカメラ、84:ソナー、86:フロントレーダ、87:360°カメラ、90:駆動装置、91:ブレーキ、92:ステアリング、93:ECU、94:EMC、95:ATCU、971:ボディ、972:HMI、973:接続装置、974:情報提供装置 1: control system 11: integrated recognition unit 12: automatic operation control unit 13: user input unit 14: output management unit 15: notification management unit 16: abnormality detection unit 17: switching unit 18: exercise Control unit, 19: Safety control unit, 2: AD1-ECU, 3: VMC-ECU, 31: CPU, 32: CPU, 33: Memory, 4: GW, 40: Control information holding unit, 41: Reconfiguration management unit , 42: reconfiguration execution unit, 43: emergency control unit, 5: communication device, 6: other vehicle control system, 7: external output device, 8: input device, 9: notification device, 80: detection device, 81, 85: corner rider, 82: corner radar, 83: front camera, 84: sonar, 86: front radar, 87: 360 ° camera, 90: drive device, 91: brake, 92: steering, 93: ECU, 94: EMC, 9 : ATCU, 971: Body, 972: HMI, 973: connection device, 974: information providing apparatus

Claims (11)

  1.  移動体の運動を通常制御するための第1制御情報を生成する第1の制御部と、
     前記移動体の運動を非通常制御するための第2制御情報を生成する第2の制御部と、
     前記第1制御情報と前記第2制御情報の何れか一方を出力する切替部とを有し、
     前記切替部は、
     前記第1制御情報と前記第2制御情報との差分が所定の閾値以下である場合、前記第2制御情報を出力する移動体の制御システム。     A first control unit that generates first control information for usually controlling the movement of the moving body;
    A second control unit that generates second control information for unusually controlling the movement of the moving body;
    And a switching unit configured to output one of the first control information and the second control information.
    The switching unit is
    The control system of the mobile which outputs said 2nd control information, when the difference of said 1st control information and said 2nd control information is below a predetermined threshold.
  2.  前記第1制御情報と前記第2制御情報は、経時的な時刻情報を含み、
     前記切替部は、同じ時刻情報における前記第1制御情報と前記第2制御情報との差分が所定の閾値以下である場合、前記第2制御情報を出力する請求項1に記載の移動体の制御システム。     The first control information and the second control information include time information over time.
    The mobile unit control according to claim 1, wherein the switching unit outputs the second control information when a difference between the first control information and the second control information in the same time information is equal to or less than a predetermined threshold. system.
  3.  前記移動体の運動を制御するための代替プログラムを有する再構成部を有し、
     前記第1の制御部と前記第2の制御部とのうち、少なくとも何れか一方は、前記第1の制御部と前記第2の制御部を制御する主機能プログラムに代えて、前記再構成部が有する前記代替プログラムを用いて前記移動体を制御する請求項2に記載の移動体の制御システム。     It has a reconstruction unit having an alternative program for controlling the movement of the moving body,
    At least one of the first control unit and the second control unit is replaced with the main function program for controlling the first control unit and the second control unit, the reconstruction unit The control system of the mobile according to claim 2, wherein the mobile is controlled by using the alternative program that the computer has.
  4.  前記第1の制御部で生成された前記第1制御情報と前記第2の制御部で生成された第2制御情報とのうち、少なくとも何れか一方の制御情報を保持する制御情報保持部を有し、
     前記切替部は、
     前記制御情報保持部で保持された制御情報と、前記代替プログラムに基づいて、前記第1の制御部と前記第2の制御部との少なくとも何れか一方で生成された制御情報との差分が所定の閾値以下である場合、前記代替プログラムに基づいて生成された制御情報を出力する請求項3に記載の移動体の制御システム。     Among the first control information generated by the first control unit and the second control information generated by the second control unit, there is provided a control information holding unit for holding at least one of the control information. And
    The switching unit is
    The difference between the control information held by the control information holding unit and the control information generated by at least one of the first control unit and the second control unit based on the alternative program is predetermined The control system according to claim 3, wherein the control information generated based on the alternative program is output if the threshold value is less than or equal to a threshold value of.
