JP5423224B2 - Control system - Google Patents

Description

  The present invention relates to a fail-safe function of a control system that controls a large number of devices and realizes various functions as a whole. Even when a failure occurs in a part of control devices, an alternative process is executed to perform the entire system. It is related with the control system which can maintain the function of and can improve the reliability of the whole system more.

  In recent years, control systems that control a large number of devices and realize various functions as a whole have become widespread. A control device is connected to each device, and each control device is provided with a communication means to exchange data with each other, and each control device does not perform independent control, but can be obtained via other control devices. Control systems that execute control in cooperation, such as controlling a device to be controlled corresponding to itself based on data obtained, are used in various fields.

  Particularly in the field of vehicles, a large number of devices such as actuators or sensors corresponding to various functions are arranged in the vehicle, and ECUs (Electronic Control Units) are arranged and operated as control devices for controlling each device. Yes. Vehicle control is shifting from mechanical control to electrical control, and further, specialization of functions realized by the control system, increase in functions that can be realized, and diversification are progressing. As a result, the number of devices such as actuators and sensors mounted on the vehicle increases, and the processing of the control device tends to be distributed.

  When a large number of control devices cooperate to implement various functions in this way, a failure may occur in some of the control devices, which may cause the system as a whole to stop functioning. In particular, in the field of vehicles, it is desirable to always avoid stopping the function of the entire system, and at least fail-safe to maintain the function of the entire system and restore it while maintaining safety.

  Regarding system failure occurrence avoidance and high reliability, for example, in Patent Document 1, regarding transaction processing by processors of a plurality of distributed modules, if any module fails, a failure occurs in another module. An invention for resuming module transaction processing instead is disclosed.

  In Patent Document 2, regarding the fail-safe function of the vehicle control system, it is possible to determine the state of the own node and transmit / receive the determination result, identify the node where the failure has occurred, and perform backup at another node, An invention that can eliminate the need for a specific master node or the like for determining the state of each node is disclosed. Patent Document 3 discloses the detection of a failure and the detection of recovery, but the backup during the occurrence of a failure is realized mainly by multiplexing of systems related to communication.

  In Patent Document 3, when a failure occurs in a part of logic processing units in a logic circuit composed of a plurality of logic components, normal logic components are reconfigured as a spare logic processing unit. An invention is disclosed in which a self-recovery is enabled by operating or preparing a spare logical processing unit in advance and operating as a spare logical processing unit. On the other hand, in Patent Document 4, in order to apply the invention disclosed in Patent Document 3 to a vehicle control system, a minimum part of processing is performed without causing the same processing as the logic processing unit to be performed. An invention has been disclosed which is configured to be realized in an alternative manner, and is intended to reduce the size and cost of the apparatus.

JP-A-8-278909 JP 2007-126127 A JP-A-8-44581 JP 2000/081991 A

  In a conventional control system, an actuator or a sensor is directly connected to a control device that controls the actuator, a control device that performs arithmetic processing or control processing using data acquired from the sensor, In many cases, data is transmitted from the control device to the control device via a network.

  In this case, in order to reconfigure the physical connection even if a failure occurs in some control devices, a physical redundant configuration such as duplicating the wiring in advance is required, and the number of wiring is increased. It becomes a problem. In particular, in a control system for a vehicle, high reliability is desired, and wire saving and weight reduction are also important issues. Therefore, it is desirable to construct a highly reliable system without using a physical redundant configuration.

  The present invention has been made in view of such circumstances, and even when a failure occurs in a part of the control devices, the substitution process is executed to maintain the function of the entire system and improve the reliability of the entire system. It is an object of the present invention to provide a control system that can be controlled.

  A control system according to a first aspect of the invention includes a plurality of devices that input / output data, one or more input / output devices that are connected to the plurality of devices and that transmit / receive data input / output by each device, and the input / output device. The communication line to which the output device is connected and the data from each device connected to the communication line and transmitted from the input / output device are used, or the data transmitted from the other device is used in advance. A control system including a plurality of control devices that execute control processing for controlling the operation of the device by supplying data to the device via an entry / output device, the control system including any of the plurality of control devices Fault detection means for detecting the occurrence of a fault that cannot be executed by the control process, and alternative process execution means for executing the control process in the control device in which the fault has occurred when the fault detection means detects a fault occurrence. With features That.

  A control system according to a second aspect of the present invention includes a plurality of devices that input / output data, one or a plurality of input / output devices that are connected to the plurality of devices and that transmit / receive data input from each device, and the one Alternatively, the first communication line to which a plurality of input / output devices are connected and the data received from any of the plurality of devices are used, or the device is transmitted using data transmitted from another device. Transmitting / receiving data between a plurality of control devices that transmit data for controlling the operation of the first communication line, a second communication line to which the plurality of control devices are connected, and the first and second communication lines. A control system including a relay device that relays, a failure detection unit that detects a failure that cannot be executed by any one of the plurality of control devices, and a failure detection unit that detects a failure. If a fault is detected, Characterized in that it comprises a alternative process execution means for alternatively executes a control process in the apparatus.

In the present invention, data from a plurality of devices that input and output data is transmitted from the input / output device to which each device is connected to the communication line, and data that is transmitted to control each device is communicated by the input / output device. Receive from the line and give to each device. That is, a device that has been conventionally connected to a control device that controls the device or uses data from the device is separated from the control device and connected to the communication line via the input / output device. As a result, even when the device is normal, it is possible to avoid a situation in which data from the device is disconnected from the system when a failure occurs in the control device that controls the device. Moreover, by transmitting / receiving data from / to each device by the input / output device, transmission / reception of data input / output from / to each device to / from the control device at an appropriate timing and at an appropriate time by the input / output device. It becomes possible to transmit and receive with accuracy.
By separating the transmission / reception of data from multiple devices to the system and the connection of the control device included in the system to the communication line, if any of the control devices fails, The control process can be replaced by sending / receiving data to / from the device. In the present invention, the occurrence of a failure is detected in any of the plurality of control devices included in the system, and when the occurrence of the failure is detected, the alternative processing execution means performs the alternative processing.
As a result, in the present invention, even when a failure occurs in a part of the control device, it is possible to avoid a situation in which data from a device related to the control device cannot be used, and execute a substitute process of the control device. By doing so, it is possible to maintain the functions of the entire system.

In the present invention, a first communication line to which an input / output device to which a plurality of devices are connected is connected and a plurality of control devices that control each device or use data from the device are connected to the second communication line. The communication line may be separated.
When a failure occurs in any of the control devices, the replacement processing is executed by the replacement processing execution means, and when a failure occurs, the other control device executes the replacement processing to maintain the function of the entire system. Is possible. Further, the communication line to which the input / output device is connected and the communication line to which the control device is connected are separated and relayed by the relay device, so that the first and second relay devices that connect the communication lines are connected to each other. The transmission / reception timing of data on the second communication line can be adjusted more efficiently, and the input / output device can connect the relay device without recognizing the data transmission / reception destination to the means for performing the alternative execution process. It is possible to specify the transmission / reception destination, and the configuration of each device can be simplified and the processing load can be reduced.

  In the control system according to a third aspect of the present invention, the plurality of control devices according to the first or second aspect of the invention transmit in advance alternative process data that enables an alternative process when a failure occurs to the alternative process execution means. And the alternative process executing means includes means for recording the alternative process data transmitted from each control device in a recording means, and when the failure detection means detects the occurrence of a failure, the control device in which the failure has occurred is provided. The alternative process data specified and transmitted from the specified control device is read from the recording means, and the alternative process is executed.

In the present invention, alternative processing data that enables alternative processing when each control device itself fails, for example, replication of an application program, a program that simplifies the processing, etc. at the time of initialization processing, startup, etc. Are sent to the alternative process execution means, and the alternative process execution means records the alternative process data from each control device. When a failure occurs and is detected, the alternative process execution unit executes the data transmitted and recorded from the control device in which the failure has occurred. From the system design stage, the alternative process execution means may register the alternative process data that enables the alternative process of each control device in advance. However, the system dynamically collects the system so that it can support various system designs. be able to.
In addition, when the occurrence of a failure can be predicted by itself, each control device may be configured to transmit the replacement processing data to the replacement processing execution unit when the occurrence of the failure is predicted. In this case, it is possible to save resources of the recording means by the alternative process execution means.

