This patent application relates to fail-safe systems for autonomous vehicles, and more particularly to performing safing maneuvers such as to follow a safe trajectory upon detection of a fault.
Autonomous vehicles typically include a variety of cameras, lidars and other sensors to monitor nearby conditions, such as the location of lane markings, roadside objects and other vehicles. A controller includes autonomy logic to process data received from these sensors to determine inputs for throttle, brake and/or steering actuators that control operation of the vehicle.
However, these sensors may become impaired or even fail. Impairment or failure may be due to operating conditions, tampering, physical damage, component failure, lost connection, or other reasons. The loss of one or more sensors may impede the autonomous vehicle's ability to operate properly.
What is needed is a way to safely control an autonomous vehicle when data from a sensor is lost or corrupted or otherwise reduced in quality.
In one embodiment, the vehicle's control systems include an A-kit module that operates autonomy logic to generate a desired trajectory from sensor data. A B-kit module receives the desired trajectory and generates inputs for actuators such as steering, brake and throttle actuators based on the desired trajectory. Safing logic (which may be located in the A-kit, B-kit, both the A-kit and the B-kit or elsewhere within or outside of the vehicle) receives a sensor fault indication and executes a safing maneuver to bring the vehicle to a safe state.
In some aspects, the techniques described herein relate to an apparatus or method for controlling an autonomous vehicle including: an A-kit module that receives sensor data and operates autonomy logic to generate a desired trajectory and a contingency trajectory that specifies a safing maneuver; a B-kit module that receives the desired trajectory, and generates corresponding inputs for steering, brake and/or throttle actuators of the vehicle based on the desired trajectory; and safing logic, configured to receive a sensor fault indication and the contingency trajectory, and configured to perform the safing maneuver to operate corresponding inputs for the steering, brake, and other throttle actuators to bring the vehicle to a safe state.
In some aspects, the A-kit sends the contingency trajectory to the B-kit module; and the B-kit module executes the safing logic to perform the contingency trajectory.
In some aspects, the B-kit module receives secondary sensor data and operates reduced level autonomy logic within the safing logic to perform the safing maneuver.
In some aspects, the secondary sensor data is received from an OEM sensor accessed via a Controller Area Network (CAN) bus on the vehicle.
In some aspects, the safing logic receives commands for the safing maneuver received from a companion vehicle via a wireless V2V link.
In some aspects, the commands are provided by autonomy logic in the companion vehicle.
In some aspects, the commands are provided by a human located in the companion vehicle.
In some aspects, the safing maneuver results in bringing the vehicle to a stop at a roadside or results in the vehicle following a companion vehicle.
In some aspects, a drone is activated upon the fault indication, to receive or generate drone sensor data and operate autonomy logic to generate a contingency trajectory, and to forward the contingency trajectory to the safing logic over a wireless link; and wherein the safing logic receives the contingency trajectory from the drone over the wireless link, and executes the contingency trajectory to perform the safing maneuver.
In some aspects, the contingency trajectory is generated on the B-kit module based on sensor data received from the drone.
In some aspects, the fault is one or more of a sensor fault, autonomy logic fault, or interface fault that results in an inability to continuously generate desired trajectories within a certain time interval.
As shown more particularly in
The human driver 42 provides inputs to the system controller 70 via typical human input devices 40 such as a throttle pedal (TH), brake pedal (BR) and steering wheel (ST). It should be understood that the reference to a “throttle” herein does not mean the vehicle must be driven by an internal combustion engine. The vehicle may be propelled by electric motors or other alternatives to fossil fuels.
The human driver 42 can also view a display 50 and operate other inputs 75.
The autonomy logic 10 receives inputs from sensors 15 such as one or more camera(s), lidar(s), radar(s), position sensor(s), and/or receives data from other sources via communication link(s) 62 and other inputs. The autonomy logic typically includes perception logic to determine that one or more current conditions are present from such sensor data, and then executes autonomous planner logic to generate one or more trajectories depending on those detected current conditions. The autonomy logic may be implemented such as the autonomy logic described in U.S. Patent Publication No. US2022/0198936A1 entitled “Shared Control for Vehicles Travelling in Formation” or as described in U.S. Patent Publication No. US20210129843A1 entitled “Behaviors That Reduce Demand on Autonomous Follower Vehicles” (each of which is hereby incorporated by reference), or in many other ways.
The autonomy logic 10 produces autonomy control signals 101, 102 that may include a desired trajectory for the vehicle so that corresponding throttle, brake and steering signals can be generated by the controller 70.
The autonomy logic 10 may be part of an A-kit module 20.
The A-kit module 20 is responsible for generating instructions that describe a plan for the vehicle, such as a path that it should follow. The A-kit module also provides a ready signal RDY when the autonomy logic 10 determines that it has sufficient information to devise and approve of a trajectory for the vehicle to be autonomously driven. The A-kit 20 may also exchange data with a companion vehicle or a command center or an aerial drone via the communications 62 such as a Vehicle to Vehicle (V2V) link.
A B-kit module 30 receives inputs from the autonomy logic 10, such as instructions in the form of trajectories 101, 102 from the A-kit (including one or more trajectories to follow) and produces autonomy control signals 32 (for example including throttle (TH), brake (BR) and steering (ST) control signals) to the controller 70. The B-kit 30 may also exchange data with a companion vehicle or a command center or an aerial drone via a wireless interface 63 such as a V2V link. The B-kit 30 may also generate a ready (RDY) signal to report whether it is operating properly to the controller 70.
It should be understood that the A-kit 20 and B-kit 30 modules are preferably independent of one another. For example, a fault of the A-kit 20 electronics or control programming should be recoverable by the B-kit 30 to at least enable the vehicle to reach a safe state.
The controller 70 receives both human control inputs 40 from the human driver 42 and autonomous control inputs 32 (TH, BR, ST) from the B-kit module 30 and chooses which set of control inputs to apply. The choice may make use of the RDY signals from the A-kit 20 and B-kit 30 to determine if those components are operating properly. The controller 70 feeds at least a selected one of the throttle control inputs to a Pulse Width Modulated (PWM) relay (not shown). The relay can select which of the inputs are fed to the vehicle's Electronic Control Unit (ECU). Steering and brake inputs may be controlled over a Controller Area Network (CAN) bus.
The ECU 80 in turn produces electronic control signals used by one or more actuators 90 which may include the vehicle's throttle 91, brake 92 and steering 93 actuators that in turn operate the physical throttle, brake and steering sub-systems on the vehicle. In some implementations the ECU may not control one or more of the actuators, such as the steering 93.
The controller 70 may also receive inputs from actuators 90 that indicate their current status.
In some implementations the controller 70 may provide visual or audio alert outputs to the output device(s) 50. The output device(s) may include indicator lights and/or a speaker and electronics that can play back pre-recorded audio messages to the human driver 42.
The controller 70 may also receive data from the human 42 such as via other input devices 75 such as a microphone or keyboard.
The B-kit module 30 receives the desired trajectory 101 and generates “maneuvers” in the form of inputs to the steering, brake and/or throttle actuators 90 based on the desired trajectory 101. In some instances, the autonomy control signals 32 may pass from the B-kit to the controller 70 and/or directly to the ECU 80 before resulting in control signals being input to the actuators 90.
Here, the A-kit 20 may also be responsible for detecting one or more fault conditions. Such faults may include a failure detected by one of the sensors 15 or in one or more of the sensors 15 themselves. However, these faults may be detected in other components such as in the autonomy logic 10 itself, or in other processors, or in other components of the A-kit 20.
In some environments, the A-kit module 20 also continuously sends one or more contingency trajectories 102 to the B-kit 30. The contingency trajectory(ies) 102 are typically also continuously generated by governing logic or other parts of the autonomy logic 10 based on current conditions. A given contingency trajectory 102 is executed by the B-kit module to perform a safing maneuver in response to a particular fault or faults.
The safing maneuver, as specified by a contingency trajectory, may include stopping the vehicle, pulling to the side of the road, taking an exit, changing the vehicle's speed, or changing position with respect to another vehicle, or some other maneuver that places the vehicle in a known safe state.
In another scenario depicted in
In yet another scenario, the safing maneuver 102 may be provided by a human located in a companion vehicle. For example, braking, throttle and steering inputs may be provided over the V2V link to directly control the vehicle's actuators in an emergency situation.
In some aspects, the techniques described herein relate to an apparatus for controlling an autonomous vehicle including: an A-kit module that receives sensor data and operates autonomy logic to generate a desired trajectory and a contingency trajectory that specifies a safing maneuver; a B-kit module that receives the desired trajectory, and generates corresponding inputs for steering, brake and/or throttle actuators of the vehicle based on the desired trajectory; and safing logic, configured to receive a sensor fault indication and the contingency trajectory, and configured to perform the safing maneuver to operate corresponding inputs for the steering, brake, and other throttle actuators to bring the vehicle to a safe state.
In some aspects, the techniques described herein relate to an apparatus wherein: the A-kit sends the contingency trajectory to the B-kit module; and the B-kit module executes the safing logic to perform the contingency trajectory.
In some aspects, the techniques described herein relate to an apparatus wherein: the B-kit module receives secondary sensor data and operates reduced level autonomy logic within the safing logic to perform the safing maneuver.
In some aspects, the techniques described herein relate to an apparatus wherein the secondary sensor data is received from an OEM sensor accessed via a Controller Area Network (CAN) bus on the vehicle.
In some aspects, the techniques described herein relate to an apparatus wherein: the safing logic receives commands for the safing maneuver received from a companion vehicle via a wireless V2V link.
In some aspects, the techniques described herein relate to an apparatus wherein: the commands are provided by autonomy logic in the companion vehicle.
In some aspects, the techniques described herein relate to an apparatus wherein the commands are provided by a human located in the companion vehicle.
In some aspects, the techniques described herein relate to an apparatus wherein the safing maneuver results in bringing the vehicle to a stop at a roadside or results in the vehicle following a companion vehicle.
In some aspects, the techniques described herein relate to an apparatus additionally including: a drone, initially carried on the vehicle or a companion vehicle and activated upon the fault indication, to receive drone sensor data and operate autonomy logic to generate a contingency trajectory, and to forward the contingency trajectory to the safing logic over a wireless link; and wherein the safing logic receives the contingency trajectory from the drone over the wireless link, and executes the contingency trajectory to perform the safing maneuver.
In some aspects, the techniques described herein relate to an apparatus wherein the contingency trajectory is generated on the B-kit module based on sensor data received from the drone.
In some aspects, the techniques described herein relate to an apparatus wherein the fault is one or more of a sensor fault, autonomy logic fault, or interface fault that results in an inability to continuously generate desired trajectories within a certain time interval.
0 to further assist with generating the contingency trajectory 102.
In some embodiments, the drone 150 may itself include autonomy logic 152. The autonomy logic 152 in drone 150 may generate the contingency trajectory 102 and forward it to the B-kit 30 such as over wireless link 63. The B-kit module 30 may receive this contingency trajectory 102 from the drone and execute the resulting safing maneuver(s).
The contingency trajectory(ies) may also involve generating safing maneuvers for a companion vehicle. For example, a fault may occur in only one of a pair of vehicles travelling in a convoy. However, the contingency trajectory should involve generating safing maneuvers so that both vehicles reach a safe state.
The following Table lists some examples of safing maneuvers, the corresponding system functions and a description of each.
At some point as shown in
In
Autonomy logic on the vehicle with the failed sensor may suggest or restrict the motions of a companion vehicle. In one example, after detecting a fault, a follower vehicle F may request that the companion vehicle L speed up if the failure relates to a condition where the follower vehicle F may not be able to stop quickly or safely. In another example, the part of the autonomy logic responsible for contingency planning in a follower vehicle F may instruct autonomy logic in a leader vehicle L to slow down or speed up as soon as possible, well before a human driver in the lead vehicle would notice or react to the fault.
In addition, “safing data” may include something other than a trajectory, such as where the B-kit has sufficient intelligence to process safing data to derive a safing maneuver on its own. In one example, the safing data could simply include positions and speeds of all nearby traffic.
The drone sensor data (e.g., the “safing data”) may be replaced or augmented by V2V data received from third party vehicles or by Vehicle-to-Infrastructure (VTI) data available from transportation infrastructure.
Safing data may also originate from a companion vehicle. In one example, this can be a video feed from a rear facing camera on the leader which is forwarded to the failed follower over a V2V link.
The failure detection logic may be located in any or all of the A-kit (A), B-kit (B), Controller (C), or ECU (E), or a human (H). Thus, generally speaking, the contingency trajectory may also be located in or generated by any of the A-kit 20, B-kit 30, Controller 70, ECU 80, or human 42.
A “command” executed in response to a fault may include generating governing data. Autonomy logic responsible for carrying out the safing maneuver may also exist in any of the A-kit 20, B-kit 30, Controller 70, ECU 80, or human 42 in the companion vehicle.
The safing action may be generated in many places including the vehicle with the failure, a companion vehicle, or a flying drone, or a command center. In any of these cases, autonomy logic or a human being may be the source that initiates the safing maneuver.
A safing action may simply be the execution of a contingency action. However, the safing action may comprise a stream of other data that comes from anywhere, such as teleoperation from a command center, another vehicle, or a drone.
A sequence of events may be as follows:
1. Contingency actions are generated continuously such as by autonomy logic in an A-kit.
2. Fault detection logic in the A-kit detects a fault. Notification of this event is broadcast such as to the B-kit in the same vehicle or a companion vehicle.
3. Fault response logic receives the broadcast notification, decides on and initiates a contingency trajectory as a response.
4. The response may include multiple actions in multiple places. For example, the response may reconfigure assets (such as to launch a drone), or activate a control device (such as a joystick on a leader), transfer or modify control (such as via contingency autonomy commands) and/or data streams (such as generating video from a drone).
5. The response may play out over an extended period of time—such as at least the time it takes to move a follower F off of the road to a safe location, such as onto a shoulder, or to the next exit ramp, for example.
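The sequence above, sketched in C as B-kit safing logic that caches the continuously received contingency trajectory and latches it when a fault is reported or desired trajectories stop arriving in time; this is an added illustration, not code from the application. The type and function names, the 200 ms and 1000 ms limits, the sequence numbers, and the fallback to a plain stop when no fresh contingency trajectory is cached are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed limits: the text only says "a certain time interval". */
#define DESIRED_TIMEOUT_MS      200u   /* max gap between desired trajectories 101 */
#define CONTINGENCY_MAX_AGE_MS 1000u   /* oldest contingency trajectory 102 still trusted */

typedef enum { MODE_NOMINAL, MODE_SAFING, MODE_EMERGENCY_STOP } bkit_mode_t;

/* Hypothetical trajectory header; the path payload is omitted. */
typedef struct { uint32_t seq; uint32_t rx_ms; bool valid; } traj_t;

typedef struct {
    bkit_mode_t mode;
    traj_t desired;      /* latest desired trajectory 101 */
    traj_t contingency;  /* latest contingency trajectory 102 (step 1) */
    traj_t latched;      /* contingency frozen at fault time (step 3) */
} bkit_t;

void bkit_init(bkit_t *b, uint32_t now_ms) {
    memset(b, 0, sizeof *b);
    b->mode = MODE_NOMINAL;
    b->desired.rx_ms = now_ms;          /* watchdog counts from start-up */
}

/* Accept only strictly newer sequence numbers, so a duplicated or delayed
 * message cannot replace a fresher trajectory. Unsigned math is wrap-safe. */
static bool accept(traj_t *slot, uint32_t seq, uint32_t now_ms) {
    if (slot->valid && (int32_t)(seq - slot->seq) <= 0) return false;
    slot->seq = seq; slot->rx_ms = now_ms; slot->valid = true;
    return true;
}

/* Once safing is latched, A-kit output is no longer trusted (assumption). */
bool bkit_on_desired(bkit_t *b, uint32_t seq, uint32_t now_ms) {
    return b->mode == MODE_NOMINAL && accept(&b->desired, seq, now_ms);
}
bool bkit_on_contingency(bkit_t *b, uint32_t seq, uint32_t now_ms) {
    return b->mode == MODE_NOMINAL && accept(&b->contingency, seq, now_ms);
}

/* Steps 2-3: a fault notification selects the response. The decision is
 * latched: a later "recovery" of the A-kit does not cancel the maneuver. */
bkit_mode_t bkit_on_fault(bkit_t *b, uint32_t now_ms) {
    if (b->mode != MODE_NOMINAL) return b->mode;
    if (b->contingency.valid &&
        now_ms - b->contingency.rx_ms <= CONTINGENCY_MAX_AGE_MS) {
        b->latched = b->contingency;
        b->mode = MODE_SAFING;
    } else {
        b->mode = MODE_EMERGENCY_STOP;  /* no fresh plan: plain stop (assumption) */
    }
    return b->mode;
}

/* Periodic watchdog: missing desired trajectories are themselves a fault. */
bkit_mode_t bkit_tick(bkit_t *b, uint32_t now_ms) {
    if (b->mode == MODE_NOMINAL &&
        now_ms - b->desired.rx_ms > DESIRED_TIMEOUT_MS)
        return bkit_on_fault(b, now_ms);
    return b->mode;
}

int main(void) {
    bkit_t b;                            /* constructed timeline, times in ms */
    bkit_init(&b, 0);
    bkit_on_desired(&b, 1, 10);
    bkit_on_contingency(&b, 1, 10);
    /* The A-kit goes silent after t=10; the watchdog fires at t=300. */
    return bkit_tick(&b, 300) == MODE_SAFING ? 0 : 1;
}
```
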
It should be understood that the example embodiments described above may be implemented in many different ways. In some instances, the various “data processors” and/or “logic” may be implemented by a physical or virtual general purpose computer apparatus having a central processor, memory, disk or other mass storage, communication interface(s), input/output (I/O) device(s), and other peripherals. The general-purpose computer is transformed into the processors and executes the processes and methods described above, for example, by loading software instructions into the processor, and then causing execution of the instructions to carry out the functions described.
As is known in the art, such a computer may contain a system bus, where a bus is a set of hardware lines used for data transfer among the components of a computer or processing system. The bus or busses are essentially shared conduit(s) that connect different elements of the computer system (e.g., one or more central processing units, disks, various memories, input/output ports, network ports, etc.) and enable the transfer of information between the elements. One or more central processor units are attached to the system bus and provide for the execution of computer instructions. Also attached to the system bus are typically I/O device interfaces for connecting the disks, memories, and various input and output devices. Network interface(s) allow connections to various other devices attached to a network. One or more memories provide volatile and/or non-volatile storage for computer software instructions and data used to implement an embodiment. Disks or other mass storage provide non-volatile storage for computer software instructions and data used to implement, for example, the various procedures described herein.
Embodiments may therefore typically be implemented in hardware, custom designed semiconductor logic, Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), firmware, software, or any combination thereof.
In certain embodiments, the procedures, devices, and processes described herein are a computer program product, including a computer readable medium (e.g., a removable storage medium such as one or more DVD-ROM's, CD-ROM's, diskettes, tapes, etc.) that provides at least a portion of the software instructions for the system. Such a computer program product can be installed by any suitable software installation procedure, as is well known in the art. In another embodiment, at least a portion of the software instructions may also be downloaded over a cable, communication and/or wireless connection.
Embodiments may also be implemented as instructions stored on a non-transient machine-readable medium, which may be read and executed by one or more procedures. A non-transient machine-readable medium may include any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computing device). For example, a non-transient machine-readable medium may include read only memory (ROM); random access memory (RAM); storage including magnetic disk storage media; optical storage media; flash memory devices; and others.
Furthermore, firmware, software, routines, or instructions may be described herein as performing certain actions and/or functions. However, it should be appreciated that such descriptions contained herein are merely for convenience and that such actions in fact result from computing devices, processors, controllers, or other devices executing the firmware, software, routines, instructions, etc.
It also should be understood that the block and system diagrams may include more or fewer elements, be arranged differently, or be represented differently. But it further should be understood that certain implementations may dictate the block and network diagrams and the number of block and network diagrams illustrating the execution of the embodiments be implemented in a particular way.
Accordingly, further embodiments may also be implemented in a variety of computer architectures, physical, virtual, cloud computers, and/or some combination thereof, and thus the computer systems described herein are intended for purposes of illustration only and not as a limitation of the embodiments.
The above description has particularly shown and described example embodiments. However, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the legal scope of this patent as encompassed by the appended claims.
This application claims priority to co-pending U.S. Patent Application Ser. No. 63/318,444 filed Mar. 10, 2022 entitled “Handling Faults in Autonomous Vehicles”, the entire contents of which are hereby incorporated by reference.
Number | Date | Country
---|---|---
63318444 | Mar 2022 | US