WO2021038826A1 - Dispositif de construction de modèle de transition d'état et système autonome - Google Patents

Dispositif de construction de modèle de transition d'état et système autonome Download PDF

Info

Publication number
WO2021038826A1
WO2021038826A1 PCT/JP2019/034098 JP2019034098W WO2021038826A1 WO 2021038826 A1 WO2021038826 A1 WO 2021038826A1 JP 2019034098 W JP2019034098 W JP 2019034098W WO 2021038826 A1 WO2021038826 A1 WO 2021038826A1
Authority
WO
WIPO (PCT)
Prior art keywords
state
symbolized
state value
transition
model
Prior art date
Application number
PCT/JP2019/034098
Other languages
English (en)
Japanese (ja)
Inventor
昌能 西
Original Assignee
株式会社日立製作所
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 株式会社日立製作所 filed Critical 株式会社日立製作所
Priority to PCT/JP2019/034098 priority Critical patent/WO2021038826A1/fr
Publication of WO2021038826A1 publication Critical patent/WO2021038826A1/fr

Links

Images

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B13/00Adaptive control systems, i.e. systems automatically adjusting themselves to have a performance which is optimum according to some preassigned criterion
    • G05B13/02Adaptive control systems, i.e. systems automatically adjusting themselves to have a performance which is optimum according to some preassigned criterion electric
    • G05B13/04Adaptive control systems, i.e. systems automatically adjusting themselves to have a performance which is optimum according to some preassigned criterion electric involving the use of models or simulators
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05DSYSTEMS FOR CONTROLLING OR REGULATING NON-ELECTRIC VARIABLES
    • G05D1/00Control of position, course, altitude or attitude of land, water, air or space vehicles, e.g. using automatic pilots
    • G05D1/02Control of position or course in two dimensions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N7/00Computing arrangements based on specific mathematical models