  The control system according to a fourth aspect of the present invention is the control system according to any one of the first to third aspects, wherein identification information for identifying the data is assigned to the data from each device and the data to be provided to the device. The substitute process executing means, when transmitting data to the communication line by the control process, adds identification information indicating that the data is a substitute process different from the original identification information. It transmits to a communication line, It is characterized by the above-mentioned.

  In the present invention, the data transmitted and received by each device to and from each control device via the input / output device is added with identification information for identifying the data separately, so that a failure occurs. In the case where data is transmitted by performing the substitution process by the substitution process execution unit, identification information indicating that the data is transmitted by the substitution process is given to the data. As a result, other control devices, devices, or input / output devices that use the data recognize themselves that the substitute processing is being executed based on the identification information that is received or given to the data. Is possible. Since it is possible to identify whether or not the data is transmitted by alternative processing, each controller recognizes that the control device has been restored when the failed control device has recovered and data transmission has been resumed It becomes possible, and the response to recovery can be executed in cooperation with the entire system.

  In the control system according to a fifth aspect of the present invention, each of the plurality of control devices according to any one of the first to fourth aspects periodically transmits information indicating its own operation status to a communication line. The detection means is characterized by detecting the occurrence of a failure on the basis of information indicating the operation status transmitted from each control device.

  In the present invention, the occurrence of a failure is detected based on the information indicating the operation status of each control apparatus periodically transmitted to the communication line. Since the information is periodically transmitted, it is possible to detect not only the contents of the operation status indicated by the information but also a failure in the control device that does not transmit the information. The operation status of each control device can be shared between devices connected to the same communication line, and the determination that a failure has occurred can be ensured by a plurality of devices.

  In a control system according to a sixth aspect of the present invention, the failure detection means according to any one of the first to fourth aspects includes means for transmitting an operation status inquiry to each control device and means for receiving a response to the inquiry. The occurrence of a failure is detected based on a response from each control device.

  In the present invention, the failure detection means makes an inquiry to each control device, and grasps the operation status of each control device by a response to the inquiry. It may be determined from the content of the response, or it may be detected that a failure has occurred in a control device that does not respond. As a result, since the operation status is grasped at a necessary time in response to the inquiry, it is possible to further reduce the processing load on each control device and the communication load on the communication line.

  The control system according to a seventh aspect of the present invention is the control system according to the fifth or sixth aspect, wherein when the failure detection means detects a failure occurrence, the usage rate of the hardware resource is determined based on a comparison of the operation status of each control device. It is characterized by comprising means for specifying a control device lower than the apparatus, and means for operating the control device specified by the means as the alternative process execution means.

  In the present invention, based on the operation status of each control device, a control device having a hardware resource usage rate lower than others and a light operation load or having a sufficient resource is executed. As a result, it is possible to improve the reliability of the entire system by causing another device to execute the substitute process, and to make the processing load of the entire system uniform and efficient.

  In the control system according to an eighth aspect of the present invention, each of the plurality of control devices according to any one of the first to seventh aspects detects a failure in the other control device, and detects the occurrence of the failure by the means. A failure occurrence notification is output to the communication line, and the failure detection means receives the failure occurrence notification from at least one control device among the plurality of control devices when the occurrence of the failure is detected. Further, it is characterized in that it is determined that a failure has occurred.

  In the present invention, each control device detects the occurrence of a fault by mutual transmission / reception of data exchanged periodically for cooperation processing or based on information indicating the operation status transmitted mutually in the above-described invention. Means for notifying the occurrence of a failure to another control device when the occurrence of the failure in the other control device is detected. When the failure detection means detects the occurrence of a failure by collecting the operation status of each control device or the like, it determines that a failure has occurred only when a failure notification is received from another control device. . As a result, the possibility of erroneously detecting the occurrence of a failure can be reduced, and the reliability can be further improved.

  The control system according to a ninth aspect of the present invention further comprises a recovery detection means for detecting recovery of control processing by the control device in which the failure has occurred in any of the first to eighth inventions, wherein the recovery detection means detects the recovery. In this case, the alternative process executing means stops the alternative process.

  In the present invention, when it is detected that a failure has occurred in some of the control devices and an alternative process is being performed, when the control device is restored by a self-recovery function or the like, this is detected and the original The system is restored. As a result, the system can be completely restored and the reliability can be improved.

  The control system according to a tenth aspect of the invention is characterized in that each of the plurality of control devices in the ninth aspect of the invention detects a recovery of a failure that has occurred in another control device, and a failure recovery notification when the recovery is detected by the means. And the recovery detecting means detects the recovery of the fault, and when the fault recovery notification is received from at least one control apparatus of the plurality of control apparatuses, the fault is recovered. It is characterized by confirming that.

  In the present invention, at the time of recovery detection, each control device communicates with each other by transmitting / receiving data exchanged periodically for cooperation processing or based on information indicating the operation status transmitted mutually in the above-described invention. And a means for detecting recovery, and when recovery of a failure in another control device is detected, the recovery is further notified to another control device. The recovery detection means determines that the failure has been recovered only when the recovery is detected not only by its own detection but also by another control device. As a result, it is possible to reduce the possibility of erroneously detecting failure recovery and further improve the reliability.

  The control system according to an eleventh aspect of the present invention is characterized in that, in the second aspect, the relay process execution means is provided in the relay device.

  A control system according to a twelfth aspect of the present invention is the control system according to the second aspect, wherein the failure detection means is provided in the relay device.

  In the present invention, when a failure occurs in a part of the control devices in the control system, a means for executing the control process instead of the control device, or a failure detection means for detecting a failure occurrence in any of the control devices, The recovery detection means may be realized by connecting a dedicated device to the communication line, by a specific control device, by an input / output device to which a device is directly connected, or different. You may implement | achieve with the relay apparatus which relays transmission / reception of the data between communication lines.

However, the relay device determines the necessity of data relay and relays it by a so-called gateway function, so that each control device that requires all data by transmitting and receiving all data or each device that requires data is connected. Since it has a function to transmit to the input / output device as necessary, it can be realized by using the relay device, so that the load on the control device can be reduced compared to other control devices. Efficiency can be improved.
In addition, the relay device temporarily stores data transmitted to all connected communication lines in order to transmit only the necessary data at the timing when each control device and input / output device require data. It can be assumed that each data is transmitted from the database after being recorded. In this case, since a large amount of data is recorded, the occurrence of a failure can be detected under more flexible conditions, and the operation status of each control device can be grasped. In addition, since the resource for recording is provided more than other devices, it is possible to record a large amount of substitute processing data, and in order to realize with a minimum configuration, it is desirable to be realized by a relay device. .

  In the case of the present invention, a control system including each device such as an actuator and a sensor and a control device that provides control data to the actuator based on data output from the sensor to control the data from each device to the system. Even if a failure occurs in some control devices as a configuration in which the input is routed through the input / output device without going through each control device, it is possible to avoid the detachment of each device from the system, and the data The control process to be used can be executed in place of another specific control device, relay device, input / output device or the like to maintain the functions of the entire system. Thereby, the reliability of the whole system can be improved.

  By applying the control system of the present invention to an in-vehicle control system related to driving control of a vehicle, higher safety and reliability can be realized in the in-vehicle control system by a cooperative process that communicates with each other.

