COMPUTER-IMPLEMENTED METHOD AND SYSTEM FOR PROVIDING SAFE CONTROL INPUTS U(K) FOR ACTUATOR COMPONENTS OF A VEHICLE

Abstract

A computer-implemented method for providing safe control inputs for actuator components of a vehicle for implementing a specified trajectory. A vehicle state is determined at a first time, and a first set of control inputs for the first time is provided. It is then checked whether the first set of control inputs is safe by checking whether the vehicle state predicted based on the vehicle state and the first set of control inputs for a later second time is safe. The predicted vehicle state is considered safe if it is within a predetermined maximum controlled invariant state set. If the vehicle state is not considered safe, a safe set of control inputs is determined, by modifying the first set of control inputs such that the vehicle state predicted based on the vehicle state and the modified set of control inputs is considered safe.

Description

CROSS REFERENCE

The present application claims the benefit under 35 U.S.C. § 119 of German Patent Application No. DE 10 2023 202 096.3 filed on Mar. 9, 2023, which is expressly incorporated herein by reference in its entirety.

FIELD

The present invention relates to a computer-implemented method and to a system designed therefor for providing safe control inputs u(k) for actuator components of a vehicle for implementing a specified trajectory.

For this purpose, a vehicle state x(k) is determined at a first time k. In addition, a first set of control inputs u_per(k) for the first time k is provided. When checking whether this first set of control inputs u_per(k) is safe, it is checked whether the vehicle state x(k+1), which is predicted on the basis of the vehicle state x(k) and the first set of control inputs u_per(k) for a later second time k+1, is safe.

The vehicle state x(k) at time k is determined by ascertaining at least position and movement data and possibly also further state data of the vehicle at time k. The first set of control inputs u_per(k) describes a desired intended vehicle control for implementing the specified trajectory. This set of control inputs u_per(k) can, for example, be simply provided by the driver of the vehicle. If the vehicle is a vehicle that drives in an at least partially automated manner, the first set of control inputs u_per(k) can also be determined by comparing the vehicle state x(k), ascertained at time k, to the trajectory data of the specified trajectory. In this case, further parameters are generally also taken into account, such as ambient conditions, traffic rules, driving style specifications, etc. Before controlling the actuator components with the provided set of control inputs u_per(k), an indirect safety check takes place. For this purpose, starting from the vehicle state x(k) at time k and the first set of control inputs u_per(k), a vehicle state x(k+1) at a subsequent second time k+1 is predicted in order to check whether this predicted vehicle state x(k+1) is safe. Only if this is the case is the first set of control inputs u_per(k) also considered safe.

Furthermore, the present invention relates to a computer-implemented system for providing safe control inputs u(k) for actuator components of a vehicle for implementing a specified trajectory.

BACKGROUND INFORMATION

Ensuring the functional safety in the vehicle dynamics control is a central task during autonomous driving in SAE classification levels 2+ to 5. German Patent Application No. DE 10 2019 134 258 A1 describes an approach in which it is checked with the aid of a safety controller in a safety path whether the control signal generated by a given performance controller can be applied to the system. A simple PID controller is used for the safety path in order to have formal proof for ending in a safe state. The safety controller is activated if the control signals generated by the performance controller would lead to a violation of predefined thresholds. The thresholds are designed strictly mathematically in order to ensure that the vehicle is operated safely. These thresholds exclusively form physical boundary conditions or limitations of the vehicle state. Further uncertainty factors of the underlying system are not taken into account here.

SUMMARY

The present invention provides a check of the provided control inputs u_per(k) and measures for determining safe control inputs u(k) in the event that the provided control inputs u_per(k) cannot be considered safe, because their application would lead to an unsafe vehicle state. These measures allow for a steady transition from the desired intended vehicle control to a safe vehicle control.

This may be achieved according to the present invention in that the predicted vehicle state x(k+1) is considered safe if it is within a predetermined maximum controlled invariant MCI state set C_∞. If the vehicle state x(k+1) is not considered safe, a safe set of control inputs u(k) is determined by modifying the first set of control inputs u_per(k) such that the vehicle state x(k+1) predicted on the basis of the vehicle state x(k) and the modified set of control inputs u(k) is considered safe or is within the MCI state set C_∞.

