U.S. patent application number 15/860450 was filed with the patent office on 2018-05-24 for communication architecture for connected vehicle control systems.
The applicant listed for this patent is Peloton Technology, Inc.. Invention is credited to Stephen Michael ERLIEN, John Connelly KEGELMAN, Todd Christopher KLAUS, Charles A. PRICE, Austin Bennett SCHUH, Brian Jeremy SILVERMAN, Joshua Philip SWITKES, Colleen Kelly TWITTY.
Application Number | 20180144640 15/860450 |
Document ID | / |
Family ID | 61245208 |
Filed Date | 2018-05-24 |
United States Patent
Application |
20180144640 |
Kind Code |
A1 |
PRICE; Charles A. ; et
al. |
May 24, 2018 |
COMMUNICATION ARCHITECTURE FOR CONNECTED VEHICLE CONTROL
SYSTEMS
Abstract
Controllers, control architectures, systems and methods are
described for controlling a host vehicle's participation in a
platoon. Described vehicle platooning control systems may include a
platoon controller and a gateway processor. The platoon controller
is configured to determine torque and braking requests for at least
partially automatically controlling the host vehicle to platoon
with a platoon partner. The gateway processor coordinates
communications between a host vehicle and the platoon partner and
optionally a network operations center. A dedicated communications
link may optionally directly connect the platoon controller to the
gateway processor, with no other devices being coupled to the
dedicated communications link. In some embodiments, the gateway
processor is not coupled to any of the host vehicle's control
related communication bus(es). In some embodiments, the gateway
processor includes a message logger and the platoon controller does
not have any logging capabilities.
Inventors: |
PRICE; Charles A.; (Los
Altos, CA) ; ERLIEN; Stephen Michael; (Mountain View,
CA) ; KEGELMAN; John Connelly; (Mountain View,
CA) ; KLAUS; Todd Christopher; (San Jose, CA)
; SCHUH; Austin Bennett; (Los Altos, CA) ;
SILVERMAN; Brian Jeremy; (Mountain View, CA) ;
SWITKES; Joshua Philip; (Mountain View, CA) ; TWITTY;
Colleen Kelly; (San Francisco, CA) |
|
Applicant: |
Name |
City |
State |
Country |
Type |
Peloton Technology, Inc. |
Mountain View |
CA |
US |
|
|
Family ID: |
61245208 |
Appl. No.: |
15/860450 |
Filed: |
January 2, 2018 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
PCT/US2017/047825 |
Aug 21, 2017 |
|
|
|
15860450 |
|
|
|
|
62377970 |
Aug 22, 2016 |
|
|
|
Current U.S.
Class: |
1/1 |
Current CPC
Class: |
B60W 2300/12 20130101;
B60W 30/14 20130101; B60W 2710/0666 20130101; G05D 1/0088 20130101;
G07C 5/008 20130101; B60W 10/22 20130101; B60W 2556/50 20200201;
B60W 2554/4041 20200201; G01G 19/022 20130101; H04L 67/12 20130101;
B60W 2710/22 20130101; G05D 1/0278 20130101; B60W 10/10 20130101;
G05D 2201/0213 20130101; B60W 2530/20 20130101; G05D 1/0287
20130101; H04W 84/005 20130101; B60W 10/06 20130101; B60W 2520/10
20130101; B60W 2554/804 20200201; G08G 1/22 20130101; B60W
2710/0627 20130101; B60W 2510/0638 20130101; B60W 2710/0661
20130101; G05D 1/0293 20130101; B60W 10/184 20130101; B60W 40/13
20130101; G05D 1/0285 20130101; B60W 10/20 20130101; B60W 2530/10
20130101; B60W 2554/801 20200201; G05D 1/0295 20130101; B60W
2520/28 20130101; B60W 2556/65 20200201; G01G 19/086 20130101; G05D
1/0055 20130101; B60W 2710/1005 20130101; G01S 19/13 20130101; B60W
2510/0657 20130101; B60W 2510/1005 20130101; G05D 1/02 20130101;
H04W 4/46 20180201; B60W 30/165 20130101; B60W 30/18 20130101; B60W
2540/10 20130101; B60W 2556/60 20200201; B60W 2710/0605 20130101;
G08G 1/127 20130101; B60R 16/0231 20130101; B60W 2710/20
20130101 |
International
Class: |
G08G 1/00 20060101
G08G001/00; B60R 16/023 20060101 B60R016/023; G07C 5/00 20060101
G07C005/00; G05D 1/02 20060101 G05D001/02 |
Claims
1. A vehicle platooning control system for controlling a host
vehicle's participation in a platoon that includes the host vehicle
and a platoon partner vehicle, the host vehicle having one or more
host vehicle communication buses, the vehicle platooning control
system comprising: a platoon controller configured to determine
vehicle control commands for at least partially automatically
controlling the host vehicle to platoon with the platoon partner
vehicle, the platoon controller being configured to receive sensor
information from one or more host sensors on the host vehicle, at
least some of the sensor information being received over one of the
host vehicle communication buses; a gateway processor arranged to
coordinate communications between a host vehicle and the platoon
partner, the gateway processor being configured to (i) receive
partner state information from the platoon partner and pass the
partner state information to the platoon partner for use in
determining the vehicle control commands, the partner state
information being indicative of at least one of a speed, a braking
level, or a GNSS position of the platoon partner; and (ii) receive
host vehicle state information from the platoon controller and pass
the host vehicle state information to the platoon partner, the host
vehicle state information being indicative of at least one of a
speed, a braking level, or a GNSS position of the host vehicle, and
wherein the gateway processor is not coupled to any of the host
vehicle communication buses and is not capable of transmitting any
messages on any of the vehicle communication buses or directly
receiving sensor information from any of the host sensors; and a
dedicated wired communication link that directly connects the
platoon controller and the gateway processor, wherein no other
devices are coupled to the dedicated wired communication link.
2. A vehicle platooning control system as recited in claim 1,
wherein the vehicle control commands include at least one of a
torque request and a braking request.
3. A vehicle platooning control system as recited in claim 1,
wherein: the gateway processor is configured to wirelessly
communicate with the platoon partner using a first wireless
communications protocol; the gateway processor is further
configured to communicate with a network operations center using a
second wireless communications protocol selected from the group
consisting of a cellular communications protocol and a satellite
communications protocol; and the platoon controller and the gateway
processor communicate over the dedicated wired communication link
using an Ethernet protocol.
4. A vehicle platooning control system as recited in claim 3,
wherein the first wireless communications protocol is a
short-range, vehicle-to-vehicle wireless communications
protocol.
5. A vehicle platooning control system as recited in claim 3,
wherein the first wireless communications protocol uses encryption
for communication between the host vehicle and the platoon
partner.
6. A vehicle platooning control system as recited in claim 3,
wherein the first wireless communications protocol is selected from
the group consisting of: Dedicated Short Range Communications
(DSRC; cellular communications; Citizen's Band (CB) radio; General
Mobile Radio Service (GMRS); Family Radio Service (FRS); WiFi
communications; and Zigbee communications.
7. A vehicle platooning control system as recited in claim 3,
wherein the second wireless communications protocol uses encryption
for communication between the gateway processor and the network
operations center.
8. A vehicle platooning control system as recited in claim 1,
wherein: the platoon controller is configured as a first system on
module (SOM); and the gateway processor is configured as second
system on module (SOM).
9. A vehicle platooning control system as recited in claim 1,
further comprising a display mounted in a cabin of the host
vehicle, wherein the gateway processor is further configured to
receive a video stream from the partner vehicle and forward the
video stream to the display, the video stream showing a view in
front of the platoon partner vehicle; and the video stream is not
passed to the platoon controller.
10. A vehicle platooning control system as recited in claim 1,
wherein: the gateway processor further comprises a message logger,
the message logger being configured to log partner state
information and host state information passed through the gateway
processor; the platoon controller does not have any logging
capabilities; and the platoon controller further passes the vehicle
control commands to the gateway controller and the message logger
logs all of the torque and braking requests generated by the
platoon controller.
11. A vehicle platooning control system as recited in claim 1,
further comprising: a vehicle interface controller arranged to
manage communications between the platoon controller and one or
more host vehicle control units, the vehicle interface controller
being configured to receive the vehicle control commands from the
platoon controller and to communicate corresponding vehicle control
commands to the appropriate host vehicle control unit(s), the
vehicle interface controller including a safety monitor that
includes one or more safety monitoring algorithms that, during
platooning, verify that platooning meets selected safety criteria,
and wherein the vehicle interface controller is configured to
transmit and receive messages on at least one of the host vehicle
communication buses.
12. A vehicle platooning control system as recited in claim 11,
wherein: the vehicle interface controller has an ASIL rating that
is at least ASIL-C compliant; and the platoon controller and the
gateway processor are each QM rated under ISO 26262.
13. A vehicle platooning control system as recited in claim 11,
wherein: the gateway processor receives verified partner state
information from the partner vehicle that has been verified by a
vehicle interface controller on the partner vehicle, and passes the
verified partner state information to the platoon controller
without modification by the gateway processor; the platoon
controller passes the verified partner state information to the
host vehicle vehicle interface controller without modification by
the platoon controller; the host vehicle vehicle interface
controller uses the verified partner state information in at least
one of the safety monitoring algorithms; the verified partner state
information is passed in partner state information data blocks,
each partner state information data block including a checksum
applied by the vehicle interface controller on the partner vehicle;
and the host vehicle vehicle interface controller is configured to
utilize the checksum to verify the integrity of the verified
partner state information.
14. A vehicle platooning control system as recited in claim 13,
wherein the gateway processor is further configured to receive
unverified partner state information from the partner vehicle, the
unverified partner state information including at least GNSS
position information indicative of a position of the partner
vehicle, and wherein the unverified partner state information is
passed to the platoon controller and used by the platoon controller
in the determination of the vehicle control commands
15. A vehicle platooning control system as recited in claim 14,
wherein the gateway processor is further configured such that the
unverified partner state information is not passed to the host
vehicle vehicle interface controller.
16. A vehicle platooning control system as recited in claim 11,
wherein the one or more host vehicle communication buses are
Controller Area Network (CAN) buses.
17. A vehicle platooning control system as recited in claim 11,
wherein the gateway processor further comprises a message logger,
the message logger being configured to log state information passed
through the gateway processor, the logged state information
including: verified partner state information received from the
partner vehicle that has been verified by a vehicle interface
controller on the partner vehicle; unverified partner state
information received from the partner vehicle, the unverified
partner state information including at least GNSS position
information indicative of a position of the partner vehicle;
verified host vehicle state information that is verified by the
vehicle interface controller on the host vehicle; and unverified
host vehicle state information received from the platoon
controller, the unverified host vehicle state information including
at least GNSS position information indicative of a position of the
host vehicle.
18. A vehicle platooning control system as recited in claim 17,
wherein: the platoon controller is arranged to pass the vehicle
control commands to the gateway processor and the message logger
logs all of the vehicle control commands generated by the platoon
controller; and the platoon controller is configured to have no
message logging capability.