1 is a configuration diagram illustrating a configuration of an in-vehicle control system in Embodiment 1. FIG. It is a block diagram which simplifies and shows the internal structure of ECU and GW which comprise the vehicle-mounted control system of Embodiment 1, and the connection of each apparatus. 4 is a flowchart illustrating an example of transmission / reception processing of alternative processing data by the ECU and GW according to the first embodiment. 3 is a flowchart illustrating an example of a processing procedure executed by a control unit of a GW according to the first embodiment. It is explanatory drawing which shows the example of the content of ID provided to the data transmitted / received in the vehicle-mounted control system in Embodiment 1. FIG. 4 is a flowchart illustrating an example of a procedure of failure detection processing by a GW according to the first embodiment. 6 is a flowchart illustrating an example of a procedure of recovery detection processing by a GW according to the first embodiment. 6 is a flowchart illustrating an example of a processing procedure executed by a control unit of the GW and any ECU in the second embodiment. FIG. 10 is a block diagram showing a connection configuration of ECUs, GWs, and IOUs that constitute the in-vehicle control system of the third embodiment.

  Hereinafter, the present invention will be specifically described with reference to the drawings showing embodiments thereof. In the embodiment described below, an example in which the control system according to the present invention is applied to an in-vehicle control system including a large number of actuators, sensors, and ECUs mounted on a vehicle will be described.

(Embodiment 1)
FIG. 1 is a configuration diagram showing the configuration of the in-vehicle control system in the first embodiment. The vehicle-mounted control system according to Embodiment 1 includes various sensors 1a, 1b, 1c, 1d, 1e, such as a temperature sensor or camera mounted on the front of a vehicle, a wheel speed sensor attached to a tire shaft, or a yaw rate sensor. 1f, 1g, 1h, actuators 2a, 2b, 2c, 2d such as brakes, headlights, door locks, etc., and actuators 2a, 2b,... Based on data obtained from various sensors 1a, 1b,. ECU 3a, 3b, 3c to be controlled and GW (Gate Way) 4 for relaying data transmission / reception between different networks, and further, input / output of various sensors 1a, 1b,... And actuators 2a, 2b,. IOUs (input-output units: input / output units) 5a, 5b, and 5c that transmit and receive to the network.

  The various sensors 1a, 1b,... And the actuators 2a, 2b,... Are connected to the IOUs 5a, 5b,. The sensors 1a, 1b,... And the actuators 2a, 2b,... May be configured to be able to communicate with the IOUs 5a, 5b, 5c via a Zika line or via LIN (Local Interconnect Network).

  The ECUs 3a, 3b, 3c, GW4, and IOUs 5a, 5b, 5c are each connected to a CAN (Controller Area Network) bus 7 and transmit / receive control data to / from each other. In the first embodiment, the connection form between the ECUs 3a, 3b, 3c, GW4, and the IOUs 5a, 5b, 5c is a bus type, and the communication protocol is CAN. However, the connection form may be a star type, a daisy chain type, or the like, and the communication protocol may be another communication protocol.

  The IOUs 5a, 5b, and 5c are connected to sensors 1a, 1b,... And actuators 2a, 2b,. Which sensor 1a, 1b,... And actuator 2a, 2b,... Is connected to the same IOU 5a (or IOU 5b, 5c) is designed based on a physical distance. In the example shown in FIG. 1, since the three sensors 1a, 1b, 1c and the one actuator 2a in the left part of the front part of the vehicle are arranged close to each other, they are connected to one IOU 5a. Three sensors 1d, 1e, 1f in the right part of the front part of the vehicle and one actuator 2b are connected to the same IOU 5b, and two sensors 1g, 1h in the rear part of the vehicle and two actuators 2c, 2d are the same. Connected to the IOU 5c. The sensors 1a, 1b,... And the actuators 2a, 2b,... Are not directly connected to the ECUs 3a, 3b, 3c for performing processing such as whether to use or control data from them, Connected to the IOUs 5a, 5b, and 5c arranged in the vicinity, the IOUs 5a, 5b, and 5c collect input and output with the ECU.

  For example, in the following description, the ECU 3a uses data from the sensors 1a and 1d and transmits control data to control the operations of the actuators 2a and 2b. However, the sensors 1a and 1d and the actuators 2a and 2b are both It is not directly connected to the ECU 3a. The sensors 1a and 1d and the actuators 2a and 2b are connected to different IOUs 5a and 5b, respectively. Further, the ECU 3b uses the data from the sensors 1b, 1f, and 1h disposed at the front and rear portions of the vehicle, and transmits control data to control the operations of the actuators 2c and 2d. Also in this case, none of the sensors 1b, 1f, 1h and the actuators 2c, 2d are directly connected to the ECU 3b.

  As will be described later, in the first embodiment, when a failure occurs in any of the ECUs 3a, 3b, 3c, a failure has occurred using data used by the ECU in which the failure has occurred. The processing executed by the ECU is executed by another device. In the first embodiment, shoulder replacement, that is, substitution processing is performed by the GW 4.

  With such a configuration, when a failure occurs in any of the ECUs 3a, 3b, and 3c, the processing executed in the ECU in which the failure has occurred is continued and used in the ECU in which the failure has occurred. It is possible to avoid a situation in which information from the sensors 1a, 1b,... That has been used cannot be used, or a situation in which the controlled actuators 2a, 2b,.

  For comparison, for example, when the sensors 1a, 1b,... Or the actuators 2a, 2b,... Are directly connected to the ECUs 3a, 3b, 3c that use them, the failure occurs in any of the ECUs 3a, 3b, 3c. When this occurs, the processing executed by the ECU is stopped and the sensors 1a, 1b,... Or actuators 2a, 2b,.

  In addition, the configuration using the IOUs 5a, 5b, and 5c is desirably functionally connected, but the sensors 1a, 1b,... And the actuators 2a, 2b,. .. Is more effective for wire saving in that the length of the signal lines 6, 6,... In particular, the left part and the right part of the front part of the vehicle in FIG. 1 have a large number of devices such as sensors 1a, 1b,.

  FIG. 2 is a block diagram schematically showing the internal configuration of the ECU 3a and the GW 4 that constitute the in-vehicle control system of the first embodiment, and the connection of each device. Information such as measured values detected by the sensors from the sensors 1a, 1b,... And information indicating the control state from the actuators 2a, 2b,. The IOUs 5a, 5b, 5c periodically transmit data from the sensors 1a, 1b,... Or data from the actuators 2a, 2b,. The GW 4 also periodically transmits data such as measured values output from other sensors (not shown) to the CAN bus 7 via another CAN bus 7 (not shown in FIG. 2). As a result, the ECUs 3a, 3b that control the actuators 2a, 2b,... Can always acquire the latest data.

  The ECU 3a includes a control unit 30a, a storage unit 31a, and a communication unit 32a. Since the internal configuration of the ECUs 3b and 3c is the same as the internal configuration of the ECU 3a, detailed description thereof is omitted.

  A CPU (Central Processing Unit) is used for the control unit 30a. The storage unit 31a uses a nonvolatile memory such as a flash memory or an EEPROM (Electrically Erasable and Programmable Read Only Memory), and stores a control program 33a that is read and executed by the control unit 30a.

  The communication unit 32 a realizes communication via the CAN bus 7. That is, in the first embodiment, the communication unit 32a conforms to the CAN protocol and includes a CAN controller and a CAN transceiver. The control unit 30a can send and receive data to and from the other ECUs 3b, 3c, GW4 and IOUs 5a, 5b, 5c via the CAN bus 7 by the communication unit 32a. Each of the data transmitted / received via the CAN bus 7 is assigned a “CANID” (hereinafter simply referred to as an ID) corresponding to the contents of the data, and each ECU 3a, 3b, 3c is assigned to the data addressed to itself. The IDs stored in advance may be stored in the storage units 31a, 31b, 31c, etc., so that data other than the address for itself may not be received.

  Note that a part (controller) of the control unit 30a, the storage unit 31a, and the communication unit 32a in the ECU 3a may be configured as a microcomputer.

  Based on the control program 33a, the control unit 30a of the ECU 3a configured as described above receives data from the sensors 1a and 1d when the data is transmitted from the IOUs 5a and 5b, and performs calculation using the received data. Processing to be performed, processing to transmit data obtained by calculation results to the CAN bus 7 so as to be used by other ECUs 3b and 3c, or processing to transmit to the CAN bus 7 by the communication unit 32a to control the operation of the actuators 2a and 2b The processing as a control device constituting the in-vehicle control system is performed.

