WO2021038826A1

WO2021038826A1 - State transition model constructing device and autonomous system

Info

Publication number: WO2021038826A1
Application number: PCT/JP2019/034098
Authority: WO
Inventors: 昌能西
Original assignee: 株式会社日立製作所
Priority date: 2019-08-30
Filing date: 2019-08-30
Publication date: 2021-03-04

Abstract

Provided are a state transition model constructing device and an autonomous system in which safety is ensured by design and with which it is possible to achieve ease of operation. A state transition model constructing device 02 comprises a spatial division processing unit 0202 which: with respect to a state space in which domains of a system state and an operation environment state are combined, performs spatial division without an overlap on the basis of whether a separation criterion expressing state-to-state homology and heterogeneity is satisfied; allocates, to each state partial closed space obtained by spatial division, binary vector-form symbolized state values combining the truth values of the separation criterion; and associates the transition probability of a pair of state partial closed spaces with a transition relationship between the symbolized state values.

Description

State transition model construction device and autonomous system

The present invention relates to a state transition model construction device and an autonomous system.

An automatic control system passively operates according to pre-programmed control rules in a closed environment designed or envisioned to meet the operating assumptions established at the time of design, in order to achieve the specified operating instructions. is there. On the other hand, an autonomous system is classified by having a function of adapting to an operating environment that changes over time and reconstructing a control method corresponding to a method of achieving its own operating purpose.

The operator of this autonomous system sets operation instructions as appropriate, but in an open operating environment, the operation instructions may not be achieved due to conflicts caused by excessive restrictions. An automatic control system that has fallen into a situation that deviates from the above assumptions of operation cannot detect this conflict by itself, which causes an unintended operation, and the operator has no means to know the cause, so that the operation is incorrect in such a situation. Orders can make things worse.

On the other hand, the autonomous system must at least correctly detect the conflict and reset the operation instruction appropriately so as to resolve the detected conflict. In order to adapt to the changing external environment, the state of the operating environment and the model of the operating environment are dynamically constructed, and the autonomous function of judging and modifying the feasibility of the operating instruction itself is independent of the designer. An automatic control system and an autonomous system are distinguished from each other in terms of whether or not they are performed at runtime.

When realizing the four main functions of the autonomous system represented by the external world recognition system, state estimation of the operating environment, motion determination, and behavior control, not only the internal model of the autonomous system itself, but also the operating environment acquired by the external world recognition system. From the state of, an external model that contributes to subsequent motion determination and behavior control is required.

For example, there is known an automatic control system that classifies work tasks using an image recognition function, selects and executes predetermined operation commands. The operator of this system is responsible for making the necessary assumptions for the performance of subsequent work tasks. For example, there are constraints on the arrangement of external objects to be recognized and the specific execution method of work tasks. These work properly as long as they operate in a closed environment, but if the environment is not prepared to match the assumed assumptions, they will analyze the cause on their own, despite unintended behavior. It cannot be corrected.

Information to be described in the internal and external models used for system control is also unevenly distributed. In particular, while the internal model that describes the dynamics of the internal state of the system and the causal relationship over time regarding the means of action (actuator) that causes it is well known, the external state that characterizes the autonomous system in the operating environment and the autonomous system for the operating environment The means of systematically constructing an external model that describes the causal relationship over time with respect to the action from and the resulting changes in the external state have not been studied.

The external state that characterizes the external environment is predictable in the sense that it changes only within a bounded range in a short period of time, but it has potential indeterminacy in the sense that it cannot deterministically predict changes over time with high accuracy. doing.

Various methods of model-based control have been studied, but the fact that a defect in the model itself, whether internal or external, is a single point of failure at the system level is taken for granted, but this model Specific measures to deal with the error have not been fully considered. If you follow the standard procedure to realize the fault tolerance function, not only FDIR (Fault Detection, Identification, and Recovery) until model error detection, error location identification, and model reconstruction, but also post-reconstruction model verification, In other words, at least a means to confirm that another defect was not mixed in the model that should have been reconstructed is necessary.

However, we are using the model not only for these FDIR functions to deal with the deficiencies of the model itself, but also for the FDIR processing related to normal exception handling. For example, an event in which the measured value of the internal state becomes an abnormal value occurs at a reasonable frequency, but we use a model-based anomaly detection method when it cannot be dealt with by multiplexing / redundancy.

According to the standard state estimation method, a Kalman filter based on the internal model is designed based on the assumption that the bounded disturbance to the measured value follows the assumed stationary process of probability, and the statistical frequency of the degree of deviation is statistical. The internal model and the reference model are used in the form of detecting an abnormality using the threshold value related to the above and describing the threshold value in the reference model as the boundary between the normal / abnormal state. Therefore, if the possibility of a model error cannot be ruled out, it is not possible to distinguish between a measured value abnormality and a model error in principle.

The premise that it is not a model error is considered to be correct, and to that extent, the model error is a single point of failure in the sense that the FDIR process for dealing with the measured value abnormality functions correctly. It is not well known that the FDIR function of a high safety system is built on such a hidden premise.

The internal model, external model, and reference model have been manually designed separately. This is because the internal model and the external model are used for the normal control function to calculate the planned operation that realizes the predetermined operation instruction, and the reference model is used to judge the safety / normality of the planned operation itself. When the inconsistency of the three types of models is latent, the cause cannot be uniquely identified. This point is also not well known. Originally, a given functional requirement should represent the transition between normal states of this model, and a safety requirement should represent the boundary between normal and abnormal states.

Model errors and inconsistencies between models also cause operational mistakes by the operator. The operator who is informed that the operation instruction set in the autonomous system is not feasible due to some conflict can only know the operation instruction or the inconsistency between the three models. It is difficult to uniquely determine the correction of the model error or the alternative operation instruction unless the part considered to be correct and the part with the error are selected from the three types of models.

Engineers who practice model-based control design consider model errors that are latent inside and outside the system to be problems of accuracy (lack of precision), model structure (mismatched model structure), and unsteady disturbance (non-stationary stochastic factor), and parameter. We have dealt with the problem of model conformance, mainly optimization. Therefore, the risk of hazards as described above due to model incompleteness is still latent.

Also, it is not well known that the correctness of the model itself cannot be judged only by the consistency of the model itself. That is, the model error can be correctly determined only by generating an input / output data string using the model and comparing the event predicted based on the model with the event actually observed. However, this point is not well known.

For example, Patent Document 1 discloses a method of constructing a model for model checking by lowering the dimension and assigning an index based on a formal method, but with respect to the deficiency in the process of constructing the model checking model. , The execution result of the model checking is fragile, and it is necessary to comprehensively execute the computer program to be actually checked to ensure the consistency.

Also, it is not well known that not all functional requirements and safety conditions used to judge the correctness of a model are correctly described, and it is difficult to find all deficiencies in a model at the time of design. Those skilled in the art will empirically correct the design by discovering deficiencies and deficiencies in the functional requirements and safety requirements in the process of actually collecting input / output data strings and manually determining normality or abnormality.

Patent Document 2 discloses a method in which the specification of a program that generates an input / output data string is set as a precondition, and the problem of back-estimating the specification from a postcondition that defines correct behavior is reduced to a satisfiability determination problem and solved. ing. Even in this disclosure content, the deficiencies in the functional requirements and safety conditions cannot be found based on the input / output data strings. If the post-condition is inadequate, the pre-condition may not exist, but this cannot be dealt with.

In particular, autonomous systems operating in an open operating environment cannot modify the data collected by the measurement system, so the control system must deal with input values that violate prior conditions, which are considered abnormal inputs at the time of operation. .. Those skilled in the art manually improve the preconditions by checking some input values, but from a practical point of view, this correctly reverses the preconditions only from the given incomplete postconditions. It suggests that it is difficult to do.

In the first place, the above-mentioned three types of models merely arbitrarily reduce the dimension of the operating environment that changes over time, and these cannot be reliably removed by increasing the dimension and refining the model. On the contrary, it causes a polynomial increase in the amount of data required for model representation. Also, internal and external models that contribute to control are essential to infer the future state caused by the planned operation and to argue that it meets certain safety requirements.

At least, the boundedness that includes changes over time and indefiniteness is the information that the model should describe in just proportion. At the same time, it is possible to improve the accuracy of the model in the bounded range and respond to the change over time by using the information that can be collected at the time of operation and confirmed to be time-invariant in the short and medium term. It is reasonable.

