JP5533789B2 - In-vehicle electronic control unit - Google Patents

Description

  The present invention relates to an in-vehicle electronic control device equipped with a plurality of cores.

  Conventionally, as an electronic control device mounted on an automobile (vehicle), a multi-core system having a plurality of cores has been adopted, and the control with the highest priority (hereinafter referred to as the highest priority control) is assigned to one core (hereinafter referred to as the highest priority). And a control having a lower priority than the highest priority control (hereinafter referred to as low priority control) is assigned to a core other than the highest priority core.

  In such an electronic control device having a multi-core configuration, a core for monitoring whether or not an abnormality has occurred in the highest priority control allocation core (hereinafter referred to as a monitoring core) is provided. The low priority assigned to the core set in the abnormal state for cores set in advance (hereinafter referred to as the abnormal set core) among the cores other than the highest priority control assigned core when the monitoring core detects There is known one in which the execution of control is stopped and the highest priority control is executed instead (see, for example, Patent Document 1). This makes it possible to continuously execute the highest priority control.

JP 2008-305317 A

  However, in the technique described in Patent Document 1, in order to cause the above-described abnormal-time setting core that has been executing the low-priority control to execute the highest-priority control, the abnormal-time setting core is temporarily restarted. Need to be initialized. For this reason, there has been a problem that the highest priority control cannot be executed until the restart of the abnormal setting core is completed.

  The present invention has been made in view of these problems, and an object of the present invention is to provide a technique capable of shortening a high-priority control interruption period in a multi-core electronic vehicle control apparatus.

  The vehicle-mounted electronic control device according to claim 1, which has been made to achieve the above object, includes a plurality of cores, and among the plurality of cores, a priority is high in a control process executed by the vehicle-mounted electronic control device. A core that executes an important process that is a process set in advance as a process is a main core, and a core that executes a normal process that is a process set in advance as a process having a lower priority than the important process among a plurality of cores is a sub-core. And the sub-core operates one or more first sub-schedulers and one or more second sub-schedulers that manage processing executed by the sub-core, and a main scheduler that manages the first sub-scheduler and the second sub-scheduler. The main scheduler is necessary for the sub-core to execute the process when there is no abnormality in the main core. Resources are allocated to the first sub-scheduler, and resources are not allocated to the second sub-scheduler, thereby causing the first sub-scheduler to execute normal processing and stopping the second sub-scheduler. When an abnormality occurs, the first sub-scheduler and the second sub-scheduler allocate resources to cause the first sub-scheduler to execute normal processing and the second sub-scheduler to execute important processing. To do.

  In the in-vehicle electronic control device configured as described above, when an abnormality occurs in the main core, when no abnormality occurs in the main core, the resource is not allocated and the second sub-scheduler is stopped. By assigning resources, it is possible to cause the second sub-scheduler to execute important processing. That is, the sub-core can execute the important process without restarting the sub-core after the abnormality occurs in the main core. The time required to change the resource in the core is shorter than the time required to restart the core. For this reason, when an abnormality occurs in the main core that executes the important process, the interruption period until the sub-core starts executing the important process in place of the main core can be shortened.

  The on-vehicle electronic control device according to claim 1, further comprising a plurality of sub-cores, wherein each of the plurality of sub-cores executes different normal processing by the first sub-scheduler, and performs different processing among the divided important processing. When the important process is executed by the second sub-scheduler and includes a plurality of vehicle control processes for controlling the vehicle, the important process includes a plurality of vehicle control processes. Among them, it is preferable to divide the processing so that the processing that may cause inconvenience in the vehicle control when the processing order is changed is executed in the same sub-core.

  According to the vehicle-mounted electronic control device configured as described above, when the processing order is changed, the processing order is changed by executing a plurality of processes that may cause inconvenience in vehicle control by different sub-cores. Therefore, it is possible to suppress the occurrence of inconvenience in vehicle control.

  Further, in the on-vehicle electronic control device according to claim 1 or 2, as described in claim 3, the main scheduler is configured such that the second sub-scheduler executes processing in preference to the first sub-scheduler. It is good to manage.