Definitions

  • the present invention relates to a state transition model construction device and an autonomous system.
  • An automatic control system passively operates according to pre-programmed control rules in a closed environment designed or envisioned to meet the operating assumptions established at the time of design, in order to achieve the specified operating instructions. is there.
  • an autonomous system is classified by having a function of adapting to an operating environment that changes over time and reconstructing a control method corresponding to a method of achieving its own operating purpose.
  • the operator of this autonomous system sets operation instructions as appropriate, but in an open operating environment, the operation instructions may not be achieved due to conflicts caused by excessive restrictions.
  • An automatic control system that has fallen into a situation that deviates from the above assumptions of operation cannot detect this conflict by itself, which causes an unintended operation, and the operator has no means to know the cause, so that the operation is incorrect in such a situation. Orders can make things worse.
  • the autonomous system must at least correctly detect the conflict and reset the operation instruction appropriately so as to resolve the detected conflict.
  • the state of the operating environment and the model of the operating environment are dynamically constructed, and the autonomous function of judging and modifying the feasibility of the operating instruction itself is independent of the designer.
  • An automatic control system and an autonomous system are distinguished from each other in terms of whether or not they are performed at runtime.
  • an automatic control system that classifies work tasks using an image recognition function, selects and executes predetermined operation commands.
  • the operator of this system is responsible for making the necessary assumptions for the performance of subsequent work tasks. For example, there are constraints on the arrangement of external objects to be recognized and the specific execution method of work tasks. These work properly as long as they operate in a closed environment, but if the environment is not prepared to match the assumed assumptions, they will analyze the cause on their own, despite unintended behavior. It cannot be corrected.
  • Information to be described in the internal and external models used for system control is also unevenly distributed.
  • the internal model that describes the dynamics of the internal state of the system and the causal relationship over time regarding the means of action (actuator) that causes it is well known
  • the external state that characterizes the autonomous system in the operating environment and the autonomous system for the operating environment The means of systematically constructing an external model that describes the causal relationship over time with respect to the action from and the resulting changes in the external state have not been studied.
  • the external state that characterizes the external environment is predictable in the sense that it changes only within a bounded range in a short period of time, but it has potential indeterminacy in the sense that it cannot deterministically predict changes over time with high accuracy. doing.
  • a Kalman filter based on the internal model is designed based on the assumption that the bounded disturbance to the measured value follows the assumed stationary process of probability, and the statistical frequency of the degree of deviation is statistical.
  • the internal model and the reference model are used in the form of detecting an abnormality using the threshold value related to the above and describing the threshold value in the reference model as the boundary between the normal / abnormal state. Therefore, if the possibility of a model error cannot be ruled out, it is not possible to distinguish between a measured value abnormality and a model error in principle.
  • model error is a single point of failure in the sense that the FDIR process for dealing with the measured value abnormality functions correctly. It is not well known that the FDIR function of a high safety system is built on such a hidden premise.
  • the internal model, external model, and reference model have been manually designed separately. This is because the internal model and the external model are used for the normal control function to calculate the planned operation that realizes the predetermined operation instruction, and the reference model is used to judge the safety / normality of the planned operation itself. When the inconsistency of the three types of models is latent, the cause cannot be uniquely identified. This point is also not well known. Originally, a given functional requirement should represent the transition between normal states of this model, and a safety requirement should represent the boundary between normal and abnormal states.
  • Model errors and inconsistencies between models also cause operational mistakes by the operator.
  • the operator who is informed that the operation instruction set in the autonomous system is not feasible due to some conflict can only know the operation instruction or the inconsistency between the three models. It is difficult to uniquely determine the correction of the model error or the alternative operation instruction unless the part considered to be correct and the part with the error are selected from the three types of models.
  • Patent Document 1 discloses a method of constructing a model for model checking by lowering the dimension and assigning an index based on a formal method, but with respect to the deficiency in the process of constructing the model checking model.
  • the execution result of the model checking is fragile, and it is necessary to comprehensively execute the computer program to be actually checked to ensure the consistency.
  • Patent Document 2 discloses a method in which the specification of a program that generates an input / output data string is set as a precondition, and the problem of back-estimating the specification from a postcondition that defines correct behavior is reduced to a satisfiability determination problem and solved. ing. Even in this disclosure content, the deficiencies in the functional requirements and safety conditions cannot be found based on the input / output data strings. If the post-condition is inadequate, the pre-condition may not exist, but this cannot be dealt with.
  • the above-mentioned three types of models merely arbitrarily reduce the dimension of the operating environment that changes over time, and these cannot be reliably removed by increasing the dimension and refining the model. On the contrary, it causes a polynomial increase in the amount of data required for model representation. Also, internal and external models that contribute to control are essential to infer the future state caused by the planned operation and to argue that it meets certain safety requirements.
  • the boundedness that includes changes over time and indefiniteness is the information that the model should describe in just proportion. At the same time, it is possible to improve the accuracy of the model in the bounded range and respond to the change over time by using the information that can be collected at the time of operation and confirmed to be time-invariant in the short and medium term. It is reasonable.
  • a model construction means that can naturally perform the FDIR processing.
  • control rules for autonomous systems have also been designed separately from these three patchwork relationships, so defects due to imperfections in each model and the correctly designed control rules are not between models. It is not possible to distinguish it from a defect caused by matching. This inconsistency is detected as a conflict when determining the feasibility of an operation instruction.
  • control function of the autonomous system itself is a control means that handles the complexity related to hazard risk, that is, is consistent with the FDIR function of detecting the conflict and dealing with the model deficiency, particularly the inter-model inconsistency. is necessary.
  • the present invention has been made in view of the above problems, and an object of the present invention is to provide a state transition model construction device and an autonomous system that can realize operability while ensuring safety by design.
  • the state transition model construction device provides homogeneity and heterogeneity between states with respect to the state space in which the definition areas of the state of the system and the state of the operating environment are merged.
  • Spatial division is performed without duplication based on whether the expressed separation criteria are satisfied, and the symbolized state values in binary vector format are obtained by merging the truth values of the separation criteria for each state partially closed space obtained by the spatial division.
  • It has a space division processing unit that associates the transition possibility of a pair of allocation and state partial closed spaces with the transition relationship between symbolized state values.
  • FIG. It is a figure which shows an example of the state space which was space-divided by the state transition model construction apparatus which concerns on Example 1.
  • FIG. It is a figure which shows the schematic structure of the state transition model construction apparatus which concerns on Example 1.
  • FIG. It is a figure which shows an example of the transition source symbol state value, the transition destination symbol state value, the constraint condition about the transition relation, and the separation standard generated by the state transition model construction apparatus which concerns on Example 1.
  • FIG. It is a figure which shows an example of the symbolized state value conversion part of the state transition model construction apparatus which concerns on Example 1.
  • FIG. It is a figure which shows an example of the symbolized state value list used for the state transition model construction apparatus which concerns on Example 1.
  • FIG. 1 It is a figure which shows an example of the function used in the state transition model construction apparatus which concerns on Example 1.
  • FIG. It is a figure which shows another example of the function used in the state transition model construction apparatus which concerns on Example 1.
  • FIG. It is a flowchart which shows an example of the operation of the symbolization state value conversion part which concerns on Example 1.