Japanese Unexamined Patent Publication No. 2013-45269 JP-A-2015-114988

A means for constructing the internal model of the autonomous system, the external model, and the reference model that characterizes the normal / safe state of the system, and is a normal control function, that is, a control process that realizes a predetermined operation command, and an abnormality occurs. There is a need for a model construction means that can naturally perform the FDIR processing.

The control rules for autonomous systems have also been designed separately from these three patchwork relationships, so defects due to imperfections in each model and the correctly designed control rules are not between models. It is not possible to distinguish it from a defect caused by matching. This inconsistency is detected as a conflict when determining the feasibility of an operation instruction.

Operators involved in the operation of this autonomous system must reset the correct control instructions in the face of these imperfections, but it is difficult to maintain the ease of operation that can cope with the complex and large scale of the system. .. Therefore, the control function of the autonomous system itself is a control means that handles the complexity related to hazard risk, that is, is consistent with the FDIR function of detecting the conflict and dealing with the model deficiency, particularly the inter-model inconsistency. is necessary.

The present invention has been made in view of the above problems, and an object of the present invention is to provide a state transition model construction device and an autonomous system that can realize operability while ensuring safety by design.

In order to solve the above problem, the state transition model construction device according to one viewpoint of the present invention provides homogeneity and heterogeneity between states with respect to the state space in which the definition areas of the state of the system and the state of the operating environment are merged. Spatial division is performed without duplication based on whether the expressed separation criteria are satisfied, and the symbolized state values in binary vector format are obtained by merging the truth values of the separation criteria for each state partially closed space obtained by the spatial division. It has a space division processing unit that associates the transition possibility of a pair of allocation and state partial closed spaces with the transition relationship between symbolized state values.

According to the present invention, it is possible to realize a state transition model construction device and an autonomous system that can realize operability while ensuring safety by design.

It is a figure which shows an example of the state space which was space-divided by the state transition model construction apparatus which concerns on Example 1. FIG. It is a figure which shows the schematic structure of the state transition model construction apparatus which concerns on Example 1. FIG. It is a figure which shows an example of the transition source symbol state value, the transition destination symbol state value, the constraint condition about the transition relation, and the separation standard generated by the state transition model construction apparatus which concerns on Example 1. FIG. It is a figure which shows an example of the symbolized state value conversion part of the state transition model construction apparatus which concerns on Example 1. FIG. It is a figure which shows an example of the symbolized state value list used for the state transition model construction apparatus which concerns on Example 1. FIG. It is a figure which shows an example of the function used in the state transition model construction apparatus which concerns on Example 1. FIG. It is a figure which shows another example of the function used in the state transition model construction apparatus which concerns on Example 1. FIG. It is a flowchart which shows an example of the operation of the symbolization state value conversion part which concerns on Example 1. FIG. It is a figure which shows the schematic structure of the planned operation train generation part which constitutes the autonomous system which concerns on Example 1. FIG. It is a figure which shows an example of the operation of the planned operation sequence calculation part which constitutes the autonomous system which concerns on Example 1. FIG. It is a figure which shows the schematic structure of the model consistency monitoring part which comprises the autonomous system which concerns on Example 1. FIG. It is a figure which shows an example of the operation of the symbolized state value collation part which constitutes the autonomous system which concerns on Example 1. FIG. It is a figure which shows the schematic structure of the autonomous system which concerns on Example 1. FIG. It is a figure which shows an example of the model to which the state transition model construction apparatus which concerns on Example 2 is applied. It is a figure which shows an example of the space division by the state transition model construction apparatus which concerns on Example 2. FIG. It is a figure which shows an example of the binary vector conversion part of the state transition model construction apparatus which concerns on Example 2. FIG. It is a figure which shows another example of space division by the state transition model construction apparatus which concerns on Example 2. FIG. It is a figure which shows another example of the binary vector conversion part of the state transition model construction apparatus which concerns on Example 2. FIG. It is a figure which shows another example of space division by the state transition model construction apparatus which concerns on Example 2. FIG. It is a figure which shows the model building part for the lidar data string which is another example of the state transition model building apparatus which concerns on Example 2. FIG. It is a flowchart which shows an example of the operation of the model construction part for lidar data string of the state transition model construction apparatus which concerns on Example 2. FIG. It is a figure for demonstrating the operation procedure of the space division processing part of the model construction part for lidar data string which concerns on Example 2. FIG. It is a figure which shows still another example of space division by the state transition model construction apparatus which concerns on Example 2. FIG. It is a figure which shows the model building part for a camera data string which is still another example of the state transition model building apparatus which concerns on Example 2. FIG. It is a figure which showed the space division by the state transition model construction apparatus which concerns on Example 2 collectively. It is a figure which shows the correspondence relation of each component of the symbolized state value by the state transition model construction apparatus which concerns on Example 2. FIG. It is a figure which shows an example of the symbolized state value conversion part of the state transition model construction apparatus which concerns on Example 2. FIG. It is a figure which shows the schematic structure of the planned operation train generation part which comprises the autonomous system which concerns on Example 2. FIG. It is a figure which shows an example of the undecided variable group received by the constraint expression solver of the autonomous system which concerns on Example 2, and the list of the constraint expression for it. It is a figure which shows another example of the model to which the state transition model construction apparatus which concerns on Example 2 is applied.

Hereinafter, embodiments of the present invention will be described with reference to the drawings. It should be noted that the embodiments described below do not limit the invention according to the claims, and all of the elements and combinations thereof described in the embodiments are indispensable for the means for solving the invention. Is not always.

The state transition model construction device and the autonomous system of this embodiment have the following configurations as an example.

The state transition model construction device of this embodiment spatially divides the state space to which the state value vector that merges the internal state and the external state of the autonomous system belongs, and determines the homogeneity and heterogeneity between the state value vectors. A method is used in which the reference is decomposed into a state partial closed space group so as to be a separation surface that characterizes each state partial closed space. It is preferable to use operating assumptions, safety requirements, and functional requirements as separation criteria for distinguishing homogeneity and heterogeneity between the state vectors. A symbolized state value, which is a binary vector, is calculated based on whether or not each requirement is satisfied so that two state partially closed spaces having different symbolized state values are separated. If there is a sample list of state value vectors, a space division method is used in which label values are assigned and state partially closed spaces with different label values are separated.

Furthermore, a model is constructed by a discrete state transition model representation that limits the transition relationship, using the criteria for the transition possibility of the partially closed space. Similarly, operating assumptions, safety requirements, and functional requirements should be used as the criteria.

When the space is divided into N state partially closed spaces, the transition relationship is N * (N-1) path. The classification of this transition relationship conforms to the division standard of the state partially closed space.

First, register the transition relationship of the state partially closed space pair specified by the functional requirements. When the number N of the state partially closed spaces becomes large, manual registration is difficult, so it is better to collect the actual operation log and automatically register the route in which the transition relationship is observed. Note that this spatial division must be done during operation if the separation criterion takes a dynamically acquired external state value as an argument.

The transition between the state partially closed space that does not satisfy the operating premise and the state partially closed space that satisfies the operating premise is a violation of the operating premise, and it is excluded because it is considered that it will not actually occur.

When this transition is actually observed, the system must be stopped or recovered. This determination process is an FDIR function for violations of operating assumptions.

After the occurrence, by updating the spatial division standard corresponding to the premise at the time of operation, it corresponds to the FDIR function for the defect of the model itself. This may be done at runtime, but it is uncertain due to the lack of legitimacy of the control action of pulling back to a partially closed space that meets the assumptions.

The transition from a partially closed space that meets the safety requirements to a partially closed space that does not meet the safety requirements is regarded as an unsafe control operation and excluded.

When this transition is actually observed, it can be detected correctly if it is an operator operation error. When the operator sets the control instructions to meet the safety requirements, it appears that unintended unsafe control has been performed. Switching from the state partially closed space of the transition destination to the recovery control command for returning to the state partially closed space satisfying the safety requirement corresponds to the FDIR function.

After the occurrence, the log of the actual state value vector and the state value vector string belonging to the internal transition source state partially closed space of the existing operation log are spatially divided. This corresponds to the FDIR function that addresses the deficiencies in the spatial division of the model.