19. A vehicle platooning control system as recited in claim 3,
wherein: the gateway processor is configured to receive an
authorization to platoon from the network operations center and to
indicate such authorization to the platoon controller; and the
platoon controller is configured such that it will not initiate
platooning unless it has received indication of the authorization
to platoon.
20. A vehicle platooning control system as recited in claim 1,
wherein the host vehicle and the platoon partner are both
tractor-trailer trucks.
21. A connected vehicle control system for at least partially
automatically controlling a host vehicle based at least in part on
second vehicle current operating state information received from a
second vehicle, the connected vehicle control system comprising: a
gateway processor arranged to coordinate communications between the
host vehicle and the second vehicle and to receive the second
vehicle current operating state information from the second
vehicle; and a connected vehicle controller configured to
communicate with the gateway processor and to determine torque and
braking requests for at least partially automatically controlling
the host vehicle based at least in part on the second vehicle
current operating state information.
22. A connected vehicle control system as recited in claim 21,
wherein the gateway processor receives the second vehicle current
operating state information from the second vehicle and passes the
second vehicle current operating state information to the connected
vehicle controller for use in determining the torque and braking
requests, the second vehicle current operating state information
being indicative of at least one of: a speed, a braking level, and
a position of the second vehicle.
23. A connected vehicle control system as recited in claim 22,
wherein the gateway processor receives host vehicle state
information from the connected vehicle controller and passes the
host vehicle state information to the second vehicle, the host
vehicle state information being indicative of at least one of: a
speed, a braking level, and a position of the host vehicle.
24. A connected vehicle control system as recited in claim 21, for
use on a host vehicle having one or more host vehicle communication
buses, wherein: the connected vehicle controller is configured to
receive sensor information from one or more host sensors on the
host vehicle, wherein at least some of the sensor information is
received over one of the host vehicle communication buses; and the
gateway processor is not coupled to any of the host vehicle
communication buses and is not capable of transmitting any messages
on any of the vehicle communication buses or directly receiving
host vehicle sensor information from any of the host sensors.
25. A connected vehicle control system as recited in claim 21,
wherein: the gateway processor is configured to wirelessly
communicate with the second vehicle using a first wireless
communications protocol; and the gateway processor is further
configured to communicate with a network operations center using a
second wireless communications protocol selected from the group
consisting of: a cellular communications protocol and a satellite
communications protocol.
26. A connected vehicle control system as recited in claim 25,
wherein the first wireless communications protocol is a short-range
vehicle-to-vehicle wireless communications protocol.
27. A connected vehicle control system as recited in claim 26,
wherein the short-range wireless communications protocol uses
encryption for communication between the gateway processor and the
second vehicle.
28. A connected vehicle control system recited in claim 25, wherein
the first wireless communications protocol is selected from the
group consisting of: Dedicated Short Range Communications (DSRC);
cellular communications; Citizen's Band (CB) radio; General Mobile
Radio Service (GMRS); Family Radio Service (FRS); WiFi
communications; and Zigbee communications.
29. A connected vehicle control system as recited in claim 25,
wherein the second wireless communications protocol uses encryption
for communication between the gateway processor and the network
operations center.
30. A connected vehicle control system as recited in claim 21,
wherein: the connected vehicle controller is configured as a first
system on module (SOM); and the gateway processor is configured as
second system on module (SOM).
31. A connected vehicle control system as recited in claim 21,
further comprising a dedicated wired communication link that
directly connects the connected vehicle controller and the gateway
processor, and wherein no other devices are coupled to the
dedicated wired communication link.
32. A connected vehicle control system as recited in claim 31,
wherein the dedicated wired communication link is selected from the
group consisting of: a co-axial cable, a twisted pair wiring, and a
fiber optic link.
33. A connected vehicle control system as recited in claim 31,
wherein the connected vehicle controller and the gateway processor
communicate over the dedicated wired communication link using an
Ethernet protocol.
34. A connected vehicle control system as recited in claim 21,
further comprising a display mounted in a cabin of the host
vehicle, and wherein: the gateway processor is further configured
to receive a video stream from the second vehicle and forward the
video stream to the display; and the gateway processor is further
configured such that the video stream is not passed to the
connected vehicle controller.
35. A connected vehicle control system as recited in claim 23,
wherein: the gateway processor further comprises a message logger,
the message logger being configured to log the second vehicle
current operating state information and the host state information
passed through the gateway processor; and the connected vehicle
controller does not have any logging capabilities.
36. A connected vehicle control system as recited in claim 35,
wherein the connected vehicle controller further passes the torque
and braking requests to the gateway controller and the message
logger logs all of the torque and braking requests generated by the
connected vehicle controller.
37. A connected vehicle control system as recited in claim 21,
wherein the host vehicle and the second vehicle are both
tractor-trailer trucks.
38. A method of at least partially automatically controlling a host
vehicle based at least in part on second vehicle current operating
state information received from a second vehicle, the method
comprising: receiving the second vehicle operating state
information from the second vehicle at a gateway on the host
vehicle; transmitting the second vehicle operating state
information from the gateway to a connected vehicle controller on
the host vehicle; receiving, by the connected vehicle controller,
host vehicle sensor information from one or more sensors on the
host vehicle; determining torque and braking requests for at least
partially automatically controlling the host vehicle based at least
in part on the second vehicle current operating state information
and the host vehicle sensor information, the torque and braking
requests being determined by the connected vehicle controller; and
controlling the host vehicle based at least in part on the
determined torque and braking requests.
39. A method as recited in claim 38, wherein: all communications
from the second vehicle are received through the gateway; the
connected vehicle controller is configured such that it does not
directly receive any information transmitted from any device
outside the host vehicle; and the connected vehicle controller is
configured such that all information received from devices outside
of the host vehicle and utilized by the connected vehicle
controller is received through the gateway.
40. A method as recited in claim 38, wherein the second vehicle
operating state information is: received by the gateway in
encrypted form; decrypted by the gateway; and passed from the
gateway to the connected vehicle controller in a decrypted
form.
41. A method as recited in claim 38, wherein the second vehicle
operating state information received by the gateway is
authenticated by the gateway prior to being transmitted to the
connected vehicle controller, and second vehicle operating state
information that has not been authenticated by the gateway is not
sent from the gateway to the connected vehicle controller.
42. A method as recited in claim 38, further comprising:
transmitting selected host vehicle sensor information from the
connected vehicle controller to the gateway on the first vehicle;
and transmitting the selected host vehicle sensor information from
the gateway on the first vehicle to the second vehicle.
43. A method as recited in claim 38, wherein the second vehicle
current operating state information is indicative of at least one
of a speed, a braking level, and a position of the second
vehicle.
44. A method as recited in claim 38, wherein the gateway: has a
direct wired connection to the connected vehicle controller; is not
connected to any vehicle communication buses on the host vehicle;
and does not directly receive any of the host vehicle sensor
information from any of the one or more sensors that generate the
host vehicle sensor information.
45. A method as recited in claim 44, wherein communications between
the gateway and the connected vehicle controller are made using an
Ethernet protocol.
46. A method as recited in claim 38, further comprising: receiving
a video feed from the second vehicle at the gateway; and forwarding
the video feed from the gateway to a display for the driver; and
wherein the video feed is not transmitted to the connected vehicle
controller and is not used by the connected vehicle controller in
the determination of the torque and braking requests.
47. A method as recited in claim 46, wherein the video feed is a
view facing forward from the second vehicle.
48. A method as recited in claim 38, further comprising: receiving
at the gateway a video feed from a forward facing camera mounted on
the host vehicle; and forwarding the video feed from the gateway to
the second vehicle.
49. A method as recited in claim 38, wherein the gateway manages
all communications with the second vehicle.
50. A method as recited in claim 49, further comprising:
transmitting messages to, and receiving messages from a network
operations center, wherein the gateway manages all communications
with the network operations center.
51. A method as recited in claim 38, wherein the host vehicle and
the second vehicle are both tractor-trailer trucks.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application is a Continuation-in-Part of PCT
Application No. PCT/US2017/047825 filed Aug. 21, 2017, which claims
priority of U.S. Provisional Patent Application No. 62/377,970,
filed on Aug. 22, 2016. Each of these priority applications is
incorporated herein by reference in its entirety.
BACKGROUND
[0002] The present application relates generally to controllers,
architectures, methods and systems for enabling vehicles to drive
in a partially or fully autonomous mode and/or closely follow one
another safely using automatic or partially automatic control.
[0003] In recent years significant strides have been made in the
field of automated vehicle control. One segment of vehicle
automation relates to connected vehicle control such as vehicular
convoying systems that enable vehicles to follow closely together
in a safe, efficient and convenient manner. Following closely
behind another vehicle has the potential for significant fuel
savings benefits, but is generally unsafe when done manually by the
driver. One type of vehicle convoying system is sometimes referred
to as vehicle platooning in which a second, and potentially
additional, vehicle(s) is/are automatically or semi-automatically
controlled to closely follow a lead vehicle in a safe manner.
[0004] The fuel efficiency advantages of platooning are
particularly noticeable in fields such as the trucking industry in
which long distances tend to be traveled at highway speeds. One of
the on-going challenges of vehicle platooning and convoying systems
is creating controller systems architectures that are cost
effective, efficient and meet the stringent safety standards
required for integration into mainstream road vehicles. Although
existing gap control system architectures work well, there are
continuing efforts to develop improved platoon controllers that
provide safe and fuel efficient operation while delivering a
comfortable user experience.
[0005] Beyond platooning there are a wide variety of partially or
fully autonomous vehicle control application in which verified
knowledge about what a second vehicle is doing can be very helpful
in managing the partially or fully autonomous control of a host
vehicle.
[0006] There are several industry and government standards relating
to road vehicle safety. One well known international standard for
classifying the functional safety of electrical and electronic
system in road vehicles is the ASIL (Automotive Safety Integrity
Level) standard defined by ISO 26262--Functional Safety for Road
Vehicles standard. There are four safety integrity levels
identified by the ASIL standard (ASIL-A, ASIL-B, ASIL-C and ASIL-D)
with ASIL-A corresponding to the lowest level compliance
requirements and ASIL-D representing the highest integrity
requirements. Items having safety requirements that are not
dictated by the standard are designed as QM (Quality
Management).
[0007] Many ECUs, powertrain control modules (PCMs) and other
controllers used in commercially available road vehicles are
designed to expect that all commands that they receive come from
ASIL compliant components that conform to a particular minimum ASIL
level. Therefore, in some circumstances, it is desirable for
control commands issued from the platoon controller to be ASIL
rated or to meet other designated reliability criteria or standard.
At the same time, some of the data (such as GPS position data) that
is useful in platoon control does not itself have a reliability
that can is suitable for ASIL rating. The present application
describes platoon control system architectures that are
particularly well suited for efficiently handling platooning
control related tasks using information available from a variety of
sources. When desired, the powertrain control commands ultimately
issued by the control system may be ASIL rated.