  • FIG. It is a figure which shows the schematic structure of the planned operation train generation part which constitutes the autonomous system which concerns on Example 1.
  • FIG. It is a figure which shows an example of the operation of the planned operation sequence calculation part which constitutes the autonomous system which concerns on Example 1.
  • FIG. It is a figure which shows the schematic structure of the model consistency monitoring part which comprises the autonomous system which concerns on Example 1.
  • FIG. It is a figure which shows an example of the operation of the symbolized state value collation part which constitutes the autonomous system which concerns on Example 1.
  • FIG. It is a figure which shows the schematic structure of the autonomous system which concerns on Example 1.
  • FIG. It is a figure which shows an example of the model to which the state transition model construction apparatus which concerns on Example 2 is applied.
  • FIG. It is a figure which shows an example of the binary vector conversion part of the state transition model construction apparatus which concerns on Example 2.
  • FIG. It is a figure which shows another example of space division by the state transition model construction apparatus which concerns on Example 2.
  • FIG. It is a figure which shows another example of the binary vector conversion part of the state transition model construction apparatus which concerns on Example 2.
  • FIG. It is a figure which shows another example of space division by the state transition model construction apparatus which concerns on Example 2.
  • FIG. It is a figure which shows the model building part for the lidar data string which is another example of the state transition model building apparatus which concerns on Example 2.
  • FIG. It is a flowchart which shows an example of the operation of the model construction part for lidar data string of the state transition model construction apparatus which concerns on Example 2.
  • FIG. It is a figure for demonstrating the operation procedure of the space division processing part of the model construction part for lidar data string which concerns on Example 2.
  • FIG. It is a figure which shows still another example of space division by the state transition model construction apparatus which concerns on Example 2.
  • FIG. 2 It is a figure which shows the model building part for a camera data string which is still another example of the state transition model building apparatus which concerns on Example 2.
  • FIG. It is a figure which showed the space division by the state transition model construction apparatus which concerns on Example 2 collectively. It is a figure which shows the correspondence relation of each component of the symbolized state value by the state transition model construction apparatus which concerns on Example 2.
  • FIG. It is a figure which shows an example of the symbolized state value conversion part of the state transition model construction apparatus which concerns on Example 2.
  • FIG. It is a figure which shows the schematic structure of the planned operation train generation part which comprises the autonomous system which concerns on Example 2.
  • the state transition model construction device and the autonomous system of this embodiment have the following configurations as an example.
  • the state transition model construction device of this embodiment spatially divides the state space to which the state value vector that merges the internal state and the external state of the autonomous system belongs, and determines the homogeneity and heterogeneity between the state value vectors.
  • a method is used in which the reference is decomposed into a state partial closed space group so as to be a separation surface that characterizes each state partial closed space. It is preferable to use operating assumptions, safety requirements, and functional requirements as separation criteria for distinguishing homogeneity and heterogeneity between the state vectors.
  • a symbolized state value which is a binary vector, is calculated based on whether or not each requirement is satisfied so that two state partially closed spaces having different symbolized state values are separated. If there is a sample list of state value vectors, a space division method is used in which label values are assigned and state partially closed spaces with different label values are separated.
  • a model is constructed by a discrete state transition model representation that limits the transition relationship, using the criteria for the transition possibility of the partially closed space. Similarly, operating assumptions, safety requirements, and functional requirements should be used as the criteria.
  • the transition relationship is N * (N-1) path.
  • the classification of this transition relationship conforms to the division standard of the state partially closed space.
  • the transition between the state partially closed space that does not satisfy the operating premise and the state partially closed space that satisfies the operating premise is a violation of the operating premise, and it is excluded because it is considered that it will not actually occur.
  • the spatial division standard corresponding to the premise at the time of operation After the occurrence, by updating the spatial division standard corresponding to the premise at the time of operation, it corresponds to the FDIR function for the defect of the model itself. This may be done at runtime, but it is uncertain due to the lack of legitimacy of the control action of pulling back to a partially closed space that meets the assumptions.
  • the log of the actual state value vector and the state value vector string belonging to the internal transition source state partially closed space of the existing operation log are spatially divided. This corresponds to the FDIR function that addresses the deficiencies in the spatial division of the model.
  • the accuracy of the model can be further improved by classifying the operation data of the actual system for each state partially closed space and identifying the bounded partially closed space when the localization of the state vector is found. In many cases. This corresponds to the same problem as normal system identification, but it is a low-dimensional method that guarantees the boundedness of the operating environment that changes over time, and can be dynamically updated.
  • the above state transition model construction procedure by the state transition model construction device is understood as a forward conversion process for constructing a discrete state transition model from operation assumptions, functional requirements, safety requirements, and operation data groups.
  • Autonomous system control function This is equivalent to back-calculating the control input that performs this inverse conversion and generates operating data that meets the operating assumptions, functional requirements, and safety requirements.
  • the state value vector is reduced in dimension from the viewpoint of which state partially closed space it belongs to, and the representation of the dynamic behavior of the system is reduced in the transition sequence between the state partially closed spaces. Therefore, the operator may express the operation instruction by setting the constraint condition for this transition sequence.
  • a satisfiability problem (SAT: satisfiability problem) or a constraint satisfaction problem (CSP: CSP:) with the original state value vector sequence as an undecided variable and the separation surface of the state partially closed space that is a component of the transition sequence as a constraint condition. It is reduced to Constraint satisfaction problem), and the satisfied solution of the control input value which is a part of the internal state value in the state value vector becomes the inverse calculation solution.
  • the second is the case where the SAT / CSP satisfying solution does not exist even though the transition sequence exists. If the operation instruction is complete, this is a model error. When there is no satisfying solution, the matching constraint pair can be analyzed, so that the factors that cause the model error can be limited, and this is the FDIR function for the model error.
  • FIG. 1 is a diagram showing an example of a state space spatially divided by the state transition model construction device according to the first embodiment. More specifically, FIG. 1 shows an example in which state space division is performed using operating assumptions, safety requirements, and functional requirements as separation criteria.
  • the state value vector is described as being two-dimensional, but in reality, the state value vector that combines the internal state and the external state is generally high-dimensional and cannot be visualized by lowering the dimension.
  • the function of lowering the high-dimensional state value vector to the low-dimensional symbolized state value by dividing it into partially closed spaces that do not overlap each other and specifying the partially closed space to which the obtained state value vector belongs. In other words, the state value expression in the model is realized.
  • FIG. 2A is a diagram showing a schematic configuration of the state transition model construction device according to the first embodiment.
  • the state transition model construction device (hereinafter, may be referred to as a model construction unit) 02 of this embodiment is composed of a device capable of various information processing, for example, an information processing device such as a computer.
  • the information processing device has an arithmetic element, a storage medium, and a communication interface, and further has an input device such as a mouse and a keyboard, and a display device such as a display.
  • the arithmetic element is, for example, a CPU (Central Processing Unit), an FPGA (Field-Programmable Gate Array), or the like.
  • the storage medium includes, for example, a magnetic storage medium such as an HDD (Hard Disk Drive), a semiconductor storage medium such as a RAM (Random Access Memory), a ROM (Read Only Memory), and an SSD (Solid State Drive). Further, a combination of an optical disk such as a DVD (Digital Versatile Disk) and an optical disk drive is also used as a storage medium. In addition, a known storage medium such as a magnetic tape medium is also used as the storage medium.
  • Programs such as firmware are stored in the storage medium.
