The present disclosure relates to the field of automated vehicular navigation and in particular to a safety system allowing an autonomous vehicle to be navigated for a limited time with high integrity.
In the patent application published as US20200239012A1, an agricultural machine with an automatic operation mode is disclosed. In the automatic operation mode, the machine moves along a specified path across farmland while it is controlled in such a manner as to stay outside obstacle areas where an operator has identified trees, large stones etc. The agricultural machine has a positioning system comprising an inertial measurement unit (IMU) and a satellite positioning unit. When a control system determines that the agricultural machine is in an abnormal state, an emergency stop is triggered. Such an abnormal state may include that the agricultural machine is straying from its specified path, or that a communication link of any component in the machine has been disconnected for more than 60 seconds.
It would not be advisable to apply the teachings of US20200239012A1 straightforwardly to autonomous vehicles that are to operate in populated environments, nor to utilize the obstacle areas for the protection of people or other vehicles. A possible though most likely very costly way to render the vehicle according to US20200239012A1 fit for missions with higher safety stakes would be to replace its positioning and control systems with high-integrity equipment and run validated software only.
US2018004215A1 discloses a method for controlling an autonomous vehicle to pick up a passenger at a requested pickup location. The vehicle is controlled based on data from an internal positioning system.
WO2016100796A1 discloses a method where an unmanned aerial system (UAS) is positioned relative to a flight boundary which delimits a prohibited flight area. If the UAS is found to be too close to the flight boundary, a flight limitation (e.g., 180° turn, parachuting) is triggered. The flight limitation may also be triggered in the event of a failure in a Global Positioning System (GPS) receiver in the UAS.
One objective of the present disclosure is to make available a method and a system for controlling an autonomous vehicle (AV) which, up to a predetermined confidence level, shall stay outside a prohibited area. It is a further objective to propose such methods and systems that achieve this goal in a cost-efficient fashion, with particular attention to the expenditure on high-integrity equipment and software.
These and other objectives are achieved by the invention defined in the independent claims. The dependent claims relate to advantageous embodiments.
In a first aspect of the invention, there is provided a method of controlling an AV, which is navigable in an environment with at least one prohibited area and at least one calibration station. The AV comprises a state estimation system configured to output an estimated state including an estimated position of the AV, wherein the estimated state has a guaranteed accuracy while the AV is visiting the calibration station. According to an embodiment, the method comprises an assessment, on the basis of the AV's estimated state and on the basis of the time elapsed since the AV's latest visit at one of the calibration stations, whether the AV is staying outside the prohibited area with a predetermined confidence level γ. If the assessment produces a negative result, a safety-oriented action is taken.
The method according to the first aspect is able to ensure that the AV is staying outside the prohibited area with confidence level γ. On the one hand, the AV has access to at least one calibration station in the environment, which it can visit to calibrate its state with a guaranteed accuracy. On the other hand, the accuracy which the AV has acquired during a calibration event is purposefully discounted as a function of the time elapsed since that event. The combination of these technical features allows calibration data to be supplied to the AV without a significant risk that the AV overestimates the resulting accuracy and/or relies on outdated calibration data in its decision-making. Neither of the two proposed technical features is particularly cost-driving; rather, the method retains its high integrity even when implemented in a system that may contain non-specialized equipment or non-validated software to some extent.
In a second aspect of the invention, there is provided an AV which is navigable in an environment with at least one prohibited area and at least one calibration station. The AV comprises an autonomous driving system (ADS) configured to generate control signals, a state system configured to output an estimated state of the AV, and a safety system. The estimated state has a guaranteed accuracy while the AV is visiting the calibration station. The safety system is configured to assess, on the basis of the state estimated by the positioning system and the time elapsed since a latest visit at a calibration station, whether the AV is staying outside the prohibited area with a predetermined confidence level γ, and, in case of a negative result of the assessment, to cause the ADS to take a safety-oriented action.
In a third aspect, the invention further relates to a computer program containing instructions for causing a computer, or the AV or its safety system in particular, to carry out the above method. The computer program may be stored or distributed on a data carrier. As used herein, a “data carrier” may be a transitory data carrier, such as modulated electromagnetic or optical waves, or a non-transitory data carrier. Non-transitory data carriers include volatile and nonvolatile memories, such as permanent and non-permanent storage media of magnetic, optical or solid-state type. Still within the scope of “data carrier”, such memories may be fixedly mounted or portable.
The second and third aspects generally share the advantages of the first aspect and they can, like the first aspect, be embodied in a multitude of ways.
In the present disclosure, the term “guaranteed accuracy” is used synonymously with verified accuracy, specified accuracy or similar expressions. The guaranteed accuracy may be quantified by means of empirical estimations, or it may be derivable from specifications for the hardware or software that are deployed in the calibration station and/or the AV. Different calibration stations in an environment may be associated with different values of the guaranteed accuracy. By contrast, when the AV leaves the calibration station and starts estimating its state independently, the accuracy of the estimation will gradually decrease unless corrective or calibrating action is taken. The guaranteed accuracy may be expressed as a confidence interval on the state (e.g., position deviation) with a confidence level γ′ that need not coincide with the confidence level γ. A guaranteed accuracy in this sense is entirely decoupled from the legal concept of a guarantee.
As used herein, a “confidence level γ” may be connected to the notion of a confidence interval, i.e., if the assessment was repeated, the fraction of outcomes where the vehicle stays outside the prohibited area would tend towards at least γ. Alternatively or additionally, a confidence level of γ may refer to a probability distribution of the AV's location, to mean that the probability of the AV entering the prohibited area is at most 1-γ. Such a probability distribution may be only partially known or merely estimated. In safety-critical AV control systems, it is not uncommon to require γ=99% or higher. The tolerance for critical errors is very low, and the confidence level may be set accordingly.
Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to “a/an/the element, apparatus, component, means, step, etc.” are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.
Aspects and embodiments are now described, by way of example, with reference to the accompanying drawings, on which:
The aspects of the present disclosure will now be described more fully hereinafter with reference to the accompanying drawings, on which certain embodiments of the invention are shown. These aspects may, however, be embodied in many different forms and should not be construed as limiting; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and to fully convey the scope of all aspects of the invention to those skilled in the art. Like numbers refer to like elements throughout the description.
Alternatively, a set of prohibited areas is defined for each AV 130 independently. Then, if a zone around a first AV 130-1, or a zone around its planned trajectory, is included in the set of prohibited areas which is to apply in respect of a second AV 130-2, the second AV 130-2 will be controlled to avoid collisions with the first AV 130-1. If the AVs 130 move fast or often, it is advantageous to implement this collision avoidance approach in applications where the AVs 130 maintain fast and reliable wireless communication links to a traffic coordinating entity (e.g., fleet management system), so that the respective sets of prohibited areas 110 can be reconfigured frequently.
Further alternatively, prohibited areas are used to safely guide traffic past intersections, into loading zones or generally through road segments where vehicles cannot coexist, or where they can coexist only if their paths fulfil certain conditions. This is illustrated in
In a further development of this embodiment, the traffic coordinating entity may grant an AV 130 a temporary exception from the duty to observe a prohibited area 110, wherein an indication of the exception's duration may assist an autonomous driving system (ADS) in the AV 130 in estimating whether it will have enough time to pass before the exception expires.
It is furthermore envisioned to implement controlled sharing of a prohibited area 110 that represents an intersection or similar constrained road segment also in the absence of a central traffic coordinating entity. This may be achieved by means of electronic keys, blockchains or similar techniques allowing an AV 130 to request permission to use the prohibited area 110 and hand the permission back afterwards, in a manner traceable and/or inspectable by the other AVs 130, preferably in real time.
A calibration station 120 may be a device or arrangement configured to confirm a predefined position of an AV 130. A calibration station 120 may be adapted to serve a moving or stationary AV 130, or both. The confirmable predefined position may be referred to as a home position of the calibration station 120. Calibration stations 120 of this type may include fixed mechanical sensors (e.g., scales, weighbridges) or buried inductive or capacitive sensors arranged to sense passing vehicles. Alternatively, a calibration station 120 may be configured to determine an actual position of a nearby AV 130 or to assist a nearby AV 130 which attempts to determine its own position. Calibration stations 120 of this second type may comprise active or passive optical fiducials (or landmarks), RF transponders (e.g., RFID tags), RF transmitters for providing precisely timed time reference signals, or RF transceivers configured for measurements of round-trip time. To interact with such calibration stations 120, the AV 130 may use an optical sensor 133 (
Since each added calibration station 120 incurs a cost for installation and maintenance, it is a relevant question how a given number of calibration stations 120 are best placed to support smooth operation of the AVs 130 (e.g., maximize joint performance of the AVs 130, or maximize the total useful traffic flow) while maintaining the desired high integrity of the system. The placement of the calibration stations 120 in an environment 100 may follow one or more heuristics. One embodiment includes a heuristic that the calibration stations 120 are to be located close to the (non-moving) prohibited areas 110. If the prohibited areas 110 are defined on a vehicle-by-vehicle basis, the calibration stations 120 are preferably located close to those prohibited areas 110 that are common to all AVs 130 operating in the environment 100. With this placement, when an AV 130 approaches the prohibited area 110 along a path that includes a visit to a calibration station 120, the accuracy of the estimated state of the AV 130 improves; this way, the ensuing decrease in position uncertainty partially offsets the decrease in distance to the prohibited area 110, and driving may be disturbed to a lesser degree. In some embodiments, the term “close” may have a relative meaning and refer to the total extent of the environment 100, e.g., a calibration station 120 may be separated from the prohibited area 110 by at most 1% of a diameter of the environment 100. In other embodiments, “close” may be an absolute distance, such as the distance covered in a predefined time at normal operating speed, e.g., 15 seconds, 30 seconds, 60 seconds, or another time that allows the AV 130 sufficient time to visit the calibration station 120, assess whether the AV 130 is staying outside the prohibited area 110 and take a safety-oriented action if needed.
A second possible heuristic is to arrange calibration stations 120 in areas of the environment 100 where a single AV 130 would operate at relatively high speed. As used herein, “relatively high speed” may correspond to full operating speed of the AV 130 or to a maximum permitted speed in the environment 100. One effect to be expected from such placement is that the relatively greater braking distance which applies at high vehicle speed is offset by the availability of relatively more recent calibration data, i.e., the state system's 132 estimated vehicle state has not had time to drop substantially below the guaranteed accuracy. This placement provides a similar benefit in connection with two-way streets, where AVs 130 may be expected to meet frequently at relatively small lateral separation. If each or both oncoming AVs' 130 estimated states have been calibrated recently, then the assessment may have a positive outcome (no safety-oriented action needed) despite the small lateral separation at the meeting point without a need to slow down the oncoming AVs 130.
The calibration station(s) 120 typically occupy a minor fraction of the environment 100. For example, the calibration station(s) 120 may correspond to less than 10% of the area of the environment 100, such as less than 1% of the area of the environment 100, or less than 0.1% of the area of the environment 100. Accordingly, access to accurate position estimation that an AV 130 moving in the environment 100 will experience is deterministic but intermittent. As is clear from the above examples, the term “calibration station” in the present disclosure primarily refers to a device, an arrangement, installation or artefact. The term normally does not refer to the absence of certain artefacts: an unobscured area where the natural conditions for radio communication and/or satellite navigation are good is not a “calibration station” in this sense.
Away from a calibration station 120, state system 132 of the AV 130 is left to keep track of its position by dead reckoning on the basis of IMU data, encoder signals, sensor signals or the like. The AV 130 may furthermore perform localization with respect to a predefined map of the environment 100 on the basis of data from an onboard lidar or optical sensor. As long as the AV 130 keeps track of its position in these or similar ways without visiting a calibration station 120, the accuracy of the state system's 132 estimated state will decrease gradually. Theoretically, there are many factors that may influence the rate of this accuracy decrease, including the AV's 130 average speed, the number of stops, the occurrence of strong acceleration or deceleration or sharp turning maneuvers, as well as meteorological and visibility conditions. The inventors have realized, however, that the time elapsed since the latest visit at a calibration station 120 is a key factor, which may be sufficient on its own to judge the accuracy of the state system's 132 estimated state. This realization distinguishes the invention from such prior art emergency techniques that have been conceived for handling sudden (or seemingly random) positioning outages, such as GPS failures.
It is pointed out for completeness that, in some embodiments of the invention, the time elapsed since a latest visit at one of the calibration stations 120 may be used in combination with other criteria. For example, the fact that the AV 130 receives calibration or correction data without visiting one of the calibration stations 120 may override the time-based criterion or trigger an exception. The effect of such an exception may be that the accuracy of the state system's 132 estimated state is increased by an amount reflecting the improvement to be expected from the calibration or correction data.
The safety system 134 is configured to ensure that the AV 130 stays outside the prohibited area 110 with a predetermined confidence level γ. The confidence level γ may be pre-programmed by a manufacturer of the AV 130 or stipulated by a road authority in charge of the safety in the environment 100. The safety system 134 receives the state estimated by the positioning system 132 and reads the time elapsed since a latest visit at a calibration station 120. On the basis of this information and the definition of the prohibited area 110, the safety system 134 may estimate the total probability that the AV 130 enters the prohibited area 110. For this purpose, the safety system 134 may integrate an estimated probability density function over the prohibited area 110. The estimation of the probability may refer to a current time or to a forward interval beginning at the current time, such as the next seconds, next tens of seconds, next minute or couple of minutes. The safety system 134 then assesses whether the estimated total probability is less than 1-γ, in which case normal operation is continued; if the estimated total probability that the AV 130 enters the prohibited area 110 is greater than 1-γ, a safety-oriented action is taken. The safety-oriented action may include halting the AV 130 (emergency stop), limiting the AV's 130 speed, or initiating a lateral or longitudinal avoidance maneuver. It is recalled that the probability 1-γ may in practice be a fairly small value; accordingly, the safety-oriented action can be more correctly characterized as an early corrective measure, such as a gentle deflection of the AV's 130 movement, to keep it from approaching the prohibited area further, or a slowdown.
Alternatively, the safety system 134 attempts to position the vehicle with confidence level γ on the basis of this information. If no such positioning is possible with the desired confidence level or the positioning returns a position in the prohibited area 110, the safety-oriented action is taken. One reason why a positioning with the desired confidence level is impossible could be that the accuracy of the state estimated by the positioning system 132 may have decreased too much from the guaranteed accuracy, which is the accuracy it had during the latest visit at one of the calibration stations 120. Further alternatively, the safety system 134 may cause the state system 132 to estimate the vehicle's state with a granularity that grows with time, e.g., estimate the position with reference to a spatial grid with increasing cell size.
Alternatively or additionally, the approach illustrated in
With access to a γ-level confidence interval for the position, the assessment whether the AV is staying outside the prohibited area 110 with a predetermined confidence level γ can take the form of an evaluation whether any portion of the confidence interval overlaps with the prohibited area 110. This is not the case for any of the AVs 130 in
The precise statistical modeling of the position uncertainty is not an essential feature of the invention, particularly as different assumptions can be made about the probability distribution of the AV's 130 position in different use cases. Likewise, different theoretical results can be relied upon to approximate the infinitesimal and/or asymptotic growth with time of the radius of the confidence interval. In some embodiments, it is assumed that the radius r of a circular position confidence interval grows as a pth power of time t, that is, r(t) ∝ t^p for small t, where 0 < p < 1. In some embodiments, it is assumed that
or that
It is emphasized in this connection that the time-dependent radius represents a bound on the growth of the localization uncertainty, which is not necessarily a bound on the absolute error.
In some embodiments, the position uncertainty relates not only to the position of the AV 130 but also to the heading (yaw angle), speed and/or acceleration. The time evolution of these quantities may be modeled in a similar or different fashion as the position itself. The availability of the AV's 130 velocity (i.e., heading and speed) makes it possible to determine a γ-level confidence interval for the position in a manner that reflects the non-isotropic nature of the AV's 130 imminent movements. One possible outcome may be that the greater part of such a confidence interval may be located ahead of the vehicle 130, in the direction it is moving. Forming confidence intervals of this type allows the safety system 134 to distinguish between the (probably unsafe) case where the AV 130 is located close to the boundary of a prohibited area 110 and driving towards it, and the case (probably safe for the time being) where the AV 130 is equally close but headed away from the prohibited area 110 or driving along its boundary. An illustration of these contrasting cases is found in
In further embodiments, where the safety-oriented action may be an avoidance maneuver, the assessment whether the AV is staying outside the prohibited area with a predetermined confidence level γ takes the effect of this potential avoidance maneuver into account. Avoidance maneuvers may be controlled or uncontrolled. An example uncontrolled avoidance maneuver is where the brakes are applied until the AV 130 comes to a full stop; a controlled avoidance maneuver usually includes a continuing ability to monitor and adjust the vehicle's trajectory during the maneuver. Avoidance maneuvers may furthermore be categorized as lateral or longitudinal, and combinations of these are possible.
A longitudinal avoidance maneuver may include one or more decelerating actions, such as inactivating a driving torque, activating a service brake or a parking brake, applying engine braking or regenerative braking etc. The braking distance (or stopping distance) depends on the current speed of the AV 130, and may be influenced by further factors such as road conditions, road inclination etc. As mentioned, the speed can be included in the (higher-dimensional) position uncertainty, in which case a brake distance s can be estimated with confidence level γ. In a simpler embodiment, the safety system 134 may add a constant worst-case braking distance s = s_0 corresponding to maximum speed of the AV 130. This is illustrated in
A lateral avoidance maneuver includes a change of steering angle and/or of relative wheel speeds so as to deflect the AV 130 from an unsafe path that leads towards and potentially into a prohibited area 110. The lateral avoidance maneuver may optionally include a decelerating action, e.g., to prepare a turn, to brake during a turn (if this is possible within the friction budget) or to bring the vehicle to a halt after the completed maneuver to allow time to replan the AV's 130 path.
The method begins at point 510. In a first step 512, the AV 130 visits a calibration station 120, whereby the accuracy of the state estimated by the state system 132 rises to the guaranteed accuracy associated with the calibration station 120.
When the AV 130 leaves the calibration station 120, in a second step 514, it resets an internal clock, which thereby measures the time elapsed since the latest visit at one of the calibration stations in the environment 100. Equivalent to the clock, the AV 130 may use a variable whose value is incremented in a way that represents the growth of the absolute error with time, starting from the guaranteed accuracy.
In a third step 516, the AV 130 reads the clock and estimates its current state, including its current position. Optionally, in a substep 516.1, the AV 130 may receive a vehicle-specific definition of the prohibited area 110. Information representing this definition may be transmitted wirelessly by a traffic coordination entity which, as discussed above, may do so for the purpose of safely guiding AVs 130 through intersections, along road segments without meeting zones or other areas of the environment 100 where an increased collision risk exists.
In a fourth step 518 of the method 500, the AV 130 assesses whether it is staying outside the prohibited area with a predetermined confidence level γ. The assessment may be based on the output of step 516, that is, the AV's 130 estimated state and the time elapsed since a latest visit at one of the calibration stations 120. If the outcome of the assessment is positive (Y branch from step 518), the execution of the method loops back to the beginning, with a further visit 512 to a calibration station 120. Alternatively, the execution loops back to the third step 516. If the outcome is negative (N branch from step 518), a safety-oriented action is taken in step 520. The safety-oriented action may include safety system 134 sending a command to the ADS 131 of the AV 130 to initiate braking, an avoidance maneuver or the like. If a high confidence level value γ is used, rather little will be needed to trigger the safety-oriented action, and in this case it may suffice to adjust the AV's 130 bearing slightly so that it steers clear of the prohibited area.
Depending on the nature of the safety-oriented action, the method 500 may end in point 522 as illustrated, or the execution may be resumed from an earlier point of the flowchart.
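The following is an added example, not part of the original disclosure, sketching steps 514 to 518 for the circular confidence interval with r(t) ∝ t^p and the constant worst-case braking distance s_0 described above. The additive form r(t) = r0 + k·t^p, all parameter values, the polygon representation of the prohibited area, the class and function names, and the fail-closed handling of a missing or inconsistent clock are assumptions of this example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class UncertaintyModel:
    r0: float  # gamma-level radius at the calibration station, metres (assumed value)
    k: float   # growth coefficient, metres per second**p (assumed value)
    p: float   # growth exponent; the text requires 0 < p < 1
    s0: float  # constant worst-case braking distance at maximum speed, metres

    def radius(self, elapsed_s: float) -> float:
        """Radius of the circular confidence region after elapsed_s seconds."""
        if not 0.0 < self.p < 1.0:
            raise ValueError("p must satisfy 0 < p < 1")
        return self.r0 + self.k * elapsed_s ** self.p


def point_in_polygon(px, py, poly):
    """Ray-casting test; poly is a list of (x, y) vertices."""
    inside = False
    for i in range(len(poly)):
        (ax, ay), (bx, by) = poly[i], poly[(i + 1) % len(poly)]
        if (ay > py) != (by > py):
            if px < ax + (py - ay) * (bx - ax) / (by - ay):
                inside = not inside
    return inside


def distance_to_area(pos, poly):
    """Shortest distance from pos to the polygon; 0.0 if pos lies inside it."""
    px, py = pos
    if point_in_polygon(px, py, poly):
        return 0.0
    best = math.inf
    for i in range(len(poly)):
        (ax, ay), (bx, by) = poly[i], poly[(i + 1) % len(poly)]
        dx, dy = bx - ax, by - ay
        seg2 = dx * dx + dy * dy
        # Projection of pos onto the edge, clamped to the edge's end points.
        t = 0.0 if seg2 == 0 else max(0.0, min(1.0, ((px - ax) * dx + (py - ay) * dy) / seg2))
        best = min(best, math.hypot(px - (ax + t * dx), py - (ay + t * dy)))
    return best


class SafetyMonitor:
    def __init__(self, model, prohibited_areas):
        self.model = model
        self.prohibited_areas = prohibited_areas
        self.t_calibrated = None  # no calibration visit recorded yet

    def leave_calibration_station(self, now_s):
        """Step 514: reset the clock when the AV leaves a calibration station."""
        self.t_calibrated = now_s

    def required_margin(self, now_s):
        """Confidence radius plus braking distance, or None if it cannot be computed."""
        if self.t_calibrated is None or now_s < self.t_calibrated:
            return None  # never calibrated, or the clock ran backwards
        return self.model.radius(now_s - self.t_calibrated) + self.model.s0

    def assess(self, est_pos, now_s):
        """Steps 516-518: True means continue, False means take the safety-oriented action."""
        margin = self.required_margin(now_s)
        if margin is None:
            return False  # fail closed (design choice of this example)
        clearance = min((distance_to_area(est_pos, a) for a in self.prohibited_areas),
                        default=math.inf)
        return clearance > margin


# Constructed sample data: one square prohibited area and assumed model parameters.
AREA = [(10.0, 0.0), (20.0, 0.0), (20.0, 10.0), (10.0, 10.0)]
MODEL = UncertaintyModel(r0=0.2, k=0.1, p=0.5, s0=3.0)

if __name__ == "__main__":
    monitor = SafetyMonitor(MODEL, [AREA])
    monitor.leave_calibration_station(now_s=0.0)
    for t in (0.0, 400.0, 900.0):
        print(t, monitor.required_margin(t), monitor.assess((4.0, 5.0), t))
```

With the estimated position held 6 m from the area, the assessment stays positive at 0 s and 400 s and turns negative at 900 s purely because of the time elapsed since calibration.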
The aspects of the present disclosure have mainly been described above with reference to a few embodiments. However, as is readily appreciated by a person skilled in the art, other embodiments than the ones disclosed above are equally possible within the scope of the invention, as defined by the appended patent claims.
Number | Date | Country | Kind |
---|---|---|---|
21158796.9 | Feb 2021 | EP | regional |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2021/084182 | 12/3/2021 | WO |