The present invention assumes that the vehicle state x(k+1) at a later second time k+1 can be predicted on the basis of a functional relationship of the form

$\begin{array}{cc}x\left(k+1\right)=f\left(x\left(k\right),u\left(k\right),w\left(k\right)\right)& \left(1\right)\end{array}$

In this case, x∈Rⁿ applies and, for u, u∈R^m applies. For w, w(k)∈W⊂R^q applies, where W denotes the set of all possible sets of disruptive influences and uncertainties within specified boundary conditions. Advantageously, infrastructure-related and environmental-influence-related disturbances and uncertainties and/or system-model-related errors, in particular linearization errors, and/or errors in the determination of the vehicle state are taken into account as disruptive influences with the set W. When checking whether the provided control inputs can be considered safe, further uncertainty factors of the system are thus systematically taken into account in addition to the vehicle-related physical boundary conditions.

The safety conditions of the system (1) are mathematically defined with the aid of limited sets X⊂Rⁿ and U⊂R^m, where X denotes the set of all possible vehicle states within specified boundary conditions for the vehicle states, and U denotes the set of all possible sets of control inputs within specified boundary conditions for the control inputs. Examples of boundary conditions that limit the set X of the possible vehicle states include roadway boundaries, a limitation of the maximum speed, or a limitation of the slip angle. The set U of the possible sets of control inputs is typically limited by actuator-related boundary conditions, such as maximum acceleration, maximum braking effect, maximum control speed, maximum steering angle, etc.

The safety conditions defined with the aid of the sets X and U must be maintained during the entire temporal development of the system described by (1), i.e.,

$\begin{array}{cc}x\left(k\right)\in X& \left(2\right)\end{array}$ $\mathrm{and}$ $u\left(k\right)\in U$ $\mathrm{for}\mathrm{all}$ $k\in N$

The present invention uses the concept of a maximum controlled invariant MCI state set C_∞, which is parameterized as follows:

$C_{\infty }\widehat{=}\left\{x\in R^n❘h\left(x\right)\le 0\right\},$

where h(x(k))≤0 describes the condition that C_∞ comprises all permissible vehicle states x(k)∈X for which a set of control inputs u(k)∈U exists which transfers the vehicle into a safe state for a next time k+1, namely, for all possible sets of disruptive influences w(k)∈W.

According to an example embodiment of the present invention, a vehicle state x(k+1), which has been predicted on the basis of the vehicle state x(k) and a provided set of control inputs u_per(k), is considered safe if it is within the predetermined MCI state set C_∞. For this purpose, it is checked whether the following condition is fulfilled for all possible disruptive influences and uncertainties w∈W:

$\begin{array}{cc}h(f(x\left(k\right),& \left(3a\right)\end{array}$ $u_{\mathrm{per}}\left(k\right),$ $w\left(k\right)))\le 0$ $\mathrm{for}\mathrm{all}$ $w\left(k\right)\in W$

In a first variant of the present invention, only the condition (3a) is checked in order to decide whether the provided set of control inputs u_per(k) can be used without modification to control the actuator components of the vehicle.

In a preferred embodiment of the method according to the present invention, the decision about a modification of the provided set of control inputs u_per(k) is based on a stricter condition (3b) in comparison to (3a) in order to allow for an early modification of the provided control inputs u_per and thus a steady transition from the desired intended vehicle control to a safe vehicle control. In this variant, a predicted vehicle state x(k+1) is considered safe and u_per(k) is not modified only if the condition:

$h\left(f\left(x\left(k\right),u_{\mathrm{per}}\left(k\right),w\left(k\right)\right)\right)\le \left(1-\gamma \right)h\left(x\left(k\right)\right)\mathrm{for}\mathrm{all}w\left(k\right)\in W$

is fulfilled. For γ, any value greater than 0 and less than/equal to 1 can be selected, γ∈(0, 1]. The “aggressiveness” of a safety intervention can thus be specified or adjusted. If γ=1, the condition (3b) corresponds to the safety condition (3a). In this case, the safety intervention to be expected is maximally aggressive if the provided set of control inputs u_per(k) is not considered safe. This is because an abrupt switchover between the intended desired vehicle control and a vehicle control in safety mode then takes place. If a value between 0 and 1 is selected for γ, the provided control inputs u_per are then already modified at an early stage, whereby a steady transition from the desired intended vehicle control to a safe vehicle control can be realized.