  • a program such as firmware is read from this storage medium and executed to perform overall control of the model building unit 02.
  • the storage medium stores data and the like required for each process of the model construction unit 02.
  • model construction unit 02 of this embodiment may be configured by a so-called cloud in which the information processing device is configured to be able to communicate via a communication network.
  • the model construction unit 02 of this embodiment has a binary vector conversion unit 0201 and a space division processing unit 0202.
  • the separation reference and the state value vector group are input to the binary vector conversion unit 0201.
  • the binary vector conversion unit 0201 converts these into binary vectors and outputs them to the space division processing unit 0202.
  • the space division processing unit 0202 generates and outputs a symbolized state value list (LISTSymbol) and a symbolized state transition list (ListTrans) from the input binary vector based on the spatially divided state space.
  • the process of converting into a binary vector by the binary vector conversion unit 0201 using the separation standard is natural, but the method of spatial division by the spatial division processing unit 0202 is various. Since we cannot collect all state value vectors densely, a spatial partitioning method that preserves the global structure from a small number of sample state value vector sequences is desirable.
  • Voronoi division which divides into two parts with the nearest neighbor
  • automatic space division such as KD (k-dimensional) tree and BSP (Binary Space Partitioning).
  • KD k-dimensional
  • BSP Binary Space Partitioning
  • the state value vectors of different symbolized state values do not have to be limited to a specific method as long as the requirements for space division that they belong to different state subspaces are satisfied, but the amount of calculation required for the space division method is different. .. What is expected from the implementation point of view regarding the above spatial division method is that the accuracy of the model is improved by gradually adding more separation criteria. Since the initial separation criteria are incomplete, it is desirable to reduce the amount of data representing the model and the amount of calculation associated with the update process during the addition process.
  • the BSP tree has a problem of lacking flexibility in the sense that a large amount of data structure update occurs for local spatial division.
  • a spatial division method that calculates a binary vectorized symbolized state value from a sample state value and uses it, such as Voronoi division, overcomes this problem.
  • the dimension becomes higher and the nearest neighbor point increases in proportion to the number of dimensions of the state value vector, but it is limited to updating the local data structure.
  • this update range there is a great effect that a parallel computer can handle a large number of state value vectors that are not close to each other and a plurality of separation criteria that do not overlap with each other.
  • a symbolized state value (ListSymbol) is assigned to each state partially closed space.
  • a symbolized state value 1 is assigned to the state partially closed space S1.
  • the transition relationship (ListTrans) between the symbolized state values the constraint conditions related to the transition source symbol state value, the transition destination symbol state value, and the transition relationship, and their rationale, as shown in FIG. 2B, can be obtained. It is possible to obtain a discrete state state machine representation associated with the separation criteria.
  • the transition relationship between the symbolized state values is indicated by arrows, for example, that the symbolized state value 1 can transition to the symbolized state value 3.
  • the transition relationship between the symbolized state value and the symbolized state value shown in FIG. 1 is an example, and not all the symbolized state values and transition relationships shown in FIG. 2B are shown in FIG.
  • Functional requirements can also be formalized by binarizing the constraint equations described as separation criteria B0 to B4 as the separation criteria between the state value vectors. For example, the symbolized state value 1 and the symbolized state value 3 are divided according to the separation criterion B3.
  • LTL Linear Temporal Logic
  • other formal description methods are known for the transition relationship between discrete state values.
  • a method for formalizing an operation and control problem using LTL or the like with a constraint format as an argument is disclosed in, for example, Japanese Patent No. 6435351 and Japanese Patent No. 61419664.
  • the sample state vector value of the state partially closed space can be automatically calculated using a SAT / CSP solver or the like, the validity of each separation standard can be understood by the engineer in charge of the model validity test. Gender can be confirmed individually. Spatial division processing can be performed in the same way using a new state value vector backed by an operation log, and the model can be refined by adding a new separation standard. Since the operation log cannot be supported for all transition paths, the limit of the model validity test using the operation log can be dealt with.
  • Constrained conditions related to time series continuity such as one component of the state value vector acquired from a specific sensor measurement value changing only continuously, also form part of the operating premise.
  • the failure mode is added to the state value vector as a truth value, and the constraint condition that multiple failures do not occur is used as a premise during operation.
  • This section exemplifies the separation criteria and model construction method used for space division by the space division processing unit 0202.
  • the operating premise is formalized as a constraint condition for the state value vector. This defines the maximum partially closed space A in the state space in FIG. 1, which is a state partially closed space and is considered to actually occur including an abnormal time.
  • the safety requirement is also formalized as a constraint condition for the state value vector.
  • This is the partially closed space B of the maximum partially closed space A in FIG. 1, and defines the separation surface from the complement. That is, it is an abnormal state vector that can actually occur, and is used to distinguish the normal / safe state of the reference model from the other state subspaces. This corresponds to the reference model.
  • the partially closed space B is designed to be a subset of the partially closed space A.
  • the operating premise is used only to specify the assumed operating conditions of the system, and a situation that does not satisfy this can occur in the real world. Therefore, NOT (partially closed space A) && (partially closed space B) ) Is not always an empty set.
  • FIG. 1 is described to emphasize this point.
  • functional requirements are formalized as constraint conditions for state value vectors.
  • it is a criterion used when the partially closed space A that satisfies the safety requirement is spatially divided, and defines a separation surface that is functionally different and is divided into the state partially closed space group C. Since the safety requirement includes a process of returning to the safe / normal state when the normal / safe state is deviated, the partially closed space C becomes a subset of the partially closed space B.
  • the internal model and the external model are unified into a model representation in which the state partially closed space A is spatially divided with the safety requirement and the functional requirement as separation criteria.
  • This can be understood as a discrete state transition model that constrains the transition relationship between the subsets of the spatially divided state partially closed space C.
  • the state subspace C is spatially divided as described above, it is natural that the dynamics of the internal state is formalized as a constraint condition regarding the transition path of the time-series state value vector. Since each state partially closed space is bounded, the state partially closed space to which it belongs is uniquely determined even if the state value vector at each time point has some indefiniteness or changes over time. This corresponds to a kind of model lowering.
  • the dynamics of the external state can also be formalized as a constraint condition regarding the transition path of the time-series state value vector if some assumption premise that contributes to the bounded setting of the change over time of the external state can be given.
  • processing by the model construction unit 02 of this embodiment can be either offline processing or runtime processing.
  • FIG. 3 is a diagram showing an example of the symbolized state value conversion unit 03 of the state transition model construction device 02 according to the first embodiment.
  • the symbolized state value conversion unit 03 shown in FIG. 3 forms a part of the state transition model construction device 02.
  • the state value vector sequences 0300 and Y ⁇ y [k]
  • the symbolized state value list (ListSymbol) 0302 and the transition relationship list (ListTrans) 0305 between the symbolized state values are composed of the transition source / transition destination symbolized state values in FIG. 2B.
  • the symbolized state value calculation unit 0301 decomposes the state value vector sequence Y into the partial state value vector sequence w [k]. This corresponds to step S0601 in FIG.
  • This time-series data division process is performed by the symbolization state value registration determination unit 0303, but the fact that the symbolization state value list ListSymbol is constructed on the premise that all the separation criteria are completely aligned is especially in the initial stage of model construction. It is rare. Therefore, this happens when the corresponding state partially closed space is not registered due to the incomplete initial separation criteria.
  • the symbolization state value registration determination unit 0303 notifies the symbolization state value list generation unit 0304 of the new symbolization state value v.
  • the symbolized state value list generation unit 0304 acquires the symbolized state value list ListSymbol by reference and performs an update process (step S0603). After that, the registration notification is sent to the symbolization state value registration determination unit 0303.
