JP3866536B2 - Vehicle automatic driving system - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to an automatic driving system for a vehicle.
[0002]
[Prior art]
The automatic driving system for vehicles controls the vehicle based on signals received from the road by the in-vehicle information processing device using road-to-vehicle communication between roads and vehicles and vehicle-to-vehicle communication between cars using communication infrastructure and on-vehicle equipment. Automatic operation by controlling the actuator. At this time, in-vehicle information processing apparatuses that process sensor signals are multiplexed for the purpose of ensuring safety. To fully multiplex information processing devices is to prepare all the parts in a multiple number, so that even if a failure occurs in any of the parts, it is possible to perform a save-and-run and make it possible to make it safe However, on the other hand, the number of parts becomes enormous and the function is satisfactory, but there is a problem that it is not preferable in terms of cost and physique. Moreover, if it is going to avoid it, some components will not be multiplexed and safety | security will be impaired.
[0003]
[Problems to be solved by the invention]
The present invention has been made under such a background, and an object of the present invention is to provide an automatic driving system for a vehicle capable of ensuring safety while avoiding an increase in cost and size of an in-vehicle device. .
[0004]
[Means for Solving the Problems]
According to the first aspect of the present invention, on the vehicle-mounted side, the signals from the sensors are taken into the multiplexed processing system, and the arithmetic processing is performed by the plurality of processing devices in each processing system. Are compared by a single comparison device in each processing system, and if they do not match, the driving control actuator is controlled based on the calculation result in the processing system in which the calculation results match, and the road The vehicle is automatically driven along.
[0005]
At this time, different dummy data is sent to the comparison device every predetermined check cycle or every other time as normal data as a result of each calculation in a plurality of processing devices, and compared with the transmission of such dummy data. When a coincidence signal is output from the apparatus, it is determined that there is an abnormality. Therefore, the comparison device monitoring the processing device is not multiplexed, but a failure of the comparison device can be detected. As a result, safety can be ensured by providing a diagnosis function even in a portion that is not multiplexed.
[0006]
In this way, safety can be ensured while avoiding cost increase and size increase of the in-vehicle device.
Further, signals related to the operation result by the processing apparatus in the processing system is sent to the output signal selector, the output signal selection device, a running control signals regarding operation result from the processing system match signal from the comparison device is delivered This signal is output as a signal for controlling the actuator, and the processing device in each processing system stops its own system with respect to the output signal selection device in the event of an abnormality in which a coincidence signal is output from the comparison device as dummy data is sent. by sending a signal you do not used as a signal for controlling the travel controlling actuator operation results in the processing system.
[0007]
In addition, the output signal selecting apparatus for performing the first abnormality due to input mismatch signal processing upon receipt of a match signal twice consecutively from the comparison device, a malfunction due to the transmission of the dummy data prevents can do.
[0008]
DETAILED DESCRIPTION OF THE INVENTION
Embodiments of the present invention will be described below with reference to the drawings.
FIG. 1 shows the overall configuration of an automatic driving system for a vehicle in the present embodiment. A large number of magnetic lane markers 11 are embedded in the traveling road 10 at a predetermined interval in the center in the width direction. A magnetic signal is emitted from the magnetic lane marker 11. On the other hand, a magnetic nail sensor 21 is mounted on the side of the vehicle 20 traveling on the traveling road 10, and a magnetic signal emitted from the magnetic lane marker 11 can be detected by the magnetic nail sensor 21.
[0009]
A large number of loop antennas 12 are embedded in the traveling road 10 at a predetermined interval, and each loop antenna 12 is connected to a control device 14 through a road-to-vehicle communication roadside device 13. On the other hand, on the vehicle 20 side, a road-to-vehicle communication device 22 is mounted, and the road-to-vehicle communication device 22 can communicate with the control device 14 via the loop antenna 12 and the road-to-vehicle communication roadside device 13.