At this time, it is determined whether or not there is at least one recovery processing path corresponding to the transition from the state subspace that satisfies the operating premise but does not satisfy the safety requirement to the state subspace that satisfies the safety requirement. Transition source state partially closed spaces that do not exist are excluded from the state partially closed space group that meets the safety requirements.

The accuracy of the model can be further improved by classifying the operation data of the actual system for each state partially closed space and identifying the bounded partially closed space when the localization of the state vector is found. In many cases. This corresponds to the same problem as normal system identification, but it is a low-dimensional method that guarantees the boundedness of the operating environment that changes over time, and can be dynamically updated.

The above state transition model construction procedure by the state transition model construction device is understood as a forward conversion process for constructing a discrete state transition model from operation assumptions, functional requirements, safety requirements, and operation data groups. Autonomous system control function This is equivalent to back-calculating the control input that performs this inverse conversion and generates operating data that meets the operating assumptions, functional requirements, and safety requirements.

The state value vector is reduced in dimension from the viewpoint of which state partially closed space it belongs to, and the representation of the dynamic behavior of the system is reduced in the transition sequence between the state partially closed spaces. Therefore, the operator may express the operation instruction by setting the constraint condition for this transition sequence. A satisfiability problem (SAT: satisfiability problem) or a constraint satisfaction problem (CSP: CSP:) with the original state value vector sequence as an undecided variable and the separation surface of the state partially closed space that is a component of the transition sequence as a constraint condition. It is reduced to Constraint satisfaction problem), and the satisfied solution of the control input value which is a part of the internal state value in the state value vector becomes the inverse calculation solution.

If this SAT / CSP is unsatisfactory, there are two.

First, there is no transition sequence between state partially closed spaces that satisfies the operation instruction. Detecting this as an illegal command is an FDIR function for operator setting mistakes.

The second is the case where the SAT / CSP satisfying solution does not exist even though the transition sequence exists. If the operation instruction is complete, this is a model error. When there is no satisfying solution, the matching constraint pair can be analyzed, so that the factors that cause the model error can be limited, and this is the FDIR function for the model error.

FIG. 1 is a diagram showing an example of a state space spatially divided by the state transition model construction device according to the first embodiment. More specifically, FIG. 1 shows an example in which state space division is performed using operating assumptions, safety requirements, and functional requirements as separation criteria.

For convenience of notation, the state value vector is described as being two-dimensional, but in reality, the state value vector that combines the internal state and the external state is generally high-dimensional and cannot be visualized by lowering the dimension. However, the function of lowering the high-dimensional state value vector to the low-dimensional symbolized state value by dividing it into partially closed spaces that do not overlap each other and specifying the partially closed space to which the obtained state value vector belongs. In other words, the state value expression in the model is realized.

Also, in such a high-dimensional state vector value space, it may be difficult to explicitly describe all separation criteria analytically. Therefore, it is useful to use a method of spatially dividing using only the simplified criteria of homogeneity and heterogeneity of sampled state value vector pairs, and a method of automatically calculating the separation criteria.

FIG. 2A is a diagram showing a schematic configuration of the state transition model construction device according to the first embodiment.

The state transition model construction device (hereinafter, may be referred to as a model construction unit) 02 of this embodiment is composed of a device capable of various information processing, for example, an information processing device such as a computer. The information processing device has an arithmetic element, a storage medium, and a communication interface, and further has an input device such as a mouse and a keyboard, and a display device such as a display.

The arithmetic element is, for example, a CPU (Central Processing Unit), an FPGA (Field-Programmable Gate Array), or the like. The storage medium includes, for example, a magnetic storage medium such as an HDD (Hard Disk Drive), a semiconductor storage medium such as a RAM (Random Access Memory), a ROM (Read Only Memory), and an SSD (Solid State Drive). Further, a combination of an optical disk such as a DVD (Digital Versatile Disk) and an optical disk drive is also used as a storage medium. In addition, a known storage medium such as a magnetic tape medium is also used as the storage medium.

Programs such as firmware are stored in the storage medium. At the start of operation of the model building unit 02 (for example, when the power is turned on), a program such as firmware is read from this storage medium and executed to perform overall control of the model building unit 02. In addition to the program, the storage medium stores data and the like required for each process of the model construction unit 02.

Alternatively, the model construction unit 02 of this embodiment may be configured by a so-called cloud in which the information processing device is configured to be able to communicate via a communication network.

The model construction unit 02 of this embodiment has a binary vector conversion unit 0201 and a space division processing unit 0202. The separation reference and the state value vector group are input to the binary vector conversion unit 0201. The binary vector conversion unit 0201 converts these into binary vectors and outputs them to the space division processing unit 0202. The space division processing unit 0202 generates and outputs a symbolized state value list (LISTSymbol) and a symbolized state transition list (ListTrans) from the input binary vector based on the spatially divided state space.

The process of converting into a binary vector by the binary vector conversion unit 0201 using the separation standard is natural, but the method of spatial division by the spatial division processing unit 0202 is various. Since we cannot collect all state value vectors densely, a spatial partitioning method that preserves the global structure from a small number of sample state value vector sequences is desirable.

In the field of computer geometry, there are methods such as Voronoi division, which divides into two parts with the nearest neighbor, and automatic space division, such as KD (k-dimensional) tree and BSP (Binary Space Partitioning). The method is known. Although many spatial division methods applicable to high-dimensional objects are known, the method using the Euclidean coordinate system as the basis of the state value vector causes an exponential increase in the amount of representation data. This is known as a phenomenon called curse of high dimensionity. It is also known that a method of defining a global coordinate system and a distance function in a high-dimensional space, for example, the Euclidean coordinate system and a distance function such as an L1 or L2 norm, also causes complication of a divided partially closed space. This problem is also known as the fact that k-d trees are not suitable for spatial division for high-dimensional data.

The state value vectors of different symbolized state values do not have to be limited to a specific method as long as the requirements for space division that they belong to different state subspaces are satisfied, but the amount of calculation required for the space division method is different. .. What is expected from the implementation point of view regarding the above spatial division method is that the accuracy of the model is improved by gradually adding more separation criteria. Since the initial separation criteria are incomplete, it is desirable to reduce the amount of data representing the model and the amount of calculation associated with the update process during the addition process.

However, the BSP tree has a problem of lacking flexibility in the sense that a large amount of data structure update occurs for local spatial division.

On the other hand, a spatial division method that calculates a binary vectorized symbolized state value from a sample state value and uses it, such as Voronoi division, overcomes this problem. In particular, the dimension becomes higher and the nearest neighbor point increases in proportion to the number of dimensions of the state value vector, but it is limited to updating the local data structure. In addition, thanks to the locality of this update range, there is a great effect that a parallel computer can handle a large number of state value vectors that are not close to each other and a plurality of separation criteria that do not overlap with each other.

As shown in FIG. 1, a symbolized state value (ListSymbol) is assigned to each state partially closed space. For example, in FIG. 1, a symbolized state value 1 is assigned to the state partially closed space S1. Furthermore, by adding the transition relationship (ListTrans) between the symbolized state values, the constraint conditions related to the transition source symbol state value, the transition destination symbol state value, and the transition relationship, and their rationale, as shown in FIG. 2B, can be obtained. It is possible to obtain a discrete state state machine representation associated with the separation criteria. In FIG. 1, the transition relationship between the symbolized state values is indicated by arrows, for example, that the symbolized state value 1 can transition to the symbolized state value 3. The transition relationship between the symbolized state value and the symbolized state value shown in FIG. 1 is an example, and not all the symbolized state values and transition relationships shown in FIG. 2B are shown in FIG.

Note that a higher dimensional state value vector is originally assigned to the symbol value of the binary vector based on whether or not the constraint condition for the state value vector is satisfied.

Functional requirements can also be formalized by binarizing the constraint equations described as separation criteria B0 to B4 as the separation criteria between the state value vectors. For example, the symbolized state value 1 and the symbolized state value 3 are divided according to the separation criterion B3. The functional requirement associated with the separation standard B3 is formalized as a function of transitioning from the separation standard B3 (state value vector) = FALSE to the separation standard B3 (state value vector) = TRUE.

Generally, LTL (Linear Temporal Logic) and other formal description methods are known for the transition relationship between discrete state values. A method for formalizing an operation and control problem using LTL or the like with a constraint format as an argument is disclosed in, for example, Japanese Patent No. 6435351 and Japanese Patent No. 61419664.