As mentioned above, a safe set of control inputs u_per(k) must fulfill the following condition:

$f\left(x\left(k\right),u\left(k\right),w\left(k\right)\right)\in c_{\infty }\mathrm{for}\mathrm{all}w\left(k\right)\in w$

In an advantageous embodiment of the method according to the present invention, a safe set of control inputs u(k) is ascertained as a result of an optimization problem. The optimization problem has the quadratic target function

$\begin{array}{cc}u\left(k\right)=\arg {\min }_{u\in U}{u-u_{\mathrm{per}}\left(k\right)}^2& \left(4a\right)\end{array}$

and secondary conditions of the form

$\begin{array}{cc}h\left(f\left(x\left(k\right),u,w\left(k\right)\right)\right)\le \left(1-\gamma \right)h\left(x\left(k\right)\right)& \left(4b\right)\end{array}$ $\begin{array}{cc}\mathrm{for}\mathrm{all}w\left(k\right)\in w& \left(4c\right)\end{array}$

The quadratic target function (4a) ensures that the safe set of control inputs u(k), and thus the resulting safe vehicle control, deviates as little as possible from the provided set of control inputs u_per(k) and thus from the intended desired vehicle control.

The secondary condition (4b) corresponds to the condition (3b), wherein any value greater than 0 and less than/equal to 1 can again be selected for γ, γ∈(0, 1], in order to specify the “aggressiveness” of the safety intervention.

In a preferred variant of the method according to the present invention, the prediction of the vehicle state x(k+1) is based on a time-invariant linear system model which can be described by

$\begin{array}{cc}x\left(k+1\right)=\mathrm{Ax}\left(k\right)+\mathrm{Bu}\left(k\right)+\mathrm{Ew}\left(k\right)& \left(5\right)\end{array}$

where x∈X, u∈U and w∈W, and where A, B and E denote the constant factor sets of the linear system model. In this case, the MCI set C_∞ is a polytopic set of the form

$c_{\infty }=\left\{x\in R^n❘A_{c}x\le b_c\right\},$

The secondary conditions (4b) and (4c) of the optimization problem can be combined with the aid of conventional methods from convex optimization and robust model predictive control to form a sequence of affine conditions for the set of control inputs u sought.

In this case, a safe set of control inputs u(k) can be determined as a result of a parametric quadratic optimization problem, which is particularly advantageous since such optimization problems can be solved at least partially in advance with conventional techniques of parametric optimization. In this case, the optimization problem thus does not have to be solved entirely during the driving operation of the vehicle.

The optimization problem has the quadratic target function

$\begin{array}{cc}u\left(k\right)=\arg {\min }_{u\in R^m}{u-u_{\mathrm{per}}\left(k\right)}^2& \left(6\right)\end{array}$

and linear secondary conditions of the form

$\begin{array}{cc}\mathrm{Mu}\le b+\mathrm{Hx}\left(k\right),& \left(7\right)\end{array}$

where the matrices M and H and the vector b are selected such that the predicted vehicle state x(k+1)=f(x(k), u(k), w(k)) is within the predetermined maximum controlled invariant MCI state set C_∞ for all w(k)∈W while maintaining the input limits U.

Advantageously, according to an example embodiment of the present invention, the matrices M and H and the vector b are selected such that the predicted vehicle state x(k+1) f(x(k), u(k), w(k)) fulfills the conditions (4b) and (4c):

$h\left(f\left(x\left(k\right),u\left(k\right),w\left(k\right)\right)\right)\le \left(1-\gamma \right)h\left(x\left(k\right)\right)\mathrm{for}\mathrm{all}w\left(k\right)\in W$

As indicated above, in a preferred variant of the method according to the present invention, solutions u* for the parametric quadratic optimization problem with the linear secondary conditions are predetermined, namely, as

$\begin{array}{c}{u}^{*}{C}_i+{D_i\left[{x\left(k\right)}^T,{u_{\mathrm{per}}\left(k\right)}^T\right]}^T\text{}\mathrm{for}{R}_i\subset \mathrm{XxU}\\ \mathrm{with}i\mathrm{so}{\mathrm{that}\left[{x\left(k\right)}^T,{u_{\mathrm{per}}\left(k\right)}^T\right]}^T\\ \in R_i\end{array}$

where C_i and D_i describe the solution of the quadratic optimization problem as an affine function of the parameters x(k) and u_per(k) within a range R_i and R_i denotes different ranges of the space spanned by X and U.