[0010]
Further, on the vehicle 20 side, a collision prevention radar 23, an inter-vehicle communication device 24, and an inter-vehicle distance sensor 25 are mounted. The collision prevention radar 23 outputs a vehicle stop signal when the distance to the collision target is closer than a predetermined value. Further, communication between vehicles can be performed by the vehicle-to-vehicle communication device 24. Further, the inter-vehicle distance sensor 25 measures the inter-vehicle distance.
[0011]
The vehicle 20 includes a controller (vehicle control ECU) 26, a driver 27, an accelerator actuator 28, a brake actuator 29, and a steering actuator 30. The controller 26 takes in signals from various sensors and executes predetermined arithmetic processing, and operates the accelerator actuator 28, the brake actuator 29, and the steering actuator 30 via the driver 27 on the basis of the arithmetic results, and performs a desired operation. Let the automatic operation of. The controller 26 operates an emergency brake actuator (not shown) via a driver 27 when an emergency stop is required.
[0012]
As described above, the present system detects the magnetic lane marker 11 embedded in the traveling road 10 by the magnetic nail sensor 21 mounted on the vehicle, and the controller 26 detects the accelerator 28, 29, and 30 actuators. This is a system that guides the vehicle 20 to travel along the center of the road while being controlled.
[0013]
Details of the controller 26 in FIG. 1 are shown in FIG.
In FIG. 2, the controller 26 includes a main CPU 41 and a sub CPU 42, and the CPU is multiplexed (doubled). Each sensor is connected to the main CPU 41, and the main CPU 41 executes various calculations based on sensor input data.
[0014]
In addition, input data (sensor data) captured by the main CPU 41 is sent from the main CPU 41 to the sub CPU 42 as calculation data. Based on this data, the sub CPU 42 executes the same processing as the calculation in the main CPU 41.
[0015]
A comparison device 43 is connected to the main CPU 41 and the sub CPU 42, and processing data (calculation results) in the main CPU 41 and processing data (calculation results) in the sub CPU 42 are sent to the comparison device 43. The comparison device 43 compares both data (both calculation results) and outputs a coincidence signal when they coincide with each other and outputs a mismatch signal when they do not coincide.
[0016]
Another computer 40 having such a configuration is prepared. That is, a computer 1 system 40 and a computer 2 system 50 having the same configuration as this are provided.
[0017]
An output signal selection device 60 is connected to the computer 1 system 40 and the computer 2 system 50. Explaining the exchange of signals between the output signal selection device 60 and the computer using the computer 1 system 40, a match / mismatch signal from the comparison device 43 is sent to the output signal selection device 60. In addition, calculation result data is sent from the main CPU 41 to the output signal selection device 60, and calculation result data is also sent from the sub CPU 42 to the output signal selection device 60. Then, the output signal selection device 60 sends one of the data of the CPUs 41 and 42 to the external driver 27 (see FIG. 1). In this example, when the main CPU 41 and the sub CPU 42 are compared, the priority of the main CPU 41 is set high, and initially, output data from the main CPU 41 is sent to the driver 27.
[0018]
For example, if the comparison device 43 compares the operation output results of the main CPU 41 and the sub CPU 42 and the outputs of both the CPUs 41 and 42 coincide with each other, the computer 1 system 40 is regarded as normal and the coincidence signal is output as the output signal selection device. 60, the output signal selection device 60 selects the data from the main CPU 41 in the computer 1 system 40 and sends it to the next stage (driver 27 in FIG. 1). On the other hand, if the comparison results in the comparison device 43 indicate that there is a mismatch, the computer 1 system 40 sends a mismatch signal to the output signal selection device 60 as a failure, and the data sent from the output signal selection device 60 is sent from the computer 2 system 50. Switch to data.
[0019]
In addition, a main system stop signal is sent from the main CPU 41 to the output signal selection device 60, and a self system stop signal is also sent from the sub CPU 42 to the output signal selection device 60. Then, in the output signal selection device 60, the CPU to which the own system stop signal has been sent as the data to be sent to the driver 27 (the CPU in which an abnormality has occurred) is switched to the normal CPU.
