Preface
Intelligent driving is an interdisciplinary subject that draws on engineering disciplines such as vehicle engineering, control engineering and computer science, supported by basic sciences such as mathematics and physics. Intelligent driving vehicles are equipped with advanced on-board sensors, controllers, data processors, actuators and other devices so that they can perceive, decide and plan, and execute control in complex driving environments, achieving safe, efficient, comfortable and energy-saving intelligent driving. So whether we look at sensors, controllers and actuators in the physical sense, or at sensor perception, decision planning and control execution at the algorithm level, what we have is a control system. This article discusses the relationship between control systems and autonomous driving safety design from the perspective of control theory and control engineering.
1. Overview of control system
The 1940s were a critical period for the formation of automation technology and theory. To solve technical problems raised by the military, such as artillery control, torpedo navigation and aircraft navigation, a group of scientists gradually formed classical control theory and methods, a body of work focused on the analysis and design of single-variable control systems. For example, the earliest cruise control systems were PID controllers designed using classical control theory.
From the late 1950s to the early 1960s, engineering practice, especially the development of aerospace technology, raised a large number of optimal control problems for multi-input, multi-output systems that classical control theory could not solve well. Modern control theory, with the maximum principle, dynamic programming and the state space method at its core, was developed in response. The automobile anti-lock braking system (ABS) is a typical optimal control system designed using modern control theory.
The idea of intelligent control appeared in the 1960s. Intelligent control is a control method with intelligent information processing, intelligent information feedback and intelligent control decision-making. It is an advanced stage in the development of control theory and is mainly used for complex system control problems that traditional methods handle poorly. The objects of intelligent control research are characterized by uncertain mathematical models, strong nonlinearity and complex task requirements; it suits complex systems that must respond quickly to changes in the environment and tasks and that require knowledge to be used in control. Most complex automotive control systems, such as powertrain systems, driver assistance systems and autonomous driving systems, fall into this category.
In 1971, Professor Fu Jingsun, the founder of intelligent control, proposed the concept of intelligent control and summarized three types of intelligent control systems:
1) A control system in which humans act as controllers;
2) A control system that combines man and machine as a controller;
3) Intelligent control system without human participation.
Does it look familiar? The automation levels defined in SAE J3016 map closely onto these three types of intelligent control system. If the entire vehicle is regarded as the controlled object, L0 and L1 are basically the first type, a control system in which humans act as the controller; L2 and L3 belong to the second type, a control system in which human and machine together act as the controller; L4 and L5 are the third type, an intelligent control system without human participation.
2. Control systems and autonomous driving
An automatic control system refers to an organic whole composed of controlled objects and control devices connected in a certain manner in order to achieve various complex control tasks. A general control system can be represented in the form of a block diagram similar to the following.
Here we focus on the feedback signal: a signal taken from the output of the system (or component) and sent back to its input. Feedback can be divided into main feedback and local feedback. It is one of the most important and basic means of achieving the three major performance indicators of a control system (rapidity, stability and accuracy). Only with a feedback signal can a closed loop be formed, allowing the system to reduce and eliminate deviations caused by disturbances and so improve control accuracy and disturbance rejection.
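The effect of closing the loop can be shown on the cruise control case mentioned above. The following is an added example, not code from the article: a constructed first-order speed model is driven either open loop (a feedforward command computed from the nominal model, ignoring the measured speed) or closed loop (the same feedforward plus a PI correction driven by the fed-back error). A constant disturbance such as a road grade is then applied. The plant constants, gains and disturbance value are all assumed for illustration.

```python
"""Added example (not from the article): open-loop feedforward versus a closed
loop with a PI controller on a simplified speed model, e.g. cruise control.
All plant constants and gains are assumed values chosen for illustration."""

# Constructed first-order speed model: dv/dt = -A*v + B*u + d,
# where u is the throttle command and d a disturbance such as a road grade.
A = 0.2    # assumed drag / rolling-resistance coefficient (1/s)
B = 1.0    # assumed actuator gain
DT = 0.05  # integration step (s)


def feedforward(setpoint):
    """Command that holds `setpoint` according to the nominal model when d = 0."""
    return A * setpoint / B


def open_loop(setpoint, error, integral):
    """Open loop: uses the model only and ignores the measured speed."""
    return feedforward(setpoint)


def pi_closed_loop(setpoint, error, integral, kp=1.5, ki=0.5):
    """Closed loop: feedforward plus PI correction driven by the fed-back error."""
    return feedforward(setpoint) + kp * error + ki * integral


def simulate(controller, setpoint=20.0, disturbance=0.0, steps=600, dt=DT):
    """Run the loop for `steps` samples and return the speed history."""
    v, integral, history = 0.0, 0.0, []
    for _ in range(steps):
        error = setpoint - v                        # feedback: reference minus measured output
        integral += error * dt
        u = controller(setpoint, error, integral)
        v += dt * (-A * v + B * u + disturbance)   # plant update (forward Euler)
        history.append(v)
    return history


def steady_state_error(controller, setpoint=20.0, disturbance=0.0):
    """Absolute deviation from the setpoint at the end of the run."""
    return abs(setpoint - simulate(controller, setpoint, disturbance)[-1])


if __name__ == "__main__":
    for name, ctrl in (("open loop", open_loop), ("PI closed loop", pi_closed_loop)):
        print(f"{name:15s} no disturbance: {steady_state_error(ctrl):.3f} m/s,"
              f"  with grade: {steady_state_error(ctrl, disturbance=-2.0):.3f} m/s")
```

Without a disturbance both controllers reach the setpoint, because the feedforward term is exact for the nominal model. With the grade applied, the open-loop command has no way to see the deviation and settles about 10 m/s low, while the PI loop drives the error back to zero; the integral term is what removes the steady-state offset.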
If the whole driving control system is regarded as a control system divided into sensing, planning and decision-making, and control execution, let's look at how the three types of intelligent control system proposed by Professor Fu Jingsun map onto the different driving control systems and what each is composed of.
The input signals include environmental information, vehicle information and so on. The controlled object can be understood macroscopically as the vehicle itself, and the output is lateral and longitudinal control, etc. In a human driving control system, the driver plays the major role in the whole control system, and the car basically only participates in the execution phase. In a semi-autonomous driving control system, although the driver is allowed to take hands or eyes off in some circumstances, the driver still plays an important role: for example, the driver will be asked to identify boundary scenarios that the vehicle cannot recognize, can take over the vehicle as needed, and must perform the complete dynamic driving task as the fallback when the vehicle control system fails. Human participation therefore still runs through the entire control loop. In a fully automated driving control system, the vehicle is required to perform the complete dynamic driving task and the fallback, and the human driver no longer participates in any link of the control loop. Operating independently while continuing to meet the three major control system goals of rapidity, stability and accuracy is a very big challenge for the vehicle. It cannot be met by improving any single link; the whole control system must take a big leap, with sensor performance, processor computing power and actuator reliability all needing to be greatly improved.
3. Control system and autonomous driving safety
How does the automotive functional safety standard ISO 26262 define functional safety? As the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical and electronic systems. So the core is still function. Any function, especially an E/E function, is a control system composed of input, logic and output modules. Functional safety development begins with the item definition, whose purpose is precisely to define the functions, interfaces and boundaries of the item, itself a complex control system. This prepares the functional failure definitions and vehicle-level behavior needed for the next stage, hazard analysis and risk assessment.
Now look at safety requirements at any level: functional safety requirements, technical safety requirements, or hardware and software safety requirements. Besides the requirements from the previous stage, the key inputs used to derive them are also very important, such as system design block diagrams and software architecture diagrams. In fact, every requirement can be derived by breaking the whole control system into input, logic and output modules, and then allocated to the corresponding ECU, system component, or hardware and software module.
Safety mechanisms are technical solutions implemented by functions, elements or other technologies of E/E systems to detect faults and control failures. How are faults detected? No matter how complex a control system is, it can be broken down by function and requirement into multiple simple control loops. If a control loop is a white box, that is, the input to the control system is predictable and the transfer function is known, so that a known input must give a known output, such a system can usually be monitored with simple feedback.
In fact, many functional safety designs are composed of many such small modules. Once a problem or fault occurs in the control system, the monitoring module can judge and identify it from the known characteristics and model of the control system. But what if the input is unknown because of the limitations of the control system, and the transfer function and model are also unknown or inaccurate? How is the accuracy of the control system ensured, and if the control system is safety-related, how is its safety ensured? This is what functional safety is expected to address.
So how do we design a control system with uncertain input signals and a complex, uncertain mathematical model? In systems with a relatively high degree of intelligence, hierarchical intelligent control can be used. Hierarchical intelligent control developed gradually on the basis of artificial intelligence, adaptive control, operations research and other theories, and is one of the earliest theories of intelligent control. When a system consists of several separable and interrelated subsystems, all of its decision-making units can be arranged hierarchically according to certain priorities and affiliations. Each unit at a given level is subject to intervention from the level above and in turn exerts influence on the units at the level below. If the goals of units at the same level conflict, the units at the level above coordinate them. This is a multi-level, multi-objective structure in which the units of the different levels form a pyramid.
The advantages of this structure are high global and local control performance, good flexibility and reliability, and the fact that the impact of a change in any sub-process on decision-making is local. Starting from the lowest execution level, the intelligence required increases with each level: the higher the level, the more intelligence is required and the lower the precision. This structure has the following characteristics:
1) The higher the level of the controller, the greater the impact on the system;
2) The higher the level, the more uncertain information there is, making it difficult to quantify the problem description.
It can be seen that the intelligence of hierarchical intelligent control is mainly reflected at high levels, and problems encountered at high levels are often uncertain.
Mapped onto the autonomous driving control system:
The third, execution level corresponds to the reactive layer (or functional layer): it performs the basic tasks required by the upper layers, carries out low-level operations and controls the hardware actuators. This layer runs at a relatively high frequency and meets the requirements of real-time operation and response.
The second, coordination level corresponds to the supervisory layer, which performs situation classification and reactive navigation: it supervises the functional layer, uses data derived from the sensors to identify the vehicle's situation, and generates trajectories. Its processing frequency is intermediate.
The first, organizational level corresponds to the planning layer: it generates high-level plans (estimates of roads and intersections), the route the vehicle will follow from its current location to its destination, and so on. This layer runs at a relatively low frequency and does not need to meet real-time requirements.
With such a layered design, the safety design can follow the same logic and provide safety mechanisms suited to the characteristics and attributes of each level. Conrad J. Pace and Derek W. Seward used this design method in an automatic excavator application. For the lowest, functional layer, because of the real-time requirements on response time and hardware architecture, the function and the safety mechanism usually do not require an isolated design. For the first and second levels, because they use non-deterministic algorithms, machine learning and similar techniques, they cannot meet the requirements of safety design by themselves, and separate safety mechanisms need to be designed to meet their high safety level requirements. The safety design of these two layers is the same mechanism as the "Doer/Checker" pair proposed by Philip Koopman in 2016. The "Doer" is the function that uses the complex algorithm, and the "Checker" is built with more traditional software techniques and implements the safety requirements. The "Checker" only checks whether the decision made by the "Doer" violates the corresponding safety rules and assumptions. In path planning, for example, the "Checker" only ever checks whether the selected plan would hit any known obstacle. Feedback signals and information exchanged over communication links are among the core elements for realizing this method.
Safety of the intended functionality (SOTIF) is defined in ISO/PAS 21448 as the absence of unreasonable risk due to hazards caused by insufficiencies of the intended function. One of the most important purposes of the SOTIF process is to continuously reduce the proportion of unknown scenarios, and scenarios are one of the important inputs to the whole autonomous driving control system. So this process is one of continuously making the input predictable.
The standard also identifies the causes of hazardous events through a series of methods and processes, including insufficiencies and limitations of system functions and requirements, especially sensor perception and controller planning algorithms. This process continuously optimizes the algorithm and improves the model.
The UL 4600 autonomous driving safety assessment standard divides the safety requirements of an autonomous driving system into ODD, sensors, perception, machine learning and artificial intelligence, planning, prediction, decision-making, control and other links. In effect it also decouples the control system, turns complexity into simplicity, and provides guidance for safety design. UL 4600 also uses rapid iteration to continuously improve the standard's requirements using feedback from field data; this too uses feedback to manually optimize the input information and improve the model.
4. Conclusion
This article aims to look at autonomous driving and its safety design from the perspective of the control system. There are still many incomplete and imperfect parts in the article.
I hope that through this article, more friends in charge of function development can pay attention to safety, and I also hope that more friends who work on safety development focus on functions and control. In fact, everyone has a common goal, which is to design a stable, fast and accurate autonomous driving control system.
Author: David Li
Mr. Li Liangcheng currently works at UL, engaged in functional safety and autonomous driving safety training and consulting services.
References:
[1] China Artificial Intelligence Series White Paper: Intelligent Driving, 2017.
[2] Hu Shousong. Principles of Automatic Control.
[3] Manel Brini, Paul Crubillé, Benjamin Lussier. "Risk reduction of experimental autonomous vehicles: The Safety-Bag approach."
[4] Koopman, P., Kane, A. & Black, J. "Credible Autonomy Safety Argumentation."
[5] Pace, C. & Seward, D. (n.d.). "An approach to safety for a robotic excavator," pp. 1-7.
[6] Intelligent Control Theory and Application.