During driving operation, one of the predetermined ranges R_i is then first identified on the basis of the vehicle state x(k) and the provided set of control inputs u_per(k) by checking the following condition:

$\begin{array}{cc}{\left[{x\left(k\right)}^T,{u_{\mathrm{per}}\left(k\right)}^T\right]}^T\in R_i& \left(8\right)\end{array}$

A safe set of control inputs u(k) is then determined as

$\begin{array}{cc}u\left(k\right)=C_1+{D_1\left[{x\left(k\right)}^T,{u_{\mathrm{per}}\left(k\right)}^T\right]}^T.& \left(9\right)\end{array}$

It should be noted at this point that a provided set of control inputs u_per(k) is not modified after mapping according to (8) and by applying equation (9) if this set of control inputs u_per(k) is considered safe according to (3a) or (3b).

BRIEF DESCRIPTION OF THE DRAWINGS

The measures according to the present invention and preferred implementation options are explained in more detail below with reference to the figures.

FIG. 1 illustrates the mode of operation of a computer-implemented method according to an example embodiment the present invention for providing safe control inputs u(k) for actuator components of a vehicle for implementing a specified trajectory using a block diagram.

FIG. 2 shows a flow chart of a first example embodiment of the computer-implemented method according to the present invention for providing safe control inputs u(k) for actuator components of a vehicle.

FIG. 3 shows a flow chart of a preferred example embodiment of the method according to the present invention.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

The block diagram of FIG. 1 shows a vehicle system 100 together with components of a computer-implemented system according to the present invention for carrying out a method according to the present invention for providing safe control inputs u(k) for actuator components of a vehicle for implementing a specified trajectory. The actuator components are not shown here. These actuator components are, for example, the speed control, the brake system, the steering system, etc. The trajectory to be implemented can, for example, be derived from a route ascertained by a navigation system on the basis of a specified place of departure and a specified destination for the vehicle.

The method according to the present invention assumes that the current vehicle state x(k) or the state variables describing the vehicle state, such as location, speed, orientation, etc., either can be detected directly or can be determined on the basis of measurement variables. Accordingly, the system according to the present invention (not shown here) comprises perception means for determining a vehicle state x(k) at a first time k. Furthermore, the system according to the present invention comprises a performance controller 11 for providing a first set of control inputs u_per(k). This first set of control inputs u_per(k) can be provided by the driver of the vehicle, for example by actuating the brake or the accelerator pedal or by a steering intervention. In at least partially automated vehicles, the first set of control inputs u_per(k) can however also be ascertained on the basis of a comparison between the vehicle state x(k) and the specified trajectory, and then provided. In any case, this first set of control inputs u_per(k) is supplied to a so-called safety filter 12. The safety filter 12 checks whether the first set of control inputs u_per(k) is safe. If the first set of control inputs u_per(k) is safe, the safety filter 12 passes this first set of control inputs, unchanged, as a safe set of control inputs u(k) to the vehicle system 100. If the first set of control inputs u_per(k) is not safe, the safety filter 12 modifies the first set of control inputs u_per(k) and thus generates a safe set of control inputs u(k) for the vehicle control. The safety filter 12 is therefore also referred to as a check and modification component.

The safety filter 12 thus outputs a safe set of control inputs u(k) in any case, which set can then be used to control the actuator components of the vehicle.

The temporal development of the vehicle system 100, i.e., the vehicle state x(k+1) at a second later time k+1, results from a functional relationship

$x\left(k+1\right)=f\left(x\left(k\right),u\left(k\right),w\left(k\right)\right)$

on the basis of the vehicle state x(k), the applied set of safe control inputs u(k), and all disruptive influences and uncertainties w(k). FIG. 1 illustrates that the check and, where applicable, modification of the provided control inputs u_per(k) takes place continuously by setting k+1=k.

The flow chart 20 of FIG. 2 illustrates a first exemplary embodiment of a method according to the present invention for providing safe control inputs u(k) for actuator components of a vehicle for implementing a specified trajectory.