[0020]
Although the computer 1 system 40 has been described, the computer 2 system 50 has the same configuration and operation.
Here, the necessity of the main CPU and the sub CPU will be described with reference to FIG.
[0021]
In automatic (unmanned) driving, the ultimate danger avoidance measures (emergency brakes, etc.) cannot be taken by humans, so each device is required to have very high reliability. Therefore, it is necessary to reliably prevent miscalculations due to noise or the like, program runaway, miscalculations due to component failure, or program runaway. Conventionally, a watchdog generally used cannot detect an abnormality when one bit of a memory is inverted due to noise or a failure. That is, the operation value becomes abnormal, but the program does not run away. Therefore, as shown in FIG. 3, a configuration is required in which the same calculation is performed by both the main and sub CPUs 41 and 42 and the results are compared in hardware. With this configuration, even if one bit in the memory is inverted due to the noise or failure described above, it is possible to detect an abnormality because the calculation results on the main side and the sub side are different, and fail-safe. Can be secured.
[0022]
Next, the necessity of a redundant system will be described with reference to FIG.
In this system, two systems of “dual system by main / sub CPU” for realizing the fail-safe are prepared as shown in FIG. Since this system is intended for use in public transportation such as buses that are operated automatically (unattended), it is necessary to improve the operating rate as much as possible while realizing fail-safe. For this purpose, the above-mentioned fail-safe “duplex system with main and sub CPUs” is prepared as shown in FIG. 4 to improve the operating rate. In this case, operation is possible as usual as long as either one of the systems is operating.
[0023]
As described above, the CPU is duplicated so that it can detect a failure and is made fail-safe. Furthermore, a two-redundant system is built in which another system is used at the time of failure.
[0024]
In the description so far, the vehicle automatic driving system of the present example takes in signals from sensors into a multiplexed processing system on the vehicle-mounted side, and performs calculation by a plurality of processing devices (main CPU 41, sub CPU 42) in each processing system. Processing is performed, and each calculation result in a plurality of processing devices (main CPU 41, sub CPU 42) is compared by a single comparison device 43 in each processing system. The vehicle 20 is automatically driven along the road 10 by controlling the travel control actuators 28, 29, and 30 based on the calculation result in the system. As described above, in this system, safe driving is the first because of automatic driving and unmanned driving, and it is important to stop on the safe side in the event of a failure, and a traveling function for temporary saving by a redundant system, etc. It becomes. For this purpose, a safe traveling control system is constructed by collision prevention radar for preventing rear-end collisions, inter-vehicle distance sensors, inter-vehicle communication, road-to-vehicle communication via a loop antenna, and the like. That is, in the vehicle control ECU, in order to enable safe and avoidance travel even in the event of an important failure, a dual CPU system and a multi-redundant system (two redundant systems in this example) are configured.
[0025]
Here, although the CPU is multiplexed, there is only one comparison device 43, and when this fails, it causes a defective operation. Of course, it is only necessary to multiplex by using two comparison devices 43. However, if everything is multiplexed, the computer becomes larger and more expensive and becomes impractical.
[0026]
Therefore, in this embodiment, a circuit is configured in such a manner that important parts such as CPU and sensor inputs are multiplexed, and only one part may be detected as a failure. In particular, the failure detection of the comparison device 43 is performed as follows.
[0027]
If each of the CPUs 41 and 42 is normal, the data from the CPUs 41 and 42 will be matched, but data that does not match is sent at a predetermined timing, and at that time, whether or not the mismatch signal returns correctly from the comparator 43 Is checked by the CPU 41 (or 42). At this time, if a mismatch signal is returned from the comparison device 43, the CPU determines that the comparison device 43 is normal. However, if a match signal is returned, the CPU determines that the comparison device 43 is faulty, and the own system stop signal. Is output to the output signal selection device 60. The output signal selection device 60 determines that the computer 1 system has failed and switches to the 2 system side.
[0028]
This will be described in detail below.