SUMMARY
[0008] A variety of controllers, control architectures, systems,
methods and algorithms are described for at least partially
automatically controlling a host vehicle's based at least in part
on information received from a second vehicle, as for example
second vehicle sensor information. One such example is controlling
the host vehicle's participation in a platoon.
[0009] In some embodiments, a vehicle control system includes at
least two of (i) a connected vehicle or platoon controller, (ii) a
gateway processor, and (iii) a vehicle interface controller. The
connected vehicle/platoon controller is configured to determine
vehicle control commands for at least partially automatically
controlling the host vehicle based at least in part on current
operating state information received from the second vehicle. The
gateway processor coordinates communications between a host vehicle
and the second vehicle/platoon partner. The vehicle interface
controller manages communications between the connected
vehicle/platoon controller and one or more host vehicle control
units. The vehicle interface controller may also include a safety
monitor that includes one or more safety monitoring algorithms that
verify that connected vehicle/platooning operation is safe.
[0010] In some embodiments, the vehicle interface controller is at
least ASIL-C compliant, whereas the connected vehicle/platoon
controller and the gateway processor may be rated at a lower ASIL
rating or QM rated under ISO 26262.
[0011] In some embodiments, the platoon controller is configured as
a listener capable of receiving messages transmitted on at least
one of the host vehicle's communication buses, but is not capable
of transmitting messages onto any of the vehicle's control related
communication buses. The vehicle interface controller is configured
to transmit and receive messages on at least one of the vehicle
communication buses (e.g. a CAN bus). The gateway processor is not
coupled to any of the vehicle's control related buses and is not
capable of receiving or transmitting any messages on any such
vehicle buses.
[0012] In some embodiments, the control commands include torque and
braking requests, and an interface between the connected
vehicle/platoon controller and the vehicle interface controller
includes the connected vehicle/platoon controller's torque and
braking request. In some embodiments, the interface also includes
verified partner state information indicative of at least a speed
and a braking level of the second vehicle. The verified partner
state information is preferably information sent and verified by a
vehicle interface controller on the second vehicle and may be used
in at least one of the safety monitoring algorithms implemented by
the host vehicle's vehicle interface controller.
[0013] In some implementations, the verified partner state
information received by the gateway processor from the second
vehicle is passed to the connected vehicle/platoon controller
without modification by the gateway processor. The connected
vehicle/platoon controller in turn passes the verified state
information to the vehicle interface controller without
modification while also using that information in the determination
of the vehicle control commands In some embodiments, the verified
partner state information is passed in data blocks that each
include a checksum applied by the vehicle interface controller on
the partner vehicle. The host vehicle's vehicle interface
controller may then utilize the checksums to verify the integrity
of the partner state information.
[0014] In some embodiments, the gateway processor also receives
unverified partner state information such as GNSS position data
from the partner vehicle. The unverified partner state information
is passed to the connected vehicle/platoon controller and used by
the connected vehicle/platoon controller in the determination of
the vehicle control commands, but is not passed to the vehicle
interface controller.
[0015] In various embodiments, the interface between a platoon
controller and the vehicle interface controller may optionally
further include one or more of (i) a platoon state indicator that
indicates when the platoon controller believes its vehicle control
commands should be directing operation of the host vehicle, (ii) a
driver input indicator, (iii) a retarder command, (iv) a steering
command.
[0016] In some embodiments, the connected vehicle/platoon
controller is configured as a first system on module (SOM), the
gateway processor is configured as second system on module (SOM),
and the vehicle interface controller is implemented as a single
packaged integrated circuit.
[0017] In some embodiments, the gateway processor receives host
vehicle state information from the platoon controller and passes
the host vehicle state information to the platoon partner, the host
vehicle state information being indicative of at least a speed, a
braking level and a position of the host vehicle. In some preferred
embodiments the speed and braking level information is verified by
the vehicle interface controller and is passed through the platoon
controller and gateway processor without modification.
[0018] In some embodiments, the gateway processor is configured to
wirelessly communicate with the platoon partner using a
short-range, vehicle-to-vehicle wireless communications protocol,
as for example the DSRC protocol. The gateway processor may also be
configured to communicate with a networks operations center using
cellular or satellite communications.
[0019] In some embodiments, a dedicated communications link
directly connects the platoon controller to the gateway processor,
with no other devices being coupled to the dedicated communications
link. The connected vehicle/platoon controller and the gateway
processor may be arranged to communicate over the dedicated
communication link using a standard communications protocols such
as Ethernet.
[0020] In some embodiments, the gateway processor also receives a
video stream from the partner vehicle and forwards the video stream
to a display mounted in the cabin so that the video stream can be
viewed by the driver. The video stream, which may be a view of the
road in front of the partner vehicle, is not passed to the platoon
controller.
[0021] In some embodiments, the gateway processor includes a
message logger and the connected vehicle/platoon controller does
not have any logging capabilities. The message logger may be
configured to log all of the partner state information and host
state information passed through the gateway processor. In some
embodiments, the platoon controller passes the torque and braking
requests, and any other information that the system designers
desire to be logged to the gateway controller for logging
purposes.
[0022] In some embodiments, the vehicle control system comprises
the aforementioned connected vehicle/platoon controller and vehicle
interface controller with or without the described gateway
processor.
[0023] In other embodiments, the vehicle control system comprises
the aforementioned connected vehicle/platoon controller and gateway
processor with or without the described vehicle interface
controller.
[0024] In yet another aspect, a vehicle control system includes a
vehicle controller configured to determine vehicle control commands
for at least partially automatically controlling the host vehicle
based at least in part on sensor information. The vehicle control
commands are arranged to be directly or indirectly utilized by one
or more host vehicle control units resident on the host vehicle.
The vehicle control system also includes one or more safety
monitoring algorithms that, during at least partially automated
driving, verify that selected vehicle control commands received
from the vehicle controller meet selected safety criteria. At least
some of the safety algorithms utilize sensor data in the
verification of the commands received from the vehicle controller.
The sensor data used by the safety algorithms may come from the
host vehicle and/or a second vehicle. In some embodiments, the
vehicle controller may include any of the components described
above.
BRIEF DESCRIPTION OF THE DRAWINGS
[0025] The invention and the advantages thereof, may best be
understood by reference to the following description taken in
conjunction with the accompanying drawings in which:
[0026] FIG. 1 is a block diagram of a controller architecture
suitable for use in an automated or partially automated vehicle
control system that supports platooning.
[0027] FIG. 2 is a block diagram of a representative platoon
controller architecture suitable for use in the automated or
partially automated vehicle control system of FIG. 1.
[0028] FIG. 3 is a block diagram of a gap controller in accordance
with one embodiment.
[0029] FIGS. 4A-4C are a series of diagrams illustrating different
control states used by a gap regulator in accordance with one
embodiment during different operational states.
[0030] FIG. 5 is a state space diagram illustrating a sliding mode
control scheme.
[0031] FIG. 6 is a specific ASIL compliant controller hardware
architecture suitable for use in an automated or partially
automated vehicle control system that supports platooning.
[0032] FIG. 7 illustrates components of a gateway in accordance
with one embodiment.
DETAILED DESCRIPTION
[0033] The present invention will now be described in detail with
reference to several embodiments thereof as illustrated in the
accompanying drawings. In the following description, numerous
specific details are set forth in order to provide a thorough
understanding of embodiments of the present invention, including
the description of a plurality of different aspects of the
invention, including, in some case, one or more alternatives. It
will be apparent to those skilled in the art that the invention can
be practice without implementing all of the features disclosed
herein.
[0034] The Applicant has proposed various vehicle platooning
systems in which a second, and potentially additional, vehicle(s)
is/are automatically, or semi-automatically controlled to closely
follow a lead vehicle in a safe manner. By way of example, U.S.
application Ser. Nos. 15/605,456, 15/607,902; 13/542,622 and
13/542,627; U.S. Provisional Application Nos. 62/377,970 and
62/343,819; and PCT Application Nos. PCT/US2014/030770,
PCT/US2016/049143 and PCT/US2016/060167 describe various vehicle
platooning systems in which a trailing vehicle is at least
partially automatically controlled to closely follow a designated
lead vehicle. Each of these earlier applications is incorporated
herein by reference.
[0035] One of the goals of platooning is typically to maintain a
desired longitudinal distance between the platooning vehicles,
which is frequently referred to herein as the "desired gap". That
is, it is desirable for the trailing vehicle (e.g., a trailing
truck) to maintain a designated gap relative to a specific vehicle
(e.g., a lead truck). The vehicles involved in a platoon will
typically have sophisticated control systems suitable for
initiating a platoon, maintaining the gap under a wide variety of
different driving conditions, and gracefully dissolving the platoon
as appropriate.
[0036] The architecture and design of control systems suitable for
implementing vehicle platooning may vary widely. The specific
controller design can vary based on the level of automation
contemplated for the controller, as well as the nature of and
equipment available on the host vehicles participating in the
platoon. By way of example, FIG. 1 diagrammatically illustrates a
vehicle control architecture that is suitable for use with
platooning tractor-trailer trucks. The specific controller
illustrated is primarily designed for use in conjunction with a
platooning system in which both vehicles include an active driver.
The driver of the lead vehicle being fully responsible for control
of the front vehicle. The a driver of the trailing vehicle is
responsible for steering the trailing vehicle, but the platoon
controller 110 is primarily responsible for controlling the
trailing vehicles torque and braking requests during active
platooning. However it should be appreciated that generally similar
control schemes can be used in systems which contemplate more
automated control of one or both of the platoon partners or which
utilize vehicle control commands other than or in addition to
torque and braking requests.
[0037] In the illustrated embodiment illustrated in FIG. 1, a
platoon controller 110, receives inputs from a number of sensors
130 on the tractor and/or one or more trailers or other connected
units, and a number of actuators and actuator controllers 150
arranged to control operation of the tractor's powertrain and other
vehicle systems. An actuator interface 160 may be provided to
facilitate communications between the platoon controller 110 and
the actuator controllers 150. The platoon controller 110 also
interacts with an inter-vehicle communications controller 170 which
orchestrates communications with the platoon partner and a NOC
communications controller 180 that orchestrates communications with
a network operations center (NOC). The vehicle also preferably has
selected configuration files 190 that include known information
about the vehicle.
[0038] Some of the functional components of the platoon controller
110 include gap controller 112, a variety of estimators 114, one or
more partner vehicle trackers 116 and various monitors 118. In many
applications, the platoon controller 110 will include a variety of
other components 119 as well. Exemplary embodiments of the platoon
controller 110 and gap controller 112 are described in more detail
below with reference to FIGS. 2 and 3.