  • This new symbolization state value v is added to the new symbolization state value z [k].
  • This registration determination / new symbol value vector generation process is performed for all the state value vector columns Y until the determination conditions in step S0604 are no longer satisfied, and the symbolized state value sequence z [k] is symbolized in step S0605. After passing it to the state value conversion unit 03, it is output from the symbolized state value conversion unit 03.
  • the symbolization state value list generation unit 0304 takes the state value vector shown in FIG. 2A as an argument, determines the truth value of each separation criterion, and converts it into a binary vector to obtain a new symbolization.
  • the state value v is calculated (step S0602).
  • the process of registering this new symbolized state value v (step S0603) is performed.
  • the separation standard may not be set.
  • new separation criteria must be dynamically added / deleted with the external state value as an argument.
  • a separation criterion for cutting out an inaccessible prohibited area occupied by an obstacle or a field object is dynamically generated using an external state value obtained from the outside world recognition unit. Spatial division and symbolization state value allocation using the dynamically generated separation criteria must be performed during operation.
  • a contracted representation in the CNF format used as input data to the SAT solver In order not to cause an exponential increase in the amount of memory required for such data representation, it is preferable to use a contracted representation in the CNF format used as input data to the SAT solver.
  • a binary function called ListSymbocFunc is constructed by using the logical sum of the registered symbolized state values as shown in FIG. 5A.
  • the satisfiability determination problem of the logical expression ListSymbolFunc (v) with the symbolized state value v as an argument is solved, and the presence or absence of registration is determined. If the symbolized state value v has already been registered, it can be satisfied and becomes the evaluation value TRUE of ListSymbolFunc (v), and if it is not registered, it becomes FALSE.
  • the satisfiability determination problem of ListTransFunc (transition source symbolization state value, transition destination symbolization state value) is solved, and the presence or absence of registration is determined.
  • the logical product of the pair of the transition source symbolized state value and the transition destination symbolized state value that are in a transitionable relationship is taken, and the logical sum of these pairs is taken to construct ListTrans (p, q).
  • the problem of acquiring the transition destination symbolization state value q when the transition source symbolization state value p is set may be solved by solving the satisfiability determination problem of calculating the satisfiability solution of q given p.
  • symbolized state value v is a binary vector
  • the logical sum of the binary vector representations P [0] to P [3] of the components of each symbolized state value list ListSymbol is taken, and this is logically reduced. Use the contracted logical expression. If the SymbolList is held with such a structure, the exponential increase as described above can be avoided although the calculation amount at the time of determination is used as a consideration.
  • FIG. 7 is a diagram showing a schematic configuration of the planned operation sequence generation unit 07 constituting the autonomous system 11 according to the first embodiment
  • FIG. 8 is an operation of the planned operation sequence calculation unit 0701 constituting the autonomous system 11 according to the first embodiment. It is a figure which shows an example.
  • the normal control function and the operation instruction that is its argument may be specified as a constraint condition regarding the transition path between the symbolized state values.
  • the symbolization control instruction sequence C in FIG. 7 is used.
  • symbolized state value list ListSymbol a group of symbolized state values described in the model that are supposed to actually occur is registered. Therefore, at least one of the transition source symbolization state value c [k] and the transition destination symbolization state value c [k + 1] of the transition path c [k]-> c [k] specified by the symbolization control instruction is ListSymbol. If it is not registered in, it turns out that the control command is invalid.
  • the truth value of ListSymbol (c [k]) or ListSymbol (c [k + 1]) may be determined (step S0801). If it is FALSE and it is not registered, the error information that the control instruction is invalid is registered in the error factor E (step S0802), this is output, and the process ends.
  • the planning operation column calculation unit 0701 refers to the symbolization state value list ListSymbol0302, and sets each separation criterion B [x] that makes the symbolization control instruction meaningful as a constraint condition for the state value vector sequence YY as an undecided variable.
  • Constraint expression C (YY) is constructed.
  • the state subspace c [k] (y) pointed to by each symbolized state value is with the adjacent state subspace group according to the operating assumptions, functional requirements and safety requirements, and the separation criteria automatically generated by the space division.
  • the separation surface is characterized. Therefore, the operator can set the operation instruction more easily than setting the constraint condition for the original high-dimensional state value vector sequence YY precisely.
  • step S0805 The logical product with the safety constraint SF (YY) described as a constraint condition for the symbolized state value is taken (step S0805), and the constraint expression solver 0702 determines whether or not there is a satisfied solution of C (YY) & & SF (YY) (step S0805). Step S0806).
  • the separation criterion that cannot be satisfied may be a part of the symbolization control instruction c [j]-> c [j + 1]. This is either due to a model error, that is, a deficiency in ListTrans, or a conflict between safety constraints and symbolization control instructions that makes them unsatisfiable. Therefore, it is regarded as a symbolization control violation, and the unsatisfiable allocation value YY_UNSAT calculated by the constraint solver 0702 is added to the error factor E.
  • the separation criteria constituting the safety constraint SF may become unsatisfactory (step S0809). Even if the symbolization control instruction itself is correct, this situation occurs when the safety constraint setting itself is inadequate.
  • FIG. 9 is a diagram showing a schematic configuration of a model consistency monitoring unit 09 constituting the autonomous system 11 according to the first embodiment.
  • the model consistency monitoring unit 09 the state value vector sequence Y actually acquired from the measurement system, the symbolization control instruction used by the planned operation sequence generation unit 07, and the model information, that is, ListSymbol and ListTrans are not matched. , If there is a defect in the model, it is used to detect it correctly.
  • the state value vector sequence Y ⁇ y [k]
  • the state value sequence SY ⁇ sy [k]. ]
  • FIG. 10 is a diagram showing an example of the operation of the symbolized state value collating unit 091 constituting the autonomous system 11 according to the first embodiment.
  • step S1002 the error information as a model error, the state value vector y [k] at the time point k, and the planned operation yy [k] are registered in the error factor EM (step S1002). Transition relationship between symbolized state values sy [k]-> sy [k + 1] is not registered in ListTrans, or either sy [k] or sy [k + 1] is registered in ListSymbol. Classified if not.
  • step S1003 when SY does not satisfy the safety constraint SF (step S1003), the error information that violates the safety constraint, the state value vector y [k] at the time point k, and the planned operation yy [k] are set as the error factor EM. to register.
  • step S1004 If the transition relationship between the symbolized state values sy [k]-> sy [k + 1] does not match the symbolization control instruction (step S1004), error information that violates the control instruction and the state at the time point k Register the value vector y [k] and the planned operation yy [k] in the error factor EM.
  • FIG. 11 is a diagram showing a schematic configuration of the autonomous system 11 according to the first embodiment, and is a diagram showing the configuration of the autonomous system 11 equipped with the autonomous control device 1102 that realizes the method shown in the present embodiment.
  • the autonomous system 11 is also composed of a device capable of various information processing, for example, an information processing device such as a computer.
  • the operation determination unit 1104 has a function of determining the operation of the autonomous control device 1102, and operates according to a processing procedure such as a program as an example.
  • the operation determination unit 1104 acquires a state value vector, sets a predetermined safety constraint, passes a symbolization control instruction to the planned operation column generation unit 07, and receives an error factor E.
  • the model consistency monitoring unit 09 shown in FIG. 8 receives various information and passes the error factor EM to the operation determination unit 1104.
  • the operation determination unit 1104 When the operation determination unit 1104 receives the error factor E (step S0808) and the error factor EM (step S1004) that the control instruction is violated, the operation determination unit 1104 refers to the error information and falls into an unsatisfactory symbolization state value c [ Calculate another symbolization control instruction that avoids j] and pass it to the planned operation sequence generation unit 07.
  • the operation determination unit 1104 When the operation determination unit 1104 receives the error factor E (step S0809) and the error factor EM (step S1003) that the safety requirement is violated, the planned operation column yy [that does not satisfy the safety requirement SF with reference to the error information.
  • Another symbolization control instruction that avoids the symbolization state value syy [k] of [k] is calculated and passed to the planned operation column generation unit 07.