  In addition to the above-described processing, the control unit 30a of the ECU 3a transmits, to the GW 4, alternative processing data for enabling the alternative processing in the GW 4 when a failure occurs in itself. Specifically, the substitute processing data is a copy of the control program 33a, a simplified version of the control program 33a, or the like. It may contain a special reference table.

  Further, the control unit 30a periodically transmits information indicating its own operation status as data to the CAN bus 7 via the communication unit 32a. When an operation status inquiry message transmitted from the GW 4 is received, information indicating its own operation status may be transmitted as a response to the message.

  Moreover, ECU3a detects generation | occurrence | production of the failure in other ECU3b, 3c by the process of the control part 30a. When the ECUs 3a, 3b, and 3c detect the occurrence of a fault, the ECUs 3a, 3b, and 3c transmit a fault occurrence notification to the CAN bus 7 including information for identifying the ECU in which the fault has occurred. By transmitting the failure occurrence notification to the CAN bus 7, the occurrence of the failure can be recognized by the other ECUs 3c, GW4, and IOUs 5a, 5b, 5c.

  The failure detection may be detected by the IOUs 5a, 5b, and 5c. If the IOU 5a, 5b, 5c cannot receive control data to be periodically transmitted from any of the ECUs 3a, 3b, 3c to control the actuators 2a, 2b,. The transmission source ECU detects that a failure has occurred and notifies the other of the occurrence of the failure. When the data that should be periodically output from the sensors 1a, 1b,... Is not output, the IOUs 5a, 5b, 5c may detect that a failure has occurred in the sensor and notify the occurrence of the failure.

  In addition, the ECU 3a recovers by the self-diagnosis and self-repair functions when recovery is possible even if a failure occurs. Specifically, for example, the control unit 30a causes itself to input a reset signal when a runaway state occurs such that the CPU usage rate exceeds a predetermined ratio by executing one process. After the recovery, the control unit 30a of the ECU 3a executes processing as a control device constituting the in-vehicle control system based on the control program 33a as described above, and also resumes periodic transmission of information indicating the operation status.

  Regarding the restoration, the control unit 30a of the ECU 3a detects this when the other ECUs 3b and 3c are restored after a failure occurs. When the recovery is detected, the control unit 30a transmits a recovery notification to the CAN bus 7 including information for identifying the recovered ECU. By transmitting the recovery notification to the CAN bus 7, the other ECUs 3c, GW4, and IOUs 5a, 5b, 5c can recognize the recovery.

  The GW 4 includes a control unit 40, a storage unit 41, and a communication unit 42. The controller 40 uses a CPU. The storage unit 41 uses a memory such as a flash memory or an EEPROM, and executes an alternative process as a substitute for the ECUs 3a, 3b, and 3c as well as the control program 43 that the control unit 40 reads and executes to realize the gateway function. For this purpose, alternative processing control programs 44a, 44b, and 44c are stored. The data for executing the alternative process is not limited to the control program executed by the control unit 40, but may be a specific table, control data, or the like. The alternative processing control programs 44a, 44b, and 44c may be temporarily stored in a temporary storage unit using a DRAM (Dynamic Random Access Memory) or an SRAM (Static Random Access Memory) included in the GW 4.

  The communication unit 42 realizes communication according to the CAN protocol via the CAN bus 7. A CAN controller and a CAN transceiver are used. The control unit 40 can transmit and receive data to and from the ECUs 3a, 3b, 3c and the IOUs 5a, 5b, 5c via the CAN bus by the communication unit 42.

  The GW 4 is connected to a plurality of different CAN buses 7 and is received by the communication unit 42 based on the control program 43 stored in the storage unit 41 in order to relay data transmission / reception between the CAN buses 7 and 7. All possible data, that is, data transmitted to the CAN bus 7 is monitored. The GW 4 stores the correspondence between the data ID given to the received data, the necessity of relay, and the relay destination in the storage unit 41, and determines the necessity of relay of each data. In this case, a so-called gateway function is relayed.

  The control unit 40 of the GW 4 configured as described above stores, in the storage unit 41, the substitute processing data transmitted to realize the substitute processing from each ECU 3a, 3b, 3c in addition to the gateway function. Keep it. Specifically, for example, the control unit 40 receives a copy of each control program transmitted as substitute process data from each ECU 3a, 3b, 3c, and as shown in FIG. 2, the substitute process control program 44a. , 44b, 44c, respectively. The control unit 40 stores the correspondence between the information for identifying the ECUs 3a, 3b, and 3c that are the transmission source of the alternative process data and each alternative process data stored in the storage unit 41. When a failure occurs in any of the ECUs 3a, 3b, and 3c, the control unit 40 identifies the ECU, reads out the alternative process data based on the correspondence stored in the storage unit 41, and executes the alternative process.

  In addition to the gateway function, the control unit 40 of the GW 4 further detects the occurrence of a failure in any of the ECUs 3a, 3b, 3c. Specifically, the control unit 40 of the GW 4 receives information indicating the operation status periodically transmitted from the ECUs 3 a, 3 b, and 3 c at the communication unit 42. And the control part 40 recognizes the operation condition in each of ECU3a, 3b, 3c according to the presence or absence of reception, or the content of the operation condition which the received information shows, and judges whether the failure has generate | occur | produced.

  Furthermore, contrary to the detection of the occurrence of the failure, the control unit 40 detects the recovery after the failure has occurred in any of the ECUs 3a, 3b, 3c. The control unit 40 recognizes the operation status of the ECUs 3a, 3b, and 3c according to whether or not information indicating the operation status periodically transmitted from the ECUs 3a, 3b, and 3c is received or the content of the operation status indicated by the received information. Determine whether the fault has been recovered.

  Hereinafter, the execution process of the alternative process data transmission / reception process, the failure detection process, and the alternative process performed by the ECUs 3a, 3b, 3c, and the GW 4 will be described with reference to flowcharts.

  FIG. 3 is a flowchart illustrating an example of transmission / reception processing of alternative processing data by the ECUs 3a, 3b, 3c and GW 4 according to the first embodiment. In FIG. 3, the processing by the ECUs 3 b and 3 c is the same as the processing by the ECU 3 a, and thus illustration is omitted.

  The control unit 30a of the ECU 3a transmits substitute process data by the communication unit 32a in preparation for a case where a failure occurs in the ECU 3a (step S11). The timing at which the substitute processing data is transmitted by the ECU 3a is preferably the time when the physical connection relationship is established, such as when the ECU 3a is initialized, at the first start-up, or when the entire in-vehicle control system is inspected during the vehicle assembly process. .

  The control unit 40 of the GW 4 monitors the CAN bus 7 by the communication unit 42 and determines whether or not alternative processing data has been received (step S12). When it is determined that the alternative process data is not received (S12: NO), the control unit 40 returns the process to step S12 and waits until the alternative process data is received from the ECU 3a.

  When it is determined that the alternative process data has been received (S12: YES), the control unit 40 stores the received alternative process data in the storage unit 41 as the alternative process control program 44a (step S13). The control unit 40 stores the correspondence between the stored alternative process data and the ECU 3a that is the transmission source of the alternative process data (step S14). Note that the GW 4 is not necessarily required to receive and store alternative process data from all the ECUs 3a, 3b, 3c.

  Moreover, the control part 40 determines ECU (for example, ECU3a) which confirms the below-mentioned failure occurrence or recovery detection as an initial process, and registers the identification information of ECU (step S15).

  As described above, when the physical connection relationship of the in-vehicle control system is established, the alternative process data is received and stored from the ECUs 3a, 3b, and 3c, so that it is possible to cope with various system designs. It is possible to execute alternative processing at the time of occurrence. Of the processes shown in the flowchart of FIG. 3, the processes in steps S12 to S14 on the GW 4 side are always executed at regular intervals, and the ECUs 3a, 3b, and 3c are able to predict the occurrence of their own failures. It is good also as composition which performs processing of Step S11. In this case, it is not necessary to store a large number of alternative processing data (substitute processing control program in the present embodiment) in the storage unit 41 of the GW 4 in advance, and the storage capacity of the storage unit 41 can be saved.

