The present invention relates to a technology for controlling a vehicle.
In recent years, many vehicle control systems include an electronic control unit (ECU) which operates electronic vehicle control instruments, and an in-vehicle network (local area network) which enables communication between ECUs.
In addition, in recent years, there has been an increasing demand for an automatic driving system which automatically carries a vehicle to a destination, without a driver's accelerator, brake, or steering operation. In the automatic driving system, it is necessary to ensure sufficient safety even when an automatic driving integrated ECU which takes over the driver's determination fails. Which state is safe depends on a driving environment. For example, it can be said that it is safe to keep driving without stopping in harsh environments such as expressways or extreme cold areas.
Redundancy of functions is known as a method for keeping an automobile driving even when an ECU fails. The redundancy is a method for preparing two or more ECUs having the same function and switching to the other when one is broken. For example, it is conceivable that only one ECU transmits a control command value to an in-vehicle network in a normal state and the other ECU transmits a control command value to the in-vehicle network when the ECU is broken. However, this method has a problem that cost increases because two ECUs must be prepared.
Function substitution is known as another method for keeping an automobile driving even when an ECU fails. In PTL 1, when a failure of an ECU is detected, a substitution destination of the function of the failed ECU is selected, and a function program of the failed ECU is transmitted to the substitution destination. The substitution destination ECU substitutes the function of the failed ECU by using the function program. Therefore, high reliability is realized without providing a new ECU.
PTL 1: JP 2002-221075 A
In the technique disclosed in PTL 1, when a substitution destination ECU is selected, an appropriate ECU is selected from limited information. However, if the substitution destination ECU is selected based on the limited information, it is impossible to know whether the ECU can reliably substitute the function.
The present invention has been made in an effort to solve the above problems, and an object of the present invention is to provide a vehicle control technique capable of enhancing the safety of function substitution.
A vehicle control device according to the present invention determines whether a substitution is successful by monitoring an operation after starting the substitution.
According to a vehicle control device of the present invention, since the success or failure of a substituted function can be determined, the safety after function substitution can be secured.
In the following, for convenience of description, a program executed by a computing device may be explained as an operation subject, but it is noted that it is the computing device that actually executes the program.
The program area 113 stores a failure detection unit 1131, a substitution request unit 1132, a monitoring unit 1133, a determination unit 1134, a notification unit 1135, and a communication unit 1136 as programs executed by the CPU 111. The data area 114 stores state data 1141, an original data buffer 1142, a substitution data buffer 1143, a comparison table 1144, an error counter 1145, and a transmission buffer 1146. Details of each functional unit and data will be described below.
The program area 123 stores a traveling track generation unit 1231 and a communication unit 1232 as programs executed by the CPU 121. The data area 124 stores traveling track data 1241 and a transmission request flag 1242. Details of each functional unit and data will be described below.
The program area 133 stores an automatic parking unit 1331, a substitution processing unit 1332, and a communication unit 1333 as programs executed by the CPU 131. The data area 134 stores traveling track data 1341, a function substitution flag 1342, and a transmission request flag 1343. Details of each functional unit and data will be described below.
The program area 143 stores a navigation unit 1431 and a communication unit 1432 as programs executed by the CPU 141. Details of each functional unit will be described below.
The program area 153 stores a display unit 1531 and a communication unit 1532 as programs executed by the CPU 151. Details of each functional unit will be described below.
An action ID 11421 is the number of the operation sequence, and the vehicle performs the operation, for example, in ascending order of numbers. A distance 11422 is a distance traveled in the sequence of the corresponding number. A curvature 11423 is a traveling angle in the sequence of the corresponding number. For example, when the curvature 11423 is 0% and the distance 11422 is 300, it indicates going straight 300 meters.
The automatic driving integrated ECU 12 creates a traveling plan up to a next cycle, for example, at predetermined intervals. Since the surrounding environment of the vehicle varies from moment to moment, the automatic driving integrated ECU 12 sequentially creates the traveling track data 1241 while reflecting a situation at that point in each cycle.
In the data example illustrated in
Since it is considered that the vehicle continues to move during the period from the occurrence of the failure of the ECU to the start of the function substitution, it is necessary to set the allowable threshold value 11442 in consideration of this. For example, if the time from the detection of the failure of the automatic driving integrated ECU 12 to the start of the function substitution is 100 ms, a car traveling at 100 km/h travels about 2.8 meters in 100 ms. Then, a distance 13412 to be calculated by the automatic parking ECU 13 for the same action ID 13411 as the action ID 12411 is 2.8 meters less than the distance 12412. Therefore, it is desirable that the allowable threshold value 11442 relating to the automatic driving integrated ECU 12 is 2.8 meters or a numerical value with an appropriate coefficient or an error added thereto. In
The data ID 11461 is a value which indicates a type of data transmitted and received on the in-vehicle network 16. For example, when the in-vehicle network 16 is a CAN, a CAN ID can be used as the data ID 11461. The data value 11462 indicates a data value transmitted to the in-vehicle network 16. When the transmission request flag 11463 is set, data is transmitted from the transmission buffer 1146 to the in-vehicle network 16.
The automatic driving integrated ECU 12 transmits the traveling track data 1241 to the monitoring device 11. The transmission interval may be periodic, or may be returned in response to a request from the monitoring device 11. The monitoring device 11 stores the received traveling track data 1241 in the original data buffer 1142.
When the automatic driving integrated ECU 12 fails, the monitoring device 11 detects that the automatic driving integrated ECU 12 has failed. For example, if the periodically received traveling track data 1241 is not transmitted, it is determined that the automatic driving integrated ECU 12 has failed. The monitoring device 11 requests the automatic parking ECU 13 to create a traveling plan in place of the automatic driving integrated ECU 12. Upon receiving the request, the automatic parking ECU 13 starts substitution.
The navigation ECU 14 periodically transmits navigation data, such as destination/peripheral map/route, to the in-vehicle network 16. Since the in-vehicle network 16 is a bus type network, the automatic parking ECU 13 can also receive the navigation data received before the automatic driving integrated ECU 12 failed. The automatic parking ECU 13 creates the traveling track data 1341 by using the navigation data and the like received from the navigation ECU 14, and transmits the traveling track data 1341 to the monitoring device 11.
The monitoring device 11 compares the traveling track data 1241 calculated before the automatic driving integrated ECU 12 fails with the traveling track data 1341 calculated by the substitution of the automatic parking ECU 13, and determines whether the substitution is successful. The monitoring device 11 transmits the determination result to the meter ECU 15. The meter ECU 15 notifies a driver of the success or failure of the substitution by displaying the determination result on a screen.
The failure detection unit 1131 determines whether the traveling track data 1241 could be received. For example, it is possible to distinguish whether the traveling track data 1241 could be received by an argument when calling the failure detection unit 1131 in
The failure detection unit 1131 calls the substitution request unit 1132. The substitution request unit 1132 has a role of requesting the automatic parking ECU 13 to perform substitution.
The substitution request unit 1132 stores data requesting the automatic parking ECU 13 to perform the substitution in the transmission buffer 1146 and sets the transmission request flag 11463 of the corresponding data to 1 (a value requesting transmission).
By checking the value of the state data 1141, the monitoring unit 1133 checks whether the automatic driving integrated ECU 12 is in a normal state. For example, when the value is 0, it is normal, and when the value is 1, it is abnormal. If it is normal, the process proceeds to step S113302, and if it is abnormal, the process proceeds to S113303.
The monitoring unit 1133 stores the received traveling track data 1241 in the original data buffer 1142. The traveling track data 1241 can be delivered, for example, as an argument when calling the monitoring unit 1133.
The monitoring unit 1133 stores the received traveling track data 1341 in the substitution data buffer 1143. The traveling track data 1341 can be delivered, for example, as an argument when calling the monitoring unit 1133.
The monitoring unit 1133 compares the traveling track data 1241 stored in the original data buffer 1142 with the traveling track data 1341 stored in the substitution data buffer 1143 and checks whether a difference between both is within the allowable threshold value 11442. If it is within the threshold value, the process proceeds to step S113305; otherwise, the process proceeds to step S113306.
In this step, the success or failure of the substitution is determined according to whether the difference falls within the range of the allowable threshold value 11442, but the determination criterion is not limited thereto. For example, it may be determined based on whether the difference is equal to the assumed value.
When the traveling track data 1241 and 1341 are constituted by a plurality of operation steps (that is, a plurality of action IDs), the monitoring unit 1133 performs this step for each action ID corresponding to the traveling plan after a current time. When the difference with respect to any one of the action IDs exceeds the allowable threshold value 11442, the substitution may be regarded as having failed; alternatively, for example, the substitution may be regarded as having failed when the sum of the differences exceeds the allowable threshold value 11442.
The monitoring unit 1133 calls the determination unit 1134. The argument to be delivered to the determination unit 1134 is a value (for example, 0) indicating that the difference in step S113304 is within the allowable threshold value 11442.
The monitoring unit 1133 calls the determination unit 1134. The argument to be delivered to the determination unit 1134 is a value (for example, 1) indicating that the difference in step S113304 exceeds the allowable threshold value 11442.
The determination unit 1134 determines whether the difference between the original data and the substitution data is within the allowable threshold value 11442. For example, it can be determined whether the delivered argument is 0. If it is within the allowable threshold value 11442, the process proceeds to step S113402; otherwise, the process proceeds to step S113403.
The determination unit 1134 resets the error counter 1145 to 0.
The determination unit 1134 adds 1 to the error counter 1145.
The determination unit 1134 determines whether the error counter 1145 has reached a predetermined threshold value or more. When the error counter 1145 is the threshold value or more, it is regarded that the substitution has failed. In this flowchart, it is set to three times as an example. If the error counter 1145 is 3 or more, the process proceeds to step S113406; otherwise, this flowchart is ended.
The determination unit 1134 calls the notification unit 1135. The argument to be delivered to the notification unit 1135 is set to a value (for example, 0) indicating that the substitution has succeeded.
The determination unit 1134 calls the notification unit 1135. The argument to be delivered to the notification unit 1135 is set to a value (for example, 1) indicating that the substitution has failed.
The notification unit 1135 checks whether the substitution has succeeded. For example, if the delivered argument is 0, it is successful, and if the delivered argument is 1, it has failed. If the substitution is successful, the process proceeds to step S113502; otherwise, the process proceeds to step S113503.
The notification unit 1135 stores data for notifying that the function substitution has succeeded in the transmission buffer 1146. The data ID 11461 is a value previously assigned to data for notifying the success or failure of the substitution. The notification unit 1135 sets the transmission request flag 11463 of the stored data to 1.
The notification unit 1135 stores data for notifying that the function substitution has failed in the transmission buffer 1146. The data ID 11461 is a value previously assigned to data for notifying the success or failure of the substitution. The notification unit 1135 sets the transmission request flag 11463 of the stored data to 1.
The communication unit 1136 checks whether the traveling track data 1241 or 1341 has been received. If received, the process proceeds to step S113602, and if not received, the process proceeds to step S113603.
The communication unit 1136 calls the monitoring unit 1133 with the received traveling track data 1241 or 1341 as an argument.
The communication unit 1136 calls the failure detection unit 1131 with a value (for example, 0) indicating that the traveling track data 1241 or 1341 is not received as an argument.
In this step, when the traveling track data 1241 or 1341 is not received, the failure detection unit 1131 is immediately called, but the present invention is not limited thereto. For example, the number of times of not being received may be counted, and the failure detection unit 1131 may be called when the count value reaches a certain value or more.
The communication unit 1136 calls the failure detection unit 1131 with a value (for example, 1) indicating that the traveling track data 1241 or 1341 is received as an argument.
The communication unit 1136 checks whether there is data in which the transmission request flag 11463 of the transmission buffer 1146 is set to 1. If there is the data, the process proceeds to step S113606, and if there is no data, this flowchart is ended.
The communication unit 1136 transmits, to the in-vehicle network 16, the data in which the transmission request flag 11463 is set to 1. The communication unit 1136 resets the transmission request flag 11463 corresponding to the transmitted data to 0.
The traveling track generation unit 1231 generates the traveling track data 1241 necessary for reaching the destination and sets the transmission request flag 1242 to 1.
The traveling track generation unit 1231 calls the communication unit 1232.
The communication unit 1232 transmits, to the in-vehicle network 16, the traveling track data 1241 in which the transmission request flag 1242 is set to 1.
The communication unit 1232 clears the transmission request flag 1242 corresponding to the transmitted data to 0.
When the gear of the vehicle is in reverse and the automatic parking function is on, the automatic parking unit 1331 automatically parks the vehicle without depending on the operation by the driver.
The substitution processing unit 1332 checks whether the function substitution flag 1342 is 1. If 1, the process proceeds to step S133202; otherwise, the process proceeds to step S133203.
The substitution processing unit 1332 generates the traveling track data 1341 necessary for reaching the destination and sets the transmission request flag 1343 to 1.
The substitution processing unit 1332 may perform the process of generating the traveling track data 1341 at the same function level as the traveling track generation unit 1231, or may perform the process of generating the traveling track data 1341 at a lower function level. The function level used herein is a control parameter corresponding to the usefulness of the traveling track data, such as the number of operation sequences, accuracy, and the like. When the function level of the substitution processing unit 1332 is dropped below the traveling track generation unit 1231, it is possible to minimize an increase in the level of safety.
The substitution processing unit 1332 calls the communication unit 1333.
The communication unit 1333 checks whether the transmission request flag 1343 is 1. If 1, the process proceeds to step S133302; otherwise, the process proceeds to step S133304.
The communication unit 1333 transmits, to the in-vehicle network 16, the traveling track data 1341 in which the transmission request flag 1343 is set to 1.
The communication unit 1333 clears the transmission request flag 1343 corresponding to the transmitted data to 0.
The communication unit 1333 checks whether there is the received navigation data and the function substitution flag 1342 is 1. If these conditions are satisfied, the process proceeds to step S133305; otherwise, this flowchart is ended.
The communication unit 1333 stores the received data in a buffer which the substitution processing unit 1332 can refer to.
The navigation unit 1431 calculates the entire route for reaching the destination set by the user.
The navigation unit 1431 calls the communication unit 1432 with the current map of the surroundings of the vehicle, the destination, and the traveling route as the argument.
The communication unit 1432 transmits, to the in-vehicle network 16, the navigation data, such as the surrounding map, the destination, the traveling route, and the like, which are delivered as the argument.
In this step, the navigation ECU 14 voluntarily transmits the navigation data to the in-vehicle network 16 to support initialization of function substitution, but is not limited thereto. For example, the navigation data may be transmitted in response to the substitution request.
The display unit 1531 checks whether data indicating that the substitution has failed (for example, data having a value of 1) has been received. If received, the process proceeds to step S153102; otherwise, the process proceeds to step S153103.
The display unit 1531 displays on the display device 156 that the automatic parking ECU 13 has failed to execute the function in place of the automatic driving integrated ECU 12.
The display unit 1531 checks whether data indicating that the substitution has succeeded (for example, data having a value of 0) has been received. If received, the process proceeds to step S153104; otherwise, this flowchart is ended.
The display unit 1531 displays on the display device 156 that the automatic parking ECU 13 has succeeded in executing the function in place of the automatic driving integrated ECU 12.
The communication unit 1532 checks whether there is the received data. If there is the received data, the process proceeds to step S153202, and if there is no received data, this flowchart is ended.
The communication unit 1532 calls the display unit 1531.
The vehicle control system 1 according to the first embodiment can determine whether the automatic parking ECU 13 has succeeded in the function substitution by comparing the control parameters before and after the start of substitution. Therefore, it is suitable for an automatic driving system which requires high reliability.
In the vehicle control system 1 according to the first embodiment, since the functions are made redundant by the function substitution between the ECUs, there is no need to make the ECU body redundant. Therefore, a highly reliable system can be constructed at a low cost.
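The check made by the monitoring unit 1133 in step S113304 and the error counting done by the determination unit 1134, together with the allowable threshold derived from vehicle speed and handover time, can be sketched as follows. This is an added example, not code from the patent; the type and function names, the margin coefficient, the distance-only comparison and the sample plans are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One plan step: action ID 11421, distance 11422 (m), curvature 11423 (%). */
typedef struct { int action_id; double distance_m; double curvature_pct; } track_step;

typedef enum { SUBST_PENDING, SUBST_OK, SUBST_FAILED } subst_result;

#define ERROR_LIMIT 3 /* example limit for the error counter 1145 */

typedef struct {
    double threshold_m; /* allowable threshold value 11442 */
    int error_counter;  /* error counter 1145 */
} monitor;

/* Distance travelled between failure detection and the start of substitution,
 * scaled by a margin coefficient (the margin parameter is an assumption). */
double allowable_threshold_m(double speed_kmh, double handover_ms, double margin)
{
    return speed_kmh / 3.6 * (handover_ms / 1000.0) * margin;
}

/* Step S113304, distance only: true when every step of the substitute plan has
 * a counterpart in the original plan and differs by at most the threshold. */
bool within_threshold(const monitor *m, const track_step *orig, size_t n_orig,
                      const track_step *sub, size_t n_sub)
{
    if (n_sub == 0) return false; /* an empty plan cannot be validated */
    for (size_t i = 0; i < n_sub; i++) {
        bool matched = false;
        for (size_t j = 0; j < n_orig; j++) {
            if (orig[j].action_id != sub[i].action_id) continue;
            double d = orig[j].distance_m - sub[i].distance_m;
            if (d < 0) d = -d;
            if (d > m->threshold_m) return false;
            matched = true;
            break;
        }
        if (!matched) return false; /* unknown action ID: treated as a mismatch */
    }
    return true;
}

/* Determination unit 1134: reset the counter on agreement, count consecutive
 * mismatches, and report failure once the counter reaches ERROR_LIMIT. */
subst_result determine(monitor *m, bool ok)
{
    if (ok) { m->error_counter = 0; return SUBST_OK; }
    if (++m->error_counter >= ERROR_LIMIT) return SUBST_FAILED;
    return SUBST_PENDING; /* mismatch seen, but not yet reported */
}

int main(void)
{
    /* Constructed sample plans, not taken from the patent figures. */
    const track_step orig[] = { {1, 300.0, 0.0}, {2, 50.0, 10.0} };
    const track_step good[] = { {1, 297.5, 0.0}, {2, 50.0, 10.0} };
    const track_step bad[]  = { {1, 280.0, 0.0}, {2, 50.0, 10.0} };
    const track_step *cycles[] = { good, bad, bad, bad };
    static const char *names[] = { "pending", "ok", "failed" };

    /* 100 km/h, 100 ms handover, 20 % margin: about 3.3 m. */
    monitor m = { allowable_threshold_m(100.0, 100.0, 1.2), 0 };
    for (size_t c = 0; c < 4; c++) {
        bool ok = within_threshold(&m, orig, 2, cycles[c], 2);
        printf("cycle %zu: %s\n", c, names[determine(&m, ok)]);
    }
    return 0;
}
```

Treating an unmatched action ID or an empty substitute plan as a mismatch is a fail-safe choice of this sketch; the patent text does not specify that case.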
In the second embodiment, a meter ECU 15 and a navigation ECU 14 are connected to an in-vehicle network 16, an automatic driving integrated ECU 12 is connected to an in-vehicle network 22, and an automatic parking ECU 13 is connected to an in-vehicle network 23. The in-vehicle networks are connected to one another through a gateway 21, and the ECUs can communicate with one another because the gateway 21 relays communication data. The in-vehicle network 22 and the in-vehicle network 23 are one-to-one communication networks such as Ethernet (registered trademark).
When it is determined that the automatic parking ECU 13 has failed in the function substitution, the gateway 21 may refrain from relaying any of the data transmitted from the automatic parking ECU 13. For example, even if the traveling track data 1341 is received, it can be discarded without being transmitted. Therefore, an influence range of abnormal data can be kept to a minimum.
After the automatic parking ECU 13 starts the function substitution (or after issuing the substitution request), the gateway 21 may change a routing table so that the data that was transmitted to the automatic driving integrated ECU 12 before that ECU failed is transmitted to the automatic parking ECU 13. Therefore, the function substitution can be started smoothly.
In the vehicle control system 1 according to the second embodiment, the gateway 21 controls the relay destination of the communication data, so that the function substitution starts smoothly and, when the substitution fails, the influence on other ECUs is minimized.
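The two gateway behaviours of the second embodiment, redirecting routes once substitution starts and discarding traffic from the substitute once substitution is judged to have failed, can be sketched as a small relay policy. This is an added example, not code from the patent; the data IDs, the table layout, the function names and the default-deny handling of unknown IDs are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { NET_16, NET_22, NET_23, NET_COUNT }; /* in-vehicle networks 16, 22, 23 */
#define NET_DROP (-1)
#define MAX_ROUTES 8

typedef struct { unsigned data_id; int dest; } route;

typedef struct {
    route table[MAX_ROUTES];
    size_t n_routes;
    bool blocked_src[NET_COUNT]; /* networks whose traffic is discarded */
} gateway;

bool add_route(gateway *g, unsigned data_id, int dest)
{
    if (g->n_routes == MAX_ROUTES || dest < 0 || dest >= NET_COUNT) return false;
    g->table[g->n_routes++] = (route){ data_id, dest };
    return true;
}

/* Substitution start: every route that pointed at the failed ECU's network
 * now points at the substitute's network. Returns the number rewritten. */
size_t redirect(gateway *g, int failed_net, int substitute_net)
{
    size_t changed = 0;
    for (size_t i = 0; i < g->n_routes; i++) {
        if (g->table[i].dest == failed_net) {
            g->table[i].dest = substitute_net;
            changed++;
        }
    }
    return changed;
}

/* Substitution failure: stop relaying anything that arrives from this network. */
void block_source(gateway *g, int net)
{
    if (net >= 0 && net < NET_COUNT) g->blocked_src[net] = true;
}

/* Returns the destination network for a frame, or NET_DROP when the source is
 * blocked or no route exists (default deny is an assumption of this sketch). */
int relay(const gateway *g, int src_net, unsigned data_id)
{
    if (src_net < 0 || src_net >= NET_COUNT || g->blocked_src[src_net]) return NET_DROP;
    for (size_t i = 0; i < g->n_routes; i++) {
        if (g->table[i].data_id == data_id && g->table[i].dest != src_net)
            return g->table[i].dest;
    }
    return NET_DROP;
}

int main(void)
{
    /* Constructed IDs: 0x100 = navigation data, 0x200 = traveling track data. */
    gateway g = {0};
    add_route(&g, 0x100, NET_22); /* navigation data goes to ECU 12 */
    add_route(&g, 0x200, NET_16); /* track data goes to network 16 */

    printf("nav before failure   -> %d\n", relay(&g, NET_16, 0x100));
    redirect(&g, NET_22, NET_23); /* ECU 13 takes over from ECU 12 */
    printf("nav after redirect   -> %d\n", relay(&g, NET_16, 0x100));
    printf("track from ECU 13    -> %d\n", relay(&g, NET_23, 0x200));
    block_source(&g, NET_23);     /* substitution judged to have failed */
    printf("track after blocking -> %d\n", relay(&g, NET_23, 0x200));
    return 0;
}
```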
The automatic parking microcomputer 136 is a microcomputer having the same function as that of the automatic parking ECU 13 described in the first embodiment. The monitoring microcomputer 137 is a microcomputer having the same function as that of the monitoring device 11 described in the first embodiment.
In the vehicle control system 1 according to the third embodiment, since the monitoring microcomputer 137 is provided in the automatic parking ECU 13 to realize the same function as that of the monitoring device 11, it is possible to realize the equivalent function at a lower cost than constructing the monitoring device 11 as an independent ECU.
The present invention is not limited to the above-described embodiments and various modifications can be made thereto. For example, the embodiments have been described in detail for easy understanding of the present invention and are not intended to limit the present invention to those necessarily including all the above-described configurations. In addition, a part of a configuration of a certain embodiment can be replaced with a configuration of another embodiment, and a configuration of another embodiment can be added to a configuration of a certain embodiment. In addition, it is possible to add, remove, or replace another configuration with respect to a part of a configuration of each embodiment.
In the above embodiments, the function substitution target is the traveling track generation unit 1231, but the ECU or other function units can be the function substitution target. For example, in a system in which an actuator is directly connected to the in-vehicle network 16, if an engine control ECU fails, a similar function substitution can be performed. In addition, two or more function units can be targeted for the function substitution. In this case, the state data 1141 can be provided for each function targeted for the function substitution. The same applies to the allowable threshold value 11442, the error counter 1145, the function substitution flag 1342, and the like.
In the above embodiments, it is assumed that the vehicle travels along the traveling track at the center of the road, but the present invention is not limited thereto. In addition, the traveling track data 1241 (and 1341) is expressed as described in
In the above embodiments, the traveling track data 1241 and 1341 are compared so as to determine the success or failure of the substitution to the automatic driving function, but the present invention is not limited thereto. For example, it is also possible to compare a control plan of a target torque.
In the above embodiments, the allowable threshold value 11442 is set as a constant, but the present invention is not limited thereto. For example, it is also possible to measure the elapsed time since the failure of the automatic driving integrated ECU 12 and to dynamically calculate the allowable threshold value 11442 according to the elapsed time.
In
In the above embodiments, the transmission request flag is used within the range necessary for describing the present invention. However, when transmitting other data to the in-vehicle network 16, the transmission request flag can be provided for each data.
In the above embodiments, the ECU requesting the function substitution is fixed to the automatic parking ECU 13, but the present invention is not limited thereto. For example, another ECU may be requested for function substitution according to a situation of a computational load or the like.
In the above embodiments, the automatic parking ECU 13 is provided with the substitution processing unit 1332 in advance, but the present invention is not limited thereto. For example, by transmitting a program during the execution of the system, the substitution destination ECU may be provided with a substitution function.
In the above embodiments, an example in which the function substitution is performed between the ECUs has been described. However, in a case where the same ECU has a plurality of CPUs, when one of the CPUs fails, a configuration similar to that of the present invention can be applied so that another CPU executes the function substitution in place of the failed CPU. For example, the ECU can have a configuration similar to that of the monitoring device 11, and it is possible to determine the success or failure of the function substitution.

Number | Date | Country | Kind |
---|---|---|---|
2015-209750 | Oct 2015 | JP | national |

Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2016/080890 | 10/19/2016 | WO | 00 |

Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2017/073415 | 5/4/2017 | WO | A |

Number | Name | Date | Kind |
---|---|---|---|
5828972 | Asanuma | Oct 1998 | A |
6463373 | Suganuma | Oct 2002 | B2 |
6687590 | Kifuku | Feb 2004 | B2 |
6904346 | Higashi | Jun 2005 | B2 |
7130728 | Suzuki | Oct 2006 | B2 |
8358578 | Murashige | Jan 2013 | B2 |
9517696 | Zhou | Dec 2016 | B2 |
9692345 | Masuda | Jun 2017 | B2 |
9783227 | Shimizu | Oct 2017 | B2 |
20020093298 | Walter | Jul 2002 | A1 |
20020099487 | Suganuma | Jul 2002 | A1 |
20030098197 | Laurent | May 2003 | A1 |
20040193344 | Suzuki | Sep 2004 | A1 |
20090262000 | Kanazawa | Oct 2009 | A1 |
20120065823 | Taguchi | Mar 2012 | A1 |
20120265405 | Matsumura | Oct 2012 | A1 |
20120271513 | Yoneda | Oct 2012 | A1 |
20120272091 | Sekiguchi | Oct 2012 | A1 |
20160006388 | Masuda | Jan 2016 | A1 |
20170220035 | Naoi et al. | Aug 2017 | A1 |

Number | Date | Country |
---|---|---|
2518627 | Oct 2012 | EP |
2002-221075 | Aug 2002 | JP |
2010-136286 | Jun 2010 | JP |
2013-084284 | May 2013 | JP |
WO-9826958 | Jun 1998 | WO |
WO-2015129311 | Sep 2015 | WO |

Entry |
---|
Japanese Office Action dated Feb. 5, 2019 in Japanese Patent Application No. 2015-209750 with its English translation. |
International Search Report with English translation and Written Opinion issued in corresponding application No. PCT/JP2016/080890 dated Jan. 24, 2017. |
Supplementary European Search Report dated Jun. 7, 2019 in European Patent Application No. 16859645.0. |

Number | Date | Country | |
---|---|---|---|
20180257662 A1 | Sep 2018 | US |