  In the vehicle-mounted electronic control device configured as described above, when an abnormality occurs in the main core, the second sub-scheduler that executes the important process has priority over the first sub-scheduler that executes the normal process. In other words, even when an abnormality occurs in the main core, the important process executed by the main core can be executed in the sub-core with priority over the normal process. As a result, it is possible to prevent the occurrence of a situation in which the important process is reduced because the normal process is executed with priority, and the important process cannot be executed.

  Further, in the on-vehicle electronic control device according to any one of claims 1 to 3, as described in claim 4, the sub-core has an abnormality determination preset for abnormality determination from the main core. An abnormality determination means may be provided for determining whether or not an abnormality has occurred in the main core based on the abnormality determination signal.

  According to the on-vehicle electronic control device configured as described above, since the sub-core has a function of detecting the abnormality of the main core, it is not necessary to separately provide a core for detecting the abnormality of the main core.

  Further, in the on-vehicle electronic control device according to any one of claims 1 to 4, as described in claim 5, an important process program for executing an important process and a normal process are executed. The main core and sub-core are configured to be able to execute processing by accessing the memory and acquiring the program, and the memory management means has an abnormality in the main core. If the sub-core does not occur, the sub-core cannot access the critical processing program, and if the main core fails, the sub-core can access the critical processing program. It is good to do so.

  According to the on-vehicle electronic control device configured as described above, in the sub-core that needs to be able to access the important processing program when an abnormality occurs in the main core, the important processing is erroneously performed when no abnormality occurs in the main core. It is possible to prevent a situation in which an important process is executed by accessing the program.

2 is a block diagram showing a configuration of an ECU 1. FIG. It is a block diagram explaining operation | movement of the cores 21, 22, and 23 at the time of normal operation | movement of ECU1 of 1st Embodiment. It is a figure explaining the management method of RAM13 by MMU14. It is a flowchart which shows the execution state of the alternative process at the time of abnormality of 1st Embodiment. It is a block diagram explaining operation | movement of the cores 21, 22, and 23 at the time of abnormality of the core 21 of 1st Embodiment. It is a figure which shows the content and distribution of an important process. It is a block diagram explaining operation | movement of the cores 21, 22, and 23 at the time of normal operation | movement of ECU1 of 2nd Embodiment. It is a flowchart which shows the execution state of the alternative process at the time of abnormality of 2nd Embodiment. It is a timing chart which shows distribution of important processing of a 2nd embodiment. It is a flowchart which shows the execution state of the alternative process at the time of abnormality of 3rd Embodiment. It is a figure which shows the content of the normal process of the 2nd core 22, distribution of the important process and normal process of 3rd Embodiment.

(First embodiment)
A first embodiment of the present invention will be described below with reference to the drawings.
FIG. 1 is a block diagram showing a configuration of an electronic control device (hereinafter referred to as ECU) 1 of the present embodiment.

The ECU 1 is mounted on a vehicle and includes a microcomputer (microcomputer) 3, an input circuit 4, and an output circuit 5, as shown in FIG.
Among these, the microcomputer 3 includes a crank signal from the crankshaft sensor, a cylinder discrimination signal from the camshaft sensor, various other sensor signals from a water temperature sensor, a throttle opening sensor, and the like, and a shift position switch and an air conditioner switch of the transmission. And the like, the fuel injection control that takes in the various switch signals from the input circuit 4 through the input circuit 4 and outputs the drive signal to the injector through the output circuit 5 and the drive to the ignition device through the output circuit 5 Engine control such as ignition timing control that outputs a signal is performed.

  The microcomputer 3 includes a CPU 11, a ROM 12, a RAM 13, a memory management unit (hereinafter referred to as “MMU”) 14, an I / O 15, a bus line connecting these components, and the like, and is based on a program stored in the ROM 12 and the RAM 13. Various processes for controlling the engine are executed.