  FIG. 4 is a flowchart illustrating an example of a processing procedure executed by the control unit 40 of the GW 4 according to the first embodiment.

  The control unit 40 executes a process that exhibits a normal gateway function (step S21), and periodically executes a failure occurrence detection process, which will be described later, during the normal process (step S22). Then, the control unit 40 determines whether or not a failure has been detected by the process (step S23). If the control unit 40 determines that no failure has been detected (S23: NO), it returns the process to step S21 and returns to the normal process.

  If the controller 40 determines that a failure has been detected by the failure detection process (S23: YES), the controller 40 identifies the ECU in which the failure has occurred (step S24), and is transmitted from the identified ECU and stored in the storage unit 41. The alternative processing data is read (step S25) and executed (step S26). At this time, the control unit 40 continues to execute normal processing that exhibits its gateway function.

  Next, the control unit 40 executes recovery detection processing of the ECU in which the failure has occurred (step S27), and determines whether failure recovery has been detected by the processing (step S28). When it is determined that failure recovery has not been detected (S28: NO), the control unit 40 returns the process to step S26 to continue execution of the alternative process data, and executes the recovery detection process.

  When it is determined that the failure recovery is detected by the recovery detection process (S28: YES), the control unit 40 stops the execution of the alternative process data corresponding to the ECU in which the failure is recovered (step S29), and ends the process.

  As a result, even if a failure occurs in the ECU 3a in the in-vehicle control system, the function of the in-vehicle control system is maintained because the GW 4 takes over the process executed by the ECU 3a. Since the data from the sensor 1a used by the ECU 3a for its own processing is transmitted to the CAN bus 7 via the IOU 5a, the GW 4 can still use it. Compared with a conventional configuration in which data from the sensor 1a cannot be acquired due to a failure in the ECU 3a and substitution processing cannot be performed sufficiently, the system functions can be maintained more reliably and reliability can be improved. Will improve.

  Here, when the control unit 40 of the GW 4 transmits the data transmitted by the ECU 3a to the CAN bus 7 by executing the replacement process of the ECU 3a, the ID given to the data is the ID for the replacement process. Is granted.

  FIG. 5 is an explanatory diagram showing an example of the contents of IDs given to data transmitted and received by the in-vehicle control system in the first embodiment. The ECUs 3a, 3b, 3c, the GW 4 and the IOUs 5a, 5b, 5c store the correspondence between data contents and IDs as shown in the explanatory diagram of FIG. 5, and identify each data.

  In FIG. 5, the data to which the ID “010” is assigned has the ECU 3a identified by “A” as the transmission source, for example, the transmission cycle is 20 msec, and the ID is “011” when the alternative process is executed. Is given and transmitted. Further, the data to which the ID “020” is assigned is sent from the ECU 3c identified by “C”, for example, the transmission cycle is 200 msec, but the ID “021” is assigned when the alternative process is executed. In addition, it is shown that the transmission cycle is 400 msec. As described above, in the case of executing the substitution process, it is allowed that the accuracy of the transmitted data is reduced from 16 bits to 8 bits, the transmission cycle is extended, and the like.

  In the example of contents shown in FIG. 5, the ID given to the data that is the transmission source of the ECU 3b identified by “B” is “100”, and is used for an alternative process when a failure occurs in the ECU 3b. It is indicated that the ID is “101”. For example, the control unit 30a of the ECU 3a that uses data transmitted from the ECU 3b receives data whose ID is “100”. If the data with ID “101” is transmitted to the CAN bus 7 after the failure occurs in the ECU 3b and the data with ID “100” cannot be received, the control unit 30a uses this as an alternative process. Recognize that the data is transmitted by execution, and receive and use it. When the failure of the ECU 3b is recovered later, and the ECU 3b starts transmitting data whose ID is “100” by its own process again, the control unit 30a of the ECU 3a transmits the data whose ID is “100” from the CAN bus 7. The data received by the communication unit 32a and detected that the ECU 3b has recovered, and thereafter, the data with the ID “101” transmitted by the substitute process is not used.

  In this way, by making it possible to identify the normal ID and the substitute processing ID, the ECUs 3a, 3b, 3c, GW4 and IOUs 5a, 5b, 5c using the respective data recognize the occurrence and recovery of the failure by themselves. It is possible to respond to failures and recovery throughout the entire system in a coordinated manner.

  Next, details of the failure detection process and the recovery detection process will be described. FIG. 6 is a flowchart illustrating an example of a procedure of failure detection processing by the GW 4 according to the first embodiment. The processing procedure shown in the flowchart of FIG. 6 corresponds to the details of the failure occurrence detection process of step S22 shown in the flowchart of FIG. In the following description, the process of the ECU 3a is described as an example of the notification process on the ECU 3a, 3b, 3c side, but the process of the ECU 3b, 3c is also the same, and thus detailed description thereof is omitted.

  The control unit 30a of the ECU 3a performs normal processing (step S31). As described above, the control unit 30a periodically acquires information indicating the operation status at a constant period and transmits the information as data by the communication unit 32a (step S31). S32). At this time, the information indicating the operation status is the usage rate of each resource such as CPU, memory, and communication. You may include free memory space.

  And the control part 30a of ECU3a judges whether the failure was detected in other ECU3b, 3c (step S33). The control unit 30a can detect a failure of the other ECUs 3b and 3c based on data transmitted and received by the communication unit 32a. For example, when using data that is obtained by calculation in the ECU 3b and periodically transmitted to the CAN bus 7, the ECU 3a detects that a failure has occurred in the ECU 3b when the data is not transmitted from the ECU 3b. In addition, the control unit 30a may detect that a failure has occurred when the numerical information included in the data is outside the predetermined normal range, or the numerical information outside the normal range is continuously N times or more a predetermined number of times. For the first time, a failure may be detected.

  When it is determined that the failure of the other ECUs 3b and 3c is not detected (S33: NO), the control unit 30a of the ECU 3a returns the process to step S31 and continues to execute the normal process. Repeat transmission of information indicating the situation. When it is determined that a failure has been detected (S33: YES), the control unit 30a notifies the other of the occurrence of the failure (step S34). Specifically, the control unit 30a identifies the ECU (for example, ECU 3b) in which the failure has occurred, and includes the identification information of the identified ECU 3b and the data to which the failure occurrence notification ID is assigned by the communication unit 32a. 7 to send. Thereby, GW4, other ECU3c, and IOU5a, 5b, 5c can recognize a failure generation.

  On the other hand, the control part 40 of GW4 receives the information which shows the operation condition which should be regularly transmitted from ECU3a, 3b, 3c by the communication part 41 (step S41). The control unit 40 determines whether or not a failure has occurred in any of the ECUs 3a, 3b, and 3c based on the received information (step S42). Specifically, when the control unit 40 cannot receive information indicating an operation state to be periodically transmitted from a certain ECU beyond a time corresponding to a predetermined period, it is determined that a failure has occurred in the ECU. to decide. Further, the control unit 40 may determine that a failure has occurred based on the information indicating the operation status of each of the ECUs 3a, 3b, and 3c when the usage rate of the CPU is equal to or higher than a predetermined ratio, It may be determined that a failure has occurred when the free area is less than a predetermined value.

  If the control unit 40 determines that a failure has occurred in step S42 (S42: YES), the control unit 40 does not determine only by the determination of the control unit 40, but the failure occurrence determined by the initial processing shown in the flowchart of FIG. The detection ECU is inquired whether or not it is recognized that a failure has occurred (step S43). The control unit 40 determines whether or not there is a response from the ECU (step S44). If it is determined that there is no response (S44: NO), the process returns to step S44 and waits until there is a response. At this time, if there is no response even if the upper limit of the predetermined waiting time is exceeded, the process is terminated. At this time, the failure detection ECU can determine that a failure has occurred. In addition, an upper limit is set for the number of times the response is determined, and the control unit 40 ends the process when the upper limit is exceeded. Also at this time, the failure detection ECU determines that a failure has occurred.