The features of this data-driven gradual model construction / update method are not only the encoding method itself, but also the consistency check between the initial stage of model construction and the actual data, and the assumption of whether or not the symbolized state value list can be generated. This is a good point for measuring coverage when measuring validity.

In particular, it is possible to comprehensively identify the partially closed space in a state where the actual operation data is not supported even though it can be satisfied on the model and can occur. In addition, since the sample state vector value of the state partially closed space can be automatically calculated using a SAT / CSP solver or the like, the validity of each separation standard can be understood by the engineer in charge of the model validity test. Gender can be confirmed individually. Spatial division processing can be performed in the same way using a new state value vector backed by an operation log, and the model can be refined by adding a new separation standard. Since the operation log cannot be supported for all transition paths, the limit of the model validity test using the operation log can be dealt with.

It is especially important for the test engineer to identify the characteristics of the modeled object, the validity of the operating assumptions, and the transition path that does not actually occur based on them. Constrained conditions related to time series continuity, such as one component of the state value vector acquired from a specific sensor measurement value changing only continuously, also form part of the operating premise. For the abnormal value output due to sensor failure, the failure mode is added to the state value vector as a truth value, and the constraint condition that multiple failures do not occur is used as a premise during operation.

This section exemplifies the separation criteria and model construction method used for space division by the space division processing unit 0202.

The operating premise is formalized as a constraint condition for the state value vector. This defines the maximum partially closed space A in the state space in FIG. 1, which is a state partially closed space and is considered to actually occur including an abnormal time.

The safety requirement is also formalized as a constraint condition for the state value vector. This is the partially closed space B of the maximum partially closed space A in FIG. 1, and defines the separation surface from the complement. That is, it is an abnormal state vector that can actually occur, and is used to distinguish the normal / safe state of the reference model from the other state subspaces. This corresponds to the reference model.

Normally, the partially closed space B is designed to be a subset of the partially closed space A. However, the operating premise is used only to specify the assumed operating conditions of the system, and a situation that does not satisfy this can occur in the real world. Therefore, NOT (partially closed space A) && (partially closed space B) ) Is not always an empty set. FIG. 1 is described to emphasize this point.

Similarly, functional requirements are formalized as constraint conditions for state value vectors. In particular, it is a criterion used when the partially closed space A that satisfies the safety requirement is spatially divided, and defines a separation surface that is functionally different and is divided into the state partially closed space group C. Since the safety requirement includes a process of returning to the safe / normal state when the normal / safe state is deviated, the partially closed space C becomes a subset of the partially closed space B.

Formatting in this way eliminates the need to distinguish between the internal state and the external state that make up the state value vector. Of the internal states, only the control variables are undecided variables that can be set arbitrarily by themselves, and the other undecided variables transition according to the dynamics designed by the system. The external state is passively set.

Similarly, there is no need to distinguish between the internal model and the external model in terms of expression format. The internal model and the external model are unified into a model representation in which the state partially closed space A is spatially divided with the safety requirement and the functional requirement as separation criteria. This can be understood as a discrete state transition model that constrains the transition relationship between the subsets of the spatially divided state partially closed space C.

If the state subspace C is spatially divided as described above, it is natural that the dynamics of the internal state is formalized as a constraint condition regarding the transition path of the time-series state value vector. Since each state partially closed space is bounded, the state partially closed space to which it belongs is uniquely determined even if the state value vector at each time point has some indefiniteness or changes over time. This corresponds to a kind of model lowering.

The dynamics of the external state can also be formalized as a constraint condition regarding the transition path of the time-series state value vector if some assumption premise that contributes to the bounded setting of the change over time of the external state can be given.

Note that the processing by the model construction unit 02 of this embodiment can be either offline processing or runtime processing.

It is easy to understand that the process of lowering the dimension of such a state value vector is associated with the encoding process in signal processing. When a non-fixed-length, time-series, high-dimensional state value vector belongs to one state partially closed space, the encoding process, which assigns a symbol with a smaller number of bits as an information representation, corresponds to the model construction process. ..

FIG. 3 is a diagram showing an example of the symbolized state value conversion unit 03 of the state transition model construction device 02 according to the first embodiment. The symbolized state value conversion unit 03 shown in FIG. 3 forms a part of the state transition model construction device 02.

In FIG. 3, the state value vector sequences 0300 and Y = {y [k] | 0 <= k <T} sampled in real time are associated with the state partially closed space group obtained by the above-mentioned space division. The symbolization state value conversion unit 03 that performs the encoding process for converting to the symbolization state value string 0305 and Z = {z [k] | 0 <k <T} is shown. Further, the processing in the symbolization state value conversion unit 03 shown in FIG. 3 is summarized in FIG.

The symbolized state value list (ListSymbol) 0302 and the transition relationship list (ListTrans) 0305 between the symbolized state values are composed of the transition source / transition destination symbolized state values in FIG. 2B.

The symbolized state value calculation unit 0301 decomposes the state value vector sequence Y into the partial state value vector sequence w [k]. This corresponds to step S0601 in FIG.

This w [k] = {{y [t] | p [k] <= t <p [k + 1]} | 0 <= p [k] <p [k + 1] <T} is an individual Divide so that it belongs to the single state partially closed space indicated by the symbolized state value pointed by the binary vectorized based on whether the separation criterion is satisfied, and assign the corresponding symbolized state value, Z [k = 0] = s0. ..

This time-series data division process is performed by the symbolization state value registration determination unit 0303, but the fact that the symbolization state value list ListSymbol is constructed on the premise that all the separation criteria are completely aligned is especially in the initial stage of model construction. It is rare. Therefore, this happens when the corresponding state partially closed space is not registered due to the incomplete initial separation criteria.

At this time, the symbolization state value registration determination unit 0303 notifies the symbolization state value list generation unit 0304 of the new symbolization state value v. The symbolized state value list generation unit 0304 acquires the symbolized state value list ListSymbol by reference and performs an update process (step S0603). After that, the registration notification is sent to the symbolization state value registration determination unit 0303. This new symbolization state value v is added to the new symbolization state value z [k]. This registration determination / new symbol value vector generation process is performed for all the state value vector columns Y until the determination conditions in step S0604 are no longer satisfied, and the symbolized state value sequence z [k] is symbolized in step S0605. After passing it to the state value conversion unit 03, it is output from the symbolized state value conversion unit 03.

There are other sources of imperfections in the early separation criteria. For example, when it is found in the process of high load test that the operating assumptions are set too conservatively and cannot be satisfied in the real world to be modeled. In this case, the symbolization state value list generation unit 0304 takes the state value vector shown in FIG. 2A as an argument, determines the truth value of each separation criterion, and converts it into a binary vector to obtain a new symbolization. The state value v is calculated (step S0602). When it is determined that there is no corresponding entry in the symbolized state place list ListSymbol, the process of registering this new symbolized state value v (step S0603) is performed.

At the time of design, the separation standard may not be set. In the case of an autonomous mobile that operates in an open environment, new separation criteria must be dynamically added / deleted with the external state value as an argument. In this case, a separation criterion for cutting out an inaccessible prohibited area occupied by an obstacle or a field object is dynamically generated using an external state value obtained from the outside world recognition unit. Spatial division and symbolization state value allocation using the dynamically generated separation criteria must be performed during operation.

Also, if there are X separation criteria, theoretically there can be 2 ^ X symbolized state values, but it is not necessary to explicitly store these as a table in memory. This problem arises as long as the ListSymbol data representation is implemented by a simple list, or a binary tree for ease of retrieval, or any other means that explicitly preserves the data structure.

In order not to cause an exponential increase in the amount of memory required for such data representation, it is preferable to use a contracted representation in the CNF format used as input data to the SAT solver. When there is a list of four symbolized state values having a length of 3 bits as shown in FIG. 4, a binary function called ListSymbocFunc is constructed by using the logical sum of the registered symbolized state values as shown in FIG. 5A. The satisfiability determination problem of the logical expression ListSymbolFunc (v) with the symbolized state value v as an argument is solved, and the presence or absence of registration is determined. If the symbolized state value v has already been registered, it can be satisfied and becomes the evaluation value TRUE of ListSymbolFunc (v), and if it is not registered, it becomes FALSE.