  Further, the CPU 11 includes CPU cores (hereinafter simply referred to as cores) 21, 22 and 23. Hereinafter, the core 21, the core 22, and the core 23 are also referred to as a first core 21, a second core 22, and a third core 23, respectively. And between the 1st core 21 and the 2nd core 22, and between the 1st core 21 and the 3rd core 23 are connected so that data communication is possible.

FIG. 2 is a block diagram for explaining the operations of the cores 21, 22, 23 and the MMU 14 during normal operation of the ECU 1.
As shown in FIG. 2, the first core 21 performs processing with the highest priority among the processing executed by the ECU 1 (hereinafter referred to as “important processing”) with 80% of the processing load executable by the first core 21. Use to run.

  The second core 22 operates the sub-schedulers 31 and 32 that manage the processing executed by the second core 22 and the main scheduler 35 that manages the sub-schedulers 31 and 32. The sub-scheduler 31 executes a process having a lower priority than the important process executed by the first core 21 (hereinafter referred to as a normal process) using 60% of the processing load that can be executed by the second core 22, The sub-scheduler 32 is configured to execute an important process when the first core 21 is abnormal. As the scheduling method by the scheduler, for example, EDF or Preemption can be used.

  The third core 23 operates the sub-schedulers 41 and 42 that manage the processes executed by the third core 23 and the main scheduler 45 that manages the sub-schedulers 41 and 42. The sub-scheduler 41 executes normal processing different from that of the second core 22 using 50% of the processing load executable by the third core 23, and the sub-scheduler 42 is important when the first core 21 is abnormal. It is configured to perform processing.

  The RAM 13 is provided with first, second, third core storage areas 51, 52, 53 assigned to the cores 21, 22, 23, respectively. The MMU 14 manages the RAM 13 so that only the cores 21, 22, and 23 can access the first, second, and third core storage areas 51, 52, and 53 during the normal operation of the ECU 1.

FIG. 3 is a diagram for explaining a method of managing the RAM 13 by the MMU 14.
The MMU 14 uses the access rights set in the first, second, and third core storage areas 51, 52, and 53, as shown in FIG. 3, from other cores to the storage area assigned to the specific core. Memory protection is provided by restricting access. At this time, the access right setting can be changed by an operation at a specific privilege level. The privilege level is an operation mode of the cores 21, 22, and 23. In this embodiment, the hypervisor mode and the user mode can be set in descending order of authority, and the MMU 14 is configured by using the hypervisor mode. You can change your access rights. The access right is a right to access the first, second, and third core storage areas 51, 52, and 53.

  Specifically, the access right is set for the core 21 in the first core storage area 51, the access right is set for the core 22 in the second core storage area 52, and the access right is set in the third core storage area 53. The core 23 is set.

  That is, the MMU 14 manages the RAM 13 so that only the cores 21, 22, and 23 can access the first, second, and third core storage areas 51, 52, and 53 during normal operation of the ECU 1.

  In the ECU 1 configured as described above, when the microcomputer 3 is activated (powered on) and starts operating, the core 21 accesses the first core storage area 51 of the RAM 13 and reads and executes a program for important processing. .

  When the microcomputer 3 is activated, the core 22 accesses the second core storage area 52 of the RAM 13 and reads and executes the program of the main scheduler 35. As a result, the main scheduler 35 activates the sub-schedulers 31 and 32. However, the main scheduler 35 operates the sub-scheduler 31 by assigning resources to the sub-scheduler 31, while stopping the operation of the sub-scheduler 32 by not assigning resources to the sub-scheduler 32. Note that the above-mentioned resource is a time allocated to the execution of the process among the time during which the real time property of the core can be guaranteed. When the sub-scheduler 31 starts its operation, the sub-scheduler 31 accesses the second core storage area 52 of the RAM 13 and reads and executes the normal processing program.

  Further, when the microcomputer 3 is activated, the core 23 accesses the third core storage area 53 of the RAM 13 in the same manner as the core 22 and reads and executes the program of the main scheduler 45. As a result, the main scheduler 45 activates the sub-schedulers 41 and 42. However, the main scheduler 45 operates the sub-scheduler 41 by assigning resources to the sub-scheduler 41, while stopping the operation of the sub-scheduler 42 by not assigning resources to the sub-scheduler 42. When the sub-scheduler 41 starts its operation, it accesses the third core storage area 53 of the RAM 13 and reads and executes the normal processing program.