  When it is determined that there is a response (S44: YES), the control unit 40 determines whether or not the occurrence of the failure is confirmed by the failure detection ECU based on the content of the response (step S45). If the occurrence of a failure has not been confirmed (S45: NO), the control unit 40 ends the failure occurrence detection process and returns the process to step S22 in the flowchart of FIG. At this time, the occurrence of a failure is detected by the determination of the GW 4, but the state is indeterminate. Until the ECU 3a, 3b, 3c including the ECU for detecting the occurrence of a failure is determined to have been confirmed to have a failure by the processing described later, the determination becomes uncertain.

  If it is determined in step S45 that the failure has been confirmed by the failure detection ECU (S45: YES), the control unit 40 determines the failure (step S46) and ends the failure detection process. Then, the process returns to step S22 in the flowchart of FIG. At this time, since the failure has been confirmed, it is determined in step S22 that a failure has occurred.

  Further, the control unit 40 may detect the occurrence of a failure by receiving a failure occurrence notification transmitted from each of the ECUs 3a, 3b, 3c or the IOUs 5a, 5b, 5c. Accordingly, in step S42, if the control unit 40 determines from the received information indicating the operation status that no failure has occurred (S42: NO), whether or not a plurality of failure occurrence notifications have been received from other devices. Is determined (step S47). When it is determined that the failure occurrence notification is not received from a plurality (S47: NO), the control unit 40 ends the failure occurrence detection process as it is, and returns the process to step S23 of the flowchart of FIG.

  If the controller 40 determines that a plurality of failure notifications have been received (S47: YES), the failure occurrence is confirmed (S46), the failure detection process is terminated, and the process proceeds to step S23 in the flowchart of FIG. Return to.

  Note that the processing in step S47 is configured to determine whether or not a plurality of failure occurrence notifications have been received in order to improve the certainty. However, if even one failure occurrence notification is received from the outside, a failure has occurred. May be determined. Further, when at least one failure occurrence notification is received from the outside (S47: YES), the failure occurrence is temporarily stored, the failure occurrence detection process is executed again, and the operation status from each ECU 3a, 3b, 3c. The occurrence of a failure may be confirmed based on the information indicating the above. If the failure can be confirmed at this time, the processing of steps S43 to S45 may be skipped to confirm the occurrence of the failure (S46).

  FIG. 7 is a flowchart illustrating an example of a procedure of recovery detection processing by the GW 4 according to the first embodiment. The processing procedure shown in the flowchart of FIG. 7 corresponds to the details of the recovery detection process in step S27 shown in the flowchart of FIG. In the following description, the process of the ECU 3a is described as an example of the notification process on the ECU 3a, 3b, 3c side, but the process of the ECU 3b, 3c is also the same, and thus detailed description thereof is omitted.

  The control unit 30a of the ECU 3a performs its own normal operation (step S51), and transmits information indicating its own operation status by the communication unit 32a at a constant cycle (step S52). This is the same as step S31 in the flowchart of FIG.

  Then, the control unit 30a determines whether or not the failure has been recovered in the other ECUs 3b and 3c (step S53). The control unit 30a detects that the failure of the ECU 3b has been restored when the data that has been stopped from being transmitted from the ECU 3b is transmitted again to the CAN bus 7 and is successfully received by the communication unit 32a. The control unit 30a may detect that the failure has been restored when the numerical information included in the data is within a predetermined normal range, and the numerical information within the normal range a predetermined number of times N or more. It may be detected that the failure has been recovered only when the error is obtained.

  When it is determined that the recovery of the other ECUs 3b and 3c is not detected (S53: NO), the control unit 30a returns the process to step S51 and continues to execute the normal process. The information indicating is transmitted. When it is determined that the recovery has been detected (S53: YES), the control unit 30a notifies the other of the recovery of the failure (step S54). Specifically, data including an ID for failure recovery notification including identification information of the recovered ECU 3b is transmitted to the CAN bus 7 by the communication unit 32a. Thereby, GW4, other ECU3c, and IOU5a, 5b, 5c can recognize failure recovery.

  On the other hand, the control part 40 of GW4 receives the information which shows the operation condition which should be regularly transmitted from ECU3a, 3b, 3c by the communication part 41 (step S61, the process similar to S41). The control unit 40 determines whether or not the ECU in which the failure has occurred is restored based on the received information (step S62). Specifically, when the reception of the information indicating the operation status from the ECU in which the failure has occurred is resumed, the control unit 40 determines that the failure in the ECU has been recovered. Further, the control unit 40 may determine that the failure has been recovered when the CPU usage rate is less than a predetermined ratio based on the information indicating the operation status of each of the ECUs 3a, 3b, and 3c. If the area is equal to or greater than a predetermined value, it may be determined that the failure has been recovered.

  When the control unit 40 determines that the failure has been recovered in step S62 (S62: YES), the failure occurrence determined in the initial process shown in the flowchart of FIG. The detection ECU is inquired whether or not it is recognized that the failure has been recovered (step S63). The control unit 40 determines whether or not there is a response from the ECU (step S64). If it determines that there is no response (S64: NO), it returns the process to step S64 and waits until there is a response. At this time, if there is no response even if the upper limit of the predetermined standby time is exceeded, the recovery detection process is terminated. At this time, it is possible to determine that a failure has occurred in the failure detection ECU and that the failure has not been recovered. In addition, an upper limit is set for the number of times the response is determined, and the control unit 40 ends the process when the upper limit is exceeded. Also at this time, the failure detection ECU determines that a failure has not occurred and has not been recovered.

  When determining that there is a response (S64: YES), the control unit 40 determines whether or not failure recovery has been confirmed by the failure detection ECU based on the content of the response (step S65). When the failure recovery is not confirmed (S65: NO), the control unit 40 ends the recovery detection process and returns the process to step S28 in the flowchart of FIG. At this time, the recovery is detected by the determination of the GW 4, but the state is indeterminate. Until the ECU 3a, 3b, 3c including the ECU for detecting the occurrence of failure is determined to have been confirmed to be recovered by the processing described later, the determination becomes uncertain.

  If the controller 40 determines in step S65 that failure recovery has been confirmed by the failure detection ECU (S65: YES), the controller 40 determines failure recovery (step S66), and ends the recovery detection process. The process returns to step S28 in the flowchart of FIG. At this time, since failure recovery has been confirmed, it is determined in step S28 that the failure has been recovered.

  Furthermore, the control unit 40 may detect failure recovery by receiving a failure recovery notification transmitted from each of the ECUs 3a, 3b, 3c or the IOUs 5a, 5b, 5c. Accordingly, in step S62, when the control unit 40 determines from the received information indicating the operation status that the failure has not been recovered (S62: NO), whether or not a plurality of failure recovery notifications have been received from other devices. Is determined (step S67). If the control unit 40 determines that a plurality of failure recovery notifications have not been received (S67: NO), it ends the recovery detection process as it is, and returns the process to step S28 in the flowchart of FIG.

  If the controller 40 determines that a plurality of failure recovery notifications have been received (S67: YES), the failure recovery is confirmed (S66), the recovery detection process is terminated, and the process proceeds to step S28 in the flowchart of FIG. return.

  The processing in step S67 is configured to determine whether or not a plurality of failure recovery notifications have been received in order to improve the certainty. However, if at least one failure recovery notification is received from the outside, the failure recovery is performed. It is good also as a structure to confirm. Further, when at least one failure recovery notification is received from the outside (S67: YES), the failure recovery is temporarily stored, the recovery detection process is executed again, and the operation status from each ECU 3a, 3b, 3c is displayed. A configuration may be adopted in which failure recovery is confirmed based on the information shown, and if it can be confirmed at this time, the processing of steps S63 to S65 is skipped to confirm failure recovery (S66).