As shown in FIG. 5B, similarly, regarding the symbolization state transition relationship, the satisfiability determination problem of ListTransFunc (transition source symbolization state value, transition destination symbolization state value) is solved, and the presence or absence of registration is determined. The logical product of the pair of the transition source symbolized state value and the transition destination symbolized state value that are in a transitionable relationship is taken, and the logical sum of these pairs is taken to construct ListTrans (p, q). Similarly, the problem of acquiring the transition destination symbolization state value q when the transition source symbolization state value p is set may be solved by solving the satisfiability determination problem of calculating the satisfiability solution of q given p.

According to FIG. 4, since the symbolized state value v is a binary vector, the logical sum of the binary vector representations P [0] to P [3] of the components of each symbolized state value list ListSymbol is taken, and this is logically reduced. Use the contracted logical expression. If the SymbolList is held with such a structure, the exponential increase as described above can be avoided although the calculation amount at the time of determination is used as a consideration.

When updating to a new symbolized state value by the symbolized state value list generation unit 0304, it may be replaced with the one obtained by ORing with the existing ListSymbolFunc (step S0603).

Next, an autonomous system using the state transition model constructed by the state transition model construction device 02 shown in FIGS. 1 to 6 will be described.

FIG. 7 is a diagram showing a schematic configuration of the planned operation sequence generation unit 07 constituting the autonomous system 11 according to the first embodiment, and FIG. 8 is an operation of the planned operation sequence calculation unit 0701 constituting the autonomous system 11 according to the first embodiment. It is a figure which shows an example.

The normal control function and the operation instruction that is its argument may be specified as a constraint condition regarding the transition path between the symbolized state values. The symbolization control instruction sequence C in FIG. 7 is used.

In the symbolized state value list ListSymbol, a group of symbolized state values described in the model that are supposed to actually occur is registered. Therefore, at least one of the transition source symbolization state value c [k] and the transition destination symbolization state value c [k + 1] of the transition path c [k]-> c [k] specified by the symbolization control instruction is ListSymbol. If it is not registered in, it turns out that the control command is invalid.

For this, the truth value of ListSymbol (c [k]) or ListSymbol (c [k + 1]) may be determined (step S0801). If it is FALSE and it is not registered, the error information that the control instruction is invalid is registered in the error factor E (step S0802), this is output, and the process ends.

Similarly, in the symbolized state transition list ListTrans, the state transition path that is described in the model and that actually occurs is registered. The truth value of ListTransFunc (c [k]-> c [k + 1]) is determined (step S0803), and if it is FALSE, the error information that the control instruction is invalid is registered in the error factor E (step). S0804), this is output and the process ends.

The planning operation column calculation unit 0701 refers to the symbolization state value list ListSymbol0302, and sets each separation criterion B [x] that makes the symbolization control instruction meaningful as a constraint condition for the state value vector sequence YY as an undecided variable. Constraint expression C (YY) is constructed. The state subspace c [k] (y) pointed to by each symbolized state value is with the adjacent state subspace group according to the operating assumptions, functional requirements and safety requirements, and the separation criteria automatically generated by the space division. The separation surface is characterized. Therefore, the operator can set the operation instruction more easily than setting the constraint condition for the original high-dimensional state value vector sequence YY precisely. The logical product with the safety constraint SF (YY) described as a constraint condition for the symbolized state value is taken (step S0805), and the constraint expression solver 0702 determines whether or not there is a satisfied solution of C (YY) & & SF (YY) (step S0805). Step S0806).

If there is a satisfying solution for the undecided variable YY, it means that the symbolization control instruction can be executed, so this is output and the process ends.

Conversely, if there is no satisfied solution for the undetermined variable YY, the error factor is specified for each separation criterion B [x] that has fallen into unsatisfiable (step S0807).

Despite step S0801 and step S0803, the separation criterion that cannot be satisfied may be a part of the symbolization control instruction c [j]-> c [j + 1]. This is either due to a model error, that is, a deficiency in ListTrans, or a conflict between safety constraints and symbolization control instructions that makes them unsatisfiable. Therefore, it is regarded as a symbolization control violation, and the unsatisfiable allocation value YY_UNSAT calculated by the constraint solver 0702 is added to the error factor E.

Similarly, the separation criteria constituting the safety constraint SF (YY) may become unsatisfactory (step S0809). Even if the symbolization control instruction itself is correct, this situation occurs when the safety constraint setting itself is inadequate.

In this case, the error information that violates the safety requirement and the unsatisfiable allocation value YY_UNSAT calculated by the constraint formula solver 0702 are added to the error factor E.

Output the collected error factor E and exit.

FIG. 9 is a diagram showing a schematic configuration of a model consistency monitoring unit 09 constituting the autonomous system 11 according to the first embodiment.

In the model consistency monitoring unit 09, the state value vector sequence Y actually acquired from the measurement system, the symbolization control instruction used by the planned operation sequence generation unit 07, and the model information, that is, ListSymbol and ListTrans are not matched. , If there is a defect in the model, it is used to detect it correctly.

Using the symbolized state value conversion unit 03, the state value vector sequence Y = {y [k] | 0 <= k <= T} actually acquired from the measurement system is symbolized. The state value sequence SY = {sy [k]. ] | 0 <= k <= T}, and the satisfied solution of the planned operation sequence YY = {yy [k] | 0 <= k <= T} calculated by the planned operation column generator 07 in step S0806. The symbolized state value collation unit 091 compares the symbolized state value sequence SYY = {syy [k] | 0 <= k <= T}, and if they do not match, the error factor EM is output as a model error. ..

FIG. 10 is a diagram showing an example of the operation of the symbolized state value collating unit 091 constituting the autonomous system 11 according to the first embodiment.

Collation is performed at each time point k of sy [k] constituting SY and syy [k] constituting SY (step S1001).

If SY and SY do not match, the error information as a model error, the state value vector y [k] at the time point k, and the planned operation yy [k] are registered in the error factor EM (step S1002). Transition relationship between symbolized state values sy [k]-> sy [k + 1] is not registered in ListTrans, or either sy [k] or sy [k + 1] is registered in ListSymbol. Classified if not.

Similarly, when SY does not satisfy the safety constraint SF (step S1003), the error information that violates the safety constraint, the state value vector y [k] at the time point k, and the planned operation yy [k] are set as the error factor EM. to register.

If the transition relationship between the symbolized state values sy [k]-> sy [k + 1] does not match the symbolization control instruction (step S1004), error information that violates the control instruction and the state at the time point k Register the value vector y [k] and the planned operation yy [k] in the error factor EM.

Finally, the registered error factor EM is output and the process ends.

Although there are various factors that cause model errors, it should be noted that bounded model indefiniteness can be dealt with by using the symbolized state value 0302 in the planned operation column generation unit 07.

Even if the bounded noise of the measured value and the indefiniteness caused by the model incompleteness are added to the state value vector, SY and SYY as long as they remain in the bounded range of the state partially closed space indicated by the symbolized state value. Match. On the contrary, when there is a large indefiniteness to the extent that it transitions to a different state partially closed space in light of the functional requirements, sy [k] and syy [k] affected by the indefiniteness are separated. , It is correctly detected by the FDIR process (step S1002).

FIG. 11 is a diagram showing a schematic configuration of the autonomous system 11 according to the first embodiment, and is a diagram showing the configuration of the autonomous system 11 equipped with the autonomous control device 1102 that realizes the method shown in the present embodiment. Like the state transition model construction device 02, the autonomous system 11 is also composed of a device capable of various information processing, for example, an information processing device such as a computer.

The internal state that expresses the state of the system and the external state that expresses the state of the operating environment acquired from the measurement system 1101 are integrated into a state value vector. The operation determination unit 1104 has a function of determining the operation of the autonomous control device 1102, and operates according to a processing procedure such as a program as an example. The operation determination unit 1104 acquires a state value vector, sets a predetermined safety constraint, passes a symbolization control instruction to the planned operation column generation unit 07, and receives an error factor E. The model consistency monitoring unit 09 shown in FIG. 8 receives various information and passes the error factor EM to the operation determination unit 1104.

When the operation determination unit 1104 receives the error factor E (step S0808) and the error factor EM (step S1004) that the control instruction is violated, the operation determination unit 1104 refers to the error information and falls into an unsatisfactory symbolization state value c [ Calculate another symbolization control instruction that avoids j] and pass it to the planned operation sequence generation unit 07.