[0039] Some of the sensors utilized by the platoon controller 110
may include GNSS (GPS) unit 131, wheel speed sensors 132, inertial
measurement devices 134, radar unit 137, lidar unit 138, cameras
139, accelerator pedal position sensor 141, steering wheel position
sensor 142, brake pedal position sensor 143, and various
accelerometers 144. Of course, not all of these sensors will be
available on all vehicles involved in a platoon and not all of
these sensors are required in any particular embodiment. A variety
of other sensor 149 (now existing or later developed or
commercially deployed) may be additionally or alternatively be
utilized by the platoon controller in other embodiments. In the
primary embodiments described herein, GPS position data is used.
However, GPS is just one of the currently available global
navigation satellite systems (GNSS). Therefore, it should be
appreciated that data from any other GNSS system or from other
suitable position sensing systems may be used in place of, or in
addition to the GPS system.
[0040] Many (but not all) of the described sensors, including wheel
speed sensors, 132, radar unit 137, accelerator pedal position
sensor 141, steering wheel position sensor 142, brake pedal
position sensor 143, and accelerometer 144 are relatively standard
equipment on newer trucks (tractors) used to pull semi-trailers.
However, others, such as the GNSS unit 131 and lidar unit 138 (if
used) are not currently standard equipment on such tractors or may
not be present on a particular vehicle and may be installed as
needed or desired to help support platooning.
[0041] Some of the vehicle actuators controllers 150 that the
platoon controller may direct at least in part include engine
torque controller 152 (which is often part of the integrated
functionality of an engine control unit (ECU) or powertrain control
module (PCM)); transmission controller 154; brake controller 156;
steering controller 157 (when automated steering is provided); and
clutch controller 158. Of course, not all of these actuator
controllers will be available or are required in any particular
embodiment and it may be desirable to interface with a variety of
other vehicle actuator controllers 159 that may be available on the
controlled vehicle as well. Therefore, it should be appreciated
that the specific actuator controllers 150 directed or otherwise
utilized by the platoon controller on any particular controlled
vehicle may vary widely. Further, the capabilities of any
particular actuator controller (e.g. engine torque controller 152),
as well as its interface (e.g., the nature and format of the
commands, instructions, requests and messages it can handle or
generate) will often vary with the make and model of that
particular actuator controller. Therefore, an actuator interface
160 is preferably provided to translate requests, commands,
messages and instructions from the platoon controller 110 into
formats that are appropriate for the specific actuator controller
hardware and software utilized on the controlled vehicle. The
actuator interface 160 also provides a mechanism for
communicating/translating messages, commands, instructions and
requests received from the various actuator controllers back to the
platoon controller 110. Typically an appropriate actuator interface
would be provided to interact with each of the specific vehicle
controllers utilized. In various embodiments, this may include one
or more of: an engine torque interface 161; a brake interface 162;
a transmission interface 164; a retarder interface 165 (if a
separate retarder controller is used); a steering interface 167;
and/or any other appropriate controller interface 169.
[0042] Large trucks and other heavy vehicles frequently have
multiple systems for "braking" the truck. These include the
traditional brake system assemblies mounted in the wheels of the
vehicle--which are often referred to in the industry as the
"foundation brakes." Most large trucks/heavy vehicles also have a
mechanism referred to as a "retarder" that is used to augment the
foundation brakes and serve as an alternative mechanism for slowing
the vehicle or to help prevent the vehicle from accelerating down a
hill. Often, the retarder will be controlled by the engine torque
controller 152 and in such embodiments, the retarder can be
controlled by sending appropriate torque commands (which may be
negative) to the engine torque controller 152. In other embodiments
a separate retarder controller (not shown) may be accessible to,
and therefore directed by, platoon controller 110 through an
appropriate retarder interface 165. In still other embodiments, the
platoon controller 110 may separately determine a retard command
that it sends to the actuator interface 160. In such embodiments
the actuator interface will interpret the retard command and pass
on appropriate retardation control commands to the ECU or other
appropriate vehicle controller.
[0043] The communications between vehicles may be directed over any
suitable channel and may be coordinated by inter-vehicle
communications controller 170. By way of example, the Dedicated
Short Range Communications (DSRC) protocol (e.g. the IEEE 802.11p
protocol), which is a two-way short to medium range wireless
communications technology that has been developed for vehicle to
vehicle communications, works well. Of course other communications
protocols and channels may be used in addition to or in place of a
DSRC link. For example, the inter vehicle communications may
additionally or alternatively be transmitted over a cellular
communications channel such as 4G LTE Direct, 5G, a Citizen's Band
(CB) Radio channel, one or more General Mobile Radio Service (GMRS)
bands, one or more Family Radio Service (FRS) bands, Wi-Fi, Zigbee
or any other now existing or later developed communications
channels using any suitable communication protocol.
[0044] The specific information transmitted back and forth between
the vehicles may vary widely based on the needs of the controllers.
In various embodiments, the transmitted information may include the
current commands generated by the platoon controller 110 such as
requested/commanded engine torque 280, requested/commanded braking
deceleration 282. They may also include steering commands, gear
commands, etc. when those aspects are controlled by platoon
controller 110. Corresponding information is received from the
partner vehicle, regardless of whether those commands are generated
by a platoon controller or other suitable controller on the partner
vehicle (e.g., an adaptive cruise control system (ACC) or a
collision mitigation system (CMS)), or through other or more
traditional mechanisms--as for example, in response to driver
inputs (e.g., accelerator pedal position, brake position, steering
wheel position, etc.).
[0045] In many embodiments, much or all of the tractor sensor
information provided to platoon controller 110 is also transmitted
to the platoon partner and corresponding information is received
from the platoon partner so that the platoon controllers 110 on
each vehicle can develop an accurate model of what the partner
vehicle is doing. The same is true for any other relevant
information that is provided to the platoon controller, including
any vehicle configuration information 190 that is relevant to the
platoon controller. It should be appreciated that the specific
information transmitted may vary widely based on the requirements
of the platoon controllers 110, the sensors and actuators available
on the respective vehicles, and the specific knowledge that each
vehicle may have about itself.
[0046] The information transmitted between vehicles may also
include information about intended future actions. For example, if
the lead vehicle knows it approaching a hill, it may expect to
increase its torque request (or decrease its torque request in the
context of a downhill) in the near future and that information can
be conveyed to a trailing vehicle for use as appropriate by the
platoon controller 110. Of course, there is a wide variety of other
information that can be used to foresee future torque or braking
requests and that information can be conveyed in a variety of
different forms. In some embodiments, the nature of the expected
events themselves can be indicated (e.g., a hill, or curve or exit
is approaching) together with the expected timing of such events.
In other embodiments, the intended future actions can be reported
in the context of expected control commands such as the expected
torques and/or other control parameters and the timing at which
such changes are expected. Of course, there are a wide variety of
different types of expected events that may be relevant to the
platoon control.
[0047] The communications between the vehicles and the NOC may be
transmitted over a variety of different networks, such as the
cellular network, various Wi-Fi networks, satellite communications
networks and/or any of a variety of other networks as appropriate.
The communications with the NOC may be coordinated by NOC
communications controller 180. The information transmitted to
and/or received from the NOC may vary widely based on the overall
system design. In some circumstances, the NOC may provide specific
control parameters such as a target gap tolerance. These control
parameters or constraints may be based on factors known at the NOC
such as speed limits, the nature of the road/terrain (e.g., hilly
vs. flat, winding vs. straight, etc.) weather conditions, traffic
or road conditions, etc. In other circumstances the NOC may provide
information such information to the platoon controller. The NOC may
also provide information about the partner vehicle including its
configuration information and any known relevant information about
its current operational state such as weight, trailer length,
etc.
[0048] The configuration file 190 may include a wide variety of
information about the host vehicle that may be considered relevant
to the controller. By way of example, some of the information might
include the vehicle's specification including such things as engine
performance characteristics, available sensors, the nature of its
braking system, the location of its GNSS antenna relative to the
front of the cab, gear ratios, differential ratios etc.
[0049] FIG. 2 illustrates a particular embodiment of a platoon
controller 110. In the illustrated embodiment, the platoon
controller 110 includes a gap controller 112, a plurality of
estimators 114, one or more trackers 116, any desired monitors 118
and potentially any of a variety of other components 119.
[0050] In the illustrated embodiment, the gap controller 112
includes a target and state setter 200, a gap regulator 210 and a
gap estimator 240. In general, the target and state setter 200 is
arranged to determine the intended operational mode (state) of the
gap regulator 210 and the values of any variable control parameters
that are appropriate for use in that operational mode.
[0051] The gap regulator 210 is arranged to control the trailing
platoon partner in the manner designated by the target and state
setter 200. In the gap control operational mode, the gap regulator
210 controls the vehicle in a manner that seeks to attain and
maintain the desired gap in accordance with any designated control
parameters specified by the state setter 200. In other modes, the
gap regulator 210 controls the vehicle in a manner that seeks to
attain the appropriate response for the selected operational
mode.
[0052] The gap estimator 240 is arranged to estimate/determine the
current gap based on actual measurements and/or other information
that is available to the platoon controller 110. It should be
apparent that an accurate understanding of the current gap is
important to successful operation of the gap regulator. At the same
time, it should be appreciated that any measurement system has
inherent tolerances and can be subject to reporting errors and/or
may become unavailable in some circumstances. Thus, the gap
estimator 240 is configured to receive information from multiple
position or relative position related sensors and to fuse such data
into a reliable estimate of the current gap.
[0053] The torque and braking requests generated by GAP regulator
210 are sent to the appropriate actuator interface (e.g., engine
torque interface 161 and brake interface 162 respectively). The
engine torque interface 161 then forwards an appropriate torque
command to engine torque controller 152 which directs the delivery
of the requested torque by directing various engine operating
parameters such as fuel charge, valve timing, retarder state, etc.
appropriately. The brake interface 162 generates an appropriate
brake request that is sent to the brake controller 156.
[0054] A particular embodiment of gap controller 112 is described
in more detail below with reference to FIG. 3.
[0055] Returning to FIG. 2, there are a variety of estimators 114
that are useful for the gap controller 112. In various embodiments
these may include one or more of a mass estimator 271, a drag
estimator 273, a ground speed estimator 275, a gyro bias estimator
277 and/or other estimators 279.
[0056] The mass estimator 271 is arranged to estimate the
respective masses of the platoon partners. These mass estimations
may be used by the gap controller 112 to help scale its torque and
brake requests appropriately based on the respective weights
(masses) of the platoon partners.
[0057] The drag estimator 273 is arranged to estimate the
respective drag resistances of the platoon partners. These drag
resistance estimates may also be used by the gap controller to help
adjust its torque and brake requests appropriately. In general, the
drag resistance of any particular truck or other vehicle can vary
based on a variety of factors including: (a) its drag profile
(which in the context of a truck may change based on the trailer
being pulled--if any, or other characteristics of the load); (b)
the vehicle's current speed, (c) wind speed and direction, (d)
rolling resistance, (e) platoon state (e.g., whether a platoon is
active, the position of the vehicle within the platoon, the gap),
(f) bearing wear, etc.