  As described above, when the control unit 40 of the GW 4 detects the occurrence of a failure by its own processing, or detects the failure recovery, it is confirmed whether the ECU identified as the failure occurrence detection ECU recognizes the failure. Or, when a notification is received from other ECUs 3a, 3b, 3c, IOUs 5a, 5b, 5c, etc., it is determined that a failure has occurred and that the failure has been recovered. As a result, the possibility of erroneously detecting the occurrence of a failure or failure recovery can be reduced, and the reliability can be further improved.

  In the first embodiment, the failure occurrence detection process and the recovery detection process include the confirmation process as described above. However, the present invention is not limited to this, and steps S43 to S47 and steps S63 to S63 are included. The process of S67 may be omitted, and the control unit 40 of the GW 4 may be configured to detect occurrence of a failure or failure recovery based solely on the operation status.

(Embodiment 2)
In the first embodiment, the alternative process is executed by the GW 4. On the other hand, in the second embodiment, when the GW 4 detects the occurrence of a failure, the GW 4 identifies a device having a relatively light processing load among the devices other than the ECU in which the failure has occurred, including itself. The configuration is such that an alternative process is executed.

  The hardware configuration of the in-vehicle control system in the second embodiment is the same as the configuration in the first embodiment, and the procedure of the alternative process of the GW 4 is different. Therefore, the same reference numerals are given to the same components as those in the first embodiment, and detailed description thereof will be omitted, and different alternative processing procedures will be described below.

  FIG. 8 is a flowchart illustrating an example of a processing procedure executed by the control unit 40 of the GW 4 and any of the ECUs 3a, 3b, and 3c in the second embodiment. Of the processing procedures shown in the flowchart of FIG. 8, the steps common to the processing procedure shown in the flowchart of FIG. 4 in the first embodiment are denoted by the same step numbers and detailed description thereof is omitted.

  When the control unit 40 of the GW 4 determines that a failure has occurred (S23: YES), when the ECU (for example, the ECU 3b) in which the failure has occurred is identified (S24), an operation periodically transmitted from each ECU 3a, 3c. Based on the information indicating the situation, the operation statuses of the ECUs 3a and 3c and themselves are compared (step S71). Based on the comparison, the control unit 40 identifies a device having a resource usage rate lower than the others as a device that executes the substitute process (step S72). Specifically, the control unit 40 identifies a device having the lowest CPU usage rate or a device having the largest free memory capacity as a device for executing the substitute process. The control unit 40 reads the substitute process data of the ECU in which the failure identified in step S24 has occurred (S25), and transmits it to the device identified in step S72 (step S73).

  Note that if the control unit 40 determines that the failure has been recovered (S28: YES), the control unit 40 instructs the apparatus identified in step S72 to stop the execution of the substitute process data (step S74).

  In any of the ECUs 3a and 3c identified as devices that execute the substitute process (hereinafter, described as the ECU 3a), the control unit 30a receives the substitute process data transmitted from the GW 4 by the communication unit 32a (step S75). The data is stored in a temporary storage unit such as DRAM or SRAM (not shown) (step S76) and executed (step S77).

  The control unit 30a of the ECU 3a specified as the device that executes the substitute process has received a stop instruction from the GW 4, or has detected the recovery of the ECU 3b in which a failure has occurred due to its own detection process. Is determined (step S78). If the control unit 30a does not receive the stop instruction and determines that the recovery is not detected (S78: NO), the control unit 30a returns the process to step S77 and continues the execution of the alternative process data. At this time, the control unit 30a continues to execute its normal processing. When the control unit 30a receives a stop instruction or determines that recovery has been detected (S78: YES), the control unit 30a stops the execution of the alternative process data (step S79), and stores the alternative process data stored in the temporary storage unit. Erasing is performed (step S80), and the process is terminated.

  In the second embodiment, when the ECU 3a executes an alternative process of the ECU 3b, the data transmitted from the IOUs 5a, 5b, and 5c to the ECU 3b must be changed so as to be received by the ECU 3a. At this time, the IOUs 5a, 5b, and 5c transmit data to the CAN bus 7 in the same manner as before the occurrence of the failure, and the ECU 3a receives and stores a list of IDs of data that should be received together with the substitute processing data. Receive. Further, when the IOUs 5a, 5b, and 5c transmit data by explicitly indicating the data destination with an ID, the IOUs 5a, 5b, and 5c receive a notification from the GW 4, or a failure occurs in their own processing. And detecting the occurrence of a failure by recognizing that the destination should be changed in order for the substitution process to be executed when a failure occurs. Alternatively, the data may be transmitted to a device that executes the alternative process.

  As shown in the second embodiment, when a failure occurs, a device whose operating hardware resource usage rate is lower than that of other devices is executed to perform substitution processing, thereby maintaining the functions of the entire system and improving reliability. In addition, the processing load of the entire system can be made uniform and efficient.

(Embodiment 3)
In the first embodiment, the IOUs 5a, 5b, 5c to which the devices such as the sensors 1a, 1b,... And the actuators 2a, 2b,... Are connected are the same network via the CAN bus 7 to which the ECUs 3a, 3b, 3c are connected. It was set as the structure connected in. In contrast, in the third embodiment, the network to which IOUs 5a, 5b, 5c are connected and the network to which the ECUs 3a, 3b, 3c are connected are separated.

  The in-vehicle control system according to the third embodiment includes devices such as sensors 1a, 1b,... And actuators 2a, 2b,. The internal configurations of the GW 4 and the GW 4 are the same as those in the first embodiment. Therefore, the same reference numerals are assigned to common components, and detailed description thereof is omitted.

  FIG. 9 shows a connection configuration of each device, such as sensors 1a, 1b,... And actuators 2a, 2b,. FIG.

  As shown in FIG. 9, in the in-vehicle control system according to the third embodiment, various sensors 1a, 1b,... And actuators 2a, 2b, ... are connected to IOUs 5a, 5b, 5c by signal lines 6, 6,. ing. The IOUs 5a, 5b, and 5c are connected to the GW 4 via the first network 8. A second network 9 different from the first network 8 is connected to the GW 4, and the ECUs 3 a, 3 b, 3 c are configured to transmit and receive data to and from each other via the second network 9.

  The communication protocols of the first network 8 and the second network 9 are not limited. The first network 8 may be configured such that the IOUs 5a, 5b, and 5c can transmit and receive data to each other through multiplexed communication, or each of the IOUs 5a, 5b, and 5c is individually connected to the GW 4 and has one-to-one data. May be configured to transmit and receive. The first network 8 and the second network 9 may have the same communication protocol.

  Like the first embodiment, the sensors 1a, 1b,... And the actuators 2a, 2b,... May be configured to be able to communicate with the IOUs 5a, 5b, 5c, respectively, by LIN.

  Alternative processing data transmission / reception processing by the ECUs 3a, 3b, 3c and the GW 4, the execution procedure of the alternative processing, the failure detection processing by the GW 4, and the recovery detection processing are also configured to include two different networks 8 and 9 as in the third embodiment. This can be realized by each processing procedure shown in the flowcharts of FIGS. In the third embodiment, it is difficult for the IOUs 5a, 5b, and 5c to detect the occurrence and recovery of failures in the ECUs 3a, 3b, and 3c by themselves. However, since the GW 4 always relays, when the IOUs 5a, 5b, and 5c specify the destination and send data to any of the ECUs 3a, 3b, and 3c, the GW 4 does not recognize the occurrence or recovery of the failure. The control unit 40 may be used as it is in order to perform substitution processing. Also, in the case of a configuration in which substitution processing is executed by any of the ECUs 3a, 3b, and 3c having sufficient resources, the control unit 40 of the GW 4 identifies a device that is executing the substitution processing and specifies a data destination. The alternative process is executed without any problem by relaying the change. During the execution of the substitute process, when the data is transmitted from the GW 4 to the IOUs 5a, 5b, and 5c, the substitute process ID is transmitted and the substitute process is executed in the IOUs 5a, 5b, and 5c. It is possible to recognize that.

  As described above, in the third embodiment, the IOUs 5a, 5b, and 5c are connected to the two different networks 8 and 9, respectively, so that the IOUs 5a, 5b, and 5c are faulty in the ECUs 3a, 3b, and 3c. The process can be executed regardless of whether or not the error occurs. The IOUs 5a, 5b, and 5c do not need to specify data transmission / reception destinations in particular, and the processing load on the IOUs 5a, 5b, and 5c can be reduced.