When the operation determination unit 1104 receives the error factor E (step S0809) and the error factor EM (step S1003) that the safety requirement is violated, the planned operation column yy [that does not satisfy the safety requirement SF with reference to the error information. Another symbolization control instruction that avoids the symbolization state value syy [k] of [k] is calculated and passed to the planned operation column generation unit 07.

When the operation determination unit 1104 receives the error factor EM (step S1002) called a model error, the symbolized state value sy [k] of the state value vector y [k] at the time point k and the planned operation yy [k]. ], A symbolization control instruction that avoids the symbolization state value syy [k] is calculated and passed to the planned operation column generation unit 07.

If the operation determination unit cannot calculate the symbolization control instruction, the system does not set the symbolization control instruction and passes only the safety constraint SF to the planned operation sequence generation unit 07 to realize the minimum FailSafe operation.

If this safety constraint SF also becomes unsatisfactory, the autonomous control device 1102 including the operation determination unit must be stopped correctly.

According to the present embodiment configured in this way, the state transition model construction device 02 determines the homogeneity and heterogeneity between the states with respect to the state space in which the definition areas of the state of the system and the state of the operating environment are merged. Spatial division is performed without duplication based on whether or not the expressed separation standard is satisfied, and the truth value of the separation standard is merged with each state partially closed space obtained by the space division to symbolize the binary vector format. It has a space division processing unit 0202 that assigns values and associates the transition possibility of a pair of the state partially closed spaces with the transition relationship between the symbolized state values.

Therefore, according to this embodiment, it is possible to realize the state transition model construction device 02 and the autonomous system 11 that can realize operability while ensuring safety by design.

More specifically, the state transition model construction device 02 of this embodiment is a model of the operating environment that contributes to the control of the autonomous system 11, and has an existing FDIR function when an abnormality occurs using the model and a defect of the model itself. It is a model construction device that integrates the FDIR function to deal with.

By regarding the state transition model construction device 02 as a forward conversion from safety requirements, functional requirements, and actual operation data, the control function of the autonomous system can be changed from operation instructions to actual operation data that satisfies the safety requirements and functional requirements. Can be realized as an inverse conversion function to generate.

The operator of the autonomous system 11 can transfer the determination of whether or not to cause a hazard due to a violation of safety requirements or an illegal operation command to the control function of the autonomous system 11 using the model constructed as described above. It is only necessary to focus on the realization of the desired function. When it comes to a complicated and large-scale high-safety system, it becomes possible to realize operability while ensuring safety by design.

Hereinafter, in the second embodiment, a detailed example of the spatial division of the state space shown in the first embodiment will be described. The second embodiment is applied when dealing with an operation planning problem in ADAS (Advanced driver-assistance systems) that automatically drives a moving body in a low-dimensional space (2D / 3D) at level 4. .. Therefore, the autonomous system corresponds to ADAS.

In the following description, the same components as the components in the above-described embodiment are designated by the same reference numerals, and the description thereof will be simplified.

FIG. 12 is a diagram showing an example of a model to which the state transition model construction device 02 according to the second embodiment is applied.

More specifically, FIG. 12 shows an attempt to advance an autonomous vehicle in a forward direction in a situation where there is a vehicle that seems to be parked on the left side and a vehicle is approaching from the front right side in a two-way lane. Show the process.

The vehicle uses LIDAR (Laser Imaging Detection and Ringing: a means of identifying the position of the reflector using a laser), a camera, a vehicle speed sensor, GPS information, etc. to estimate the vehicle position and speed, and external world recognition processing and a map. -Dynamic construction of this operating environment model by using traffic rule information together.

In this model, the state space that can take the spatial position and speed of the own vehicle is spatially divided, and the symbolized state value ListSymbol is set for each bounded closed area that is spatially divided based on various separation criteria. It is composed of the defined one and the constraint condition ListTrans regarding the transition relationship between the symbolized state values, and is one implementation form of FIG. 2A.

In this embodiment, there are cases where the spatial division is performed offline and only the process of converting to the symbolized state value is performed at the runtime, and there are cases where both the spatial division and the conversion to the symbolized state value are performed at the runtime.

As in the spatial division model represented by the wide area map information database shown in FIG. 13 or 15, the spatial division is performed offline, and as shown in FIG. 14 or 16, GPS information is used as an argument for binary vector conversion. On the other hand, as shown in FIG. 17, the lidar data group collected at runtime is used to dynamically perform spatial division and conversion to symbolized state values as shown in FIG.

FIG. 13 is a diagram showing an example of space division by the state transition model construction device 02 according to the second embodiment, and FIG. 14 is a diagram showing an example of the binary vector conversion unit 0201 of the state transition model construction apparatus 02 according to the second embodiment. Is.

That is, FIG. 13 shows an example in which a wide area road traffic network is spatially divided, and area divisions, R1 and R2 in the figure, and travel road divisions, part1 and part2 in the figure are used as separation criteria. Is. In this case, a 4-bit symbolized state value ListSymbol can be constructed. Each bit value is uniquely determined by the binary vector conversion unit 0201 in FIG. 14 depending on whether or not it belongs to a specific partitioned bounded closed space.

In addition, FIG. 12 shows an example in the case of one lane on each side, but if there are two lanes, forward movement between lanes is permitted, but entry into the oncoming lane is not permitted. The symbolized state transition list ListTrans can be constructed from the spatial connection relationship between the roads and the separation criteria based on the traffic rules.

Furthermore, the traffic rules include not only spatial restrictions on new routes, but also speed limit instructions by traffic signs and restrictions on speed components such as one-way streets, and multiple transition destination symbols are used at intersections with route branches. There is a state value. By adding to the wide area map information database that has been spatially divided, it becomes possible to elaborate the separation criteria for spatial division and easily describe complicated traffic rules as constraints on symbols or state values.

FIG. 15 is a diagram showing another example of space division by the state transition model construction device 02 according to the second embodiment, and FIG. 16 is another diagram of the binary vector conversion unit 0201 of the state transition model construction device 02 according to the second embodiment. It is a figure which shows an example.

FIG. 15 is a representation of the detailed map / traffic rule information inside the area R2 in FIG. There are two partially closed spaces, part1 which is the route and part2 which is the opposite route, and each of them introduces a constraint condition for the velocity velocity [k] related to the traveling path, and the symbolized state value component B [4] of the fifth bit. Correspond. Since intrusion into the oncoming lane and reverse driving in the same lane are prohibited by traffic rules, the symbolized state transition list stores only a list of valid symbolized state values, not a directed graph with a transition destination. Please note that it has become a thing.

The conversion to the symbolized state value component B [4] is performed by the binary vector conversion unit 0201 as shown in FIG. That is, the position information position from GPS and the speed information velocity from the vehicle speed sensor are used as arguments, and the judgment result of the traffic rule corresponding to the corresponding driving road, in this case, the constraint condition regarding the traveling direction is symbolized as the state value component B [ Output as 4].

FIG. 17 is a diagram showing another example of space division by the state transition model construction device 02 according to the second embodiment, and FIG. 18 is a lidar which is another example of the state transition model construction device 02 according to the second embodiment. It is a figure which shows the model building part 240102 (see FIG. 25) for a data string.

FIG. 17 shows a group of bounded convex / closed regions in which a large number of rays [k, i] are bundled as a result of measuring the orientation and distance of the reflector around the operating environment collected by LIDAR. is there.

Although LIDAR can perform precise measurement, minute reflections and refractors, such as rain and snow, cause false detections. Therefore, a long-wavelength radar or an ultrasonic sensor that is inferior in accuracy but can deal with the above-mentioned false detection factor of LIDAR may be used in combination. These devices should be understood as a means to realize the purpose of identifying the position ray_dst [i] of the reflector in the outside world, which is the operating environment, and the function of identifying the region without the reflector. In particular, it is a means for physically confirming that there are no running obstacles between the vehicle position and the reflector, that is, near the line segment between ray_src [i] and ray_dst [i].

LIDAR can collect more than 100,000 LIDAR data strings per second in all directions, has a fast data collection cycle, and data near the line segment even if a high-speed moving object is near or far from the own vehicle. Is remeasured. Therefore, by discarding the old LIDAR data value and continuing to spatially divide the accessible area during runtime using the latest collected data, the distribution of surrounding obstacles can be distributed with high reliability that cannot be achieved by other in-vehicle sensors. It can be incorporated into the model and updated.

