Automatic driving fault processing method and automatic driving system
By receiving vehicle control commands and operating status from the microprocessor for fault detection, shielding abnormal commands, and switching to hot backup mode, the problem of the driver being unable to take over the vehicle in a timely manner is solved, thus improving the safety and reliability of autonomous driving.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- YINGCHE XINGCHUANG INTELLIGENT TECH (SHANGHAI) CO LTD
- Filing Date
- 2022-09-26
- Publication Date
- 2026-06-30
AI Technical Summary
In autonomous driving systems, when the microprocessor experiences hardware or software malfunctions, the driver cannot take over the vehicle in time, leading to increased safety risks.
By receiving vehicle control commands and operating status from the microprocessor, and combining them with a preset fault detection mechanism, if a fault is detected, the command is blocked and a vehicle control request is generated to decelerate and stop the vehicle, and the driver is notified to take over. At the same time, the system switches to hot backup mode to ensure system redundancy.
It enables safe deceleration and stopping in the event of microprocessor failure, improving the safety and reliability of autonomous driving and ensuring driving safety.
Description
Technical Field
[0001] This invention relates to the field of autonomous driving technology, and in particular to an autonomous driving fault handling method and an autonomous driving system.
Background Technology
[0002] With the development of autonomous driving technology, safety has become an increasingly important issue. For Level 3 and higher autonomous vehicles, redundancy is typically required for the Autonomous Driving Domain Controller (ADCU), which contains a microprocessor (MPU) and a microcontroller (MCU), as well as the Automatic Controller (ASC) that controls the vehicle body, steering, and braking systems. This ensures a higher level of functional safety, such as achieving the highest Automotive Safety Integrity Level (ASIL D). During normal operation within the ADCU, the MPU module, with its strong computing power, is primarily responsible for running algorithms such as vision, localization, planning, sensor fusion, and vehicle control. The MCU, with its real-time performance and high safety features, is mainly responsible for ASC control, and for planning and vehicle control in case of MPU failure.
[0003] With the introduction of backup systems, system complexity increases, requiring the implementation of synchronization strategies between the main system and redundant systems, as well as the handling of anomalies. For example, when the driver activates autonomous driving, the MPU may fail to output vehicle control commands, or may output abnormal control commands (such as excessive steering and braking commands), due to software or hardware malfunctions. In this case, the MCU needs to detect the fault and control the vehicle to decelerate and stop based on the detection results, while notifying the driver to take over in time. Another example is when the MCU on one side fails: the redundant side needs to take over vehicle control immediately. Otherwise, when a fault occurs, the driver will not be able to immediately realize it and take over the vehicle, which could easily lead to danger.
Summary of the Invention
[0004] This invention provides an autonomous driving fault handling method and an autonomous driving system to solve the defect in the prior art where the driver cannot take over the vehicle in time when the internal hardware and software of the autonomous driving domain controller fails, and to achieve safe deceleration and stopping when the internal hardware and software of the autonomous driving domain controller fails.
[0005] The present invention provides an autonomous driving fault handling method, comprising: receiving a vehicle control command and a first operating state sent by a microprocessor; obtaining a first detection result based on the vehicle control command and the first operating state, and in conjunction with a first preset fault detection mechanism; and executing a corresponding fault handling method based on the first detection result.
[0006] According to an autonomous driving fault handling method provided by the present invention, a first detection result is obtained based on the vehicle control command and the first operating state, combined with a first preset fault detection mechanism. The method includes: performing validity detection on the vehicle control command to obtain a first validity detection result; performing state detection on the first operating state to obtain a first operating state detection result; performing communication timeout detection based on the received vehicle control command sent by the microprocessor and the first operating state to obtain a first communication timeout detection result; performing end-to-end protection detection on the microprocessor based on the received vehicle control command and the first operating state to obtain a first end-to-end protection detection result; and obtaining the first detection result based on the first validity detection result, the first operating state detection result, the first communication timeout detection result, and the first end-to-end protection detection result.
[0007] According to an autonomous driving fault handling method provided by the present invention, a corresponding fault handling method is executed based on the first detection result, including: if the first detection result is a failure or fault, then the vehicle control command and the first operating state sent by the microprocessor are blocked, and perception and positioning are performed to generate a first vehicle control request; the first vehicle control request is sent to the main vehicle execution controller to decelerate and stop within the lane, and a driver takeover reminder is generated to notify the driver to take over the vehicle.
[0008] According to an autonomous driving fault handling method provided by the present invention, after sending the first vehicle control request to the main vehicle execution controller, the method includes: receiving a second operating state returned by the main vehicle execution controller based on the first vehicle control request; performing state detection on the second operating state to obtain a second operating state detection result; if the second operating state detection result indicates an operating fault, switching to a hot backup mode and requesting the main vehicle execution controller to exit the working mode and switch to the hot backup mode; and sending the second operating state detection result to a redundant microcontroller so that the redundant microcontroller and the redundant vehicle execution controller communicating with the redundant microcontroller can switch from the hot backup mode to the working mode.
[0009] According to an autonomous driving fault handling method provided by the present invention, the second operating state is the operating state of the main vehicle execution controller after the main vehicle execution controller performs fault detection based on the first vehicle control request and the second preset fault detection mechanism, and determines that there is no fault according to the fault detection result.
[0010] The fault detection based on the first vehicle control request and the second preset fault detection mechanism includes: performing communication timeout detection based on receiving the first vehicle control request; and performing end-to-end protection detection based on the first vehicle control request.
[0011] According to an autonomous driving fault handling method provided by the present invention, the method further includes: sending a second heartbeat signal to a redundant microcontroller, or sending the second heartbeat signal and a second operating state detection result displayed as failure or fault to the redundant microcontroller, so that the redundant microcontroller can determine whether to switch from hot backup mode to working mode based on the second heartbeat signal and the result of fault detection by a third preset fault detection mechanism, and whether to perform perception and positioning to generate a second vehicle control request and send the second vehicle control request to the redundant vehicle execution controller.
[0012] According to an autonomous driving fault handling method provided by the present invention, the method further includes: receiving a first heartbeat signal sent by a redundant microcontroller, or receiving a first heartbeat signal sent by a redundant microcontroller and a third operating state detection result indicating failure or malfunction, wherein the third operating state detection result is obtained by the redundant microcontroller performing state detection based on a third operating state sent by a redundant vehicle execution controller; obtaining a second detection result based on the first heartbeat signal and in conjunction with a fourth preset fault detection mechanism; determining that the redundant microcontroller has failed based on the second detection result indicating failure or malfunction; and determining that the redundant vehicle execution controller has failed based on the third operating state detection result indicating failure or malfunction.
[0013] The present invention also provides an autonomous driving fault handling device, comprising: a data receiving module for receiving vehicle control commands and a first operating state sent by a microprocessor; a fault detection module for obtaining a first detection result based on the vehicle control commands and the first operating state, and in conjunction with a first preset fault detection mechanism; and a fault handling module for executing a corresponding fault handling method based on the first detection result.
[0014] The present invention also provides an autonomous driving system that applies any of the autonomous driving fault handling methods described above, including a microprocessor and a main microcontroller, wherein: the microprocessor sends vehicle control commands and a first operating state to the main microcontroller; the main microcontroller obtains a first detection result based on the received vehicle control commands and the first operating state, and in conjunction with a first preset fault detection mechanism; and the main microcontroller executes a corresponding fault handling method based on the first detection result.
[0015] The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the steps of any of the above-described autonomous driving fault handling methods.
[0016] The present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of any of the above-described autonomous driving fault handling methods.
[0017] The present invention also provides a computer program product, including a computer program that, when executed by a processor, implements the steps of any of the above-described autonomous driving fault handling methods.
[0018] The autonomous driving fault handling method and autonomous driving system provided by the present invention, by receiving vehicle control commands and a first operating state sent by the microprocessor, and combining them with a first preset fault detection mechanism, performs fault detection on the microprocessor. This allows for the determination of the corresponding fault handling method based on whether the microprocessor has malfunctioned, thereby controlling the vehicle to stop safely and improving the safety and reliability of autonomous driving. In addition, by combining the first preset fault detection mechanism to perform fault detection on the microprocessor, the system can ensure that the vehicle can safely decelerate and stop in the event of software or hardware failure, thus effectively guaranteeing driving safety.
Attached Figure Description
[0019] To more clearly illustrate the technical solutions in this invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0020] Figure 1 is a flowchart illustrating the autonomous driving fault handling method provided by the present invention;
[0021] Figure 2 is a schematic diagram of the structure of the autonomous driving fault handling device provided by the present invention;
[0022] Figure 3 is a schematic diagram of the structure of the autonomous driving system provided by the present invention;
[0023] Figure 4 is a schematic diagram of the structure of the electronic device provided by the present invention.
Detailed Implementation
[0024] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without creative effort are within the scope of protection of this invention.
[0025] Figure 1 illustrates a flowchart of an autonomous driving fault handling method according to the present invention, the method comprising:
[0026] S11: Receive vehicle control commands and the first operating status sent by the microprocessor.
[0027] S12: Based on the vehicle control command and the first operating state, and in conjunction with the first preset fault detection mechanism, obtain the first detection result.
[0028] S13: Based on the first detection result, execute the corresponding fault handling method.
[0029] It should be noted that S1N in this specification does not represent the order of the autonomous driving fault handling methods. The autonomous driving fault handling method of the present invention is described in detail below.
[0030] Step S11: Receive vehicle control commands and the first operating status sent by the microprocessor.
[0031] It should be noted that the main execution entity of this method is the main microcontroller (MCU-A). The main microcontroller (MCU-A) receives the vehicle control commands and the first operating state sent by the microprocessor (MPU). The first operating state is the operating state of the MPU itself.
[0032] Step S12: Based on the vehicle control command and the first operating state, and in conjunction with the first preset fault detection mechanism, obtain the first detection result.
[0033] In this embodiment, based on the vehicle control command and the first operating state, and in conjunction with a first preset fault detection mechanism, a first detection result is obtained, including: performing validity detection on the vehicle control command to obtain a first validity detection result; performing state detection on the first operating state to obtain a first operating state detection result; performing communication timeout detection based on the vehicle control command sent by the microprocessor and the first operating state to obtain a first communication timeout detection result; performing end-to-end protection detection on the microprocessor based on the received vehicle control command and the first operating state to obtain a first end-to-end protection detection result; and obtaining the first detection result based on the first validity detection result, the first operating state detection result, the first communication timeout detection result, and the first end-to-end protection detection result. It should be noted that fault detection of the MPU is performed by the MCU-A to determine whether the MPU is faulty, thereby facilitating the subsequent determination of the corresponding fault handling method based on the fault detection result. Specifically:
[0034] The validity of vehicle control commands is checked, including: a range check is performed based on the command; if the command does not conform to a preset range, it is considered invalid. For example, the preset range is a maximum deceleration of no more than 4 m/s². Therefore, the maximum deceleration requested in the vehicle control command cannot exceed 4 m/s²; otherwise, the vehicle control command will be invalid.
[0035] The first operating state is checked, including checking whether the first operating state is normal, so as to determine whether the microprocessor is operating normally.
[0036] Communication timeout detection is performed based on the vehicle control commands and first operating status sent by the microprocessor, including: receiving the vehicle control commands and first operating status sent by the microprocessor based on a preset communication cycle; and detecting whether the number of times the vehicle control commands and first operating status have been received matches the number of elapsed cycles of the preset communication cycle.
[0037] It should be added that the preset communication cycle can be set according to actual communication needs, and no further limitation is made here. For example, with a cycle of 10 milliseconds, the MPU sends a vehicle control command and the first operating status to the MCU-A once per cycle. In addition, the preset threshold can be set according to actual detection needs. For example, if the preset threshold is 5, then every 5 cycles the received data is checked to see whether it has been received 5 times.
[0038] Furthermore, based on the received vehicle control commands and the first operating state, end-to-end (E2E) protection detection is performed on the microprocessor, including: using an E2E algorithm to perform E2E protection detection based on the received vehicle control commands and the first operating state. It should be noted that the E2E algorithm can be an existing algorithm, such as the CRC16 algorithm to ensure data consistency, the Rolling Counter algorithm to ensure data real-time performance, or an algorithm designed for E2E protection detection based on specific requirements.
[0039] For example, when using the CRC16 algorithm, based on the received vehicle control command and the first operating state, the E2E algorithm is used to perform E2E protection detection, including: receiving the vehicle control command and the first operating state, wherein a CRC control field is pre-added to the vehicle control command and the first operating state; evaluating the CRC control field in the vehicle control command and the first operating state, and calculating the CRC control field; and determining whether the calculation result conforms to the preset received content.
[0040] When using the Rolling Counter algorithm, E2E protection detection is performed based on the received vehicle control command and the first operating state using the E2E algorithm. This includes: receiving the vehicle control command and the first operating state, where a Rolling Counter field is pre-added to the vehicle control command and the first operating state; and performing diagnostics based on the increment of the Rolling Counter field. It is important to note that before the vehicle control command and the first operating state are sent, the microprocessor adds a Rolling Counter field to them and counts according to a preset counting rule. The preset counting rule is that after each execution, the counter increments by a preset value and is reset to zero after reaching the preset maximum value. The preset value can be configured according to actual needs. For example, when it is set to 1, the counter value follows the sequence 0->1->2->3->...->14->15->0->1->... and so on.
[0041] The first detection result is obtained as follows: if at least one of the first validity detection result, the first operating status detection result, the first communication timeout detection result, and the first end-to-end protection detection result is invalid or faulty, then the first detection result is invalid or faulty; if the first validity detection result, the first operating status detection result, the first communication timeout detection result, and the first end-to-end protection detection result are all valid or normal, then the first detection result is valid or normal.
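The checks of paragraphs [0034] to [0041], combined as a receiving microcontroller could run them, are shown here as an added C example that is not taken from the patent. The frame layout, the state encoding (0 = normal), the choice of the CRC-16/CCITT-FALSE variant and all identifiers are assumptions; the 4 m/s² limit, the 5-cycle window and the 0..15 counter come from the text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fault bits; any set bit makes the first detection result "fault" ([0041]). */
enum { FAULT_RANGE = 1, FAULT_STATE = 2, FAULT_CRC = 4,
       FAULT_COUNTER = 8, FAULT_TIMEOUT = 16 };

#define MAX_DECEL_CMS2 400  /* 4 m/s^2 limit from [0034], in cm/s^2 */
#define WINDOW_CYCLES  5    /* preset threshold from [0037] */
#define COUNTER_MODULO 16   /* 0..15 sequence from [0040] */

/* Assumed frame layout; the patent does not define one. */
typedef struct {
    int16_t  decel_cms2;    /* requested deceleration */
    uint8_t  mpu_state;     /* assumed encoding: 0 = normal, nonzero = fault */
    uint8_t  counter;       /* rolling counter added by the sender */
    uint16_t crc;           /* CRC16 over the three fields above */
} mpu_frame_t;

/* Receiver-side state kept between frames. */
typedef struct {
    bool     have_prev;
    uint8_t  prev_counter;
    unsigned frames, cycles; /* counts inside the current timeout window */
} monitor_t;

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); the variant is an assumption. */
uint16_t crc16(const uint8_t *p, size_t n) {
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)((uint16_t)*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Serialize the protected fields explicitly so the CRC is endian-independent. */
uint16_t frame_crc(const mpu_frame_t *f) {
    uint8_t b[4] = { (uint8_t)((uint16_t)f->decel_cms2 >> 8),
                     (uint8_t)f->decel_cms2, f->mpu_state, f->counter };
    return crc16(b, sizeof b);
}

/* Sender side: build a frame with a valid CRC (used for constructed input). */
mpu_frame_t make_frame(int16_t decel, uint8_t state, uint8_t counter) {
    mpu_frame_t f = { decel, state, counter, 0 };
    f.crc = frame_crc(&f);
    return f;
}

/* Per-frame checks: E2E (CRC, rolling counter), validity range, MPU state. */
unsigned check_frame(monitor_t *m, const mpu_frame_t *f) {
    unsigned faults = 0;
    m->frames++;                          /* every arrival counts for the window */
    if (frame_crc(f) != f->crc)
        return FAULT_CRC;                 /* corrupted: do not trust other fields */
    if (f->decel_cms2 > MAX_DECEL_CMS2)
        faults |= FAULT_RANGE;
    if (f->mpu_state != 0)
        faults |= FAULT_STATE;
    if (f->counter >= COUNTER_MODULO ||
        (m->have_prev && f->counter != (m->prev_counter + 1) % COUNTER_MODULO))
        faults |= FAULT_COUNTER;          /* repeated, skipped or out-of-range */
    m->prev_counter = f->counter;         /* resynchronize on the received value */
    m->have_prev = true;
    return faults;
}

/* Call once per communication cycle (e.g. every 10 ms). Every WINDOW_CYCLES
 * cycles, compare the number of received frames with the number of cycles. */
unsigned on_cycle(monitor_t *m) {
    unsigned fault = 0;
    if (++m->cycles == WINDOW_CYCLES) {
        if (m->frames != WINDOW_CYCLES)
            fault = FAULT_TIMEOUT;
        m->cycles = m->frames = 0;
    }
    return fault;
}

int main(void) {
    monitor_t m = {0};
    /* Constructed input: two good frames, then an excessive deceleration
     * request whose counter also repeats the previous value. */
    mpu_frame_t seq[3] = { make_frame(150, 0, 0), make_frame(150, 0, 1),
                           make_frame(900, 0, 1) };
    for (int i = 0; i < 3; i++) {
        unsigned r = check_frame(&m, &seq[i]) | on_cycle(&m);
        printf("frame %d: fault mask 0x%02x -> %s\n", i, r,
               r ? "block command, request in-lane stop" : "forward command");
    }
    return 0;
}
```

A nonzero mask corresponds to the "invalid or faulty" first detection result, at which point the command is blocked as described in step S13.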
[0042] In an optional embodiment, when the MPU sends the vehicle control command and the first operating state to the MCU-A, the method further includes: sending the vehicle control command and the first operating state to a redundant microcontroller (MCU-B) so that the MCU-B can perform fault detection on the MPU based on the received vehicle control command and the first operating state. Specifically, the method of fault detection on the MPU can refer to the method by which the main microcontroller obtains the first detection result based on the vehicle control command and the first operating state, combined with the first preset fault detection mechanism, and is not further limited here.
[0043] Step S13: Based on the first detection result, execute the corresponding fault handling method.
[0044] In this embodiment, based on the first detection result, a corresponding fault handling method is executed, including: if the first detection result is a failure or malfunction, the vehicle control commands and the first operating state sent by the microprocessor are blocked, and perception and positioning are performed to generate a first vehicle control request; the first vehicle control request is sent to the main vehicle execution controller (ASC-A) to decelerate and stop within the lane, and a driver takeover reminder is generated to notify the driver to take over the vehicle. It should be noted that at this time, MCU-A and ASC-A are in working mode; the hot backup mode is the backup mode when the system is in normal operating condition. Furthermore, perception and positioning can be achieved by activating their internal perception and positioning modules.
[0045] In an optional embodiment, the corresponding fault handling method is executed according to the first detection result, and further includes: if the first detection result is valid or normal, it indicates that the MPU is operating normally without fault, and then it is necessary to perform fault detection on MCU-A, ASC-A, ASC-B and redundant vehicle execution controller (ASC-B) in order to determine the corresponding fault handling method.
[0046] Specifically, the main microcontroller is used to perform fault detection on the main vehicle execution controller. After sending the first vehicle control request to the main vehicle execution controller, the process includes: receiving the second operating status returned by the main vehicle execution controller based on the first vehicle control request; performing operating status detection based on the second operating status and combining it with a second preset fault detection mechanism to obtain a second detection result; if the second detection result indicates an abnormal operation or fault, switching to hot backup mode and requesting the main vehicle execution controller to exit the working mode and switch to hot backup mode; and sending the second operating status detection result to the redundant microcontroller so that the redundant microcontroller and the redundant vehicle execution controller communicating with the redundant microcontroller can switch from hot backup mode to working mode, thereby decelerating the vehicle and generating a driver takeover reminder to notify the driver to take over the vehicle.
[0047] It should be added that if the second operating status detection result is normal operation, the microprocessor, main microcontroller and main trailer execution controller will all maintain their working mode unchanged, and the redundant microcontroller and redundant vehicle execution controller will all maintain their hot backup mode unchanged.
[0048] Furthermore, the second operating state is the operating state of the main vehicle actuator controller after performing fault detection based on the first vehicle control request and the second preset fault detection mechanism, and determining that there is no fault based on the fault detection result. In other words, after receiving the first vehicle control request, the main vehicle actuator controller performs fault detection on the main microcontroller based on the second preset fault detection mechanism, and sends its own operating state (i.e., the second operating state) to the main microcontroller based on the fault detection result that there is no fault.
[0049] Specifically, fault detection is performed based on the first vehicle control request and in conjunction with a second preset fault detection mechanism, including: performing communication timeout detection based on receiving the first vehicle control request to obtain a second communication timeout detection result; and performing end-to-end protection detection based on the first vehicle control request to obtain a second end-to-end protection detection result. It should be noted that the processes for obtaining the second communication timeout detection result and the second end-to-end protection detection result can refer to the above; the processes for obtaining the first communication timeout detection result and the first end-to-end protection detection result will not be repeated here.
[0050] In one optional embodiment, the main microcontroller performs fault detection on the redundant microcontroller, including: receiving a first heartbeat signal sent by the redundant microcontroller, or receiving a first heartbeat signal sent by the redundant microcontroller and a third operating state detection result indicating failure or fault, wherein the third operating state detection result is obtained by the redundant microcontroller performing state detection based on the third operating state sent by the redundant vehicle execution controller; obtaining a second detection result based on the first heartbeat signal and in conjunction with a fourth preset fault detection mechanism; determining that the redundant microcontroller has failed based on the second detection result indicating failure or fault; and determining that the redundant vehicle execution controller has failed based on the third operating state detection result indicating failure or fault.
[0051] It should be noted that since the redundant microcontroller is in hot backup mode, not in working mode, and there is no urgent safety risk, the fault handling procedure can be followed normally. The corresponding main microcontroller and main vehicle actuator controller remain in working mode, while the redundant microcontroller remains in hot backup mode. When the main microcontroller receives the first heartbeat signal from the redundant microcontroller, the redundant vehicle actuator controller also enters hot backup mode. When the main microcontroller receives the first heartbeat signal from the redundant microcontroller and the third operating status detection result displayed as failure or fault, the corresponding redundant vehicle actuator controller fails.
[0052] In this embodiment, based on the first heartbeat signal and combined with the fourth preset fault detection mechanism, a second detection result is obtained, including: performing heartbeat signal detection on the first heartbeat signal to determine whether the heartbeat signal is lost within a target time period; and performing communication timeout detection based on the received first heartbeat signal. It should be noted that performing heartbeat signal detection on the first heartbeat signal includes: receiving the first heartbeat signal sent by the redundant microcontroller based on a preset period; and determining whether the number of received heartbeat signals conforms to the preset period number, thereby determining whether a heartbeat signal loss has occurred within the target time period.
[0053] It should be noted that the communication timeout detection based on receiving the first heartbeat signal can be performed in accordance with the communication timeout detection based on receiving vehicle control commands sent by the microprocessor and the first operating state, as described above, and will not be repeated here. Additionally, the third operating state is the operating state returned by the redundant vehicle execution controller based on the second vehicle control request sent by the redundant microcontroller; details can be found below, and will not be repeated here.
[0054] In an optional embodiment, the redundant microcontroller is used to perform fault detection on the main microcontroller, including: sending a second heartbeat signal to the redundant microcontroller, or sending a second heartbeat signal and a second operating status detection result displayed as failure or fault to the redundant microcontroller, so that the redundant microcontroller can determine whether to switch from hot backup mode to working mode based on the second heartbeat signal and the result of fault detection by a third preset fault detection mechanism, and whether to perform sensing and positioning to generate a second vehicle control request and send the second vehicle control request to the redundant vehicle execution controller.
[0055] Specifically, the main microcontroller sends a second heartbeat signal to the redundant microcontroller, or sends a second heartbeat signal and a second operating status detection result indicating failure or malfunction to the redundant microcontroller; the redundant microcontroller receives the second heartbeat signal, or receives the second heartbeat signal and a second operating status detection result indicating failure or malfunction.
[0056] In one possible implementation, the redundant microcontroller receives a second heartbeat signal. At this time, the main vehicle execution controller is in a fault-free state. Based on the second heartbeat signal and combined with the third preset fault detection mechanism, a third detection result is obtained. Based on the third detection result being a failure or fault, it is determined that the main microcontroller has failed. The failure of the main microcontroller also means that the main microcontroller cannot operate normally and output control to the main vehicle execution controller. Therefore, it is necessary to adjust the main vehicle execution controller from the working mode to the hot backup mode.
[0057] In addition, the redundant microcontroller switches from hot backup mode to operating mode, and performs sensing and location to generate a second vehicle control request, which is then sent to the redundant vehicle execution controller. This allows the redundant microcontroller to perform fault detection on the redundant vehicle execution controller. Since the main microcontroller supplies power to the microprocessor via a hardwired connection, a failure of the main microcontroller results in a common-cause failure, meaning the microprocessor also fails simultaneously. It should be noted that fault detection of the redundant vehicle execution controller using the redundant microcontroller can be described in the section above regarding fault detection of the ASC-A using the MCU-A; further details are omitted here.
[0058] In another possible implementation, the redundant microcontroller receives a second heartbeat signal and a second operating status detection result indicating failure or malfunction. In this case, since the second operating status detection result indicates failure or malfunction, the corresponding main vehicle execution controller has failed. Based on the second heartbeat signal and combined with the third preset fault detection mechanism, a third detection result is obtained. If the third detection result indicates failure or malfunction, it is determined that the main microcontroller has failed. In this case, the fault handling method for the main microcontroller failure can be determined by referring to the above description of the third detection result indicating failure or malfunction, which will not be elaborated here. If the third detection result indicates normal, the fault detection and corresponding fault handling method for the ASC-A can be performed using the MCU-A as described above, which will not be elaborated here.
[0059] In summary, the embodiments of the present invention, by receiving vehicle control commands and a first operating state from the microprocessor and combining them with a first preset fault detection mechanism, perform fault detection on the microprocessor. This allows for the determination of the corresponding fault handling method based on whether a fault has occurred in the microprocessor, thereby controlling the vehicle to stop safely and improving the safety and reliability of autonomous driving. Furthermore, by combining the first preset fault detection mechanism with microprocessor fault detection, the system can ensure that the vehicle can safely decelerate and stop even in the event of hardware or software failure, thus effectively guaranteeing driving safety.
[0060] The autonomous driving fault handling device provided by the present invention is described below. The autonomous driving fault handling device described below can be referred to in correspondence with the autonomous driving fault handling method described above.
[0061] Figure 2 shows a schematic diagram of an autonomous driving fault handling device according to the present invention. The device includes:
[0062] Data receiving module 21 receives vehicle control commands and the first operating status sent by the microprocessor;
[0063] The fault detection module 22 obtains a first detection result based on the vehicle control command and the first operating state, and in conjunction with a first preset fault detection mechanism.
[0064] The fault handling module 23 executes the corresponding fault handling method based on the first detection result.
[0065] In this embodiment, the fault detection module 22 includes: an instruction detection unit, which performs validity detection on vehicle control instructions to obtain a first validity detection result; a status detection unit, which performs status detection on a first operating state to obtain a first operating state detection result; a first communication timeout detection unit, which performs communication timeout detection based on the vehicle control instructions sent by the microprocessor and the first operating state to obtain a first communication timeout detection result; an end-to-end protection detection unit, which performs end-to-end protection detection on the microprocessor based on the received vehicle control instructions and the first operating state to obtain a first end-to-end protection detection result; and a result acquisition unit, which obtains a first detection result based on the first validity detection result, the first operating state detection result, the first communication timeout detection result, and the first end-to-end protection detection result. It should be noted that fault detection of the MPU is performed by the MCU-A to determine whether the MPU is faulty, thereby facilitating the subsequent determination of the corresponding fault handling method based on the fault detection result.
[0066] Furthermore, the command detection unit includes a range checking subunit, which performs a range check based on the vehicle control command. If the vehicle control command does not conform to the preset range, it is considered invalid. For example, if the preset range is a maximum deceleration of no more than 4 m/s², the maximum deceleration requested in the vehicle control command cannot exceed 4 m/s²; otherwise, the vehicle control command is invalid.
[0067] The status detection unit includes a status detection subunit, which detects whether the first operating state is normal, thereby determining whether the microprocessor is operating normally.
[0068] The first communication timeout detection unit includes: a data receiving subunit, which receives the vehicle control commands and the first operating state sent by the microprocessor based on a preset communication cycle, and detects whether the number of times the vehicle control commands and the first operating state are received matches the number of cycles of the preset communication cycle.
[0069] The end-to-end protection detection unit performs E2E protection detection based on the received vehicle control commands and the first operating state, using an E2E algorithm. It should be noted that the E2E algorithm can be an existing algorithm, such as the CRC16 algorithm to ensure data consistency, the Rolling Counter algorithm to ensure data real-time performance, or an algorithm designed for E2E protection detection based on specific requirements.
[0070] For example, when using the CRC16 algorithm, the instruction detection unit includes: a data receiving subunit, which receives vehicle control instructions and a first operating state, wherein a CRC control field is pre-added to the vehicle control instructions and the first operating state; an evaluation calculation subunit, which evaluates the CRC control field in the vehicle control instructions and the first operating state and calculates the CRC control field; and a judgment subunit, which judges whether the calculation result conforms to the preset received content.
[0071] When the Rolling counter algorithm is used, the instruction detection unit includes: a data receiving subunit, which receives vehicle control instructions and a first operating state, wherein the vehicle control instructions and the first operating state have a Rolling counter field pre-added; and a diagnosis subunit, which performs diagnosis based on the increment of the Rolling counter field.
[0072] The result acquisition unit includes: a first result acquisition subunit, which determines the first detection result as invalid or faulty if at least one of the first validity detection result, the first operating status detection result, the first communication timeout detection result, and the first end-to-end protection detection result is invalid or faulty; and a second result acquisition subunit, which determines the first detection result as valid or normal if all of the first validity detection result, the first operating status detection result, the first communication timeout detection result, and the first end-to-end protection detection result are valid or normal.
[0073] Correspondingly, the fault handling module 23 includes: a shielding unit, which shields the vehicle control command and the first operating state sent by the microprocessor if the first detection result is failure or fault; a first request generation unit, which performs perception and positioning to generate a first vehicle control request; and a first request sending unit, which sends the first vehicle control request to the main vehicle execution controller (ASC-A) to decelerate and stop in the lane, and generates a driver takeover reminder to notify the driver to take over the vehicle.
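The detection chain of paragraphs [0065] to [0073] can be sketched as follows. This is an added example, not code from the patent: the frame layout, the 4-bit rolling counter, the CRC-16/CCITT-FALSE variant, the 10 ms cycle, the gap-based timeout (the text counts receptions per cycle instead) and all names are assumptions; only the 4 m/s² limit comes from the text.

```c
/* Added example: MCU-A-side checks on frames from the MPU (all names assumed). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_DECEL_MMS2 4000u /* the page's example limit, 4 m/s^2, in mm/s^2 */
#define CYCLE_MS       10u   /* assumed communication cycle */
#define TIMEOUT_CYCLES 3u    /* assumed: a gap above 3 cycles is a timeout */
#define STATUS_NORMAL  0u    /* assumed encoding of a healthy first operating state */

enum { F_RANGE = 1, F_STATUS = 2, F_TIMEOUT = 4, F_CRC = 8, F_COUNTER = 16 };
typedef enum { ACT_FORWARD, ACT_SHIELD_AND_STOP } action_t;

typedef struct {            /* assumed frame layout */
    uint16_t decel_mms2;    /* requested deceleration */
    uint8_t  status;        /* first operating state */
    uint8_t  counter;       /* rolling counter, 0..15 */
    uint16_t crc;           /* CRC16 over the three fields above */
} mpu_frame_t;

typedef struct {            /* receiver-side state kept by MCU-A */
    bool     have_prev;
    uint8_t  prev_counter;
    uint32_t last_rx_ms;
} monitor_t;

/* CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection. */
static uint16_t crc16_ccitt(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFFu;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (uint16_t)((crc & 0x8000u) ? (crc << 1) ^ 0x1021u : crc << 1);
    }
    return crc;
}

/* CRC over an explicit byte serialisation, so padding and endianness do not matter. */
uint16_t frame_crc(const mpu_frame_t *f)
{
    const uint8_t b[4] = { (uint8_t)(f->decel_mms2 >> 8), (uint8_t)f->decel_mms2,
                           f->status, f->counter };
    return crc16_ccitt(b, sizeof b);
}

/* Sender side: build a frame with a valid CRC (used for the constructed samples). */
mpu_frame_t make_frame(uint16_t decel_mms2, uint8_t status, uint8_t counter)
{
    mpu_frame_t f = { decel_mms2, status, counter, 0 };
    f.crc = frame_crc(&f);
    return f;
}

/* Returns a bitmask of failed checks; 0 means the first detection result is "valid". */
unsigned check_frame(monitor_t *m, const mpu_frame_t *f, uint32_t now_ms)
{
    unsigned faults = 0;

    if (m->have_prev && now_ms - m->last_rx_ms > TIMEOUT_CYCLES * CYCLE_MS)
        faults |= F_TIMEOUT;
    if (f->crc != frame_crc(f))
        return faults | F_CRC;   /* content untrusted: skip field checks, keep old state */
    if (f->counter > 0x0Fu ||
        (m->have_prev && f->counter != ((m->prev_counter + 1u) & 0x0Fu)))
        faults |= F_COUNTER;     /* repeated, skipped or out-of-range counter */
    if (f->decel_mms2 > MAX_DECEL_MMS2)
        faults |= F_RANGE;
    if (f->status != STATUS_NORMAL)
        faults |= F_STATUS;

    m->have_prev = true;
    m->prev_counter = (uint8_t)(f->counter & 0x0Fu);
    m->last_rx_ms = now_ms;
    return faults;
}

/* Polled every cycle, so an MPU that stops sending is caught without a frame arriving. */
bool link_timed_out(const monitor_t *m, uint32_t now_ms)
{
    return m->have_prev && now_ms - m->last_rx_ms > TIMEOUT_CYCLES * CYCLE_MS;
}

/* Any single failed check makes the first detection result a fault. */
action_t decide(unsigned faults)
{
    return faults ? ACT_SHIELD_AND_STOP : ACT_FORWARD;
}

int main(void)
{
    monitor_t m = { 0 };
    mpu_frame_t hard = make_frame(6000, STATUS_NORMAL, 0); /* constructed: 6 m/s^2 */
    return decide(check_frame(&m, &hard, 0)) == ACT_SHIELD_AND_STOP ? 0 : 1;
}
```

A CRC16 and a rolling counter catch corrupted, repeated or dropped frames from a malfunctioning MPU; they are not a message authentication code, so they say nothing about who produced a frame.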
[0074] In an optional embodiment, after the first request sending unit sends the first vehicle control request to the main vehicle execution controller, the main microcontroller performs fault detection on the main vehicle execution controller; that is, the fault detection module further includes: a second status receiving unit, which receives the second operating status returned by the main vehicle execution controller based on the first vehicle control request; and a first detection unit, which performs operating status detection based on the second operating status and, in conjunction with a second preset fault detection mechanism, obtains a second detection result.
[0075] Correspondingly, the fault handling module 23 includes: a mode switching unit, which switches to hot backup mode based on the second detection result being an operational abnormality or fault, and requests the main vehicle execution controller to exit the working mode and switch to hot backup mode; and a status sending unit, which sends the second operating status detection result to the redundant microcontroller, so that the redundant microcontroller and the redundant vehicle execution controller communicating with the redundant microcontroller can switch from hot backup mode to working mode, thereby decelerating the vehicle and generating a driver takeover reminder to notify the driver to take over the vehicle.
[0076] The first detection unit includes: a communication timeout detection subunit, which performs communication timeout detection based on receiving the first vehicle control request and obtains a second communication timeout detection result; and an end-to-end protection detection subunit, which performs end-to-end protection detection based on the first vehicle control request and obtains a second end-to-end protection detection result.
[0077] In an optional embodiment, the fault detection module 22 is further configured to perform fault detection on the redundant microcontroller, specifically including: a data receiving unit, which receives a first heartbeat signal sent by the redundant microcontroller, or receives a first heartbeat signal sent by the redundant microcontroller and a third operating state detection result displayed as failure or fault, wherein the third operating state detection result is obtained by the redundant microcontroller performing state detection based on the third operating state sent by the redundant vehicle execution controller; a second detection unit, which obtains a second detection result based on the first heartbeat signal and in conjunction with a fourth preset fault detection mechanism; and a fault determination unit, which determines that the redundant microcontroller is faulty based on the second detection result being failure or faulty; and determines that the redundant vehicle execution controller is faulty based on the third operating state detection result displayed as failure or faulty.
[0078] Furthermore, the second detection unit includes: a signal detection subunit, which performs heartbeat signal detection on the first heartbeat signal to determine whether the heartbeat signal is lost within the target time period; and a second communication timeout detection unit, which performs communication timeout detection based on the received first heartbeat signal. It should be noted that the signal detection subunit includes: a signal receiving subunit, which receives the first heartbeat signal sent by the redundant microcontroller based on a preset period; and a judgment subunit, which determines whether the number of received heartbeat signals conforms to the preset period number, thereby determining whether a heartbeat signal loss has occurred within the target time period.
[0079] In an optional embodiment, to facilitate fault detection of the main microcontroller by the redundant microcontroller, the device further includes: a data transmission device that sends a second heartbeat signal to the redundant microcontroller, or sends a second heartbeat signal and a second operating status detection result displayed as failure or fault to the redundant microcontroller, so that the redundant microcontroller can determine whether to switch from hot backup mode to working mode based on the second heartbeat signal and the result of fault detection by a third preset fault detection mechanism, and whether to perform sensing and positioning to generate a second vehicle control request and send the second vehicle control request to the redundant vehicle execution controller.
[0080] In one possible implementation, the redundant microcontroller receives a second heartbeat signal. At this time, the main vehicle execution controller is in a fault-free state. Based on the second heartbeat signal and combined with the third preset fault detection mechanism, a third detection result is obtained. Based on the third detection result being a failure or fault, it is determined that the main microcontroller has failed. The failure of the main microcontroller also means that the main microcontroller cannot operate normally and output control to the main vehicle execution controller. Therefore, it is necessary to adjust the main vehicle execution controller from the working mode to the hot backup mode.
[0081] In addition, the redundant microcontroller switches from hot backup mode to operating mode, and performs sensing and location to generate a second vehicle control request, which is then sent to the redundant vehicle execution controller. This allows the redundant microcontroller to perform fault detection on the redundant vehicle execution controller. Since the main microcontroller supplies power to the microprocessor via a hardwired connection, a failure of the main microcontroller results in a common-cause failure, meaning the microprocessor also fails simultaneously. It should be noted that fault detection of the redundant vehicle execution controller using the redundant microcontroller can be described in the section above regarding fault detection of the ASC-A using the MCU-A; further details are omitted here.
[0082] In another possible implementation, the redundant microcontroller receives a second heartbeat signal and a second operating status detection result indicating failure or malfunction. In this case, since the second operating status detection result indicates failure or malfunction, the corresponding main vehicle execution controller has failed. Based on the second heartbeat signal and combined with the third preset fault detection mechanism, a third detection result is obtained. If the third detection result indicates failure or malfunction, it is determined that the main microcontroller has failed. In this case, the fault handling method for the main microcontroller failure can be determined by referring to the above description of the third detection result indicating failure or malfunction, which will not be elaborated here. If the third detection result indicates normal, the fault detection and corresponding fault handling method for the ASC-A can be performed using the MCU-A as described above, which will not be elaborated here.
[0083] In summary, this embodiment of the invention utilizes a fault detection module to detect microprocessor faults based on vehicle control commands and a first operating state received by the data receiving module, combined with a first preset fault detection mechanism. This allows the fault handling module to determine the corresponding fault handling method to control the vehicle to stop safely, improving the safety and reliability of autonomous driving. Furthermore, by combining the first preset fault detection mechanism with microprocessor fault detection, the system can ensure the vehicle can safely decelerate and stop even in the event of hardware or software failure, thereby effectively guaranteeing driving safety.
[0084] The present invention also provides an autonomous driving system that applies any of the autonomous driving fault handling methods described above, including a microprocessor and a main microcontroller, wherein: the microprocessor (MPU) sends vehicle control commands and a first operating state to the main microcontroller (MCU-A); the main microcontroller (MCU-A) obtains a first detection result based on the received vehicle control commands and the first operating state, and in conjunction with a first preset fault detection mechanism; and the main microcontroller (MCU-A) executes the corresponding fault handling method based on the first detection result.
[0085] Referring to Figure 3, in one optional embodiment, the autonomous driving system further includes a redundant microcontroller (MCU-B). When the MPU sends the vehicle control command and the first operating state to the MCU-A, the system further includes: the MPU sending the vehicle control command and the first operating state to the MCU-B, so that the MCU-B can perform fault detection on the MPU based on the received vehicle control command and the first operating state. Specifically, the method of fault detection on the MPU can refer to the method by which the main microcontroller obtains the first detection result based on the vehicle control command and the first operating state, combined with the first preset fault detection mechanism. No further limitations are made here.
[0086] In one possible implementation, the autonomous driving system further includes: a main vehicle execution controller (ASC-A). If the first detection result is a failure or malfunction, the MCU-A blocks the vehicle control commands and the first operating state sent by the microprocessor, and performs perception and positioning to generate a first vehicle control request. The MCU-A sends the first vehicle control request to the ASC-A to decelerate and stop within the lane, and generates a driver takeover reminder to notify the driver to take over the vehicle.
[0087] If the first test result is valid or normal, it indicates that the MPU is operating normally without faults. In this case, the autonomous driving system still needs to perform fault detection on MCU-A, ASC-A, ASC-B and redundant vehicle execution controller (ASC-B) in order to determine the corresponding fault handling method.
[0088] Specifically, the MCU-A performs fault detection on the ASC-A. After the MCU-A sends the first vehicle control request to the ASC-A, the process includes: the MCU-A receiving the second operating status returned by the ASC-A based on the first vehicle control request; the MCU-A performing operating status detection based on the second operating status and combining it with a second preset fault detection mechanism to obtain a second detection result; if the second detection result indicates an abnormal operation or fault, the MCU-A switches to hot backup mode and requests the ASC-A to exit the working mode and switch to hot backup mode, and sends the second operating status detection result to the MCU-B, so that the MCU-B and the ASC-B communicating with the MCU-B can switch from hot backup mode to working mode, thereby decelerating the vehicle and generating a driver takeover reminder to notify the driver to take over the vehicle.
[0089] In addition, after receiving the first vehicle control request, ASC-A performs fault detection on the main microcontroller MCU-A based on the second preset fault detection mechanism, and sends its own operating status (i.e., the second operating status) to MCU-A based on the fault detection result being fault-free.
[0090] In an optional embodiment, MCU-A performs fault detection on MCU-B, including: MCU-A receiving a first heartbeat signal sent by MCU-B, or MCU-A receiving the first heartbeat signal sent by MCU-B and a third operating status detection result indicating failure or malfunction, wherein the third operating status detection result is obtained by MCU-B performing status detection based on the third operating status sent by ASC-B; MCU-A obtaining a second detection result based on the first heartbeat signal and in conjunction with a fourth preset fault detection mechanism; MCU-A determining that MCU-B is faulty based on the second detection result indicating failure or malfunction; and MCU-A determining that ASC-B is faulty based on the third operating status detection result indicating failure or malfunction.
[0091] It should be noted that since MCU-B is in hot backup mode, not operating mode, and there is no urgent safety risk, the fault handling procedure can be followed normally. MCU-A and ASC-A remain in operating mode, while MCU-B remains in hot backup mode. When MCU-A receives the first heartbeat signal from MCU-B, ASC-B also enters hot backup mode. When MCU-A receives the first heartbeat signal from MCU-B and the third operating status detection result displayed as failure or fault, ASC-B fails.
[0092] In an optional embodiment, MCU-B is used to perform fault detection on MCU-A, including: MCU-A sending a second heartbeat signal to MCU-B, or MCU-A sending a second heartbeat signal and a second operating status detection result indicating failure or malfunction to MCU-B, so that MCU-B can determine whether to switch from hot backup mode to working mode based on the second heartbeat signal and the result of fault detection by a third preset fault detection mechanism, and whether to perform sensing and positioning to generate a second vehicle control request and send the second vehicle control request to MCU-B.
[0093] In one possible implementation, MCU-B receives a second heartbeat signal. At this time, ASC-A is in a fault-free state. MCU-B then obtains a third detection result based on the second heartbeat signal and a third preset fault detection mechanism. Based on the third detection result indicating failure or fault, MCU-B determines that MCU-A has failed. The failure of MCU-A also means that MCU-A cannot operate normally and output control to ASC-A. Therefore, it is necessary to adjust ASC-A from the working mode to the hot backup mode.
[0094] Additionally, MCU-B switches from hot standby mode to operating mode, and performs sensing and location to generate a second vehicle control request, which is then sent to ASC-A. This allows MCU-B to perform fault detection on ASC-B. MCU-A controls the power supply to the MPU via a hardwired connection. Therefore, if MCU-A fails, it is a common-cause failure, meaning the failure of MCU-A causes the MPU to fail simultaneously. It should be noted that fault detection of ASC-B using MCU-A is similar to the fault detection of ASC-A using MCU-A described above, and will not be further elaborated here.
[0095] In another possible implementation, MCU-B receives a second heartbeat signal and a second operating status detection result indicating failure or malfunction. Since the second operating status detection result indicates failure or malfunction, the corresponding ASC-A is faulty. Based on the second heartbeat signal and a third preset fault detection mechanism, a third detection result is obtained. If the third detection result indicates failure or malfunction, MCU-A is determined to be faulty. In this case, the fault handling method for MCU-A failure can be determined according to the above description of the third detection result indicating failure or malfunction, which will not be elaborated here. If the third detection result is normal, the fault detection and corresponding fault handling method for ASC-A using MCU-A can be performed according to the above description, which will not be elaborated here.
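The heartbeat counting of paragraph [0078] and the MCU-B decision cases of paragraphs [0080] to [0082] and [0093] to [0095] can be sketched together as follows. This is an added example, not code from the patent: the 20 ms period, the five-beat window, the one-beat tolerance, the evaluation at window close and all names are assumptions, and the three heartbeat traces are constructed.

```c
/* Added example: MCU-B's takeover decision while in hot backup (all names assumed). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define HB_PERIOD_MS    20u /* assumed heartbeat period */
#define HB_WINDOW_BEATS 5u  /* assumed target time period: 5 periods = 100 ms */
#define HB_MIN_BEATS    4u  /* assumed tolerance: one late or lost beat per window */
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

typedef enum { MODE_HOT_BACKUP, MODE_WORKING } unit_mode_t;
enum { FAILED_MCU_A = 1, FAILED_MPU = 2, FAILED_ASC_A = 4 };

typedef struct {
    unit_mode_t mode;            /* MCU-B and ASC-B change mode together */
    unsigned    failed;          /* bitmask of units judged faulty */
    uint32_t    window_start_ms;
    unsigned    beats;           /* second heartbeat signals seen in this window */
    bool        asc_a_fault;     /* a heartbeat carried "ASC-A failed" */
} mcu_b_t;

typedef struct { uint32_t t_ms; bool asc_a_fault; } hb_event_t;

void mcu_b_init(mcu_b_t *b, uint32_t now_ms)
{
    b->mode = MODE_HOT_BACKUP;
    b->failed = 0;
    b->window_start_ms = now_ms;
    b->beats = 0;
    b->asc_a_fault = false;
}

/* Called for each second heartbeat signal received from MCU-A. */
void mcu_b_on_heartbeat(mcu_b_t *b, bool asc_a_fault)
{
    b->beats++;
    if (asc_a_fault)
        b->asc_a_fault = true;
}

/* Called every period; evaluates the window when it closes. */
unit_mode_t mcu_b_tick(mcu_b_t *b, uint32_t now_ms)
{
    if (b->mode == MODE_WORKING)
        return b->mode;                          /* takeover is latched */
    if (now_ms - b->window_start_ms < HB_PERIOD_MS * HB_WINDOW_BEATS)
        return b->mode;                          /* window still open */

    if (b->beats < HB_MIN_BEATS)                 /* third detection result: fault */
        b->failed |= FAILED_MCU_A | FAILED_MPU;  /* MCU-A powers the MPU: common cause */
    if (b->asc_a_fault)                          /* reported by a live MCU-A */
        b->failed |= FAILED_ASC_A;
    if (b->failed)
        b->mode = MODE_WORKING;                  /* MCU-B and ASC-B take over */

    b->window_start_ms = now_ms;
    b->beats = 0;
    b->asc_a_fault = false;
    return b->mode;
}

/* Replays a trace, ticking every period. Returns the takeover time in ms,
   or UINT32_MAX if MCU-B stayed in hot backup until end_ms. */
uint32_t replay(mcu_b_t *b, const hb_event_t *ev, size_t n, uint32_t end_ms)
{
    size_t i = 0;
    mcu_b_init(b, 0);
    for (uint32_t t = 0; t <= end_ms; t += HB_PERIOD_MS) {
        while (i < n && ev[i].t_ms <= t)
            mcu_b_on_heartbeat(b, ev[i++].asc_a_fault);
        if (mcu_b_tick(b, t) == MODE_WORKING)
            return t;
    }
    return UINT32_MAX;
}

/* Constructed traces: healthy MCU-A, MCU-A silent after 120 ms, ASC-A fault from 120 ms. */
static const hb_event_t HEALTHY[] = {
    {0, false}, {20, false}, {40, false}, {60, false}, {80, false}, {100, false},
    {120, false}, {140, false}, {160, false}, {180, false}, {200, false} };
static const hb_event_t SILENT[] = {
    {0, false}, {20, false}, {40, false}, {60, false}, {80, false}, {100, false},
    {120, false} };
static const hb_event_t ASC_FAULT[] = {
    {0, false}, {20, false}, {40, false}, {60, false}, {80, false}, {100, false},
    {120, true}, {140, true}, {160, true}, {180, true}, {200, true} };

int main(void)
{
    mcu_b_t b;
    return replay(&b, SILENT, COUNT(SILENT), 400) == 200 ? 0 : 1;
}
```

With these assumed timings a silent MCU-A is detected no later than two window lengths after its last heartbeat, which is the figure to compare against the vehicle's fault-tolerant time budget.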
[0096] Figure 4 is a schematic diagram of the physical structure of an example electronic device. As shown in Figure 4, the electronic device may include a processor 41, a communication interface 42, a memory 43, and a communication bus 44, wherein the processor 41, the communication interface 42, and the memory 43 communicate with each other via the communication bus 44. The processor 41 can call logical instructions in the memory 43 to execute an autonomous driving fault handling method, which includes: receiving vehicle control instructions and a first operating state sent by the microprocessor; obtaining a first detection result based on the vehicle control instructions and the first operating state, and in conjunction with a first preset fault detection mechanism; and executing a corresponding fault handling method based on the first detection result.
[0097] Furthermore, the logical instructions in the aforementioned memory 43 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0098] On the other hand, the present invention also provides a computer program product, which includes a computer program that can be stored on a non-transitory computer-readable storage medium. When the computer program is executed by a processor, the computer can execute the autonomous driving fault handling method provided by the above methods. The method includes: receiving a vehicle control command and a first operating state sent by a microprocessor; obtaining a first detection result based on the vehicle control command and the first operating state, and in conjunction with a first preset fault detection mechanism; and executing a corresponding fault handling method based on the first detection result.
[0099] In another aspect, the present invention also provides a non-transitory computer-readable storage medium storing a computer program thereon, which, when executed by a processor, implements the autonomous driving fault handling method provided by the above methods. The method includes: receiving a vehicle control command and a first operating state sent by a microprocessor; obtaining a first detection result based on the vehicle control command and the first operating state, and in conjunction with a first preset fault detection mechanism; and executing a corresponding fault handling method based on the first detection result.
[0100] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.
[0101] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.
[0102] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims
1. A method for handling autonomous driving faults, characterized in that it includes: receiving vehicle control commands and a first operating state sent by the microprocessor; obtaining a first detection result based on the vehicle control command and the first operating state, and in conjunction with a first preset fault detection mechanism; and executing the corresponding fault handling method based on the first detection result; wherein obtaining the first detection result based on the vehicle control command and the first operating state, and in conjunction with the first preset fault detection mechanism, includes: performing end-to-end protection detection on the microprocessor based on the received vehicle control command and the first operating state to obtain a first end-to-end protection detection result; wherein performing end-to-end protection detection on the microprocessor based on the received vehicle control commands and the first operating state includes: performing E2E protection detection using an E2E algorithm based on the received vehicle control commands and the first operating state, the E2E algorithm including a Rolling counter algorithm to ensure data real-time performance; and wherein, when the Rolling counter algorithm is used, performing E2E protection detection using the E2E algorithm based on the received vehicle control commands and the first operating state includes: receiving the vehicle control commands and the first operating state, wherein a Rolling counter field is pre-added to the vehicle control commands and the first operating state; and performing diagnosis based on the increase in the Rolling counter field.
2. The autonomous driving fault handling method according to claim 1, characterized in that obtaining the first detection result based on the vehicle control command and the first operating state, and in conjunction with the first preset fault detection mechanism, includes: checking the validity of the vehicle control command to obtain a first validity check result; performing state detection on the first operating state to obtain a first operating state detection result; performing communication timeout detection based on the vehicle control command and the first operating state received from the microprocessor to obtain a first communication timeout detection result; and obtaining the first detection result based on the first validity detection result, the first operating status detection result, the first communication timeout detection result, and the first end-to-end protection detection result.
3. The autonomous driving fault handling method according to claim 1, characterized in that executing the corresponding fault handling method based on the first detection result includes: if the first detection result is failure or malfunction, blocking the vehicle control command and the first operating state sent by the microprocessor, and performing perception and positioning to generate a first vehicle control request; and sending the first vehicle control request to the main vehicle execution controller to decelerate and stop within the lane, and generating a driver takeover reminder to notify the driver to take over the vehicle.
4. The autonomous driving fault handling method according to claim 3, characterized in that, after sending the first vehicle control request to the main vehicle execution controller, the method includes: receiving the second operating status returned by the main vehicle execution controller based on the first vehicle control request; performing status detection on the second operating state to obtain a second operating state detection result; and, if the second operating status detection result is an operating fault, switching to hot backup mode, requesting the main vehicle execution controller to exit the working mode and switch to hot backup mode, and sending the second operating status detection result to the redundant microcontroller so that the redundant microcontroller and the redundant vehicle execution controller communicating with the redundant microcontroller can switch from the hot backup mode to the working mode.
5. The autonomous driving fault handling method according to claim 4, characterized in that the second operating state is the operating state of the main vehicle execution controller after the main vehicle execution controller performs fault detection based on the first vehicle control request and the second preset fault detection mechanism, and determines that there is no fault according to the fault detection result. The fault detection based on the first vehicle control request and the second preset fault detection mechanism includes: performing communication timeout detection based on receiving the first vehicle control request; and performing end-to-end protection detection based on the first vehicle control request.
6. The autonomous driving fault handling method according to claim 4, characterized in that the method also includes: sending a second heartbeat signal to the redundant microcontroller, or sending the second heartbeat signal and a second operating status detection result showing failure or malfunction to the redundant microcontroller, so that the redundant microcontroller can determine, based on the second heartbeat signal and the result of fault detection by the third preset fault detection mechanism, whether to switch from hot backup mode to working mode, and whether to perform sensing and positioning to generate a second vehicle control request and send the second vehicle control request to the redundant vehicle execution controller.
7. The autonomous driving fault handling method according to claim 1, characterized in that the method also includes: receiving a first heartbeat signal from the redundant microcontroller, or receiving a first heartbeat signal from the redundant microcontroller and a third operating status detection result that shows failure or malfunction, where the third operating status detection result is obtained by the redundant microcontroller through status detection based on the third operating status sent by the redundant vehicle execution controller; obtaining the second detection result based on the first heartbeat signal and in conjunction with the fourth preset fault detection mechanism; determining that the redundant microcontroller is faulty based on the second detection result being a failure or malfunction; and determining that the redundant vehicle execution controller is faulty based on the third operating status detection result showing failure or malfunction.
8. An autonomous driving system, characterized in that the autonomous driving fault handling method according to any one of claims 1-7 includes a microprocessor and a main microcontroller, wherein: the microprocessor sends vehicle control commands and the first operating status to the main microcontroller; the main microcontroller obtains a first detection result based on the received vehicle control command and the first operating state, combined with a first preset fault detection mechanism; the main microcontroller executes the corresponding fault handling method based on the first detection result; the main microcontroller is used to perform, based on the received vehicle control command and the first operating state, end-to-end protection detection on the microprocessor to obtain the first end-to-end protection detection result; the main microcontroller is also used to perform, based on the received vehicle control commands and the first operating state, E2E protection detection using the E2E algorithm, where the E2E algorithm includes a Rolling counter algorithm to ensure the real-time performance of the data. When using the Rolling counter algorithm, the main microcontroller is also used to: receive vehicle control commands and a first operating state, wherein a Rolling counter field is pre-added to the vehicle control commands and the first operating state; and perform diagnosis based on the increase in the Rolling counter field.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, when the processor executes the program, it implements the steps of the autonomous driving fault handling method as described in any one of claims 1 to 7.
10. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by the processor, it implements the steps of the autonomous driving fault handling method as described in any one of claims 1 to 7.
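
The checks combined in claim 2 (command validity, operating state, communication timeout) and the Rolling counter diagnosis of claim 8 can be sketched as a receive-side monitor on the main microcontroller. This is an added example, not code from the patent; the frame layout, the 4-bit counter width, the 50 ms timeout, the command limits, the state encoding and all identifiers are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed limits and frame layout; the claims do not specify them. */
#define RC_MODULO     16u    /* 4-bit rolling counter, wraps 15 -> 0 */
#define TIMEOUT_MS    50u    /* longest tolerated gap between MPU frames */
#define MAX_STEER_DEG 35.0f
#define MAX_ACCEL     4.0f   /* m/s^2, symmetric bound for brevity */
enum { DET_OK = 0, DET_INVALID_CMD = 1, DET_STATE_FAULT = 2,
       DET_TIMEOUT = 4, DET_E2E_FAULT = 8 };

typedef struct {
    uint8_t rolling_counter;  /* field pre-added by the MPU to each frame */
    float   steer_deg, accel_mps2;
    uint8_t mpu_state;        /* 0 = normal (constructed encoding) */
} mpu_frame_t;
typedef struct { bool have_prev; uint8_t prev_rc; uint32_t prev_rx_ms; } monitor_t;

/* Timeout detection; call it periodically too, so silence is detected. */
unsigned monitor_poll(const monitor_t *m, uint32_t now_ms) {
    bool late = m->have_prev && (uint32_t)(now_ms - m->prev_rx_ms) > TIMEOUT_MS;
    return late ? DET_TIMEOUT : DET_OK;
}

/* Returns a bitmask; any nonzero value means the command must be blocked. */
unsigned monitor_check(monitor_t *m, const mpu_frame_t *f, uint32_t now_ms) {
    unsigned r = monitor_poll(m, now_ms);
    /* Negated in-range tests, so a NaN command is rejected as well. */
    if (!(f->steer_deg >= -MAX_STEER_DEG && f->steer_deg <= MAX_STEER_DEG) ||
        !(f->accel_mps2 >= -MAX_ACCEL && f->accel_mps2 <= MAX_ACCEL))
        r |= DET_INVALID_CMD;
    if (f->mpu_state != 0) r |= DET_STATE_FAULT;
    /* Expected increase is exactly 1 (mod 16): 0 = repeated frame, >1 = lost frames. */
    unsigned delta = (uint8_t)(f->rolling_counter - m->prev_rc) & (RC_MODULO - 1u);
    if (f->rolling_counter >= RC_MODULO || (m->have_prev && delta != 1u))
        r |= DET_E2E_FAULT;
    *m = (monitor_t){ true, (uint8_t)(f->rolling_counter % RC_MODULO), now_ms };
    return r;
}

int main(void) {
    monitor_t m = {0};
    mpu_frame_t f = { 15, 2.0f, -1.0f, 0 };        /* constructed frame */
    unsigned first = monitor_check(&m, &f, 100);
    f.rolling_counter = 0;                         /* 15 -> 0 wrap is a valid step */
    unsigned wrap = monitor_check(&m, &f, 120);
    unsigned repeat = monitor_check(&m, &f, 140);  /* same counter sent again */
    return (first == DET_OK && wrap == DET_OK && repeat == DET_E2E_FAULT) ? 0 : 1;
}
```

A nonzero result corresponds to the "failure or malfunction" outcome that triggers the blocking and takeover handling of claim 3; a frozen MPU that keeps resending its last frame is caught by the counter check even though the frame still arrives on time.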