  Further, the cores 22 and 23 execute, as part of the normal process, an abnormality replacement process for performing an important process instead of the core 21 when an abnormality of the core 21 is detected. The abnormal alternative process starts when the sub-schedulers 31 and 41 start their operations, and executes the process independently of other normal processes on the sub-scheduler.

  Here, the procedure of the substitute processing at the time of abnormality executed by the cores 22 and 23 will be described with reference to FIGS. FIG. 4 is a flowchart showing an execution state of the substitute processing at the time of abnormality. FIG. 5 is a block diagram for explaining the operations of the cores 21, 22, 23 and the MMU 14 when the core 21 is abnormal. FIG. 6A is a diagram showing the contents of important processes, and FIG. 6B is a timing chart showing the distribution of important processes.

  When the abnormality substitution process is executed, the core 22 (core 23) first executes an abnormality determination process for determining whether or not an abnormality has occurred in the first core 21 in S10. In the present embodiment, for example, when a signal indicating the value of the watchdog timer (hereinafter referred to as a WDT signal) is input from the first core 21 and the value indicated by the WDT signal is equal to or greater than a preset abnormality determination value, It is determined that an abnormality has occurred in the first core 21.

  In S20, it is determined whether an abnormality has occurred in the first core 21 based on the determination result in S10. If no abnormality has occurred in the first core 21 (S20: NO), the process proceeds to S10 and returns to the state in which the above-described process is executed. On the other hand, if an abnormality occurs in the first core 21 (S20: YES), in S30, the operation mode is set to the hypervisor mode, and the access right of the RAM 13 in the MMU 14 is changed from the cores 22 and 23 to the first. It changes so that the storage area 51 for 1 core can be accessed. As a result, the cores 22 and 23 can read the important process program from the RAM 13. In S40, a reset signal is output to the first core 21. As a result, the first core 21 stops operating.

  Thereafter, in S50, the resource of the sub-scheduler is changed. Specifically, the main scheduler 35 (45) allocates resources to both the sub-scheduler 31 (41) and the sub-scheduler 32 (42) to operate the sub-scheduler 31 (41) and the sub-scheduler 32 (42). . As a result, when the sub-scheduler 32 (42) starts its operation, as shown in FIG. 5, it accesses the first core storage area 51 of the RAM 13 and reads and executes the important process program.

  As shown in FIG. 6 (a), the important processing is processing for detecting the crank angle and the cam angle for 50% of the processing load of 80% (hereinafter referred to as crank / cam angle detection processing). And 30% of the processing load assigned to the processing for fuel injection control and ignition timing control (hereinafter referred to as injection / ignition control processing) (hereinafter referred to as exhaust gas recirculation (EGR) valve opening control processing) The exhaust gas recirculation process). In engine control, when performing injection / ignition control processing, it is necessary to obtain information on the previous crank angle and cam angle, so the crank / cam angle detection processing and injection / ignition control processing are not divided. Must run in the same core. On the other hand, in the exhaust gas recirculation process, the timing between processes is relatively unimportant. That is, even if the execution interval varies, there is little influence on the purpose of control. For this reason, the exhaust gas recirculation process is executed in the core different from the crank / cam angle detection process and the injection / ignition control process.

  Since the processing load assigned to the sub-scheduler 32 of the second core 22 is 40%, the crank / cam angle detection process and the injection / ignition control process that require a processing load of 50% can be executed. Can not. On the other hand, exhaust gas recirculation processing that requires a processing load of 30% can be executed.

  Further, since the processing load assigned to the sub-scheduler 42 of the third core 23 is 50%, the crank / cam angle detection process and the injection / ignition control process that require a processing load of 50% can be executed. it can.

  Therefore, as shown in FIG. 6 (b), among the important processes, the exhaust gas recirculation process that requires a processing load of 30% is allocated to the second core 22, and the crank / recycle process that requires a processing load of 50% is assigned. Cam angle detection processing and injection / ignition control processing are assigned to the third core 23.