[0058] The ground speed estimator 275 is arranged to estimate the
actual ground speed of the respective platoon partners. Many trucks
and other vehicles have wheel speed sensors that can quite
accurately measure the rotational speed of the associated wheels.
The actual ground speed at which the vehicles are traveling will
vary based on the respective diameters of the wheels and slip
conditions of the tires. The precise diameter of the wheels can
vary based on the tires used. Furthermore, the diameter of the
wheels will vary over time with tire wear, changes in ambient
temperature and other factors. The wheel diameter will even change
over the course of a particular trip as the tires heat up (or
otherwise change in temperature) during use. In practice, all of
these variations in wheel diameter are potentially significant
enough to impact the gap estimation and gap control. Therefore, the
ground speed estimator 275 is arranged to estimate the actual
ground speed based on measured wheel speed and other available
information such as GNSS information. The ground speed estimates
are particularly useful in times when tracker based gap
measurements (e.g., radar, cameras, lidar, ultrasound etc.) aren't
available--which may occur, for example, when the platoon partners
are laterally offset due to a lane change, etc.
[0059] Several of the measurements utilized by the gap controller
112 are inertial measurements that are gyro based. These may
include yaw measurements which indicate the rate at which the
associated vehicle is turning, longitudinal acceleration
measurements, etc. Gyros often have an inherent measurement error
referred to as a gyro bias that can affect measurements. The gyro
bias estimator 277 estimates such biases to allow the gap
controller to compensate for such gyro based measurement
errors.
[0060] The platoon controller 110 can include any other estimators
279 that may be useful to any particular gap controller 112 as
well.
[0061] The platoon controller 110 may also include one or more
trackers 116. Each tracker 116 is arranged to measure or otherwise
determine the gap. One type of tracker that is used in many
implementations is a radar based radar tracker 283. Newer
commercially available trucks often come equipped with a radar unit
as standard equipment and radar trackers are particularly well
suited for use in such vehicles. Of course, one or more radar units
may be installed on any vehicle that does not come pre-equipped
with a radar unit to facilitate use of radar tracker 283. By way of
example, some specific radar trackers are described in more detail
in co-pending U.S. application Ser. Nos. 15/590,715 and 15/590,803,
both filed May 9, 2017, both of which are incorporated herein by
reference.
[0062] Lidar is another distance measuring technology that is well
suited for measuring the gap between vehicles. Lidar is quickly
gaining popularity for use in automated and autonomous driving
applications. Lidar tracker 286 is well suited for use on vehicles
that have or are provided with lidar units. Cameras and stereo
cameras are also becoming more popular distance measuring tools for
use in various automated and autonomous driving applications.
[0063] Of course, other distance measuring technologies can be used
to measure or estimate the gap between vehicles as represented by
other trackers 289. By way of example, a GPS tracker could be used
that is based primarily on the respective reported GPS positions of
the vehicles. In another example, ultrasound based distance
measuring unit may be used.
[0064] The tracker(s) used in many embodiments are configured to
fuse data from multiple sensors to help validate the measurements
of the primary sensors used by the respective trackers. The
aforementioned radar tracker application describes a variety of
methods for fusing data to help validate measurements of a primary
sensor in that manner.
[0065] In various embodiments, the gap estimator 240 could replace
or be replaced by one or more of the trackers, or could be thought
of as a tracker itself since it determines/estimates the gap based
on inputs from multiple sensors. In the illustrated embodiment, the
gap estimator 240 is shown separately as part of gap controller 112
since it fuses distance data from the tracker(s) and any other
available sources such as GNSS sensors on each of the vehicles.
[0066] The platoon controller 110 may also include one or more
monitors 118 that are configured to monitor specific components
that are relevant to gap control. By way of example, one specific
monitor that is particularly useful to the control of platooning
trucks is brake health monitor 291. The brake health monitor 291 is
configured to monitor the brake system and to identify
circumstances in which the brakes may not be able to deliver the
level of braking normally expected for platoon control--as for
example could occur if the foundation brakes include drum brakes
that have been used while traveling downhill in the mountains to
the extent that they are close to overheating. If the brake health
monitor 291 identifies such a circumstance, it informs the platoon
controller, which can take the appropriate remedial action. The
appropriate remedial action will vary based on the specific
circumstances identified by the brake health monitor, but may
include, for example, actions such as dissolving the platoon,
increasing the target gap to a level more appropriate for the brake
conditions, etc. Of course, the brake health monitor can also
configured to identify circumstances in which the condition of the
brakes has improved (e.g., the brakes have cooled sufficiently) and
inform the platoon controller of those circumstances as well so
that the platoon controller can act accordingly. For example,
improved braking status may allow the target gap to be reduced, a
platoon to be reestablished or other appropriate actions.
[0067] The platoon controller may include any of a variety of other
monitors 299 that are configured to monitor the state or status of
other components, systems, environmental conditions, road or
traffic conditions, etc. that may be relevant to platoon control.
For example, a DSRC link monitor may be provided to monitor the
status of a DSRC communication link between the platoon
partners.
[0068] Referring next to FIG. 3, another embodiment of gap
controller 112 will be described in more detail. Similarly to the
embodiment illustrated in FIG. 2, the gap controller 112 includes a
target and state setter 200, a gap regulator 210 and a gap
estimator 240. In the embodiment of FIG. 3, the target and state
setter 200 includes an operating state selector 203, and a control
parameter selector 206 that determines, selects, sets or otherwise
indicates to the gap regulator the values of any variable control
parameters that are appropriate for use in the selected operational
mode.
[0069] The operating state selector 203 is arranged to determine
the intended operational mode (state) of the gap regulator 210. In
some specific embodiments, the operational modes might include a
"normal" or "gap control" operational mode in which the gap
regulator is configured to control towards attaining an maintaining
a designated gap between the vehicles. In the gap control
operational mode control parameter variables dictated by the
control parameter selector might include the target gap itself
(e.g. 10 m, 12 m, etc.)--which may vary somewhat based on driving
conditions (e.g., weather, terrain, road conditions, traffic,
etc.). Other control parameters during normal operation may include
parameters that impact the draw-in speed, the tightness of the
control, tolerances or variations between torque control and
braking control, etc. In other embodiments, "initiate platoon"
and/or "draw-in" or "pull-in" may be one or more separate states
that are used to establish a platoon and/or to bring the platoon
partners together in a safe manner under at least partially
automated control.
[0070] Another potential operational mode is a "dissolve" mode in
which the platoon controller transitions the trailing vehicle
toward/to a position at which the driver of the trailing vehicle
(or an automatic cruise control system) can safely take over
control of the vehicle. Generally, dissolving a platoon includes
increasing the gap between the vehicles in a controlled manner
to/towards a point at which the platoon can be dissolved and
vehicle control can be safely transferred to manual control by the
driver or to control through the use of a different system such as
adaptive cruise control. The dissolve mode may optionally be
triggered by a wide variety of different circumstances, as for
example, in response to one of the platoon partners or the NOC
deciding to terminate the platoon; the detection of a car
cutting-in between the platooning vehicles; the loss of
communications between the vehicles for an extended period; the
detection of an object in front of the lead vehicle that is too
slow or too close to the platoon; etc.
[0071] Another potential operational mode may be a velocity control
or relative velocity control mode. Velocity control, or relative
velocity control may be preferable to trying to control to maintain
a particular gap in a variety of specific circumstances--as for
example when the trailing vehicle's radar (or other) tracking unit
loses sight of the partner vehicle, as can occur when there is a
lateral offset between the vehicles due to a lane change or other
conditions.
[0072] Of course, there can be a variety of other operational modes
as well.
[0073] The gap regulator 210 is arranged to control the trailing
platoon partner in the manner designated by the target and state
setter 200. In the embodiment illustrated in FIG. 3, the gap
regulator 210 includes a scaler 212 and two separate controllers
which are used in different combinations in different operating
modes. In the illustrated embodiment, the controllers include a
sliding mode controller 215 (which performs gap control) and a
velocity/relative velocity controller 218. It should be appreciated
that in other embodiments, a single controller, additional and/or
different may be provided as appropriate for any particular
implementation.
[0074] In the illustrated embodiment, the feed forward scaler 212
is configured to scale the torque and brake signals from the front
vehicle before adding them to the outputs from the sliding mode and
relative velocity controllers 215, 218 to create the torque and
brake request to the engine and brake controllers. Such scaling may
be based on factors such as the respective weights (masses) of the
platoon partners, the respective drags of the vehicles, the
severity of a braking event (e.g., in high braking scenarios, the
braking command may be increased a bit to provide a margin of
safety to account for uncertainties in braking performance and
reactions times), etc. In other embodiments, such scaling functions
can be integrated into the respective controllers themselves if
desired.
[0075] The sliding mode controller 215 is configured to control the
trailing vehicle in a manner that seeks to attain and maintain the
desired gap in accordance with the target gap and any other control
parameters specified by the control parameter selector 206. Thus,
its primary function is gap control. The velocity controller 218 is
configured to control the trailing vehicles in a manner that
maintains a designated velocity relative to the lead vehicle, or in
some circumstances, simply a designated velocity. In the
illustrated embodiment, these two separate controllers are provided
so that the gap regulator 210 can provide different types of
control, as may be appropriate in different operational
circumstances. A few specific examples are described with reference
to FIGS. 4A-4C. In the described embodiments, both the controllers
215 and 218 are operated continuously during platooning and the
selector/adder 250 is used to select the appropriate signals to
output based on the current operating mode. An optional braking
monitor 255 is a safety feature that may be utilized to help ensure
that the brake commands outputted by selector/adder 250 don't
overly aggressively brake the trailing vehicle except in where
necessary from a safety/crash prevention standpoint. This is to
reduce the risk of traffic behind the trailing platoon partner from
being impacted by unexpected aggressive braking of the trailing
platoon partner.
[0076] The sliding mode controller 215 is arranged to control the
trailing vehicle in a manner such that its relative velocity
relative to the front vehicle varies as a function of the gap
between the vehicles. This characteristic is illustrated in the
state space diagrams of FIG. 5 which show a control scheme in
accordance with one specific implementation. More specifically,
FIG. 5 plots relative velocity between the vehicles (the Y-axis)
vs. gap between the vehicles (the X-axis). FIG. 5 also show a
torque request controller target control line 320. In the
illustrated embodiment, the nominal desired gap is 12 meters--which
is represented by line 310. Thus, the target control point 311 is
12 meters with zero relative velocity, which is the point
represented by the intersection of line 310 (12 meters gap) and
line 312 (zero relative velocity).
[0077] The torque request controller component 221 of gap regulator
210 is configured to generate a torque request that is appropriate
to control the gap in accordance with target control line 320. The
torque request is then implemented by engine torque controller 152.
As can be seen in FIG. 5, when the gap is larger than the desired
gap, the rear truck is controlled to travel slightly faster than
the front truck is traveling such that the relative velocity of the
rear truck has a small positive value. As the rear truck draws
closer to the lead truck, its relative velocity is reduced in a
smooth manner until the gap is reduced to the target control point
311, at which point the relative velocity would be zero if perfect
control were attained. If the rear truck gets closer than the
desired gap, it is slowed so that it has a negative relative
velocity relative to the lead truck to reestablish the desired
gap.
