阅读说明：本技术 汽车驾驶冗余控制系统及其方法 (Automobile driving redundancy control system and method thereof ) 是由 张兴华 李梦妮 李学兵 刘金汉 孙志刚 于 2019-11-20 设计创作，主要内容包括：本发明公开了一种汽车驾驶冗余控制系统,它包括车辆传感器、控制器、冗余控制器、被控系统、执行器、主干网络和冗余网络,其中,控制器包括控制模块和状态监控模块,控制模块用于在车辆正常工作时,不间断的接收车辆传感器的传感信号,并根据该传感信号生成对应的车辆控制指令,同时,通过主干网络将上述车辆控制指令发送至被控系统,被控系统根据车辆控制指令操作执行器执行相应的车辆控制动作；状态监控模块用于检测控制模块是否发生故障；本发明在保障控制器成本的同时,能够更好的保障控制系统的完整性及通信可靠性。(The invention discloses an automobile driving redundancy control system, which comprises a vehicle sensor, a controller, a redundancy controller, a controlled system, an actuator, a backbone network and a redundancy network, wherein the controller comprises a control module and a state monitoring module, the control module is used for uninterruptedly receiving a sensing signal of the vehicle sensor when a vehicle normally works, generating a corresponding vehicle control instruction according to the sensing signal, simultaneously sending the vehicle control instruction to the controlled system through the backbone network, the controlled system operates the actuator to execute a corresponding vehicle control action according to the vehicle control instruction, and the state monitoring module is used for detecting whether the control module fails.)

The automobile driving redundancy control system is characterized by comprising an automobile sensor (1), a controller (2), a redundancy controller (3), a controlled system (4), an actuator (5), a main network (6) and a redundancy network (7), wherein the controller (2) comprises a control module (2.1) and a state monitoring module (2.2), the control module (2.1) is used for uninterruptedly receiving a sensing signal of the automobile sensor (1) when an automobile normally works, generating a corresponding automobile control instruction according to the sensing signal, meanwhile, sending the automobile control instruction to the controlled system (4) through the main network (6), and the controlled system (4) operates the actuator (5) to execute a corresponding automobile control action according to the automobile control instruction;

the redundancy controller (3) is used for being in a dormant state when the vehicle normally works, and continuously sending heartbeat messages to the main network (6) and the redundancy network (7) through a heartbeat module (3.1) in the redundancy controller (3);

when the state monitoring module (2.2) detects that the control module (2.1) has a fault, the state monitoring module (2.2) generates a fault instruction according to the fault condition of the control module (2.1) and sends the fault instruction to the redundant controller (3);

the redundant controller (3) is awakened from a dormant state after receiving the fault instruction, the redundant controller (3) starts to receive the sensing signal of the vehicle sensor (1) and generates a redundant vehicle control instruction according to the sensing signal and a prestored lowest safety control strategy, then the redundant vehicle control instruction is sent to the controlled system (4), and the controlled system (4) executes corresponding safety control operation through the actuator (5) after receiving the redundant vehicle control instruction.

2. The automotive driving redundancy control system according to claim 1, characterized in that: the redundant controller (3) sends redundant vehicle control commands to the controlled system (4) through the redundant network (7).

3. The automotive driving redundancy control system according to claim 1, characterized in that: when the actuator (5) executes the corresponding safety control operation, the redundancy controller (3) uninterruptedly sends an alarm signal to the whole vehicle network to remind a driver that the whole vehicle is in a fault and minimum safety mode state.

4. The automotive driving redundancy control system according to claim 1, characterized in that: when the controlled system (4) receives the vehicle control command sent by the controller (2) and the redundant vehicle control command sent by the redundant controller (3) at the same time, the redundant vehicle control command sent by the redundant controller (3) is executed.

5. The automotive driving redundancy control system according to claim 1, characterized in that: and the fault instruction uploaded to the backbone network (6) is sent to a controlled system.

6. The automotive driving redundancy control system according to claim 1, characterized in that: and the state monitoring module (2.2) sends the fault instruction to the redundant controller (3) through the subnet (8).

7. The automotive driving redundancy control system according to claim 1, characterized in that: the state monitoring module (2.2) is used for uploading a fault instruction to the backbone network (6).