In a first method step 21, a vehicle state x(k) at a first time k is determined with the aid of suitable perception means. Furthermore, in method step 21, a first set of control inputs u_per(k) for the first time k is provided.

The vehicle state x(k) and the provided set of control inputs u_per(k) are used in the next method step 22 to predict the vehicle state x(k+1) at a later second time k+1. The corresponding calculation (calculate, x+1) is generally also based on disruptive influences and uncertainties w(k) at time k.

In method step 23, it is checked whether the provided set of control inputs u_per(k) is safe.

For this purpose, it is first checked whether the provided set of control inputs u_per(k) is permissible, i.e., whether u_per(k)∈U, where U is the set of all possible sets of control inputs within specified boundary conditions for the control inputs. The boundary conditions for U are generally actuator-related boundary conditions, such as maximum acceleration, maximum braking effect, maximum control speed, maximum steering angle, etc.

It is then checked whether the vehicle state x(k+1) predicted for the later time k+1 in method step 22 is safe, since the method according to the present invention assumes that, only in this case, the provided set of control inputs u_per(k) can also be considered safe. For this purpose, it is first checked as a necessary condition whether the predicted vehicle state x(k+1) is within a predetermined maximum controlled invariant MCI state set C_∞,

$x\left(k+1\right)\in C_{\infty }$

where the MCI state set C_∞ is defined such that it comprises all permissible vehicle states x(k)∈X for which a set of control inputs u(k)∈U exists which transfers the vehicle into a safe state for a next time k+1, namely, for all possible sets of disruptive influences w(k)∈W. In the exemplary embodiment described here, x(k+1), and thus also the provided set of control inputs u_per(k), is however only considered safe if the condition

$h\left(x\left(k+1\right)\right)\le \left(1-\gamma \right)h\left(x\left(k\right)\right)$

is also fulfilled for all possible sets of disruptive influences w(k)∈W, where γ is a specifiable value greater than 0 and less than/equal to 1, γ∈(0, 1].

If all conditions queried in method step 23 are fulfilled, the provided set of control inputs u_per(k) is considered safe, method step 24, and is provided as u(k) to the vehicle system for controlling the actuator components.

If the check in method step 23 reveals that the provided set of control inputs u_per(k) cannot be considered safe, this provided set of control inputs u_per(k) is modified in order to generate a safe set of control inputs u(k). For this purpose, in the exemplary embodiment described here, in method step 25, the following optimization problem with the quadratic target function

$u\left(k\right)={\mathrm{argmin}}_{u\in U}{u-u_{\mathrm{per}}\left(k\right)}^2$

and secondary conditions of the form

$h\left(x\left(k+1\right)\right)\le \left(1-\gamma \right)h\left(x\left(k\right)\right)\mathrm{for}\mathrm{all}w\left(k\right)\in W.$

is solved. The resulting set of safe control inputs u(k) is provided as u(k) to the vehicle system for controlling the actuator components.

Method steps 21 to 25 explained above are continuously repeated by setting k+1=k in each case after passing through method steps 24 or 25.

In the design variant described in connection with FIG. 2, the optimization problem for modifying the provided set of control inputs u_per(k) must be solved completely during vehicle operation, which requires a comparatively high computational effort.

FIG. 3 shows a variant of the method according to the present invention which makes use of the fact that the optimization problem described above can be formulated as a parametric quadratic optimization problem with linear secondary conditions under certain preconditions, which are explained in the introduction to the description. Such optimization problems can at least partially already be solved in advance, which is exploited according to the present invention in order to save computing power during driving.

In the exemplary embodiment described here, solutions u* for the parametric quadratic optimization problem with the linear secondary conditions have accordingly been predetermined, i.e., for example, at the factory. These solutions u* have the form

$u^{*}=C_i+{D_i\left[{x\left(k\right)}^T,{u_{\mathrm{per}}\left(k\right)}^T\right]}^T\mathrm{for}{R}_i\subset XxU$ $\mathrm{with}i\mathrm{so}{\mathrm{that}\left[{x\left(k\right)}^T,{u_{\mathrm{per}}\left(k\right)}^T\right]}^T\in R_i$

where C_i and D_i describe the solution of the quadratic optimization problem as an affine function of the parameters x(k) and u_per(k) within a range R_i and R_i denotes different ranges of the space spanned by X and U. In this case, R_i, C_i and D_i have thus been determined.