FIG. 18 is a model construction unit 240102 for a lidar data string, which is merged with a space division processing unit 0202 that determines each element of the symbolized state value list ListSymbol referred to by the binary vector conversion unit 0201. ..

As a separation criterion used for spatial division, make sure that any inner point up to all beam paths ray_src [i]-> ray_dst [i] and the neighborhood from the beam path to the distance Δ stay within one of the convex closed regions. It is to become a space division. A list of convex / closed regions in which each convex / closed region ch [p] after spatial division is bundled is expressed as CH.

The convex / closed region has the property that the internal points of any two internal points always belong to the same convex / closed region. Therefore, ch [p] may be sequentially constructed and updated by bundling nearby beam paths, connecting and expanding them so as to maintain the properties of the convex closed region. The spatial connection relationship between adjacent convex and closed regions calculated in this process is stored in ListTrans.

In addition, since the own vehicle occupies a finite volume, the ray_dst [i] on the end point side of the beam path is partially shortened so that it becomes an intrudable region at the geometric center position considering the length and width of the vehicle. It may be. The route generation process first specifies the movement locus of the geometric center position of the vehicle. Therefore, if the size of the own vehicle is taken into consideration at the stage of constructing the accessible area from the LIDAR data, it is possible to avoid complication of calculation in the route generation process.

FIG. 19 is a flowchart showing an example of the operation of the lidar data string model construction unit 240102, which is the state transition model construction device according to the second embodiment, and FIG. 20 is a flowchart of the lidar data string model construction unit 240102 according to the second embodiment. It is a figure for demonstrating the operation procedure of the space division processing part 0202.

The space division process shown above is performed according to the procedure shown in FIG. In FIG. 20, in the process of sequentially adding ray [k, i = 13] from the beam path ray [k, i = 0] clockwise according to this procedure, the convex closed regions ch [0] and ch [1] are formed. It illustrates the process of being constructed.

In step S1901, the latest beam path list Ray [t-t0] to Ray [t] are merged, and the processing target list Ray [k] is set.

In step S1902, the convex / closed region ch [0] including the first entry ray [k, 0] is registered in the list CH of the convex / closed region that specifies the bit value component of each symbolization state value.

In step S1903, both the start point ray_src [i] and the end point ray_dst [i] of the beam path indicated by the first entry ray [k, i] of Ray [k] are from any of the convex closed regions registered in CH. Determine if the distance is greater than the distance Δ.

In this case, the process proceeds to step S1904, a convex hull including ray [k, i] is generated and registered in CH.

Then, the process proceeds to step 1905, when either of the both end points of the beam path ray [k, i] is in either of the convex closed regions ch [p] registered in CH or in the vicinity of the distance Δ. , The convex hull ch [p + 1] generated in S1904 and the corresponding ch [p] are registered as transitionable adjacent convex closed region pairs in the symbolized state transition list ListTrans.

In step S1903, if both end points of the beam path ray [k, i] belong to any of the convex closed regions ch [p] registered in CH, the process proceeds to step S1906 and the convex closure is performed. The region ch [p] is extended to include the beam path ray [k, i].

If one of the endpoints of the beam path ray [k, i] does not belong to any of the convex closed regions ch [p] registered in CH, the process proceeds to step S1904, and a new beam path ray [k, i] is obtained. A convex closed region ch [p + 1] including [k, i] is generated.

When the above processing is executed for all the beam paths registered in the beam path list Ray [k], convex closed regions ch [0] to ch [3] are obtained as shown in FIG. As long as you follow a track that stays within this area, you can be assured that this self-driving vehicle will not collide.

FIG. 21 is a diagram showing still another example of space division by the state transition model construction device 02 according to the second embodiment, and FIG. 22 is a camera data which is still another example of the state transition model construction device according to the second embodiment. It is a figure which shows the model building part 240103 (see FIG. 25) for a column.

FIG. 21 shows an example in which the inaccessible area and the other areas related to the planned trajectory of the own vehicle are spatially divided based on the recognition result obj [k] of the surrounding object by the camera. It is decomposed into three types of convex closed regions, ccdom [0] to ccdom [2].

Similar to FIG. 18, this spatial division process is dynamically performed inside the camera model construction unit 240103 configured in FIG. 22 for the recognition result obj [k] that changes with timekeeping, and the convex portion closed region after the division is performed. The symbolized state values B [6], B [6, p] and the partially convex closed region group CCD = {ccdom [p], 0 <= p <3} that serves as the criterion for the symbolization state values are calculated, and the adjacent convex closed regions are calculated. Register the interval in ListTrans.

FIG. 23 is a diagram showing the spatial division by the state transition model construction device 02 according to the second embodiment, and FIG. 24 is a correspondence of each component of the symbolized state value by the state transition model construction device 02 according to the second embodiment. It is a figure which shows the relationship.

That is, FIG. 23 shows a state partially closed space dynamically generated through the above procedure using the external state collected when the own vehicle is in the illustrated position, and FIG. 24 shows the symbolized state value. This is a summary of the correspondence between each component of.

The vehicle's trajectory refers to the map / traffic information database, and while satisfying the restraint conditions regarding the driving route and direction, the camera stays in the free space without obstacles, which is supported by the beam route collection from LIDAR. The own vehicle may calculate the planned track so as to avoid the inaccessible area set by using the object information from.

In this example, instead of expressing the complex and time-varying external environment while maintaining geometric accuracy, the inside / outside judgment of the convex / closed region group with respect to the position position [k] of the own vehicle and the velocity vector velocity [k] is used. It is converted to the symbolized state value of the value vector, and the subsequent route planning problem is replaced with the problem of calculating the transition sequence between the symbolized state values within the range limited by this symbolized state transition list ListTrans.

FIG. 25 is a diagram showing an example of the symbolized state value conversion unit 2401 of the state transition model construction device 02 according to the second embodiment.

The symbolized state value conversion unit 2401 shown in FIG. 25 integrates FIGS. 13 to 23 and corresponds to the symbolized state value conversion unit 03 of FIG. 3, and is a sensor group for an autonomous driving vehicle. It is equipped with a model construction unit corresponding to it. The function corresponding to the symbolized state value list generation unit 0304 in FIG. 3 corresponds to the space division process of determining each component of the symbolized state value list at runtime by using the data of the lidar and the camera.

The conversion process to the symbolized state value shown in FIG. 6 was divided for each sensor. That is, the GPS data string model building unit 240101, the LIDAR data string model building unit 240102, and the camera data string model building unit 240103, which include a wide area map information database 1401 and a part that converts into a binary vector using GPS information, From, the symbolized state value list and the symbolized state transition list ListTrans are constructed, and the processing of the symbolized state value calculation unit in FIG. 3 is inherited, and the state value vector sequence y [k] is sequentially symbolized. Convert to column Z [k].

With reference to FIG. 24, each component of the symbolized state value is B [0] = 0, B [1] = 1, B [2] = 1, B [3] = 0, B [4] = 1. , B [5] = 1, B [5,0 / 1/2/3] = (1,0,0,0), B [6] = 1, B [6,0 / 1/2] = ( It is 1,0,0).

FIG. 26 is a diagram showing a schematic configuration of a planned operation sequence generation unit 07 constituting the autonomous system 11 according to the second embodiment. That is, FIG. 26 embodies the function of the planned operation sequence generation unit 07 of FIG. 7 so as to correspond to the configuration of the autonomous driving vehicle in this embodiment.

In this example, the state value vector y [k] is y [k, 0]: position position [k], y [k, 1]: velocity velocity [k], y [k, 2]: LIDAR beam path sequence. Not only Ray [k], but also the components of the control command u [k], that is, u [k, 0]: The control command to the actuator that is the steering value and affects the turning angular velocity, u [k, 1]: Accelerator It includes a control command to the actuator that acts in the increasing direction of the velocity vector, u [k, 2]: a control input to the actuator that acts in the phenomenon direction of the velocity vector, which is a brake.

The transfer function vehicle_dynamics is a function that constrains the estimated value of the post-transition state value vector y [k + 1] after the time Δt with respect to the control input u [k] and the current state value vector y [k].

In this example, the following is set as the symbolization control instruction.
C [j] (y) = {B [1,2,3,4]} = {1,1,0,1}, 1 <= j <= T

Over the calculation period k = 1 to T of the planned operation, the symbolized state value sequence of the state value vector y [k + j] is B [1] = 1, B [2] = 1, B [3] = 0, It indicates that B [4] = 1 should be maintained. It travels forward (B [4] = 1) along (B [1] = 1) lane part2 in area R2 (B [2] = 1, B [3] = 0). Means.

We are a sufficiency solution that satisfies the constraint condition for the time-series state value vector sequence y [k] to y [k + T] supported by this symbolized state value sequence, and is a concrete control input value sequence. I want to solve a control problem that calculates u [k] to u [k + T]. This can be obtained by calculating the numerical solution of the control input value sequence that specifically realizes the specified symbolization control instruction in the SAT / CSP solver.

FIG. 27 is a diagram showing an example of a group of undecided variables received by the constraint formula solver 0702 of the autonomous system 11 according to the second embodiment and a list of constraint formulas for the undetermined variables.

More specifically, FIG. 27 is a list of undecided variables received by the constraint expression solver 0702, which is a SAT / CSP solver, and the constraint expressions for them. That is, the time-series state value vector sequences y [k] to y [k + T] corresponding to the planned operation are set as the undetermined variable YY = {yy [k] | 0 <= k <= T}, and the symbolization is performed. Set the constraint conditions supported by the state value sequence. As a safety constraint, a symbolized state value component B [5] = 1 that supports staying in the accessible region confirmed by lidar to be absent is specified, and a constraint on the transfer function vehicle_dynamics is added.

Determine if there is a specific satisfied solution for the undecided variable YY, and if it exists, obtain the assigned value for YY. The control input value components u [k] to u [k + T] are actually input to actuators such as steering, accelerator, and brake. This processing procedure follows FIG.

As the own vehicle continues to operate, the state value vector y [k] progresses over time, so the LIDAR and camera data also change over time, and therefore the spatial division result also changes. Therefore, it is preferable to re-execute a series of processes in a short cycle of about a constant multiple of the time Δt. In the example of FIG. 12, since there is a vehicle parked in the forward lane on the left side, the forward travel path toward the area R1 is not completely visible. In fact, since the LIDAR data is obstructed by the stopped vehicle, the own vehicle can move to the right to secure the line-of-sight and set the planned track following the area R1 for the first time.

FIG. 28 is a diagram showing another example of the model to which the state transition model construction device 02 according to the second embodiment is applied.

Fig. 28 shows the situation in which the vehicle in front is moving instead of being stopped. In this case, since the vehicle on the forward traveling path ahead is moving at a very low speed in front of the pedestrian crossing, the data in the sky of the camera is received and the inaccessible area is set. As a result, according to the model obtained as a result of spatial division using LIDAR data, there is a route that crosses the vehicle in front, but the planned operation train generation unit cannot calculate such a route, so the own vehicle decelerates. Stop. It should be noted that even with such behavior, the constraint conditions specified by the symbolization control instruction are satisfied.

Therefore, the same effect as that of the above-described embodiment can be obtained by this embodiment as well.

Note that the above-described embodiment describes the configuration in detail in order to explain the present invention in an easy-to-understand manner, and is not necessarily limited to the one including all the described configurations. Further, it is possible to add, delete, or replace a part of the configuration of each embodiment with other configurations.

Further, each of the above configurations, functions, processing units, processing means, etc. may be realized by hardware by designing a part or all of them by, for example, an integrated circuit. The present invention can also be realized by a program code of software that realizes the functions of the examples. In this case, a storage medium in which the program code is recorded is provided to the computer, and the processor included in the computer reads the program code stored in the storage medium. In this case, the program code itself read from the storage medium realizes the functions of the above-described embodiment, and the program code itself and the storage medium storing the program code itself constitute the present invention. Examples of the storage medium for supplying such a program code include a flexible disk, a CD-ROM, a DVD-ROM, a hard disk, an SSD (Solid State Drive), an optical disk, a magneto-optical disk, a CD-R, and a magnetic tape. Non-volatile memory cards, ROMs, etc. are used.

Further, the program code that realizes the functions described in this embodiment can be implemented in a wide range of programs or script languages such as assembler, C / C ++, perl, Shell, PHP, and Java (registered trademark).

Further, by distributing the program code of the software that realizes the functions of the examples via the network, it is stored in a storage means such as a hard disk or memory of a computer or a storage medium such as a CD-RW or a CD-R. , The processor provided in the computer may read and execute the program code stored in the storage means or the storage medium.

In the above-described embodiment, the control lines and information lines indicate those considered necessary for explanation, and do not necessarily indicate all the control lines and information lines in the product. All configurations may be interconnected.

02 Model construction unit 0201 Binary vector conversion unit 0202 Spatial division processing unit 03 Symbolization state value conversion unit 0300 State value vector string 0301 Symbolization state value calculation unit 0302 Symbolization state value list 0303 Symbolization state value registration judgment unit 0304 Symbol Symbolized state value list generation unit 0305 Symbolized state value string 07 Planned operation column generation unit 0701 Planned operation column calculation unit 0702 Constraint expression solver 09 Model consistency monitoring unit 091 Symbolized state value collation unit 11 Autonomous system 1101 Measurement system 1102 Autonomous control Device 1103 Drive system 1104 Operation determination unit

Claims

A state space in which the definition areas of the state of the system and the state of the operating environment are merged is divided into spaces without duplication based on whether or not the separation criteria expressing the homogeneity and heterogeneity between the states are satisfied, and the space division is performed. A binary vector format symbolized state value obtained by merging the truth values of the separation criteria is assigned to each of the obtained state partially closed spaces, and the transition possibility of a pair of the state partially closed spaces is determined by the symbolized state. A state transition model construction device characterized by having a spatial division processing unit associated with a transition relationship between values.
The state transition model construction device according to claim 1.
The state space is a subset of the first state partially closed space and the first state partially closed space classified according to the operating premise of the system, and is a second state part classified according to safety requirements. A state transition model construction device characterized by being defined by a closed space.
The state transition model construction device according to claim 2.
The state transition model construction device is characterized in that the state space is spatially divided by using the functional requirements of the system as a separation reference used when the first state partially closed space is spatially divided.
The state transition model construction device according to claim 3.
The separation reference and the state value vector group of the system are input, and the separation reference and the state value vector group have a binary vector conversion unit for converting into a binary vector.
The space division processing unit is a state transition model construction device characterized in that the binary vector and the state value vector group are input.
The state transition model construction device according to claim 4.
The spatial division processing unit generates a valid symbolized state value list as a logical sum of the symbolized state values in a binary vector format, and merges the pairs of the symbolized state values which are valid transition relationships. A state transition model construction device characterized by generating a valid symbolized transition relation list as a vector-format OR.
It is an autonomous system equipped with an external measurement system, a drive system, and an autonomous control device.
The autonomous control device has an operation determination unit, a planned operation sequence generation unit, and a model consistency monitoring unit.
The planned operation sequence generation unit refers to the symbolization state value list and the symbolization transition relation list according to claim 5, and is consistent with the symbolization control instruction sequence specified by the operation determination unit, and the safety requirement. Has a function to determine the presence or absence of a planned operation sequence that satisfies
The model consistency monitoring unit refers to the symbolized state value list and the symbolized transition relation list according to claim 5, and based on the consistency between the planned operation sequence and the symbolized control command sequence, the symbol It has a function of detecting deficiencies in the symbolization state value list and the symbolization transition relation list, a function of monitoring and notifying the deficiency of the symbolization control command sequence, and a function of monitoring and notifying whether or not the safety requirements are satisfied. An autonomous system characterized by that.
The autonomous system according to claim 6.
The autonomous system is used for vehicles that drive autonomously.
The external world measurement system has an active measurement function for acquiring the presence / absence and position of a reflector in a three-dimensional space.
A function of spatially dividing a travelable region by a convex closed region group including a beam path connecting the vehicle position and the reflector and an adjacent relationship thereof, and constructing a state transition model in the binary vector format according to claim 1. An autonomous system characterized by having.
The autonomous system according to claim 7.
The autonomous control device is
A function of calculating a state transition path from the convex closed region including the position of the vehicle to the convex closed region including the target position in the convex closed region group including the beam path.
An autonomous system characterized by having a function of calculating the presence or absence of the planned operation sequence with a separation criterion of a three-dimensional space that characterizes the adjacent convex / closed region as a constraint condition.