8, automobile driving redundancy control method, characterized by that, it includes the following steps:

step 1: the control module (2.1) receives sensing signals of the vehicle sensor (1) uninterruptedly when the vehicle works normally, generates corresponding vehicle control instructions according to the sensing signals, simultaneously sends the vehicle control instructions to the controlled system (4) through the backbone network (6), and the controlled system (4) operates the actuator (5) to execute corresponding vehicle control actions according to the vehicle control instructions; the state monitoring module (2.2) detects whether the control module (2.1) has a fault;

when the vehicle normally works, the redundancy controller (3) is in a dormant state, and continuously sends heartbeat messages to the main network (6) and the redundancy network (7) through a heartbeat module (3.1) in the redundancy controller (3);

step 2: when the state monitoring module (2.2) detects that the control module (2.1) has a fault, the state monitoring module (2.2) generates a fault instruction according to the fault condition of the control module (2.1) and sends the fault instruction to the redundant controller (3);

and step 3: the redundant controller (3) is awakened from a dormant state after receiving the fault instruction, the redundant controller (3) starts to receive the sensing signal of the vehicle sensor (1) and generates a redundant vehicle control instruction according to the sensing signal and a prestored lowest safety control strategy, then the redundant vehicle control instruction is sent to the controlled system (4), and the controlled system (4) executes corresponding safety control operation through the actuator (5) after receiving the redundant vehicle control instruction.

Technical Field

The invention relates to the technical field of automobile electronic control systems, in particular to automobile driving redundancy control systems and methods thereof.

Background

The vehicle driving control system plays a decisive role in ensuring the driving safety and reliability of the vehicle, in particular to a key control system including an intelligent driving system, and when the systems guarantee the normal operation of the systems, redundant control of the systems must be considered to guarantee that the redundant control system is effective to guarantee the safety of the vehicle and passengers in the case of the failure of a single control system.

Aiming at the redundant control of an automobile driving system, the existing method mainly comprises the following two design forms:

the redundant control scheme is to adopt two sets of identical control systems to control the vehicle, as shown in fig. 1, the two controllers are identical and have different source addresses, they receive the signals sent by the sensors at the same time and synchronously send the control signals to the controlled system to the backbone network according to the signal conditions of the sensors and their own algorithms, the controlled system and its actuator receive and respond preferentially to the signals of the th controller at the same time, when the th controller fails, the controlled system judges and switches to respond to the signals sent by the second controller according to the fault signals of the th controller, thereby ensuring that the controlled system can still operate normally before the vehicle control system is maintained.

A second redundant control scheme, for example, Chinese patent CN201910435840.3 discloses automatic driving control systems and methods including redundant control, in which a th controller is used for receiving th sensing data sent by a 0 th sensor, generating th control commands according to th sensing data, sending th control commands to a th actuator, and executing a preset th safety operation when the second controller fails, and a second controller is used for receiving second sensing data sent by a second sensor, generating second control commands according to the second sensing data, sending the second control commands to the second actuator, and executing a preset second safety operation when the th controller fails, that is, the two controllers are redundant with each other, and respectively execute an emergency operation when another controller fails.

The two existing control strategies described above have the following disadvantages:

for the prior art scheme , since the scheme uses two identical controllers to send control messages to the backbone network at the same time for control, this will result in significant load increase of the backbone network and affect the accuracy of control signal transmission, meanwhile, the cost of the control system is 2 times that of a non-redundant control system.

In the case of a failure of the controller, the preset safety operation executed by another controller does not ensure that the complexity of the driving situation can be fully met, which may cause driving risks, and meanwhile, two controllers are still transmitted to the actuator through the network of the system , and a problem that signal transmission failure between the controller and the actuator may be caused due to high load of the backbone network exists.

These drawbacks may cause an increase in cost, network load, and even , which may affect the safety of the vehicle.

Disclosure of Invention

The invention aims to provide automobile driving redundancy control systems and methods, and the control systems can better guarantee the integrity and the communication reliability of the control systems while ensuring the cost of a controller.

The automobile driving redundancy control system is characterized by comprising a vehicle sensor, a controller, a redundancy controller, a controlled system, an actuator, a backbone network and a redundancy network, wherein the controller comprises a control module and a state monitoring module, the control module is used for uninterruptedly receiving a sensing signal of the vehicle sensor when a vehicle normally works, generating a corresponding vehicle control instruction according to the sensing signal, and simultaneously sending the vehicle control instruction to the controlled system through the backbone network, and the controlled system operates the actuator to execute a corresponding vehicle control action according to the vehicle control instruction;

the redundancy controller is used for being in a dormant state when the vehicle normally works, and continuously sending heartbeat messages to the main network and the redundancy network through a heartbeat module in the redundancy controller;

when the state monitoring module detects that the control module has a fault, the state monitoring module generates a fault instruction according to the fault condition of the control module and sends the fault instruction to the redundancy controller;

and the redundant controller is awakened from a dormant state after receiving the fault instruction, the redundant controller starts to receive the sensing signal of the vehicle sensor and generates a redundant vehicle control instruction according to the sensing signal and a prestored lowest safety control strategy, then the redundant vehicle control instruction is sent to the controlled system, and the controlled system executes corresponding safety control operation through the actuator after receiving the redundant vehicle control instruction.