  That is, when the operation starts, the sub-scheduler 32 accesses the first core storage area 51 of the RAM 13 and reads out and executes the exhaust gas recirculation processing program from the important processing. On the other hand, when the sub-scheduler 42 starts its operation, the sub-scheduler 42 accesses the first core storage area 51 of the RAM 13 and reads and executes the crank / cam angle detection processing and injection / ignition control processing programs from the important processing. To do.

Then, as shown in FIG. 4, when the process of S50 ends, in S60, its own operation mode is set to the user mode, and the abnormality replacement process is ended.
In the ECU 1 configured as described above, the main scheduler 35 (45) allocates resources to the sub-scheduler 31 (41) and does not allocate resources to the sub-scheduler 32 ( 42), the sub-scheduler 31 (41) executes normal processing and the sub-scheduler 32 (42) is stopped. By assigning to the scheduler 31 (41) and the sub-scheduler 32 (42), the sub-scheduler 31 (41) executes normal processing and the sub-scheduler 32 (42) executes important processing (S50).

  As a result, when an abnormality occurs in the first core 21, if no abnormality occurs in the first core 21, resources are not allocated to the sub-scheduler 32 (42) that is stopped because the resource is not allocated. By allocating, it is possible to cause the sub-scheduler 32 (42) to execute important processing. That is, the second core 22 (third core 23) can execute the important process without restarting the second core 22 (third core 23) after an abnormality occurs in the first core 21. The time required to change the resource in the core is shorter than the time required to restart the core. For this reason, when an abnormality occurs in the first core 21 that executes the important process, an interruption period until the second core 22 (third core 23) starts executing the important process in place of the first core 21 is reduced. It can be shortened.

  Also, if the processing sequence is changed, the same core (that is, the second core) can be used without dividing the crank / cam angle detection processing and the injection / ignition control processing, which are processing that may cause inconvenience in vehicle control. The important process is divided so as to be executed within 22). As a result, the occurrence of a situation in which the processing order is changed due to the crank / cam angle detection processing and the injection / ignition control processing being executed by different cores is suppressed, and inconvenience in vehicle control is suppressed. be able to.

  The second core 22 (third core 23) receives the WDT signal from the first core 21, and when the value indicated by the WDT signal is equal to or greater than a preset abnormality determination value, It is determined that an abnormality has occurred (S10). Accordingly, since the second core 22 (third core 23) has a function of detecting an abnormality of the first core 21, it is not necessary to separately provide a core for detecting the abnormality of the first core 21.

  Further, when no abnormality occurs in the first core 21, the MMU 14 cannot access the first core storage area 51 by the second core 22 (third core 23), and the first core 21 is abnormal. If this occurs, the access to the RAM 13 is managed so that the second core 22 (third core 23) can access the first core storage area 51. As a result, in the second core 22 (third core 23) that needs to be able to access the first core storage area 51 when an abnormality occurs in the first core 21, no abnormality occurs in the first core 21. Occasionally, the occurrence of a situation in which the first core storage area 51 is erroneously accessed and an important process is executed can be prevented.

  In the embodiment described above, the ECU 1 is the on-vehicle electronic control device according to the present invention, the first core 21 is the main core according to the present invention, the second core 22 and the third core 23 are the sub-core according to the present invention, and the sub-schedulers 31 and 41 are the main cores. The first sub-scheduler in the invention, the sub-schedulers 32 and 42 are the second sub-scheduler in the present invention, the processing of S10 is the abnormality determination means in the present invention, the WDT signal is the abnormality determination signal in the present invention, the RAM 13 is the memory in the present invention, The MMU 14 is a memory management means in the present invention.

(Second Embodiment)
A second embodiment of the present invention will be described below with reference to the drawings. In the second embodiment, only parts different from the first embodiment will be described.

The ECU 1 in the second embodiment is the same as the first embodiment except that the operation of the cores 22 and 23 during the normal operation of the ECU 1 and the abnormality replacement process are changed.
FIG. 7 is a block diagram illustrating operations of the cores 21, 22, 23 and the MMU 14 during normal operation of the ECU 1 according to the second embodiment.