[0078] The sliding mode controller 215 utilizes a unified sliding
mode control scheme during both the "pull-in" and gap maintenance
stages of platooning. Configuring the sliding mode controller to
control towards target control line 320 helps ensure that the
relative speed vs. gap relationship stays within a region safe for
platooning.
[0079] In the embodiment illustrated in FIG. 3, the sliding mode
controller 215 includes separate controllers (e.g. torque request
controller 221 and brake request generator components 223) which
are configured to control towards different gap control targets.
The different control targets are illustrated in the state space
diagrams of FIG. 5 which show a control scheme in accordance with
one specific implementation. More specifically, FIG. 5 shows a
brake request controller target control line 330 in addition to
torque request controller target control line 320. FIG. 5
additionally shows representative transition paths from various
points in the state space to the torque request target control line
320.
[0080] For most open highway driving conditions, modulating the
torque request alone is sufficient to control the gap appropriately
without requiring the use of the foundation brakes. This is in part
because the torque request can be negative to a certain degree
without needing to actuate the foundation brakes through the use of
engine braking and/or the retarder (if available). As mentioned
above, when fuel is cut-off there will be some pumping losses and
some frictional losses in the powertrain, so some level of negative
torque can be provided while using normal valve timing by simply
reducing the fuel charge appropriately. When larger negative torque
is needed, the engine torque controller 152 can create larger
negative torques by actuating the retarder and/or by taking other
appropriate measures.
[0081] Separately, the brake request controller component 223 of
gap regulator 210 is arranged to generate brake requests during
normal operation that are generally arranged to maintain a
different gap--specifically a smaller gap--than the torque request
controller 221 targets. This difference in the gaps that the torque
and brake request controllers control to is sometimes referred to
herein as the gap tolerance 340. In general, brake requests 213 are
not generated unless or until the gap is reduced at least the gap
tolerance below the torque request target control line 320. Since
the brakes can only be used to slow the vehicle, the effect of this
difference is that the trailing truck will be allowed to creep in a
relatively small amount (2 meters in the example) before the
foundation brakes are actuated when the gap regulator 210 cannot
maintain the desired gap through control of the torque request
alone. When the desired gap can be restored by modulating the
torque requests alone without crossing target brake control line
330, then the foundation brakes do not need to be used at all. This
has the effect of safely maintaining a gap while reducing the
probability that the foundation brakes will be deployed
unnecessarily.
[0082] Normal gap control is illustrated in FIG. 4A. During normal
gap control, the sliding mode controller 215 is use to determine
torque and brake requests that are appropriate to attain and
maintain the target gap set by control parameter selector 206. When
appropriate, the torque and brake requests generated by the sliding
mode controller 215 may be scaled appropriately by selector/adder
250 based on inputs from feed forward scaler 212. In this normal
gap control mode, the outputs of the relative velocity controller
218 are not used in the control of the trailing vehicle.
[0083] In some embodiments, the sliding mode controller 215
includes separate torque request and brake request controllers 221,
223 as illustrated in FIG. 3. The torque request and brake request
controllers 221, 223 are configured to control the engine and
brakes respectively towards different gap targets which tends to
provide a smoother, more comfortable ride and reduce the use of
wheel brakes (e.g., the foundation brakes in tractor-trailer rigs)
compared to control in which the engine and brakes are controlled
to the same target gap. Such a gap control architecture is
described in more detail in U.S. Provisional application No.
62/489,662, which is incorporated herein by reference.
[0084] Although the sliding mode controller 215 works very well to
control the gap, there will be operational circumstances in which
different types of control may be appropriate. For example, a
different type of control may be desirable when it is necessary to
dissolve a platoon and return the trailing vehicle to manual or
other automated control. Typically, the gap between vehicles during
platooning will be smaller, often much smaller, than can safely be
maintained by a driver under manual control. Therefore, in general,
when a platoon is dissolved with the intent to restoring manual
control of the trailing vehicle, it will be desirable to grow the
gap to a distance that is appropriate for manual control before
relinquishing control to the driver. This can be accomplished in a
smooth manner by relative velocity controller 218.
[0085] When operating state selector 203 determines that the
platoon should be dissolved, it directs the GAP regulator 210 to
transition to a dissolve mode as represented by FIG. 4B. In the
dissolve mode, primary control is provided by relative velocity
controller 218. The control parameter selector 206 may designate a
desired (target) relative velocity for the trailing truck during
the dissolve. The specific target relative velocity may vary based
on the nature of the circumstances and/or the vehicles involved in
the platoon. In general, it is desirable to select a relative
velocity that will cause the vehicles to gradually, but
expeditiously separate, without requiring the trailing vehicle to
slow excessively (which could unduly hinder following traffic) and
preferably without requiring the lead vehicle to alter its drive
plan. By way of example, relative velocities during dissolves on
the order of 0.5 to 4 meters per second, as for example, 1-2 m/s,
have been found to work well in the context of platooning
trucks.
[0086] During a dissolve, the lead vehicle may take a variety of
actions. For example, the lead truck may accelerate or increase its
torque command aggressively. In such cases, it may not be desirable
to try to accelerate the trailing truck in a similar manner thereby
allowing the lead vehicle to pull away more than would otherwise
occur under relative velocity control. One way to accomplish this
in the context of platooning trucks is to ignore or otherwise
disable positive torque commands from feed forward scaler 212.
[0087] Another potential scenario is that the lead truck brakes or
slows significantly while under velocity control. In some
circumstances, the velocity controller 218 may be configured to
permit a certain amount of gap shrinkage when the gap is relatively
larger to thereby reduce the overall amount of braking required. In
the illustrated embodiment, the sliding mode controller is
configured to ensure that the gap between the vehicles is always
sufficient to give the trailing vehicle sufficient time to respond
in a manner that prevents the trailing vehicle from running into
the back of the lead vehicle regardless of the occurrence of
(reasonable) unexpected events. Therefore, if the sliding mode
controller is outputting a braking or negative torque signal that
has a greater magnitude than the relative velocity controller, then
that larger braking/negative torque command should be passed to the
vehicle's engine and braking controllers. Therefore, during a
dissolve, the selector/adder 250 is configured to only utilize
negative commands (i.e., braking commands and negative torque
commands) from the sliding mode controller 215 and to only use such
commands when they are greater in magnitude than the commands from
the relative velocity controller 218.
[0088] There may also be operational circumstances outside of
dissolves in which relative velocity control or simply velocity
control is desired. For example, there may be circumstances in
which the back of the lead vehicle moves out of view of the
trailing vehicle's tracker(s) 116 or the tracker(s) 116 otherwise
loses sight of the back of the platoon partner. This can occur, for
example, as a result of a lane change by one of the platoon
partners. In such a circumstance the gap regulator may not have an
accurate measure of the longitudinal gap between the vehicles--and
may have to rely on less accurate approaches for determining the
gap such as the vehicle's respective GNSS positions. In such
circumstances, it may be desirable to control the trailing vehicle
to slowly drop back until the back of the lead vehicle comes within
the tracker's view. Again, the relative velocity controller 218 is
well suited for use in this circumstance--although the preferred
relative velocity control may be a bit different than occurs during
a dissolve. Specifically, the goal is typically not to drop back as
quickly or as far as would occur during a dissolve--thus a smaller
relative velocity (e.g. 0.5 m/s vs. 2 m/s), may be appropriate.
[0089] One approach to such relative velocity control is
illustrated in FIG. 4C. In the velocity control scheme of FIG. 4C
velocity controller 218 is used in conjunction with normal scaling
from feed forward scaler 212. This causes the trailing platoon
partner to better follow lead vehicle accelerations and/or torque
increases than occurs during the dissolve state illustrated in FIG.
4B. At the same time, for safety purposes, braking requests and
negative torque request from the sliding mode controller 215 may be
utilized as appropriate by selector/adder 250 in a manner similar
to the approach described above with respect to FIG. 4B.
Safety Focused Architecture
[0090] When developing an autonomous vehicle controller, it is
important for the system to be safe (truly safe). It is also
important for the system to be verifiably safe. That is, it is
desirable to be able to verify with a high degree of confidence
that the system is safe. As discussed in the background, some
standards organizations and governments have promulgated guidelines
and/or standards intended to classify the safety risks associated
with vehicle operation. One such effort is the Automotive Safety
Integrity Level (ASIL) risk classification scheme defined by ISO
26262--Functional Safety for Road Vehicles standard. There are
currently four safety integrity levels identified by the ASIL
standard: ASIL-A, ASIL-B, ASIL-C, and ASIL-D. ASIL-D represents the
highest integrity requirements and ASIL-A corresponds to the lowest
level compliance requirements of the defined standards. Matters
that are not directly covered by the standard are identified as QM
for "Quality Management" which from the context of ASIL, means that
their integrity levels are not represented to fall within the copy
of any of the ASIL standards.
[0091] There are potentially significant advantages to making a
platoon control system verifiably safe, as for example, by making
the platoon controller ASIL compliant (and/or compliant with other
safety integrity level standards). Most notably, many ECUs,
powertrain control modules (PCMs) and other controllers used in
commercially available road vehicles are designed to expect that
all commands that they receive come from ASIL compliant components
that conform to a particular minimum ASIL level--as for example, at
the ASIL-C level or higher. Therefore, it is desirable for control
commands issued from the platooning system to be ASIL rated or to
meet other designated reliability criteria or standards. It is also
desirable for the overall system to be safe to some chosen level.
Processes and standards like ISO 26262 are also useful to guide the
development of safe systems.
[0092] ASIL compliance is a rigorous standard which requires
extensive command integrity checking and data verification. In
general, data used in ASIL integrity checking must come from, or be
verified by ASIL compliant devices of at least the same integrity
level. Inputs from QM rated devices (or lower level ASIL devices)
may be used in ASIL compliant devices, as long as the
reasonableness of their commands or data are verified by the ASIL
device to the appropriate standards.
[0093] Some of the data used in platoon control (such as GPS
position data) cannot itself be readily verified to a level
required by ASIL. As such, it can be challenging to design every
component in the entire platoon control system in a manner that
meets the ASIL standards and thus ensures that the commands are
proper to achieve safety targets. Therefore, it can be useful to
divide the platoon control system into distinct QM and ASIL
components (or different ASIL level components), with all of the
components that send instructions directly to any of the vehicles
control systems being ASIL compliant (or compliant to the higher
ASIL level).