In the technical scheme, the redundant controller sends the redundant vehicle control command to the controlled system through the redundant network.

The invention has the advantages that:

the invention adopts 1 complete function controller and 1 lowest function controller, because the function of the redundant controller is reduced, the peripheral wire harness, the computing power and the memory requirement are all reduced compared with the main controller, and the cost is between the background technical proposal 1 and the proposal 2;

under the condition of main controller failure, the main network load is main controller failure message/error message + redundancy controller command message, the redundancy controller command message can be sent in the redundancy network to share the main network load, and the possible crash out-of-control in the background technical scheme 2 is avoided (all messages in the scheme 2 are transmitted through networks, no redundancy network exists, denier failure happens, the main network is easy to crash and cause out-of-control due to overhigh load);

because the redundant controller generates the redundant vehicle control instruction according to the sensing signal and the prestored minimum safety control strategy, and the redundant controller is in the dormant state under the normal working state, compared with the prior art, the redundant controller saves more energy, and can better reduce the load on a trunk network. Under the condition of a fault, the redundancy controller sends a control instruction through the redundancy network, and compared with the second technical scheme in the background art, the redundancy controller can better avoid accidents caused by overhigh load of the main network during the fault, and the safety is better.

Drawings

FIG. 1 is a schematic block diagram of the structure of the present invention;

the system comprises a vehicle sensor 1, a controller 2, a control module 2.1, a state monitoring module 2.2, a redundant controller 3, a controlled system 4, an actuator 5, a backbone network 6, a redundant network 7 and a subnet 8.

Detailed Description

The invention is further described in detail in connection with the following figures and examples:

the kinds of automobile driving redundancy control systems shown in fig. 1, the embodiment is exemplified by an intelligent driving controller (ADCU) as a control core, and comprises a vehicle sensor 1, a controller 2, a redundancy controller 3, a controlled system 4, an actuator 5, a backbone network 6 and a redundancy network 7,

the vehicle sensor 1 comprises sensors for identifying the surrounding environment and the vehicle running state, such as a radar, a camera, a vehicle speed sensor, an angular velocity sensor, a course angle sensor and the like;

the controller 2 is a control unit for controlling the intelligent driving behavior of the whole vehicle, namely the ADCU, and is an ECU for receiving sensor information and judging subsequent operations to be executed by the whole vehicle through calculation;

the redundant controller 3 can be regarded as a simplified version controller which reduces fixed calculation and functional quantity, and only ensures algorithms such as braking, steering and the like so as to ensure the running safety of the whole vehicle;

a system in which the controlled system 4 is influenced by the control decision of the master controller and controls the behavior of the actuator 5, such as a brake system controller; specific examples of the operation are: if the ADCU calculates and finishes the deceleration of the vehicle according to the surrounding environment and sends a braking deceleration requirement, the braking system controller calculates a braking pedal opening degree instruction (or a braking force value) according to the required braking deceleration and sends the requirement to an actuator (a brake) to execute operation;

the actuator 5 is a specific member or mechanism for realizing acceleration and deceleration, such as a steering gear, a brake, and oil , which specifically execute a driving operation;

both the backbone network 6 and the redundant network 7 go through control or fault signaling. The redundant network 7 is mainly used for transmitting control information in a failure mode to share the load of a backbone network;

the controller 2 comprises a control module 2.1 and a state monitoring module 2.2, wherein the control module 2.1 is used for receiving the sensing signal of the vehicle sensor 1 uninterruptedly and generating a corresponding vehicle control instruction according to the sensing signal when the vehicle works normally (in an actual vehicle, the sensor and the controller are provided with fault diagnosis modules and can judge whether the sensor works normally or not through series mechanisms, if the fault alarm signal of the sensor and the main controller is not received, the vehicle is in a normal working state, the sensing signal of the vehicle sensor 1 is received uninterruptedly, meanwhile, the vehicle control instruction is sent to a controlled system 4 through a backbone network 6, the controlled system 4 operates an actuator 5 to execute corresponding vehicle control action according to the vehicle control instruction, and the state monitoring module 2.2 is used for detecting whether the control module 2.1 fails (common faults comprise various states such as short circuit of the sensor/controller, software version, open circuit, signal loss and the like, and the states can be detected through a detection mechanism and send corresponding alarm signals);

the redundant controller 3 is used for being in a dormant state when a vehicle normally works, and continuously sending heartbeat messages to the main network 6 and the redundant network 7 through a heartbeat module 3.1 in the redundant controller 3 so as to ensure that the vehicle is in a normal working state under the condition of reducing the influence of the heartbeat message on the power consumption of the whole vehicle and the network load, wherein the heartbeat messages are received by a controlled system or other controllers on the vehicle for bearing the heartbeat message check, the heartbeat messages have a specific format and a specific period, if the format message has a wrong period or wrong content, the fault of the controller 3 (redundant controller) is explained, and the mode cannot be used for repairing the controller 3 but is used for reminding a driver whether the redundant system can operate to ensure safety, the probability of simultaneous failure of the two controllers is extremely, is generally used for reminding the driver of early maintenance if the controller fails, so as to avoid the failure of the two controllers.