  5.  前記切替部は、前記第1の制御部と前記第2の制御部とのうち、少なくとも何れか一方が、前記主機能プログラムに代えて、前記代替プログラムを用いて前記代替制御情報を生成する準備が完了していない場合、前記制御情報保持部で保持された制御情報を出力する請求項4に記載の移動体の制御システム。 In the switching unit, at least one of the first control unit and the second control unit prepares to generate the substitute control information using the substitute program instead of the main function program. 5. The control system of a mobile unit according to claim 4, wherein the control information held by the control information holding unit is output when the control information is not completed.
  6.  前記移動体の緊急制御を行う緊急制御部を有し、
     前記切替部は、前記緊急制御部で生成された緊急制御情報を取得した場合、前記第1の制御部で生成された第1制御情報、前記第2の制御部で生成された第2制御情報、または前記制御情報保持部で保持された制御情報に代えて、前記緊急制御情報を優先的に出力する請求項5に記載の移動体の制御システム。     It has an emergency control unit that performs emergency control of the mobile unit,
    When the switching unit acquires the emergency control information generated by the emergency control unit, the first control information generated by the first control unit and the second control information generated by the second control unit The control system according to claim 5, wherein the emergency control information is preferentially output instead of the control information held by the control information holding unit.
  7.  前記切替部による差分との判断に用いる前記閾値は、前記差分の符号の逆転、または前記移動体の運動の限界値である請求項4に記載の移動体の制御システム。 The control system according to claim 4, wherein the threshold used to determine the difference by the switching unit is a reversal of a sign of the difference or a limit value of the movement of the moving body.
  8.  前記切替部は、経時的に取得された前記差分の全てが前記所定の閾値以下でない場合、前記差分が最も小さくなる時刻情報以降では、前記第2制御情報を出力する請求項2に記載の移動体の制御システム。 The movement according to claim 2, wherein the switching unit outputs the second control information after time information in which the difference is the smallest, when all of the differences acquired over time are not less than or equal to the predetermined threshold. Body control system.
  9.  前記移動体の運動を制御するための第3制御情報を生成する第3の制御部を有し、
     前記切替部は、
     前記第1制御情報と前記第2制御情報との差分と、前記第1制御情報と前記第3制御情報との差分とを比較し、
     前記第1制御情報との差分がより小さくなる方の前記第2制御情報または前記第3制御情報を出力する請求項8に記載の移動体の制御システム。     It has a third control unit that generates third control information for controlling the movement of the moving body,
    The switching unit is
    Comparing a difference between the first control information and the second control information with a difference between the first control information and the third control information;
    The control system of a mobile according to claim 8, which outputs the second control information or the third control information of which the difference with the first control information is smaller.
  10.  前記第2制御情報は、ユーザ操作による操作制御情報である請求項1に記載の移動体の制御システム。 The control system of a mobile according to claim 1, wherein the second control information is operation control information by user operation.
  11.  移動体の運動を通常制御するための第1制御情報と、前記移動体の運動を非通常制御するための第2制御情報とを取得する制御情報取得ステップと、
     同時刻における前記第1制御情報と前記第2制御情報との差分を算出する差分算出ステップと、
     前記第1制御情報と前記第2制御情報との差分が所定の閾値以下である場合、前記第2制御情報を出力する制御情報出力ステップとを有する移動体の制御方法。     A control information acquisition step of acquiring first control information for usually controlling movement of the moving body, and second control information for unusually controlling movement of the moving body;
    A difference calculating step of calculating a difference between the first control information and the second control information at the same time;
    And a control information output step of outputting the second control information when the difference between the first control information and the second control information is equal to or less than a predetermined threshold value.
PCT/JP2018/032806 2017-09-21 2018-09-05 Control system for mobile body and control method for mobile body WO2019058962A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2017180904A JP6875240B2 (en) 2017-09-21 2017-09-21 Mobile control system and mobile control method
JP2017-180904 2017-09-21

Publications (1)

Publication Number Publication Date
WO2019058962A1 true WO2019058962A1 (en) 2019-03-28

Family

ID=65809714

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/032806 WO2019058962A1 (en) 2017-09-21 2018-09-05 Control system for mobile body and control method for mobile body

Country Status (2)