[0094] FIG. 6 illustrates a platoon control system hardware
architecture that is particularly well suited suitable for ASIL
compliant platoon control. The illustrated embodiment includes
three separate controller hardware units. These include platoon
controller 410, vehicle interface controller 460 and gateway
processor 470. Selected components of a representative gateway
processor 470 are illustrated in FIG. 7. As best seen in FIG. 6,
the platoon controller 410 communicates with the vehicle interface
controller 460 through an interface 420 and with gateway 470
through a direct link 478. In some embodiments, the link 478 is a
dedicated direct wired connection and no other devices are coupled
to that link. The wired connection may be provided by any suitable
form of cabling or traces, as for example co-ax cable, twisted pair
wirings, fiber optics or any other suitable physical connection
medium.
[0095] In the illustrated embodiment, the platoon controller 410
incorporates all of the functionality of platoon controller 110
described above. The vehicle interface controller 460 (also
sometimes referred to as a system manager) performs the
functionality of actuator interface 160 and further includes a
number of safety monitors. In some embodiments, the safety monitors
are arranged to execute ASIL compliant safety monitoring algorithms
and the vehicle interface controller 460 is designed as an ASIL
compliant device.
[0096] In general, the vehicle interface controller 460 includes a
higher safety level processor and software (including the safety
monitors) that independently verify the commands transmitted by the
platoon controller 110 before they are passed on to the vehicle
actuators. These verifications use a subset of the available sensor
inputs, together with verification algorithms that are independent
and distinct from those used by the platoon controller.
[0097] The gateway processor 470 is arranged to coordinate
communications between a host vehicle and the platoon partner(s)
and to coordinate communication between the host and the network
operation center and/or any other entities that are external to the
vehicle. As such, in a specific implementation of the system
illustrated in FIG. 1 the gateway processor 470 includes the
inter-vehicle communications controller 170 and NOC communication
controller 180 as best illustrated in FIG. 7. Typically the
inter-vehicle communications controller utilizes a short-range,
vehicle-to-vehicle wireless communications protocol, as for example
the DSRC protocol. The NOC communication controller typically
communicates with a networks operations center using cellular or
satellite communications.
[0098] In some embodiments, the connection (link 478) between the
gateway processor 470 and the platoon controller 410 is a dedicated
direct wired connection and no other devices are coupled to the
link. In some implementations an Ethernet or similar standardized
wired communications protocol is used to pass information between
the gateway processor and the platoon controller. This facilitates
high speed, high reliability communications between the gateway
processor and the platoon controller. In a specific example, a
100BASE or higher (e.g. 1000BASE, 10GBASE, etc.) Ethernet physical
layer may be used, although it should be appreciated that a variety
of other physical layers may be used in other embodiments.
[0099] In some embodiments, the gateway processor 470 is also
arranged to communicate with a forward facing camera 477 mounted on
the vehicle and a dashboard display 475. When the host vehicle is
the lead vehicle in a platoon, the gateway processor transmits a
video feed received from the forward facing camera 477 to the
trailing vehicle(s) so that the driver of the trailing vehicle has
a view of what is in front of the lead vehicle. When the host
vehicle is a trailing vehicle in the platoon, the gateway processor
470 receives such a video feed from the gateway processor on the
lead vehicle and transmits the feed to the dashboard display 475
where it is displayed to give the driver of the host vehicle a view
of what is in front of the lead vehicle. Displaying a view of what
is in front of the lead vehicle to drivers of a trailing vehicle is
desirable since the to give the driver of the trailing vehicle a
sense of comfort and the ability to independently react to
situations that occur in front of the platoon. This can be
particularly important because in many platoons (e.g. platoons that
involve tractor trailer trucks) the trailing vehicle will be very
close to the lead vehicle (much closer than normal manual driving)
and the lead vehicle will effectively block the view of the
trailing vehicle which can be an uncomfortable experience for
drivers and/or passengers in a trailing platoon partner--especially
when they do not have access to a view of what is going on in front
of the platoon.
[0100] The video streams passed through the gateway may be managed
by a video manager 474. Since the gateway 470 communicates directly
with the camera 477 and/or dashboard display 475, the platoon
controller 410 is not in any way burdened by the need to manage
that data flow.
[0101] In some embodiments the gateway 470 also includes a message
logger 473 that logs various messages and other information passed
there through in order to provide a record for diagnostic purposes
and the like. The functionality of the message logger 473 will be
described in more detail below.
[0102] The platoon controller 410 is configured as a listener on
any appropriate vehicle communications buses where it can directly
obtain information about the vehicle's operational state--such as
the vehicle's current wheel speed, any brake or accelerator pedal
inputs, steering wheel position (as appropriate), transmission
gear, etc. It is also coupled to sensor units such as GPS unit 131
to receive positional information about the location of the
vehicle, and to forward looking radar unit 137 to receive
information about the position of objects outside the vehicle
(e.g., radar scenes). Similar information may be obtained from
other sensors as well, such as lidar 138, camera(s) 139 etc. Since
the platoon controller 410 is configured strictly as a listener on
the vehicle's communication bus(es) and does not itself transmit
information over such bus(es), it does not need to be ASIL
compliant, as long as the control commands it outputs to the
vehicle interface controller are verified to ASIL standards by the
vehicle interface controller 460.
[0103] The vehicle interface controller 460 (also sometimes
referred to as the system manager 460), which is ASIL compliant, is
arranged to send commands to, and otherwise communicate with, the
vehicle's engine controller (EECU), the brake controller (BECU),
and/or any other appropriate controllers either directly or via one
or more communications buses, such as the vehicle's CAN
bus(es).
[0104] In the illustrated embodiment, the interface 420 between
platoon controller 410 and vehicle interface controller 460 (also
sometimes referred to as the system manager 460) is fairly narrowly
defined. It includes the substantive commands generated by the
platoon controller--which in the illustrated embodiment include
torque request 422, brake request 424, and optionally a retarder
request 426. When the platoon controller also controls the steering
or other aspects of the host vehicle steering and/or other
appropriate control commands (not shown) may be included as
well.
[0105] The interface 420 also includes a platooning state indicator
428 that is a signal from the platoon controller indicating whether
or not it believes that its output should be directing operation of
the vehicle. The platooning state indicator 428 may take many
forms, as for example a simple flag that when high indicates that
the platoon controller 410 believes that platooning is/should be
active and that its torque, braking and retard commands 422, 424,
426 should be followed. In such an arrangement, a low flag state
indicates that the platoon controller believes that it is not
controlling the vehicle. The vehicle interface controller 460 does
not forward any torque, braking, retard or other control commands
at any time that the platooning state indicator 428 indicates that
platoon control is not active. In the event (generally unlikely)
that one of the safety monitors 465 indicates that platooning is
not appropriate when the platoon controller 410 believes that
platooning is valid (as indicated by platooning state indicator
428), the vehicle interface controller/system manager 460 initiates
a termination of the platoon.
[0106] The interface 420 also facilitates the transmission of
certain state information--which is preferably ASIL validated state
information--about both the host vehicle and the partner truck that
is useful to the safety monitors. Specifically, the host vehicle
state information 441 includes state information about the host
vehicle that has been validated (e.g., ASIL-C validated) by the
system manager 460 and is useful to one or more safety monitors on
the partner vehicle. The partner vehicle state information 444
includes state information about the partner vehicle that has been
validated by the partner vehicle's system manager and is useful for
one or more safety monitors 465 on the host vehicle. Host vehicle
state information 441 is transmitted to the platoon controller 410,
which forwards such information without modification to the gateway
470, which in turn forwards the host vehicle state information to
the gateway on the partner vehicle. Partner vehicle state
information 444 received by gateway 470 from the partner vehicle's
gateway is forwarded without modification to the platoon controller
410 and from there to system manager 460 (again without
modification). Preferably the host state information 441 is
transmitted with a checksum or other suitable data integrity
verification mechanism that allows the receiving system manager to
verify that the data it receives is uncorrupted. Any corrupted
information can then be ignored. With this approach the ASIL
validated state information is passed without modification from one
ASIL compliant device (system manager 460 on a first platoon
partner) to another (system manager 460 on a second platoon
partner) and therefore is suitable for use in ASIL compliant safety
checking algorithms--even when intermediate transmitting devices
(e.g., platoon controller 410, gateway 470) are not themselves ASIL
compliant.
[0107] The host and partner vehicle state information may include
any ASIL validated state information that is used by any of the
safety monitors. This may include, for example, vehicle wheel
speeds, brake requests, torque requests and/or delivered torque,
brake air supply pressure, steering position, accelerometer
readings, brake pad wear, tire pressure, engine temperature, pedal
position and/or any other information about the partner vehicle
used by the system manager 460 as part of a safety monitor. To the
extent that the platoon controller 410 utilizes partner state
information originated by an ASIL validated device beyond the state
information used by the system manager 460, that information can
optionally be included in the vehicle state information 441, 444 as
well--although such inclusion is not necessary and usually not
desirable since such information can typically be obtained and sent
by the partner vehicle's platoon controller, which reduces the
bandwidth that needs to be allocated to the interface 420.
[0108] It is noted that some of the host vehicle's sensor
information (e.g., wheel speed, brake pedal position, radar scenes,
etc) is used by both the platoon controller 410 and the system
manager 460. Since the platoon controller 410 is preferably an
authorized listener on any appropriate vehicle control bus(es), the
platoon controller does not need to wait to receive such
information from the system manager. Rather, it obtains any
relevant host vehicle sensor information directly from the
appropriate sensor over any suitable connection such as an
appropriate CAN bus. However any sensor information relevant to the
system manager on the partner vehicle is read by the system manager
(regardless of whether it is also read by the platoon controller)
and included in host vehicle state information 441 so that the
partner vehicle's system manager is ensured that such information
is ASIL verified. In other embodiments any host vehicle sensor
information that is not directly accessible by the platoon
controller can be received via the system manager 460 acting as an
intermediary.
[0109] Although there will be some overlap in the sensor
information used, it should be appreciated that the host vehicle
sensor information used by the host vehicle platoon controller 410
and the host vehicle system manager 460 will often vary and may
further vary from the partner vehicle sensor information of
interest. For example, the host platoon controller utilizes GNSS
position data in the determination of the torque and braking
requests, however the GNSS position information may not be utilized
by the System Manager since it is not ASIL compliant.
[0110] Some of the sensor information that is used by the safety
monitor on the host vehicle may not be needed by the safety monitor
on the partner vehicle. This may include information such as the
radar scenes, the accelerator pedal position, inputs from a host
vehicle driver interface device 469, etc. To the extent that such
sensor information is not used by the partner vehicle, there is no
need for such information to be included in the vehicle state
information 441, 444.
[0111] Some of a host vehicle's sensor information that is used by
the platoon controller on the partner vehicle may not be ASIL
compliant and therefore may not be used in the safety monitors on
the partner vehicle. Such, sensor information that is not relevant
to the safety monitors on the partner vehicle does not need to be
included as part of vehicle state information 441, 444. Rather,
such data may be obtained by the platoon controller 410 and sent to
the corresponding platoon controller on the partner vehicle (by way
of communication controllers 470). For example, it is extremely
difficult to ASIL validate GPS or other GNSS position data.