FIG. 5 shows processing contents performed by the main CPU 41, the sub CPU 42, and the comparison device 43. FIG. 6 is a time chart showing various signals. 6, the N value changes from the top, the output timing of the comparison data from the main CPU 41, the output timing of the data determination signal from the main CPU 41, the output timing of the comparison data from the sub CPU 42, and the data determination signal from the sub CPU 42 Output timing, comparison processing timing in the comparison device 43, output timing of the coincidence / non-coincidence signal from the comparison device 43, content of the comparison result, and failure determination content in the output signal selection device 60 are shown.
[0029]
FIG. 7 is a flowchart for comparison with FIG. 5, and shows the contents of processing performed by the main CPU 41, the sub CPU 42, and the comparison device 43 when no countermeasure is taken for failure detection of the comparison device 43.
[0030]
In FIG. 5, the main CPU 41 starts a loop process of 5 msec. At this time, the count value N = 0. The main CPU 41 reads data at step 100 and sends a synchronization signal to the sub CPU 42 at step 101. When the sub CPU 42 confirms the input of the synchronization signal in step 200, a preparation completion signal is sent to the main CPU 41 in step 201.
[0031]
When the main CPU 41 confirms the input of the preparation completion signal in step 102, it determines in step 103 whether the count value N is a predetermined value K (“5” in the case of FIG. 6), and the count value N is less than the predetermined value K. If so, the process proceeds to step 105. In step 105, the main CPU 41 sends calculation data to the sub CPU 42, and further performs calculation processing in step 106 and sends the result to the comparison device 43. On the other hand, the sub CPU 42 inputs calculation data in step 202, performs calculation processing in step 203, and sends the result to the comparison device 43.
[0032]
In the comparison device 43, the calculation result from the main CPU 41 and the calculation result from the sub CPU 42 are compared in step 300, and it is determined in step 301 whether or not they match. If they match, a match signal is sent to the CPUs 41 and 42 and the output signal selection device 60 in step 303 if they do not match.
[0033]
In step 107, the main CPU 41 determines whether the count value N is the predetermined value K ("5" in FIG. 6). If the count value N is less than the predetermined value K, the process proceeds to step 108. In step 108, the main CPU 41 determines whether or not they match, and if they do not match, sends the own system stop signal to the output signal selection device 60. On the other hand, if they match at step 108, the N value is incremented by 1 at step 109 and the processing returns to step 100. The increment operation of the N value is performed at timings t101 and 102 in FIG. Further, the sub CPU 42 checks for coincidence / mismatch in step 204.
[0034]
On the other hand, as indicated by the timing of t200 in FIG. 6, the count value N is a predetermined value K (“5” in FIG. 6), and the main CPU 41 proceeds from step 103 to step 104 in FIG. In step 104, the main CPU 41 generates different dummy data, sends one data to the sub CPU 42, and performs an operation using the other data. Thereafter, the process proceeds to step 106. The sub CPU 42 performs the same calculation using the aforementioned dummy data. As a result, the calculation result in the main CPU 41 is different from the calculation result in the sub CPU 42, and different dummy data is output to the comparison device 43 as the calculation results in the CPUs 41 and 42 in steps 106 and 203. Become.
[0035]
Then, since the count value N is the predetermined value K in step 107 in the main CPU 41, the process proceeds to step 110. In step 110, the main CPU 41 determines whether or not a mismatch signal is input from the comparison device 43. If the match signal is output from the comparison device 43, the main CPU 41 determines that it is abnormal and selects the own system stop signal as an output signal. Send to device 60.
[0036]
In addition, when data that intentionally does not match (dummy data) is intentionally output, a mismatch signal is sent to the output signal selection device 60 even when the comparison device 43 is normal, but the output signal selection device 60 Then, as shown in FIG. 6, when a mismatch signal is received twice consecutively, it is determined that a failure has occurred, and abnormal processing (system switching) is executed. As a result, even if a mismatch signal as one test signal is received from the comparison device 43, it is invalidated and is not involved in the overall basic operation.