  • step S1002 When the operation determination unit 1104 receives the error factor EM (step S1002) called a model error, the symbolized state value sy [k] of the state value vector y [k] at the time point k and the planned operation yy [k]. ], A symbolization control instruction that avoids the symbolization state value syy [k] is calculated and passed to the planned operation column generation unit 07.
  • the system does not set the symbolization control instruction and passes only the safety constraint SF to the planned operation sequence generation unit 07 to realize the minimum FailSafe operation.
  • the state transition model construction device 02 determines the homogeneity and heterogeneity between the states with respect to the state space in which the definition areas of the state of the system and the state of the operating environment are merged. Spatial division is performed without duplication based on whether or not the expressed separation standard is satisfied, and the truth value of the separation standard is merged with each state partially closed space obtained by the space division to symbolize the binary vector format. It has a space division processing unit 0202 that assigns values and associates the transition possibility of a pair of the state partially closed spaces with the transition relationship between the symbolized state values.
  • the state transition model construction device 02 of this embodiment is a model of the operating environment that contributes to the control of the autonomous system 11, and has an existing FDIR function when an abnormality occurs using the model and a defect of the model itself. It is a model construction device that integrates the FDIR function to deal with.
  • the control function of the autonomous system can be changed from operation instructions to actual operation data that satisfies the safety requirements and functional requirements. Can be realized as an inverse conversion function to generate.
  • the operator of the autonomous system 11 can transfer the determination of whether or not to cause a hazard due to a violation of safety requirements or an illegal operation command to the control function of the autonomous system 11 using the model constructed as described above. It is only necessary to focus on the realization of the desired function. When it comes to a complicated and large-scale high-safety system, it becomes possible to realize operability while ensuring safety by design.
  • the second embodiment a detailed example of the spatial division of the state space shown in the first embodiment will be described.
  • the second embodiment is applied when dealing with an operation planning problem in ADAS (Advanced driver-assistance systems) that automatically drives a moving body in a low-dimensional space (2D / 3D) at level 4. .. Therefore, the autonomous system corresponds to ADAS.
  • ADAS Advanced driver-assistance systems
  • FIG. 12 is a diagram showing an example of a model to which the state transition model construction device 02 according to the second embodiment is applied.
  • FIG. 12 shows an attempt to advance an autonomous vehicle in a forward direction in a situation where there is a vehicle that seems to be parked on the left side and a vehicle is approaching from the front right side in a two-way lane. Show the process.
  • the vehicle uses LIDAR (Laser Imaging Detection and Ringing: a means of identifying the position of the reflector using a laser), a camera, a vehicle speed sensor, GPS information, etc. to estimate the vehicle position and speed, and external world recognition processing and a map. -Dynamic construction of this operating environment model by using traffic rule information together.
  • LIDAR Laser Imaging Detection and Ringing: a means of identifying the position of the reflector using a laser
  • a camera a camera
  • GPS information GPS information
  • the state space that can take the spatial position and speed of the own vehicle is spatially divided, and the symbolized state value ListSymbol is set for each bounded closed area that is spatially divided based on various separation criteria. It is composed of the defined one and the constraint condition ListTrans regarding the transition relationship between the symbolized state values, and is one implementation form of FIG. 2A.
  • the spatial division model represented by the wide area map information database shown in FIG. 13 or 15 the spatial division is performed offline, and as shown in FIG. 14 or 16, GPS information is used as an argument for binary vector conversion.
  • the lidar data group collected at runtime is used to dynamically perform spatial division and conversion to symbolized state values as shown in FIG.
  • FIG. 13 is a diagram showing an example of space division by the state transition model construction device 02 according to the second embodiment
  • FIG. 14 is a diagram showing an example of the binary vector conversion unit 0201 of the state transition model construction apparatus 02 according to the second embodiment. Is.
  • FIG. 13 shows an example in which a wide area road traffic network is spatially divided, and area divisions, R1 and R2 in the figure, and travel road divisions, part1 and part2 in the figure are used as separation criteria. Is.
  • a 4-bit symbolized state value ListSymbol can be constructed. Each bit value is uniquely determined by the binary vector conversion unit 0201 in FIG. 14 depending on whether or not it belongs to a specific partitioned bounded closed space.
  • FIG. 12 shows an example in the case of one lane on each side, but if there are two lanes, forward movement between lanes is permitted, but entry into the oncoming lane is not permitted.
  • the symbolized state transition list ListTrans can be constructed from the spatial connection relationship between the roads and the separation criteria based on the traffic rules.
  • the traffic rules include not only spatial restrictions on new routes, but also speed limit instructions by traffic signs and restrictions on speed components such as one-way streets, and multiple transition destination symbols are used at intersections with route branches. There is a state value.
  • FIG. 15 is a diagram showing another example of space division by the state transition model construction device 02 according to the second embodiment
  • FIG. 16 is another diagram of the binary vector conversion unit 0201 of the state transition model construction device 02 according to the second embodiment. It is a figure which shows an example.
  • FIG. 15 is a representation of the detailed map / traffic rule information inside the area R2 in FIG.
  • the symbolized state transition list stores only a list of valid symbolized state values, not a directed graph with a transition destination. Please note that it has become a thing.
  • the conversion to the symbolized state value component B [4] is performed by the binary vector conversion unit 0201 as shown in FIG. That is, the position information position from GPS and the speed information velocity from the vehicle speed sensor are used as arguments, and the judgment result of the traffic rule corresponding to the corresponding driving road, in this case, the constraint condition regarding the traveling direction is symbolized as the state value component B [ Output as 4].
  • FIG. 17 is a diagram showing another example of space division by the state transition model construction device 02 according to the second embodiment
  • FIG. 18 is a lidar which is another example of the state transition model construction device 02 according to the second embodiment. It is a figure which shows the model building part 240102 (see FIG. 25) for a data string.
  • FIG. 17 shows a group of bounded convex / closed regions in which a large number of rays [k, i] are bundled as a result of measuring the orientation and distance of the reflector around the operating environment collected by LIDAR. is there.
  • LIDAR can perform precise measurement, minute reflections and refractors, such as rain and snow, cause false detections. Therefore, a long-wavelength radar or an ultrasonic sensor that is inferior in accuracy but can deal with the above-mentioned false detection factor of LIDAR may be used in combination.
  • These devices should be understood as a means to realize the purpose of identifying the position ray_dst [i] of the reflector in the outside world, which is the operating environment, and the function of identifying the region without the reflector. In particular, it is a means for physically confirming that there are no running obstacles between the vehicle position and the reflector, that is, near the line segment between ray_src [i] and ray_dst [i].
  • LIDAR can collect more than 100,000 LIDAR data strings per second in all directions, has a fast data collection cycle, and data near the line segment even if a high-speed moving object is near or far from the own vehicle. Is remeasured. Therefore, by discarding the old LIDAR data value and continuing to spatially divide the accessible area during runtime using the latest collected data, the distribution of surrounding obstacles can be distributed with high reliability that cannot be achieved by other in-vehicle sensors. It can be incorporated into the model and updated.
  • FIG. 18 is a model construction unit 240102 for a lidar data string, which is merged with a space division processing unit 0202 that determines each element of the symbolized state value list ListSymbol referred to by the binary vector conversion unit 0201. ..
  • the convex / closed region has the property that the internal points of any two internal points always belong to the same convex / closed region. Therefore, ch [p] may be sequentially constructed and updated by bundling nearby beam paths, connecting and expanding them so as to maintain the properties of the convex closed region.
  • the spatial connection relationship between adjacent convex and closed regions calculated in this process is stored in ListTrans.
  • the route generation process first specifies the movement locus of the geometric center position of the vehicle. Therefore, if the size of the own vehicle is taken into consideration at the stage of constructing the accessible area from the LIDAR data, it is possible to avoid complication of calculation in the route generation process.
  • FIG. 19 is a flowchart showing an example of the operation of the lidar data string model construction unit 240102, which is the state transition model construction device according to the second embodiment