  In the first to third embodiments, the ECUs 3a, 3b, 3c, the GW 4 and the IOUs 5a, 5b, 5c are configured to be connected to a network such as a CAN bus 7. However, equivalent inventions such as failure detection processing and substitution processing can be realized not only by wired communication via a communication line but also by wireless communication.

  The disclosed embodiments should be considered as illustrative in all points and not restrictive. The scope of the present invention is defined by the terms of the claims, rather than the description above, and is intended to include any modifications within the scope and meaning equivalent to the terms of the claims.

1a, 1b, 1c, 1d, 1e, 1f, 1g, 1h Sensor (device)
2a, 2b, 2c, 2d Actuator (equipment)
3a, 3b, 3c ECU (control device, failure detection means, alternative process execution means)
31a, 31b, 31c Storage unit 4 GW (relay device, failure detection means, alternative process execution means)
41 Storage unit (storage means)
44a, 44b, 44c Alternative processing control program (alternative processing data)
5a, 5b, 5c IOU (input / output device)
7 CAN bus (communication line)
8 First network (first communication line)
9 Second network (second communication line)

Claims (13)

A plurality of devices that input / output data, one or a plurality of input / output devices that are connected to the plurality of devices and that transmit / receive data that each device inputs / outputs, and a communication line to which the input / output devices are connected The data from each device connected to the communication line and transmitted from the input / output device is used, or the data transmitted from the other device is used to transmit the data via the input / output device. A control system including a plurality of control devices that execute control processing to control the operation of the device by giving to
A failure detection means for detecting a failure that cannot be executed by any one of the plurality of control devices;
When the failure detection means detects the occurrence of a failure, the failure detection means comprises an alternative process execution means for performing an alternative execution of the control process in the control device where the failure has occurred ,
The plurality of control devices are respectively
Means for detecting the occurrence of a fault in another control device;
Means for outputting a fault occurrence notification to a communication line when the occurrence of a fault is detected by the means;
With
When the failure detection means does not detect the occurrence of a failure, when the failure occurrence notification is received from at least one control device among the plurality of control devices, the alternative process execution means is the control device in which the failure has occurred. The control process should be executed as an alternative.
Control system according to claim. A plurality of devices that input and output data are connected to the plurality of devices, and one or more input / output devices that transmit and receive data input from each device are connected to the one or more input / output devices. Data for controlling the operation of the device using data received from one of the first communication line and any of the plurality of devices or using data transmitted from another device. A control system including a plurality of control devices for transmission, a second communication line to which the plurality of control devices are connected, and a relay device for relaying data transmission / reception between the first and second communication lines Because
A failure detection means for detecting a failure that cannot be executed by any one of the plurality of control devices;
When the failure detection means detects the occurrence of a failure, the failure detection means comprises an alternative process execution means for performing an alternative execution of the control process in the control device where the failure has occurred ,
The plurality of control devices are respectively
Means for detecting the occurrence of a fault in another control device;
Means for outputting a fault occurrence notification to a communication line when the occurrence of a fault is detected by the means;
With
When the failure detection means does not detect the occurrence of a failure, when the failure occurrence notification is received from at least one control device among the plurality of control devices, the alternative process execution means is the control device in which the failure has occurred. The control process should be executed as an alternative.
Control system according to claim.   The failure detection means includes
  When the occurrence of a failure is detected, a failure occurrence is inquired to the control device in which the failure has been detected, the failure has been confirmed by a response from the control device, and the failure occurrence has not been detected. When a failure notification is received from at least one control device among a plurality of control devices, it is determined that a failure has occurred.
  The control system according to claim 1 or 2.   A plurality of devices that input / output data, one or a plurality of input / output devices that are connected to the plurality of devices and that transmit / receive data that each device inputs / outputs, and a communication line to which the input / output devices are connected The data from each device connected to the communication line and transmitted from the input / output device is used, or the data transmitted from the other device is used to transmit the data via the input / output device. A control system including a plurality of control devices that execute control processing to control the operation of the device by giving to
  A failure detection means for detecting a failure that cannot be executed by any one of the plurality of control devices;
  If the failure detection means detects the occurrence of a failure, an alternative process execution means for executing a substitute control process in the control device in which the failure has occurred;
  Recovery detection means for detecting recovery of control processing by the control device in which the failure occurred;
  With
  When the recovery detection unit detects recovery, the alternative process execution unit stops the alternative process,
  The plurality of control devices are respectively
  Means for detecting the recovery of a failure that occurred in another control device;
  Means for outputting a failure recovery notification to the communication line when recovery is detected by the means;
With
  When the recovery detection unit has not detected the recovery of the failure, the replacement process execution unit stops the replacement process when a failure recovery notification is received from at least one of the plurality of control devices. There is
  Control system characterized by. A plurality of devices that input and output data are connected to the plurality of devices, and one or more input / output devices that transmit and receive data input from each device are connected to the one or more input / output devices. Data for controlling the operation of the device using data received from one of the first communication line and any of the plurality of devices or using data transmitted from another device. A control system including a plurality of control devices for transmission, a second communication line to which the plurality of control devices are connected, and a relay device for relaying data transmission / reception between the first and second communication lines Because
A failure detection means for detecting a failure that cannot be executed by any one of the plurality of control devices;
If the failure detection means detects the occurrence of a failure, an alternative process execution means for executing a substitute control process in the control device in which the failure has occurred;
A recovery detection means for detecting recovery of control processing by the control device in which a failure has occurred ,
When the recovery detection unit detects recovery, the alternative process execution unit stops the alternative process,
The plurality of control devices are respectively
Means for detecting the recovery of a failure that occurred in another control device;
Means for outputting a failure recovery notification to the communication line when recovery is detected by the means;
With
When the recovery detection unit has not detected the recovery of the failure, the replacement process execution unit stops the replacement process when a failure recovery notification is received from at least one of the plurality of control devices. There is
Control system characterized by.   The recovery detection means includes
  When failure recovery is detected, a failure recovery inquiry is made to the control device in which failure recovery is detected, the failure is confirmed by a response from the control device, and failure recovery is not detected When a failure recovery notification is received from at least one control device among a plurality of control devices, it is determined that the failure has been recovered.
  6. The control system according to claim 4 or 5, wherein: The plurality of control devices comprise means for transmitting in advance alternative processing data that enables alternative processing in the event of a failure in itself to the alternative processing execution means,
The alternative process execution means includes:
Comprising means for recording the alternative processing data transmitted from each control device in the recording means;
When the failure detection unit detects the occurrence of a failure, the control device in which the failure has occurred is specified, and the replacement processing data transmitted from the specified control device is read from the recording unit and the replacement processing is executed. The control system according to claim 1, wherein: The data from each device and the data given to the device are given identification information for identifying the data and are transmitted and received through the communication line.
The alternative process execution means, when transmitting data to the communication line by the control process, adds identification information indicating that the data is based on an alternative process different from the original identification information and transmits the data to the communication line. control system according to any one of claims 1 to 7, characterized in that. Each of the plurality of control devices is configured to periodically transmit information indicating its own operation status to the communication line,
It said failure detection means, the control system according to any one of claims 1 to 8 based on the information indicating the operation status sent from the control device, and wherein the that is configured to detect a failure. The failure detection means includes
Means for sending an inquiry of the operating status to each control device;
Means for receiving responses to inquiries, and
The control system according to any one of claims 1 to 8 , wherein a failure occurrence is detected based on a response from each control device. When the failure detection means detects a failure occurrence, a means for identifying a control device having a lower usage rate of hardware resources than other control devices based on a comparison of the operation status of each control device;
The control system according to claim 9 or 10 , further comprising: means for operating the control device specified by the means as the alternative process execution means. The control system according to claim 2 , wherein the substitute processing execution unit is included in the relay device. The control system according to claim 2 , wherein the failure detection unit is included in the relay device.

Images