When the state monitoring module 2.2 detects that the control module 2.1 has a fault, the state monitoring module 2.2 generates a fault instruction according to the fault condition of the control module 2.1 and sends the fault instruction to the redundant controller 3;

the redundant controller 3 receives a fault instruction of the control module 2.1 and then wakes up from a sleep state, the redundant controller 3 starts to receive a sensing signal of the vehicle sensor 1 and generates a redundant vehicle control instruction according to the sensing signal and a prestored lowest safety control strategy, then the redundant vehicle control instruction is sent to the controlled system 4 through the redundant network 7, the controlled system 4 receives the redundant vehicle control instruction and then executes corresponding safety control operation through the actuator 5, for example, the ADCU judges deceleration, the operation which can be executed here is that the controlled system receives the deceleration instruction, then the deceleration instruction is converted into braking force, and braking action is completed through the brake (actuator).

In the above technical solution, when the actuator 5 executes the corresponding safety control operation, the redundant controller 3 continuously sends an alarm signal to the entire vehicle network to remind a driver that the entire vehicle is in a fault and minimum safety mode state and needs to be maintained as soon as possible.

In the above technical solution, when the controlled system 4 receives the vehicle control command sent by the controller 2 and the redundant vehicle control command sent by the redundant controller 3 at the same time, the redundant vehicle control command sent by the redundant controller 3 should be executed to ensure that the actuator can execute the correct control command.

In the above technical solution, the fault instruction uploaded to the backbone network 6 is sent to the controlled system.

In the above technical solution, the state monitoring module 2.2 sends the fault instruction to the redundant controller 3 through the subnet 8.

In the above technical solution, the state monitoring module 2.2 is configured to upload the fault instruction to the backbone network 6.

In the technical scheme, the controller 2 has a complete vehicle control function, and the redundant controller 3 has a control function of ensuring the lowest safety control strategy for the whole vehicle running. Taking the intelligent driving system as an example, the complete control functions may include: automatically controlling the vehicle to perform actions such as route planning, overtaking, lane changing, automatic steering and obstacle avoidance and the like; the minimum safety strategy function may not be able to perform route planning and overtaking acceleration, and is limited to planning and controlling actions such as automatic braking, automatic steering obstacle avoidance, and limited acceleration, that is: the behaviors such as acceleration limitation and the like which possibly have risks ensure the behaviors of deceleration, obstacle avoidance, alarming to a driver and the like to improve the safety of the vehicle.

A redundancy control method for automobile driving, which is characterized in that it comprises the following steps:

step 1: the control module 2.1 receives the sensing signal of the vehicle sensor 1 uninterruptedly when the vehicle works normally, and generates a corresponding vehicle control instruction according to the sensing signal, and at the same time, the vehicle control instruction is sent to the controlled system 4 through the backbone network 6, and the controlled system 4 operates the actuator 5 to execute a corresponding vehicle control action according to the vehicle control instruction; the state monitoring module 2.2 detects whether the control module 2.1 has a fault;

when the vehicle normally works, the redundancy controller 3 is in a dormant state, and continuously sends heartbeat messages to the main network 6 and the redundancy network 7 through a heartbeat module 3.1 in the redundancy controller 3;

step 2: when the state monitoring module 2.2 detects that the control module 2.1 has a fault, the state monitoring module 2.2 generates a fault instruction according to the fault condition of the control module 2.1 and sends the fault instruction to the redundant controller 3;

and step 3: the redundant controller 3 is awakened from a dormant state after receiving the fault instruction, the redundant controller 3 starts to receive the sensing signal of the vehicle sensor 1 and generates a redundant vehicle control instruction according to the sensing signal and a pre-stored minimum safety control strategy, then the redundant vehicle control instruction is sent to the controlled system 4, and the controlled system 4 executes corresponding safety control operation through the actuator 5 after receiving the redundant vehicle control instruction;

when the controller 2 is cleared from the trouble by the maintenance operation, the redundant controller 3 is restored to the sleep mode, and the system is controlled by the controller 2 in accordance with the normal operation state mode.

Details not described in this specification are within the skill of the art that are well known to those skilled in the art.