[0037]
Therefore, as the timing of sending data (dummy data) that becomes a test mismatch, it may be sent as test data at every predetermined check cycle as in this example, or normal data every other time. And data that intentionally does not match may be sent from each CPU alternately. In short, it is not necessary to provide test data twice in a row.
[0038]
In this way, by adding the processes of steps 103, 104, 107, 109, and 110 to the comparative example shown in FIG. 7 as shown in FIG. 5, each calculation in a plurality of processing devices (main CPU 41 and sub CPU 42) is performed. As a result, different dummy data is sent to the comparison device 43, and when a coincidence signal is output from the comparison device 43, it can be determined that there is an abnormality. Therefore, although the comparison device 43 monitoring the CPUs 41 and 42 is not multiplexed, a failure of the comparison device 43 can be detected. As a result, safety can be ensured by providing a diagnosis function even in a portion that is not multiplexed. In this way, safety can be ensured while avoiding cost increase and size increase of the in-vehicle device.
[0039]
In particular, a signal related to the calculation result by the CPUs 41 and 42 in each processing system is sent to the output signal selection device 60, and the output signal selection device 60 is a signal related to the calculation result from the processing system to which the coincidence signal is sent from the comparison device 43. Is output as a signal for controlling the actuator for traveling control, and the CPUs 41 and 42 in each processing system select an output signal at the time of an abnormality in which a coincidence signal is output from the comparator 43 with the transmission of dummy data. The own system stop signal is sent to the device 60, and the calculation result in the processing system is not used as a signal for controlling the travel control actuator. Further, the output signal selection device 60 executes the process at the time of abnormality associated with the input of the mismatch signal for the first time when the mismatch signal is received twice from the comparison device 43, and prevents the malfunction caused by sending the dummy data. can do. In this way, a practically preferable system can be obtained.
[Brief description of the drawings]
FIG. 1 is an overall configuration diagram of an automatic driving system for a vehicle in an embodiment.
FIG. 2 is a diagram showing details of a controller.
FIG. 3 is a diagram for explaining multiplexing of CPUs;
FIG. 4 is a diagram for explaining a redundant system;
FIG. 5 is a flowchart showing processing contents performed by a main CPU, a sub CPU, and a comparison device;
FIG. 6 is a time chart showing various signals.
FIG. 7 is a flowchart for comparison.
[Explanation of symbols]
DESCRIPTION OF SYMBOLS 26 ... Controller, 28 ... Accelerator actuator, 29 ... Brake actuator, 30 ... Steering actuator, 40 ... Computer 1 system, 41 ... Main CPU, 42 ... Sub CPU, 43 ... Comparison apparatus, 50 ... Computer 2 system, 60 ... Output signal selection device.

Claims (1)

On the in-vehicle side, the signals from the sensors are taken into the multiplexed processing systems, and each processing system performs arithmetic processing by a plurality of processing devices, and each arithmetic processing result in the plurality of processing devices is single-ended in each processing system. Vehicle that automatically drives the vehicle along the road by controlling the travel control actuator based on the calculation result in the processing system in which the calculation results match when the comparison results in Automatic driving system of
Different dummy data as a result of each calculation in the plurality of processing devices is sent to the comparison device every predetermined check cycle or alternately with normal data every other time, and a coincidence signal is sent from the comparison device along with the sending of the dummy signal. When it is output, it is determined that it is abnormal ,
A signal related to the calculation result by the processing device in each processing system is sent to the output signal selection device, and the output signal selection device sends a signal related to the calculation result from the processing system to which the coincidence signal is sent from the comparison device. The processing device in each processing system outputs its own signal to the output signal selection device in the event of an abnormality in which a coincidence signal is output from the comparison device with the transmission of the dummy data. Sending a stop signal so that the calculation result in the processing system is not used as a signal for controlling the travel control actuator,
In addition, the output signal selection device executes the process when there is an abnormality associated with the input of the mismatch signal only when the mismatch signal is received twice consecutively from the comparison device.
A vehicle automatic driving system characterized by the above .

Images