  As shown in FIG. 7, the sub-scheduler 31 of the second core 22 executes normal processing using 90% of the processing load that can be executed by the second core 22, and the sub-scheduler 41 of the third core 23 The normal processing is the same as that of the first embodiment except that 80% of the processing load that can be executed by the third core 23 is used.

  Next, the procedure of the abnormality replacement process in the second embodiment will be described with reference to FIGS. FIG. 8 is a flowchart illustrating an execution state of the abnormality replacement process according to the second embodiment. FIG. 9 is a timing chart showing the distribution of important processes in the second embodiment.

As shown in FIG. 8, the abnormality replacement process of the second embodiment is the same as that of the first embodiment except that the process of S50 is omitted and the process of S54 is added.
That is, when the process of S40 is completed, the resource and priority of the sub-scheduler are changed in S54, and then the process proceeds to S60. That is, in S54, the resources allocated to the sub-schedulers 31 (41) and 32 (42) are changed, and the priority of the sub-scheduler 32 (42) is made higher than that of the sub-scheduler 31 (41). Specifically, the main scheduler 35 (45) changes the resource allocated to the sub-scheduler 31 (41) from 90% (80%) to 70% (50%) of the processing load, and the sub-scheduler 32 ( 42) The resources allocated to 42) are changed from 0% (0%) to 30% (50%) of the processing load, and the sub-scheduler 32 (42) is executed before the sub-scheduler 31 (41). Let

  As a result, as shown in FIG. 9, when an abnormality occurs in the first core 21, 30% of the 80% important processing executed by the first core 21 is executed in the second core 22. Later, the control in which 70% of the 90% normal processing executed by the second core 22 is executed is repeated. Further, in the third core 23, after 50% of the 80% of important processing executed by the first core 21 is executed, of the 80% normal processing executed by the third core 23 Control in which 50% of the processing is executed is repeated.

  In the ECU 1 configured as described above, when an abnormality occurs in the first core 21, the sub-scheduler 32 (42) that executes the important process has priority over the sub-scheduler 31 (41) that executes the normal process. (S54). In other words, even if an abnormality occurs in the first core 21, the important processing that was executed by the first core 21 is executed with priority over the normal processing in the second core 22 (third core 23). can do. As a result, it is possible to prevent the occurrence of a situation in which the important process is reduced because the normal process is executed with priority, and the important process cannot be executed.

(Third embodiment)
A third embodiment of the present invention will be described below with reference to the drawings. In the third embodiment, only parts different from the second embodiment will be described.

The ECU 1 in the third embodiment is the same as that in the second embodiment except that the abnormality replacement process is changed.
Next, the procedure of the abnormality replacement process in the third embodiment will be described with reference to FIGS. FIG. 10 is a flowchart illustrating an execution state of the abnormality replacement process according to the third embodiment. FIG. 11A is a diagram illustrating the contents of normal processing of the second core 22, and FIG. 11B is a timing chart illustrating distribution of important processing and normal processing in the third embodiment.

As shown in FIG. 10, the abnormality replacement process of the third embodiment is the same as that of the second embodiment except that the process of S <b> 52 is added.
That is, when the process of S40 is completed, in S52, the process that is set in advance as a small effect even if the operation is stopped is stopped among the normal processes executed by the sub-scheduler 31 (41). Then, the process proceeds to S54.

  For example, in the normal processing executed by the sub-scheduler 31 of the second core 22, as shown in FIG. 11A, 60% of the processing load of 90% is allocated to the power control process, and 30% Assuming that the processing load is assigned to the fuel saving control process, the fuel saving control process having little influence on the safety of the vehicle is stopped even if the operation is stopped.

  As a result, as shown in FIG. 11, if an abnormality occurs in the first core 21, the second core 22 is affected even if the operation stops in 90% of the normal processing executed by the second core 22. After 30% of processing set in advance as small is stopped and then 30% of the 80% important processing executed by the first core 21 is executed, the second core 22 Control in which 60% of the 90% normal processing that has been executed is executed is repeated.