Country Link
JP (1) JP6875240B2 (en)
WO (1) WO2019058962A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113264063A (en) * 2020-01-30 2021-08-17 本田技研工业株式会社 Vehicle control device, vehicle control method, and computer-readable storage medium storing program

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020008515A1 (en) * 2018-07-03 2020-01-09 三菱電機株式会社 Vehicle control apparatus
JP7057328B2 (en) * 2019-08-28 2022-04-19 本田技研工業株式会社 Vehicle control device and vehicle control method
JP2023028829A (en) * 2021-08-20 2023-03-03 株式会社日立製作所 Controller and method of controlling controller

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2012111286A (en) * 2010-11-22 2012-06-14 Toyota Motor Corp Vehicle behavior controller
JP2013071549A (en) * 2011-09-27 2013-04-22 Honda Motor Co Ltd Vehicle stability assist
JP2015002634A (en) * 2013-06-17 2015-01-05 日本精工株式会社 Motor control device, electric power steering apparatus using the same, and vehicle
JP2016037149A (en) * 2014-08-07 2016-03-22 日立オートモティブシステムズ株式会社 Vehicle control system, and action plan system equipped with the same

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4399987B2 (en) * 2001-01-25 2010-01-20 株式会社デンソー Fail-safe system for vehicle integrated control
JP2017119505A (en) * 2015-12-25 2017-07-06 株式会社デンソー Vehicle control device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2012111286A (en) * 2010-11-22 2012-06-14 Toyota Motor Corp Vehicle behavior controller
JP2013071549A (en) * 2011-09-27 2013-04-22 Honda Motor Co Ltd Vehicle stability assist
JP2015002634A (en) * 2013-06-17 2015-01-05 日本精工株式会社 Motor control device, electric power steering apparatus using the same, and vehicle
JP2016037149A (en) * 2014-08-07 2016-03-22 日立オートモティブシステムズ株式会社 Vehicle control system, and action plan system equipped with the same

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113264063A (en) * 2020-01-30 2021-08-17 本田技研工业株式会社 Vehicle control device, vehicle control method, and computer-readable storage medium storing program

Also Published As

Publication number Publication date
JP6875240B2 (en) 2021-05-19
JP2019055673A (en) 2019-04-11

Similar Documents

Publication Publication Date Title
US11644831B2 (en) Multi-stage operation of autonomous vehicles
US10946867B2 (en) Processing device and vehicle control system
WO2019058962A1 (en) Control system for mobile body and control method for mobile body
US20200017114A1 (en) Independent safety monitoring of an automated driving system
US10890908B2 (en) Vehicle control system and action plan system provided with same
KR101470190B1 (en) Apparatus for processing trouble of autonomous driving system and method thereof
EP4235333A2 (en) Fault-tolerant control of an autonomous vehicle with multiple control lanes
WO2017038289A1 (en) Vehicle control device and vehicle control system
US10571910B2 (en) Vehicle control device
JP6713064B2 (en) Vehicle control device
WO2020066304A1 (en) Vehicle-mounted electronic control system
CN114348020B (en) 5G remote and automatic driving safety redundancy system and control method
US11396301B2 (en) Vehicle control apparatus, vehicle control method, and non-transitory computer-readable storage medium storing program
CN109153393B (en) Vehicle control system
WO2020021859A1 (en) Electronic control device
CN112180911A (en) Method for monitoring a control system of an autonomous vehicle
WO2020158342A1 (en) Vehicle control device and vehicle control system
WO2023201563A1 (en) Control method and apparatus, and means of transportation
WO2016186175A1 (en) Collision avoidance assistance device provided with braking release means, and collision avoidance assistance method
CN111766866A (en) Information processing device and automatic travel control system including the same
JP2019059477A (en) Vehicle control system, and action plan system equipped with the same
WO2022080018A1 (en) Autonomous travel control system
WO2023004759A1 (en) Fault detection method, fault detection apparatus, server, and vehicle
Bijlsma et al. In-vehicle architectures for truck platooning: The challenges to reach SAE automation level 3
WO2020044891A1 (en) Vehicle control device and vehicle control system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18859040

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18859040

Country of ref document: EP

Kind code of ref document: A1