The flow chart 30 shown in FIG. 3 shows only method steps that are performed during driving operation.

In a first method step 31, a vehicle state x(k) at a first time k is determined with the aid of suitable perception means. Furthermore, in method step 31, a first set of control inputs u_per(k) for the first time k is provided.

In a next step 32, one of the predetermined ranges R_i is identified on the basis of the vehicle state x(k) and the provided set of control inputs u_per(k) by checking the following condition by incrementing i:

${\left[{x\left(k\right)}^T,{u_{\mathrm{per}}\left(k\right)}^T\right]}^T\in R_i$

After identifying the range R_i in method step 32, a safe set of control inputs u(k) is then determined in method step 33, wherein the predetermined matrices C_i and D_i are used.

$u\left(k\right)=C_i+{D_i\left[{x\left(k\right)}^T,{u_{\mathrm{per}}\left(k\right)}^T\right]}^T.$

The resulting set of safe control inputs u(k) is provided as u(k) to the vehicle system for controlling the actuator components.

Method steps 31 to 33 explained above are continuously repeated by setting k+1=k after passing through method step 33.

Since the optimization problem in the variant described above is solved in advance, this embodiment of the present invention is characterized by real-time capability even with limited computing power.

In conclusion, it should also be pointed out that the method according to the present invention can be applied to all types of vehicle dynamics control, i.e., to a lateral control, a longitudinal control, and also a combined approach in which the lateral and longitudinal dynamics are controlled simultaneously. In addition, a wide variety of disruptive influences and uncertainties can be taken into account within the scope of the method according to the present invention.

Claims

1. A computer-implemented method for providing safe control inputs u(k) for actuator components of a vehicle for implementing a specified trajectory, the method comprising the following steps: a. determining a vehicle state x(k) at a first time k;b. providing a first set of control inputs uper(k) for the first time k; andc. checking whether the first set of control inputs uper(k) is safe by checking whether a vehicle state x(k+1) for a later second time k+1 predicted based on the vehicle state x(k) and the first set of control inputs uper(k) is safe;wherein the predicted vehicle state x(k+1) is considered safe when the predicted vehicle state x(k+1) is within a predetermined maximum controlled invariant (MCI) state set C∞; and,when the vehicle state x(k+1) is not considered safe, a safe set of control inputs u(k) is determined by modifying the first set of control inputs uper(k) such that a vehicle state x(k+1) predicted based on the vehicle state x(k) and the modified set of control inputs u(k) is considered safe.

2. The method according to claim 1, wherein the prediction of the vehicle state x(k+1) is based on a time-invariant linear system model which is described by

3. The method according to claim 2, wherein, in the time-invariant linear system model, (i) infrastructure-related and environmental-influence-related disturbances and uncertainties, and/or (ii) system-model-related errors including linearization errors, and/or (ii) errors in the determination of the vehicle state, are taken into account as disruptive influences.

4. The method according to claim 1, wherein the MCI state set C∞ is described as

5. The method according to claim 4, wherein, when checking whether the predicted vehicle state x(k+1) is safe, it is checked whether the condition:

6. The method according to claim 1, wherein the safe set of control inputs u(k) is determined as a result of an optimization problem.

7. The method according to claim 6, wherein the safe set of control inputs u(k) is determined as a result of an optimization problem with a quadratic target function

8. The method according to claim 6, wherein the safe set of control inputs u(k) is determined as a result of a parametric quadratic optimization problem with the quadratic target function

9. The method according to claim 8, wherein the matrices M and H and the vector b are selected such that the predicted vehicle state x(k+1) f(x(k), u(k), w(k)) fulfills the condition:

10. The method according to claim 8, wherein solutions u* for the parametric quadratic optimization problem with the linear secondary conditions are predetermined as

11. The method according to claim 10, wherein: a. one of the ranges is identified based on the vehicle state x(k) and the first set of control inputs uper(k) by checking the following condition:

12. A computer-implemented system, comprising: a. a perception arrangement configured to determine a vehicle state x(k) at a first time k,b. a performance controller configured to provide a first set of control inputs uper(k); andc. a check and modification component configured to check whether the first set of control inputs uper(k) is safe, and configured to modify the first set of control inputs uper(k) if the first set of control inputs uper(k) is not considered safe.