  In addition, when an abnormality occurs in the first core 21, the third core 23 is set in advance as having a small influence even if the operation stops in 80% of the normal processing executed by the third core 23. 30% of the processing is stopped, and then 80% of the 80% important processing executed by the first core 21 is executed, and then 50% of the normal processing executed by the third core 23 is executed. Control in which 50% of the processing is executed is repeated.

  In the ECU 1 configured as described above, a process that is set in advance as an effect that has a small influence even when the operation is stopped is stopped in the normal process (S52). As a result, the stopped resources can be allocated to the important process. For this reason, it is possible to prevent the occurrence of a situation in which the resources assigned to the normal process are reduced and the important process resources are reduced and the important process cannot be executed.

As mentioned above, although one Embodiment of this invention was described, this invention is not limited to the said embodiment, As long as it belongs to the technical scope of this invention, a various form can be taken.
For example, in the above embodiment, the watchdog timer is used to detect the abnormality of the core 21 on the cores 22 and 23 side, but the abnormality detection method of the core 21 is not limited to this, for example, the lock Steps may be used.

  DESCRIPTION OF SYMBOLS 1 ... ECU, 3 ... Microcomputer, 4 ... Input circuit, 5 ... Output circuit, 11 ... CPU, 12 ... ROM, 13 ... RAM, 14 ... MMU, 15 ... I / O, 21 ... 1st core, 22 ... 2nd Core, 23 ... third core, 31, 32, 41, 42 ... sub-scheduler, 35,45 ... main scheduler, 51 ... first core storage area, 52 ... second core storage area, 53 ... third core use Storage area

Claims (5)

An in-vehicle electronic control device having a plurality of cores,
Among the plurality of cores, a main core that executes an important process that is a process set in advance as a process having a high priority among the control processes executed by the in-vehicle electronic control device,
Among the plurality of cores, a core that executes a normal process that is a process set in advance as a process having a lower priority than the important process is a sub-core,
The sub-core includes one or more first sub-schedulers and one or more second sub-schedulers that manage processing executed by the sub-core, and a main scheduler that manages the first sub-scheduler and the second sub-scheduler. Configured to work,
The main scheduler is
If no abnormality occurs in the main core, a resource that is a time required for the sub core to execute processing is allocated to the first sub scheduler, and the resource is not allocated to the second sub scheduler. By causing the first sub-scheduler to execute the normal processing and stopping the second sub-scheduler,
When an abnormality occurs in the main core, the resource is allocated to the first sub-scheduler and the second sub-scheduler, thereby causing the first sub-scheduler to execute the normal process and the second sub-scheduler. An on-vehicle electronic control device characterized in that the important process is executed. A plurality of the sub-cores;
Each of the plurality of sub-cores executes the different normal processes in the first sub-scheduler, and executes different processes among the divided important processes in the second sub-scheduler.
The important process includes a plurality of vehicle control processes for controlling the vehicle,
The important process is divided so that a process that may cause inconvenience to the vehicle control when the process order is changed among the plurality of the vehicle control processes is executed in the same sub-core. The on-vehicle electronic control device according to claim 1. The main scheduler is
The on-vehicle electronic control device according to claim 1, wherein the second sub-scheduler performs management so that the processing is executed with priority over the first sub-scheduler. The sub-core is
An abnormality determination means is provided for inputting an abnormality determination signal set in advance for abnormality determination from the main core and determining whether an abnormality has occurred in the main core based on the abnormality determination signal. The vehicle-mounted electronic control apparatus of any one of Claims 1-3 characterized by the above-mentioned. A memory for storing an important process program for executing the important process and a normal process program for executing the normal process;
The main core and the sub-core are configured to execute processing by accessing the memory and acquiring a program,
When no abnormality occurs in the main core, the sub-core cannot access the important processing program. When an abnormality occurs in the main core, the sub-core can access the important processing program. As described above, the vehicle-mounted electronic control device according to any one of claims 1 to 4, further comprising memory management means for managing access to the memory.