Therefore, GNSS position data is preferably not included in the
vehicle state information 441, 444. Rather, such information is
passed from the host vehicle's platoon controller to the partner
vehicle's platoon controller via the gateways 470.
[0112] The driver interface device 469 may be a button or other
suitable mechanism positioned at a convenient location on the host
vehicle dashboard or elsewhere in the host vehicle cabin. The
driver interface device 469 is a mechanism that the driver may
press as appropriate to indicate that the driver is ready to
platoon during initiation of a platoon, or to initiate the
dissolution of a platoon when platooning is no longer desired. The
use of the driver interface device 469 is described in more detail
in U.S. patent application Ser. No. 15/607,902 which is
incorporated herein by reference. In the illustrated embodiment,
commands from the driver interface device 469 (which are preferably
ASIL compliant) are sent to the vehicle interface controller 460
and passed from there to the platoon controller 410. Similarly,
requests to the driver interface device pass from the platoon
controller to the vehicle interface controller 460 and from the
vehicle interface controller 460 to the driver interface device
469. This architecture simplifies the work that must be done to
make the driver interface device 469 ASIL compliant. It should be
appreciated, however, that in other embodiments, the platoon
controller 410 may also be a direct listener to commands from the
driver interface device. In the embodiment illustrated in FIG. 6,
interface 420 includes driver platoon related requests and commands
427 which represent the request sent to and commands received from
the driver interface device 469.
[0113] In some specific embodiments, the vehicle interface
controller 460 is implemented as a single dedicated integrated
circuit chip and the platoon controller 410 and gateway processor
470 are each implemented as separate system on modules (SOMs).
[0114] The platoon control system hardware architecture illustrated
in FIG. 6 is particularly well suited for efficiently handling
platooning control related tasks in an ASIL compliant manner using
information available from a variety of sources including sources
that are not themselves ASIL. With the described arrangement, the
powertrain control commands ultimately issued by the control system
may be ASIL rated.
[0115] The hardware architecture of FIG. 6 also has several
advantages from a security standpoint. In the illustrated
embodiment, the gateway processor 470 is not connected to any of
the vehicle's control related communications buses (e.g., the CAN
bus(es)). Therefore, the gateway processor 470, which is
potentially the least secure of the three hardware components, is
not able to transmit any information directly onto any of the more
secure vehicle communications buses or receive any information
directly from such buses--which is advantageous from a security
standpoint since a nefarious entity cannot gain control the vehicle
in any way by somehow hacking into the gateway processor 470.
Furthermore, with this arrangement, the gateway processor 470 does
not need to be ASIL compliant which greatly simplifies its
certification.
[0116] In some embodiments, at least one of the vehicle
communications buses is a dedicated sensor information bus that
only carries sensor based information. The use of sensor
information buses is particularly useful for transmitting high
volume information such as the information or data transmitted by
radar units, lidar units, camera units, ultrasound units, GNSS
units, etc. In most applications, the information transmitted over
a sensor information bus will be synthesized information. For
example, in the context of a radar unit, the information
transmitted over the sensor information bus may be the
identification of objects detected by the radar unit together with
the relative position and relative velocity of such objects.
Similar types of information may be received from lidar, cameras
and/or other distance measuring technologies. Information
transmitted from camera units and/or other sensors may also
arranged to predict future movements or intentions of detected
objects.
[0117] The specific information transmitted over the sensor
information bus may vary widely in accordance with the needs and
capabilities of any system, and when desired, the transmitted
information may include, or take the form of rawer forms for sensor
data. An advantage of using one or more dedicated sensor
information buses is that the sensor information, which may be both
relatively high volume and time critical, does not unduly clog
other vehicle information buses and is not delayed by the
transmission of other types of information over such buses. It also
makes it easy to provide access to the sensor information to
components needing such information while still controlling such
components access to controllers or devices that such components
don't need to have access to--which is desirable from a security
standpoint.
Safety Algorithms
[0118] In the primary embodiments described above, the safety
monitors 465 are resident on the vehicle interface controller 460.
Although this architecture is particularly desirable, it should be
appreciated that safety monitors may be provided at other locations
in the system in addition to, or in some circumstances, in place
of, being located on the vehicle interface controller. For example,
in some embodiments, it may be desirable for various vehicle
controllers such as an ECU or a brake controller to execute its own
safety monitors in addition to, or in place of safety monitors
executed as part of the vehicle interface control.
[0119] An extremely wide variety of different safety algorithms can
be implemented by the safety monitors and the information used by
the safety algorithms may come from a wide variety of sources. In
many circumstances, a safety monitor will utilizes sensor
information from the host vehicle and/or a connected or partner
vehicle. Virtually any sensor information deemed useful to a safety
check may be used. By way of example, some of the sensor
information that may be used by one or more safety monitors may
come from radar units, lidar units, one or more cameras, ultrasonic
distance measuring units, a compass, gyroscopes, GNSS sensors,
accelerometers, wheel speed sensors, tire pressure sensors, brake
pad wear sensors, brake pressure sensors, engine temperature
sensors, ambient temperature sensors, humidity sensors, weather
sensors, pedal position sensors, engine speed sensors, engine
torque sensors, transmission configuration sensors, engine speed
sensors, tire wear sensors, vehicle weight sensors, suspension
pressure sensors, trailer identification information, system fault
sensors, occupant detection sensors, seatbelt status sensors, etc.
The safety monitors may also use system faults identified by
various engine or other vehicle diagnostic systems.
[0120] In many circumstances, the safety monitors fuse information
received from one or more host vehicle sensors, with information
(e.g. sensor information) received from other vehicles to verify
the reasonableness of the commands (e.g., torque and braking
commands) received from the connected vehicle/platoon controller
110. Other safety algorithms may utilize information received from
driver inputs alone or in combination with sensor information
received from one or both vehicles. Such driver inputs may take the
form of inputs to the host (or partner vehicle) driver interface
device 469, driver initiated movement of an accelerator or brake
pedal, actuation of a retarder or any other available source. Still
other safety monitors can utilize information from external sources
such as a network operation center or a source of traffic or road
information as part of a safety check.
[0121] The ability to fuse verified information received from a
second (e.g. partner vehicle) with sensor data received from the
host vehicle itself and/or host vehicle driver inputs as part of
the safety algorithm check is particularly powerful.
[0122] In implementations that utilize a vehicle interface
controller is often desirable to execute any safety algorithms that
utilized verified data received from another vehicle or other
external sources on the vehicle interface controller. In this way,
any safety algorithms executed on the host vehicle controller
cannot be influenced by, and do not need to be aware of, anything
that occurs outside of the vehicle, which inherently provides
another layer of security.
Message Logging
[0123] As mentioned above, the gateway 470 preferably includes a
message logger 473 that is configured to log a variety of messages
and other information passed there through in order to provide a
comprehensive record of platoon session that can be useful for
diagnostic, machine learning purposes and other purposes. In
general, it is desirable to log all of the control related messages
that pass between the vehicles through the gateway. This includes
the verified partner state information 444 and the verified host
vehicle state information 441 that is passed between the system
managers 460 through the gateway 470. It also includes any sensor
information transmitted to, from or between the platoon controllers
410, such as GNSS position data (such information is sometimes
referred to herein as unverified state information since it is not
ASIL verified by the system manager even though it should be
appreciated that various data verification can be performed on such
data by a GPS unit, the platoon controller, the gateway itself or
any other suitable unit if desired).
[0124] In some embodiments the platoon controller itself does not
have any logging capability--which has the advantage of simplifying
the platoon controller's tasks and relieving it of the complexity
and computational load associated with logging. In such embodiments
it is desirable to transmit commands generated by the platoon
controller such as the torque request 422, the braking request 424,
retarder request 426 and platoon state request 428 to the gateway
for logging purposes even if those commands are not conveyed to the
partner vehicle.
[0125] When desired, other sensor information that is utilized by
the platoon controller but not passed to the partner vehicle such
as accelerator pedal inputs, radar scenes or scenes from other
environmental sensors such as lidar, camera systems, etc. may be
recorded as desired for diagnostic purposes. The specific
information recorded may vary based on the design goals of the
logging and/or diagnostic system. It is noted that high bandwidth
streams that are not directly used in platoon control such as the
partner vehicle video feed transmitted to dashboard display 475 or
received from the forward facing camera 477 would typically not be
logged, although that is possible.
[0126] In many embodiments, the system manager 460 also does not
have any independent logging capabilities. When that is the case,
the system manager can be configured to send any information
desired to be logged to the gateway 470 as well. (Such messages
pass through the platoon controller 410 in the illustrated
embodiments). Examples of information that may be desirable to log
may include messages relating to any safety monitor algorithms that
detect an unusual situation or a potential problem; the commands
receive from the driver interface device, the actions of the safety
monitor itself, etc.
[0127] In general, all of the messages logged are time stamped so
that their order and relative timing can readily be reconstructed
as desired.
[0128] In the description above, a safety focused architecture that
is well suited for use in autonomous vehicle and connected vehicle
is described. Although the invention has been described primarily
in the context of a platoon control system, it should be
appreciated that the described architecture is very well suited for
use in a wide variety of connected vehicle application in which the
control of a host vehicle is based in part on sensor inputs from
one or more other vehicles. Thus, exactly the same architectures
can be used in systems in which a connected vehicle controller that
generates torque, braking and/or other control commands based in
part on inputs from a second vehicle is substituted for the platoon
controller.
[0129] More broadly, the described use of higher safety level
processing of control commands generated by a vehicle controller by
a separate system can be used in a wide variety of different
autonomous and automated vehicle applications (including both
partially and fully autonomous/automated vehicle control). For
example, a wide variety of different autonomous/automated vehicle
controllers can readily be substituted for the described platoon
controller.
[0130] Although particular platoon and gap controller architectures
are illustrated in FIGS. 2, 3 and 6, it should be appreciated that
the specific architectures utilized may vary widely to meet the
needs of any particular platooning or other automated vehicle
control scheme. As will be apparent to those familiar with the art,
the described control functionality can be implemented
algorithmically using software or firmware algorithms executing on
one or more processors, using programmable logic, using digital or
analog components or using any combination of the preceding.
[0131] In the detailed description above, it is assumed that the
controlled power plant is an internal combustion engine, as for
example a diesel engine. However, it should be appreciated that the
described control approach can be utilized regardless of the nature
of the power plant used to provide torque to drive the host
vehicle. Thus, for example, the control techniques are equally
applicable to electric vehicles, hybrid vehicles, vehicles using
turbine engines and/or any other type of powerplant. Furthermore,
although the invention has been described primarily in the context
of particular applications related to platooning and vehicle
convoying, it should be appreciated that the invention may be
applied to a variety of other vehicle control systems involving any
of level 1-5 automation, including adaptive cruise control,
highway-only automation systems, low-speed only automation systems,
etc. Therefore, the present embodiments should be considered
illustrative and not restrictive and the invention is not to be
limited to the details given herein, but may be modified within the
scope and equivalents of the appended claims.
* * * * *