  • FIG. 20 is a flowchart of the lidar data string model construction unit 240102 according to the second embodiment. It is a figure for demonstrating the operation procedure of the space division processing part 0202.
  • step S1901 the latest beam path list Ray [t-t0] to Ray [t] are merged, and the processing target list Ray [k] is set.
  • step S1902 the convex / closed region ch [0] including the first entry ray [k, 0] is registered in the list CH of the convex / closed region that specifies the bit value component of each symbolization state value.
  • both the start point ray_src [i] and the end point ray_dst [i] of the beam path indicated by the first entry ray [k, i] of Ray [k] are from any of the convex closed regions registered in CH. Determine if the distance is greater than the distance ⁇ .
  • step S1904 a convex hull including ray [k, i] is generated and registered in CH.
  • step 1905 when either of the both end points of the beam path ray [k, i] is in either of the convex closed regions ch [p] registered in CH or in the vicinity of the distance ⁇ .
  • the convex hull ch [p + 1] generated in S1904 and the corresponding ch [p] are registered as transitionable adjacent convex closed region pairs in the symbolized state transition list ListTrans.
  • step S1903 if both end points of the beam path ray [k, i] belong to any of the convex closed regions ch [p] registered in CH, the process proceeds to step S1906 and the convex closure is performed.
  • the region ch [p] is extended to include the beam path ray [k, i].
  • step S1904 If one of the endpoints of the beam path ray [k, i] does not belong to any of the convex closed regions ch [p] registered in CH, the process proceeds to step S1904, and a new beam path ray [k, i] is obtained. A convex closed region ch [p + 1] including [k, i] is generated.
  • FIG. 21 is a diagram showing still another example of space division by the state transition model construction device 02 according to the second embodiment
  • FIG. 22 is a camera data which is still another example of the state transition model construction device according to the second embodiment. It is a figure which shows the model building part 240103 (see FIG. 25) for a column.
  • FIG. 21 shows an example in which the inaccessible area and the other areas related to the planned trajectory of the own vehicle are spatially divided based on the recognition result obj [k] of the surrounding object by the camera. It is decomposed into three types of convex closed regions, ccdom [0] to ccdom [2].
  • this spatial division process is dynamically performed inside the camera model construction unit 240103 configured in FIG. 22 for the recognition result obj [k] that changes with timekeeping, and the convex portion closed region after the division is performed.
  • FIG. 23 is a diagram showing the spatial division by the state transition model construction device 02 according to the second embodiment
  • FIG. 24 is a correspondence of each component of the symbolized state value by the state transition model construction device 02 according to the second embodiment. It is a figure which shows the relationship.
  • FIG. 23 shows a state partially closed space dynamically generated through the above procedure using the external state collected when the own vehicle is in the illustrated position
  • FIG. 24 shows the symbolized state value.
  • the vehicle's trajectory refers to the map / traffic information database, and while satisfying the restraint conditions regarding the driving route and direction, the camera stays in the free space without obstacles, which is supported by the beam route collection from LIDAR.
  • the own vehicle may calculate the planned track so as to avoid the inaccessible area set by using the object information from.
  • the inside / outside judgment of the convex / closed region group with respect to the position position [k] of the own vehicle and the velocity vector velocity [k] is used. It is converted to the symbolized state value of the value vector, and the subsequent route planning problem is replaced with the problem of calculating the transition sequence between the symbolized state values within the range limited by this symbolized state transition list ListTrans.
  • FIG. 25 is a diagram showing an example of the symbolized state value conversion unit 2401 of the state transition model construction device 02 according to the second embodiment.
  • the symbolized state value conversion unit 2401 shown in FIG. 25 integrates FIGS. 13 to 23 and corresponds to the symbolized state value conversion unit 03 of FIG. 3, and is a sensor group for an autonomous driving vehicle. It is equipped with a model construction unit corresponding to it.
  • the function corresponding to the symbolized state value list generation unit 0304 in FIG. 3 corresponds to the space division process of determining each component of the symbolized state value list at runtime by using the data of the lidar and the camera.
  • the conversion process to the symbolized state value shown in FIG. 6 was divided for each sensor. That is, the GPS data string model building unit 240101, the LIDAR data string model building unit 240102, and the camera data string model building unit 240103, which include a wide area map information database 1401 and a part that converts into a binary vector using GPS information, From, the symbolized state value list and the symbolized state transition list ListTrans are constructed, and the processing of the symbolized state value calculation unit in FIG. 3 is inherited, and the state value vector sequence y [k] is sequentially symbolized. Convert to column Z [k].
  • FIG. 26 is a diagram showing a schematic configuration of a planned operation sequence generation unit 07 constituting the autonomous system 11 according to the second embodiment. That is, FIG. 26 embodies the function of the planned operation sequence generation unit 07 of FIG. 7 so as to correspond to the configuration of the autonomous driving vehicle in this embodiment.
  • the state value vector y [k] is y [k, 0]: position position [k], y [k, 1]: velocity velocity [k], y [k, 2]: LIDAR beam path sequence.
  • u [k] The control command to the actuator that is the steering value and affects the turning angular velocity
  • u [k, 1] Accelerator
  • u [k, 2] a control input to the actuator that acts in the phenomenon direction of the velocity vector, which is a brake.
  • the transfer function vehicle_dynamics is a function that constrains the estimated value of the post-transition state value vector y [k + 1] after the time ⁇ t with respect to the control input u [k] and the current state value vector y [k].
  • FIG. 27 is a diagram showing an example of a group of undecided variables received by the constraint formula solver 0702 of the autonomous system 11 according to the second embodiment and a list of constraint formulas for the undetermined variables.
  • the state value vector y [k] progresses over time, so the LIDAR and camera data also change over time, and therefore the spatial division result also changes. Therefore, it is preferable to re-execute a series of processes in a short cycle of about a constant multiple of the time ⁇ t.
  • the forward travel path toward the area R1 is not completely visible.
  • the own vehicle can move to the right to secure the line-of-sight and set the planned track following the area R1 for the first time.
  • FIG. 28 is a diagram showing another example of the model to which the state transition model construction device 02 according to the second embodiment is applied.
  • Fig. 28 shows the situation in which the vehicle in front is moving instead of being stopped.
  • the vehicle on the forward traveling path ahead is moving at a very low speed in front of the pedestrian crossing
  • the data in the sky of the camera is received and the inaccessible area is set.
  • the model obtained as a result of spatial division using LIDAR data there is a route that crosses the vehicle in front, but the planned operation train generation unit cannot calculate such a route, so the own vehicle decelerates. Stop. It should be noted that even with such behavior, the constraint conditions specified by the symbolization control instruction are satisfied.
  • each of the above configurations, functions, processing units, processing means, etc. may be realized by hardware by designing a part or all of them by, for example, an integrated circuit.
  • the present invention can also be realized by a program code of software that realizes the functions of the examples.
  • a storage medium in which the program code is recorded is provided to the computer, and the processor included in the computer reads the program code stored in the storage medium.
  • the program code itself read from the storage medium realizes the functions of the above-described embodiment, and the program code itself and the storage medium storing the program code itself constitute the present invention.
  • Examples of the storage medium for supplying such a program code include a flexible disk, a CD-ROM, a DVD-ROM, a hard disk, an SSD (Solid State Drive), an optical disk, a magneto-optical disk, a CD-R, and a magnetic tape.
  • Non-volatile memory cards, ROMs, etc. are used.
  • program code that realizes the functions described in this embodiment can be implemented in a wide range of programs or script languages such as assembler, C / C ++, perl, Shell, PHP, and Java (registered trademark).
  • the program code of the software that realizes the functions of the examples via the network it is stored in a storage means such as a hard disk or memory of a computer or a storage medium such as a CD-RW or a CD-R.
  • the processor provided in the computer may read and execute the program code stored in the storage means or the storage medium.
  • control lines and information lines indicate those considered necessary for explanation, and do not necessarily indicate all the control lines and information lines in the product. All configurations may be interconnected.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Artificial Intelligence (AREA)
  • Theoretical Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Evolutionary Computation (AREA)
  • Computational Mathematics (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Algebra (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Remote Sensing (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Aviation & Aerospace Engineering (AREA)
  • Radar, Positioning & Navigation (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Medical Informatics (AREA)
  • Testing And Monitoring For Control Systems (AREA)

