Summary of the invention
In view of the above technical problems, the object of the present invention is to provide a redundancy control system for L3 automated driving, which solves the problem that current automated driving systems cannot enter a fail-operational state when a single-point failure occurs.
The technical solution adopted by the present invention is as follows:
An embodiment of the invention provides a redundancy control system for L3 automated driving, comprising: a master controller, a backup controller, a steering redundancy control system, a braking redundancy control system, a main communication network and a backup communication network, wherein the master controller, the backup controller, the main communication network and the backup communication network constitute an upper-level control system. The master controller is used to execute control of the complete L1~L3 automated driving, and sends main lateral control instructions and main longitudinal control instructions to the steering redundancy control system and the braking redundancy control system through the main communication network and the backup communication network. The backup controller exchanges information with the master controller and, when the master controller is in a fault state, executes control of partial L1~L3 automated driving, comprising: sending backup lateral control instructions and backup longitudinal control instructions to the steering redundancy control system and the braking redundancy control system through the main communication network and the backup communication network, to achieve driving degradation and a safe stop. The steering redundancy control system includes two structurally identical steering actuators, connected to the main communication network and the backup communication network respectively; when both steering actuators are in a normal state, they cooperate, based on the received main lateral control instruction or backup lateral control instruction, to complete the steering operation of the corresponding control instruction. The braking redundancy control system includes two structurally different brake actuators, connected to the main communication network and the backup communication network respectively; when both brake actuators are in a normal state, they cooperate, based on the received main longitudinal control instruction or backup longitudinal control instruction, to complete the braking operation of the corresponding control instruction.
Optionally, when the master controller determines that the backup controller is in a fault state, it performs the following operations: entry into automated driving mode is prohibited; if automated driving mode has already been entered, the driver is prompted to take over driving or to downgrade to basic L2 assisted driving, and if the driver does not take over or does not confirm the function downgrade, the system enters safe mode and stops the vehicle.
Optionally, when the backup controller determines that the master controller is in a fault state, it performs the following operations: entry into automated driving mode is prohibited; if automated driving mode has already been entered, the driver is prompted to take over driving or to downgrade to basic L2 assisted driving, and if the driver does not take over or does not confirm the function downgrade, the system enters safe mode and stops the vehicle.
Optionally, the backup controller sending backup lateral control instructions and backup longitudinal control instructions to the steering redundancy control system and the braking redundancy control system through the main communication network, to achieve driving degradation and a safe stop, comprises: when the master controller is in a fault state and the driver does not take over, sending backup lateral control instructions and backup longitudinal control instructions to the steering redundancy control system and the braking redundancy control system to complete L3 automated driving for a preset time and stop in a safety zone; and
when the master controller is in a fault state and the driver takes over, sending backup lateral control instructions and backup longitudinal control instructions to the steering redundancy control system and the braking redundancy control system to realize L1~L2 driving functions.
Optionally, the steering actuators include a first steering actuator and a second steering actuator, the first steering actuator being connected to the main communication network and the second steering actuator being connected to the backup communication network, wherein, when both steering actuators are in a normal state, cooperating to complete the steering operation of the corresponding control instruction based on the received main lateral control instruction or backup lateral control instruction specifically includes:
When the upper-level control system is in a normal state and the main lateral control instruction transmitted by the main communication network is consistent with the main lateral control instruction transmitted by the backup communication network, the first steering actuator and the second steering actuator cooperate to perform the steering operation in response to the main lateral control instruction;
When the master controller is in a fault state and the backup lateral control instruction transmitted by the main communication network is consistent with the backup lateral control instruction transmitted by the backup communication network, the first steering actuator and the second steering actuator cooperate to perform the steering operation in response to the backup lateral control instruction; and
When either the main communication network or the backup communication network is in a fault state, the first steering actuator and the second steering actuator perform the steering operation in response to the main lateral control instruction received from the communication network that is in a normal state.
Optionally, when either of the two steering actuators is in a fault state, the actuator in a normal state completes the steering operation of the corresponding control instruction based on the received main lateral control instruction or backup lateral control instruction.
Optionally, the brake actuators include a first brake actuator and a second brake actuator, the first brake actuator being connected to the main communication network and the second brake actuator being connected to the backup communication network, wherein, when both brake actuators are in a normal state, cooperating to complete the braking operation of the corresponding control instruction based on the received main longitudinal control instruction or backup longitudinal control instruction specifically includes:
When the upper-level control system is in a normal state and the main longitudinal control instruction transmitted by the main communication network is consistent with the main longitudinal control instruction transmitted by the backup communication network, the first brake actuator and the second brake actuator cooperate to perform the braking operation in response to the main longitudinal control instruction;
When the master controller is in a fault state and the backup longitudinal control instruction transmitted by the main communication network is consistent with the backup longitudinal control instruction transmitted by the backup communication network, the first brake actuator and the second brake actuator cooperate to perform the braking operation in response to the backup longitudinal control instruction; and
When either the main communication network or the backup communication network is in a fault state, the first brake actuator and the second brake actuator perform the braking operation in response to the main longitudinal control instruction received from the communication network that is in a normal state.
Optionally, when either of the two brake actuators is in a fault state, the actuator in a normal state completes the braking operation of the corresponding control instruction based on the received main longitudinal control instruction or backup longitudinal control instruction.
Optionally, the system further includes a gateway, which connects the backup controller and the backup communication network and is used to forward the instructions sent by the backup controller to the backup communication network.
In the redundancy control system for L3 automated driving provided by the embodiment of the present invention, control instructions are sent by a master controller and a backup controller, the instructions are transmitted over a main communication network and a backup communication network, and the steering redundancy control system and braking redundancy control system that execute the instructions each use two actuators capable of executing independently. In this way, even when the most serious single-point failure occurs, the transmission and execution of instructions can still be guaranteed, thereby ensuring driving safety.
Specific embodiment
To make the technical problem to be solved by the present invention, the technical solution and the advantages clearer, a detailed description is given below with reference to the accompanying drawing and specific embodiments.
Fig. 1 is a structural schematic diagram of the redundancy control system for L3 automated driving provided by an embodiment of the present invention. As shown in Fig. 1, the redundancy control system for L3 automated driving provided by the embodiment of the present invention comprises: a master controller 1, a backup controller 2, a steering redundancy control system 3, a braking redundancy control system 4, a main communication network 5 and a backup communication network 6. The master controller 1, the backup controller 2, the main communication network 5 and the backup communication network 6 constitute the upper-level control system. The master controller 1 is used to execute control of the complete L1~L3 automated driving, and sends main lateral control instructions and main longitudinal control instructions to the steering redundancy control system 3 and the braking redundancy control system 4 through the main communication network 5 and the backup communication network 6. The backup controller 2 exchanges information with the master controller 1 and, when the master controller 1 is in a fault state, executes control of partial L1~L3 automated driving, comprising: sending backup lateral control instructions and backup longitudinal control instructions to the steering redundancy control system 3 and the braking redundancy control system 4 through the main communication network 5 and the backup communication network 6, to achieve driving degradation and a safe stop. The steering redundancy control system 3 includes two structurally identical steering actuators, connected to the main communication network 5 and the backup communication network 6 respectively; when both steering actuators are in a normal state, they cooperate, based on the received main lateral control instruction or backup lateral control instruction, to complete the steering operation of the corresponding control instruction. The braking redundancy control system 4 includes two structurally different brake actuators, connected to the main communication network 5 and the backup communication network 6 respectively; when both brake actuators are in a normal state, they cooperate, based on the received main longitudinal control instruction or backup longitudinal control instruction, to complete the braking operation of the corresponding control instruction.
In the embodiment of the present invention, the master controller 1 is connected to all sensors required for intelligent driving and, through the main communication network and the backup communication network, to all actuators required for intelligent driving. When the system is working normally, it performs perception fusion, path planning and decision control, sends lateral and longitudinal control instructions to the steering redundancy control system 3 and the braking redundancy control system 4, and completes integrated lateral and longitudinal control. It can support the complete L1~L3 automated driving functions, for example the L3 highway automated driving (HWP) function and traffic congestion automated driving (TJP) function, and other automated driving functions such as highway assisted driving (HWA), traffic congestion assisted driving (TJA) and adaptive cruise control (ACC). Internally, the master controller 1 consists of performance-core SoCs and control-core MCUs and has powerful and complete computing capability; as one embodiment, it may consist of 2 EyeQ4, 1 S32V234 and 2 TC297.
At the sensing and perception level, the master controller is connected to all automated driving sensors, such as the forward-looking camera, forward millimeter-wave radar, front corner millimeter-wave radar, rear corner millimeter-wave radar, rear-view camera, front lidar, high-precision map and positioning sensor, surround view and ultrasonic system, and performs the fullest sensor fusion to generate an environment model. As one embodiment, the detection coverage can reach 200 m ahead, 150 m behind, 100 m to the side-rear and 5 m or more to the side, each coverage area includes at least two sensors with different detection principles, and the system has beyond-line-of-sight prior perception capability.
At the planning and decision level, the master controller 1 has complete path planning capability; as one embodiment, it can perform path planning and obstacle avoidance for single-lane automated driving and multi-lane automated driving (autonomous lane change, commanded lane change, etc.).
At the control level, it simultaneously sends identical steering angle and torque control instructions to the two actuators of the steering redundancy control system 3 through the main communication network and the backup communication network, and simultaneously sends identical acceleration and deceleration instructions to the two actuators of the braking redundancy control system through the main communication network and the backup communication network. As an example, the main communication network may be a CAN network, the backup communication network is also a CAN network, and the master controller 1 meets functional safety level ASIL D.
In the embodiment of the present invention, the backup controller 2 is connected to the forward-facing sensors and is connected to the actuators through two communication networks: one is the main communication network, and the other is the network formed by the gateway and the backup communication network. The gateway is connected to the backup controller and to the backup communication network, and forwards the instructions of the backup controller to the backup communication network. When the master controller 1 fails, the backup controller performs perception fusion, path planning and decision control, sends lateral and longitudinal control instructions to the steering redundancy control system 3 and the braking redundancy control system 4, completes integrated lateral and longitudinal control, and realizes the safe-stop function. When the master controller 1 has not failed, the backup controller 2 is silent; during this silence it monitors in real time the steering control instructions and braking control instructions that the master controller issues on the bus, as well as its own fault state, in preparation for takeover. When the master controller 1 fails, the backup controller is responsible for the smooth switchover of control instructions, avoiding the shock caused by a jump in control and the resulting loss of comfort.
Specifically, the backup controller 2 can support part of the L1~L3 automated driving functions, including limited-performance highway assisted driving (HWA), limited-performance traffic congestion assisted driving (TJA), limited-performance adaptive cruise control (ACC), etc. Internally it contains an SoC and an MCU with a certain level of computing performance; as one embodiment, it consists of 1 EyeQ3 and 1 TC234, which is a mature forward-looking solution for L2 automated driving with high cost-effectiveness and reliability. At the sensing and perception level, the backup controller is not connected to all sensors, only to the forward-looking sensors that are strongly related to driving; as one embodiment, the backup controller 2 is connected to the forward-looking camera and the forward millimeter-wave radar, performs sensor fusion and generates an environment model, and, as one embodiment, its detection coverage can reach 150 m or more ahead. At the planning and decision level, the backup controller 2 has limited-performance path planning and obstacle avoidance capability for single-lane automated driving, and can send steering angle and torque control instructions to the steering redundancy control system 3 and acceleration and deceleration instructions to the braking redundancy control system 4.
In the embodiment of the present invention, the backup controller 2 has two main functions: (1) when the master controller 1 is in a fault state and the driver does not take over, it sends backup lateral control instructions and backup longitudinal control instructions to the steering redundancy control system and the braking redundancy control system to complete L3 automated driving for a preset time, such as 8~10 s, and stops in a safety zone; (2) when the master controller 1 is in a fault state and the driver takes over, it sends backup lateral control instructions and backup longitudinal control instructions to the steering redundancy control system and the braking redundancy control system to realize the reduced-performance single-lane automated driving (L1~L2) function. The safety zone differs according to the situation of the vehicle: if the vehicle is not in the rightmost traffic lane, the safety zone is the nearest straight section ahead in the current lane; if the vehicle is in the rightmost traffic lane and there is an emergency lane on its right, the safety zone is the lane on the right; if the vehicle is in the rightmost traffic lane and there is no emergency lane on its right, the safety zone is the nearest straight section ahead in the current lane. At the control level, the backup controller 2 sends steering angle and torque control instructions to the two steering actuators of the steering redundancy control system 3, and sends acceleration and deceleration instructions to the two brake actuators of the braking redundancy control system. The backup controller 2 is connected to the main communication network (CAN network 1) and the gateway, and meets functional safety level ASIL D.
The master controller 1 and the backup controller 2 monitor each other through one private CAN channel. The monitored signals include key control and status signals such as the other controller's fault state, torque control instruction, steering angle control instruction, acceleration control instruction and deceleration control instruction. If the master controller 1 finds that the backup controller has failed, it performs the following operations: entry into automated driving mode is not allowed; if automated driving mode has already been entered, the driver is prompted to take over driving or to downgrade to enhanced L2 assisted driving, and if the driver does not take over or does not confirm the function downgrade, the system enters safe mode and stops the vehicle. If the backup controller 2 finds that the master controller 1 has failed, it performs the following operations: entry into automated driving mode is not allowed; if automated driving mode has already been entered, the driver is prompted to take over driving or to downgrade to basic L2 assisted driving, and if the driver does not take over or does not confirm the function downgrade, the system enters safe mode and stops the vehicle. In addition, if the backup controller 2 finds that the master controller 1 has failed, control is switched over; at this point the backup controller is responsible for ensuring the smooth switchover of control instructions, avoiding the shock caused by a jump in control and the resulting loss of comfort.
In the embodiment of the present invention, the steering redundancy control system may consist of two actuators capable of independently executing the steering function, and can determine which controller to respond to by evaluating the fault-signal states of the master controller 1 and the backup controller 2. It includes a first steering actuator and a second steering actuator; the first steering actuator is connected to the main communication network, the second steering actuator is connected to the backup communication network, and the first steering actuator and the second steering actuator can exchange information through a private CAN. The specific operation of the two steering actuators is as follows.
(1) When the main lateral control instruction transmitted by the main communication network is consistent with the main lateral control instruction transmitted by the backup communication network, the first steering actuator and the second steering actuator cooperate to perform the steering operation in response to the main lateral control instruction. That is, when the upper-level control system is in a normal state, the first steering actuator and the second steering actuator cross-check the main lateral control instructions they have received; when the check is consistent, this indicates that the instructions received through the main communication network and the backup communication network are the same, and the steering redundancy control system then completes the steering operation through the two steering controllers simultaneously. In one example, each steering actuator may perform half of the steering operation corresponding to the main lateral control instruction, i.e. output half of the steering force corresponding to the instruction.
(2) When the master controller 1 is in a fault state and the backup lateral control instruction transmitted by the main communication network 5 is consistent with the backup lateral control instruction transmitted by the backup communication network 6, the first steering actuator and the second steering actuator cooperate to perform the steering operation in response to the backup lateral control instruction. That is, when the master controller 1 is in a fault state and the other members of the upper-level control system are in a normal state, the first steering actuator and the second steering actuator perform the steering operation by responding to the backup lateral control instruction of the backup controller 2.
(3) When either the main communication network 5 or the backup communication network 6 is in a fault state, the first steering actuator and the second steering actuator perform the steering operation in response to the main lateral control instruction received from the communication network that is in a normal state, so that even if one communication network fails, instructions can still be received and the steering operation completed.
In addition, when either of the two steering actuators is in a fault state, the actuator in a normal state completes the steering operation of the corresponding control instruction based on the received main lateral control instruction or backup lateral control instruction. That is, when one steering actuator fails, the steering operation is performed by the other steering actuator; this normal steering actuator compares the instructions received from the two communication networks and, when they are consistent, performs the same steering operation as when cooperating, i.e. completes the steering operation independently. In one example of the present invention, each steering actuator, when working independently, can independently deliver 50% of the steering force. As one embodiment, the two actuators of the steering redundancy control system may be two structurally identical EPS units; for example, the first steering actuator may be EPS1 and the second steering actuator may be EPS2. They have graded degradation strategies for failures; as one embodiment, when the most serious single-point failure occurs, the steering force can still support output of 50% of the maximum capability, which, except for extreme emergency evasive steering conditions, meets the steering capability demands of L1-L3 automated driving systems and the requirements of ECE-R79.
In addition, while the steering redundancy control system is responding to different controllers, the smoothness of the instruction switchover is guaranteed by the upper-level control system; that is, the upper-level control system does not produce a step in the steering control instruction during the switchover, which preserves vehicle comfort. The steering redundancy control system also feeds back to the upper-level system which steering actuators are currently working (EPS1+EPS2, EPS1, EPS2) and which upper-level controller it is responding to (master controller, backup controller).
In the embodiment of the present invention, the braking redundancy control system 4 consists of two heterogeneous actuators, and can determine which controller to respond to by evaluating the fault-signal states of the master controller 1 and the backup controller 2. It includes a first brake actuator and a second brake actuator; the first brake actuator is connected to the main communication network, the second brake actuator is connected to the backup communication network, and the first brake actuator and the second brake actuator can exchange information through a private CAN. The specific operation of the two brake actuators is as follows.
(1) When the main longitudinal control instruction transmitted by the main communication network is consistent with the main longitudinal control instruction transmitted by the backup communication network, the first brake actuator and the second brake actuator cooperate to perform the braking operation in response to the main longitudinal control instruction. That is, when the upper-level control system is in a normal state, the first brake actuator and the second brake actuator cross-check the main longitudinal control instructions they have received; when the check is consistent, this indicates that the instructions received through the main communication network and the backup communication network are the same, and the braking redundancy control system then completes the braking operation through the two brake controllers simultaneously. In one example, when the first brake actuator and the second brake actuator are both in a normal state, the first brake actuator may act as the brake controller and control the second brake actuator to perform the braking operation.
(2) When the master controller 1 is in a fault state and the backup longitudinal control instruction transmitted by the main communication network 5 is consistent with the backup longitudinal control instruction transmitted by the backup communication network 6, the first brake actuator and the second brake actuator cooperate to perform the braking operation in response to the backup longitudinal control instruction. That is, when the master controller 1 is in a fault state and the other members of the upper-level control system are in a normal state, the first brake actuator and the second brake actuator perform the braking operation by responding to the backup longitudinal control instruction of the backup controller 2.
(3) When either the main communication network 5 or the backup communication network 6 is in a fault state, the first brake actuator and the second brake actuator perform the braking operation in response to the main longitudinal control instruction received from the communication network that is in a normal state, so that even if one communication network fails, instructions can still be received and the braking operation completed.
In addition, when either of the two brake actuators is in a fault state, the actuator in a normal state completes the braking operation of the corresponding control instruction based on the received main longitudinal control instruction or backup longitudinal control instruction. That is, when one brake actuator fails, the braking operation is performed by the other brake actuator; this brake actuator compares the instructions received from the two communication networks and, when they are consistent, performs the same braking operation as when cooperating, i.e. completes the braking operation independently. As one embodiment, the two actuators of the braking redundancy control system 4 may be ESC+eBooster; for example, the first brake actuator is the ESC and the second brake actuator is the eBooster. The braking redundancy control system 4 has a graded degradation strategy for failures. As one embodiment, when the second brake actuator eBooster fails, the braking redundancy control system 4, relying on the first brake actuator ESC, can support acceleration and deceleration control and vehicle stability control, with maximum deceleration and response time performance reduced by 30%, and can support basic L2 driver assistance functions and decelerating to a stop in the safety zone. When the first brake actuator ESC fails, the braking system can support deceleration control through the second brake actuator eBooster and can support decelerating to a stop in the safety zone, with maximum deceleration and response time performance reduced by 30%, meeting regulatory requirements such as ECE-R13.
In addition, while the braking redundancy control system is responding to different controllers, the smoothness of the instruction switchover is guaranteed by the upper-level control system; that is, the upper-level control system does not produce a step in the braking control instruction during the switchover, which preserves vehicle comfort. The braking redundancy control system also feeds back which brake actuators are currently working (ESC+iBooster, ESC, iBooster) and which upper-level controller it is responding to (master controller, backup controller).
In the embodiment of the present invention, the nodes connected to the main communication network 5 mainly include controllers such as the master controller, the backup controller, the gateway, the steering redundancy control system and the braking redundancy control system, mainly covering the automated driving domain and the chassis control domain; in addition, the main communication network connects the controllers required for all automated driving functions, such as those of the drive system domain and the comfort system domain. As one embodiment, the main communication network currently uses a CAN network, which is widely used and has a high safety factor. The system has safety mechanisms such as a counter, checksum and cyclic redundancy check, bus node fault detection and bus-off detection, which support the entire control system in reaching ASIL D. When the system is working normally, the main communication network carries the information exchange between the main control unit, the steering redundancy control unit and the braking redundancy control unit; the information transmitted comprises all signals that support the complete L1-L3 automated driving functions, including all status signals and control instructions related to driving safety, ride smoothness and comfort.
In the embodiment of the present invention, the nodes connected to the backup communication network 6 mainly include controllers such as the master controller, the backup controller, the gateway, the steering redundancy control system and the braking redundancy control system. It covers only the automated driving domain and the chassis control domain, is not connected to the drive domain or the comfort domain, and has no acceleration control function. As one embodiment, the backup communication network currently uses a CAN network, which is widely used and has a high safety factor. The system has safety mechanisms such as a counter, checksum and cyclic redundancy check, bus node fault detection and bus-off detection, which support the entire control system in reaching ASIL D. When the main communication network has failed, the backup communication network carries the information exchange between controllers; the information transmitted is the minimum signal set that supports L3 automated driving, and some comfort-related signals that are not safety-related are no longer sent. When the main control unit and the main communication network are working normally, the backup communication network likewise sends signals and instructions, which the steering system and the braking system use for verification.
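The command-selection rules described above for the steering and braking actuators, combined with the counter and check-value mechanisms described for the two CAN networks, are shown below as an added C example that is not part of the patent. The frame layout, the CRC-8 parameters, all names, and the decision to reject a command when the two networks disagree are assumptions of this example; it also generalizes rule (3) to backup-controller commands.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names and the frame layout are assumptions made for this example. */
enum { SRC_MAIN = 1, SRC_BACKUP = 2 };   /* controller that issued the command */

typedef enum {
    SEL_NONE,             /* no valid frame on either network */
    SEL_BOTH_AGREE,       /* both networks delivered the same command */
    SEL_MAIN_NET_ONLY,    /* backup network faulty: use main network */
    SEL_BACKUP_NET_ONLY,  /* main network faulty: use backup network */
    SEL_MISMATCH          /* both valid but different: rejected (assumption) */
} sel_t;

typedef struct {
    uint8_t source;   /* SRC_MAIN or SRC_BACKUP */
    uint8_t counter;  /* 4-bit rolling counter */
    int16_t angle;    /* steering angle command, constructed unit */
    int16_t torque;   /* torque command, constructed unit */
    uint8_t crc;      /* CRC-8 over the four fields above */
} cmd_frame_t;

/* Per-network receive state kept by the actuator. */
typedef struct { uint8_t last_counter, last_src; bool seen; } net_state_t;

/* Bitwise CRC-8: polynomial 0x1D, init 0xFF, final XOR 0xFF (assumed choice). */
static uint8_t crc8(const uint8_t *p, size_t n) {
    uint8_t crc = 0xFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x1D) : (uint8_t)(crc << 1);
    }
    return (uint8_t)(crc ^ 0xFF);
}

/* Serialize explicitly so struct padding never enters the check value. */
uint8_t frame_crc(const cmd_frame_t *f) {
    uint16_t a = (uint16_t)f->angle, t = (uint16_t)f->torque;
    uint8_t buf[6] = { f->source, f->counter, (uint8_t)(a >> 8), (uint8_t)a,
                       (uint8_t)(t >> 8), (uint8_t)t };
    return crc8(buf, sizeof buf);
}

cmd_frame_t make_frame(uint8_t src, uint8_t ctr, int16_t angle, int16_t torque) {
    cmd_frame_t f = { src, (uint8_t)(ctr & 0x0F), angle, torque, 0 };
    f.crc = frame_crc(&f);
    return f;
}

/* A network counts as healthy for this cycle only if it delivered a frame
 * (NULL models a timeout or bus-off) that has a good CRC, comes from the
 * controller currently being followed, and whose counter has advanced. */
bool frame_ok(const cmd_frame_t *f, net_state_t *st, uint8_t expected_src) {
    if (f == NULL || f->crc != frame_crc(f)) return false;
    if (f->source != expected_src) return false;
    if (st->seen && st->last_src == f->source && f->counter == st->last_counter)
        return false;                       /* stale or repeated frame */
    st->last_counter = f->counter;
    st->last_src = f->source;
    st->seen = true;
    return true;
}

/* Follow the master controller unless it is in a fault state, then apply the
 * page's rules: both networks consistent -> execute; one network faulty ->
 * execute the command from the healthy one. */
sel_t select_command(bool main_ctrl_fault,
                     const cmd_frame_t *from_main_net,
                     const cmd_frame_t *from_backup_net,
                     net_state_t *main_st, net_state_t *backup_st,
                     cmd_frame_t *out) {
    uint8_t src = main_ctrl_fault ? SRC_BACKUP : SRC_MAIN;
    bool a = frame_ok(from_main_net, main_st, src);
    bool b = frame_ok(from_backup_net, backup_st, src);
    if (a && b) {
        if (from_main_net->angle != from_backup_net->angle ||
            from_main_net->torque != from_backup_net->torque)
            return SEL_MISMATCH;            /* *out is left untouched */
        *out = *from_main_net;
        return SEL_BOTH_AGREE;
    }
    if (a) { *out = *from_main_net;   return SEL_MAIN_NET_ONLY; }
    if (b) { *out = *from_backup_net; return SEL_BACKUP_NET_ONLY; }
    return SEL_NONE;
}

int main(void) {
    net_state_t m = {0}, b = {0};
    cmd_frame_t out = {0};
    cmd_frame_t f = make_frame(SRC_MAIN, 1, 120, 300);   /* constructed sample */
    printf("both networks: %d\n", select_command(false, &f, &f, &m, &b, &out));
    f = make_frame(SRC_MAIN, 2, 130, 310);
    printf("main network lost: %d\n", select_command(false, NULL, &f, &m, &b, &out));
    return 0;
}
```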
In summary, in the redundancy control system for L3 automated driving provided by the embodiment of the present invention, the controllers that send instructions are a master controller and a backup controller, the networks that transmit instructions are a main communication network and a backup communication network, and the steering redundancy control system and braking redundancy control system that execute the instructions each use two actuators capable of executing independently. In this way, even when the most serious single-point failure occurs, the transmission and execution of instructions can still be guaranteed, thereby ensuring driving safety. Further, since the backup controller has fewer functions than the master controller, and the backup communication network connects fewer nodes and transmits fewer instructions than the main communication network, the system configuration can be optimized and system cost reduced while still ensuring driving safety.
The embodiments described above are only specific embodiments of the present invention, intended to illustrate the technical solution of the present invention rather than to limit it, and the protection scope of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that anyone skilled in the art may, within the technical scope disclosed by the present invention, still modify the technical solutions described in the foregoing embodiments, readily conceive of variations, or make equivalent replacements of some of the technical features; such modifications, variations or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.