Abstract

L'invention concerne un dispositif de construction de modèle de transition d'état et un système autonome dans lequel la sécurité est assurée par la conception et avec lequel il est possible d'obtenir une facilité d'utilisation. Un dispositif de construction de modèle de transition d'état 02 comprend une unité de traitement de division spatiale 0202 qui : par rapport à un espace d'état dans lequel des domaines d'un état de système et d'un état d'environnement de fonctionnement sont combinés, effectue une division spatiale sans chevauchement sur la base du fait qu'un critère de séparation exprimant une homologie d'état à état et une hétérogénéité sont satisfaites ; attribue, à chaque espace fermé partiel d'état obtenu par division spatiale, des valeurs d'état symbolisées par un vecteur binaire combinant les valeurs de vérité du critère de séparation ; et associe la probabilité de transition d'une paire d'espaces fermés partiels d'état avec une relation de transition entre les valeurs d'état symbolisées.
PCT/JP2019/034098 2019-08-30 2019-08-30 Dispositif de construction de modèle de transition d'état et système autonome WO2021038826A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2019/034098 WO2021038826A1 (fr) 2019-08-30 2019-08-30 Dispositif de construction de modèle de transition d'état et système autonome

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2019/034098 WO2021038826A1 (fr) 2019-08-30 2019-08-30 Dispositif de construction de modèle de transition d'état et système autonome

Publications (1)

Publication Number Publication Date
WO2021038826A1 true WO2021038826A1 (fr) 2021-03-04

Family

ID=74684680

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/034098 WO2021038826A1 (fr) 2019-08-30 2019-08-30 Dispositif de construction de modèle de transition d'état et système autonome

Country Status (1)

Country Link
WO (1) WO2021038826A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014141351A1 (fr) * 2013-03-11 2014-09-18 株式会社 日立製作所 Dispositif de commande autonome
WO2015111142A1 (fr) * 2014-01-22 2015-07-30 株式会社日立製作所 Dispositif d'analyse de système, dispositif d'analyse de vice de conception, dispositif d'analyse de mode de défaillance, dispositif d'analyse par arbre de défaillances, dispositif d'action autonome et système de commande d'action autonome

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014141351A1 (fr) * 2013-03-11 2014-09-18 株式会社 日立製作所 Dispositif de commande autonome
WO2015111142A1 (fr) * 2014-01-22 2015-07-30 株式会社日立製作所 Dispositif d'analyse de système, dispositif d'analyse de vice de conception, dispositif d'analyse de mode de défaillance, dispositif d'analyse par arbre de défaillances, dispositif d'action autonome et système de commande d'action autonome

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YAMANE, SATOSHI: "Formal method using hybrid automata in embedded systems", JOURNAL OF THE SOCIETY OF INSTRUMENT AND CONTROL ENGINEERS, vol. 48, no. 11, 10 November 2009 (2009-11-10), pages 810 - 815, ISSN: 0453-4662 *

Similar Documents

Publication Publication Date Title
Garcia et al. A comprehensive study of autonomous vehicle bugs
Könighofer et al. Shield synthesis
CN113272743B (zh) 使用有通道结构的动态环境进行基于规则的自动化控制
Ghazel Formalizing a subset of ERTMS/ETCS specifications for verification purposes
Zhong et al. A survey on scenario-based testing for automated driving systems in high-fidelity simulation
Fantechi Twenty-five years of formal methods and railways: what next?
Vu et al. Formal modelling and verification of interlocking systems featuring sequential release
Damm et al. A formal semantics for traffic sequence charts
Majzik et al. Towards system-level testing with coverage guarantees for autonomous vehicles
Vu et al. Formal modeling and verification of interlocking systems featuring sequential release
Flammini et al. A vision of intelligent train control
Colwell Runtime restriction of the operational design domain: A safety concept for automated vehicles
Macedo et al. Compositional model checking of interlocking systems for lines with multiple stations
AU2018202873B2 (en) Method for checking safety requirements of SSI-based data used in an interlocking control system
WO2021038826A1 (fr) Dispositif de construction de modèle de transition d'état et système autonome
Emzivat et al. A formal approach for the design of a dependable perception system for autonomous vehicles
Luteberget Automated reasoning for planning railway infrastructure
Gruteser et al. A formal model of train control with AI-based obstacle detection
Maierhofer et al. Map verification and repairing using formalized map specifications
US10146888B2 (en) Systems and methods for criteria analysis prototyping
Basile et al. Statistical model checking of hazards in an autonomous tramway positioning system
US20230027577A1 (en) Safe Path Planning Method for Mechatronic Systems
Zafar Formal dynamic operational model of RIS components
US20220204003A1 (en) Formal Verification for the Development and Real-Time Application of Autonomous Systems
Dirnfeld Digital Twins in Railways: state of the art, opportunities, and guidelines

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19943652

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19943652

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP