JP2013239116A - Node and distribution system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To further reduce a processing load of abnormality detection in a node in which a slave function dependent on a master function is formed as a hierarchical structure and in a distribution system using the node.SOLUTION: A node of a vehicle control system for forming a hierarchical structure of master function-slave function in a software function comprises: master function abnormality detection means (S11) for detecting abnormality of a master function itself; slave function presence determination means (S17) for determining whether or not a slave function directly dependent on the master function is present; slave function abnormality detection means (S19) for detecting abnormality of the slave function directly dependent on the master function when the slave function is determined to be present; and abnormal state set means (S14, S20 and S21) for setting whether or not the master function is in an abnormal state on the basis of detection results of the master function abnormality detection means (S11) or the slave function abnormality detection means (S19).

Description

  The present invention relates to a distributed system in which a plurality of nodes connected by a network line can perform a cooperative operation, and more particularly to an abnormality detection process in a node of the distributed system.

  2. Description of the Related Art Conventionally, a distributed system is known in which a plurality of electronic control devices (nodes) coupled by a network line are connected and these nodes perform coordinated operation to perform highly reliable control (see, for example, Patent Document 1).

  In the distributed system of Patent Document 1, each of the plurality of nodes has a self-diagnosis function. For example, if it is determined that one node is abnormal during the self-diagnosis, the abnormal node is reset and restarted. Further, the other normal node recognizes the abnormal node, and transitions to the backup control mode (for example, the function of the abnormal node is assumed by another normal node). When the restart of the abnormal node is completed, the other normal nodes make a decision to permit the rejoined node to rejoin, and if permitted, the backup control mode is changed to the normal control mode (including the restarted node). All nodes, including each, execute each function synchronously).

  In such a distributed system, it is possible to select a reliable control mode while allowing a node that has been confirmed to be normal from an abnormality to participate in the middle of the system.

JP 2010-220141 A

  In the technology of the distributed system as described in Patent Document 1 above, in order to facilitate the design of the entire system, functions (functions realized by software control) installed in the nodes in the future form a hierarchical structure. It is expected to become more sophisticated and complicated.

  For example, for a layer having a software function (referred to as a parent function here), a function (referred to herein as a child function) controlled (approximated) by the parent function in a lower layer of the parent function layer. Is formed as a hierarchical structure.

  In addition, a control function subordinate to the child function (that is, a function that may be indirectly controlled by the parent function, here called a grandchild function with respect to the parent function) Is formed.

  When the technology as in the prior art document 1 is used for such a control function having a hierarchical structure formed over a plurality of layers, the node having the parent function has the parent function as the entire system during self-diagnosis. In order to confirm whether or not it functions normally, it is necessary to check each abnormality of all the functions related to the parent function itself (here, parent function-child function-grandchild function). .

  For this reason, the node having the parent function has a higher load of abnormality detection processing by the self-diagnosis function as the hierarchical structure becomes deeper (that is, the control function related to the parent function increases).

  Further, when the parent function has a plurality of subordinate functions and subordinate functions, and there are a plurality of parent functions, the processing load of the self-diagnosis is individually generated.

  Furthermore, there is a problem that the software design for checking the abnormality in the entire distributed system becomes complicated.

  In the technology of the distributed system of Patent Document 1, there is no idea for such a hierarchical structure, and a node determined to be abnormal by the self-diagnosis function can simply perform backup control, restart, etc. in order to recover the abnormal state. It only describes that fail-safe processing is being performed. Therefore, it is necessary to further improve a problem that is expected to occur in the future from the technology of the distributed system such as Patent Document 1.

  The present invention has been made in view of the above problems, and further reduces the processing load of abnormality detection in a node in which child functions subordinate to the parent function are formed in a hierarchical structure and a distributed system using the node. The purpose is to be able to do.

  In order to solve the above-mentioned object, the node according to claim 1 has a function directly subordinate to the parent function as a child function when the main function of software control among the functions installed in each node is a parent function. This node, which is used in a distributed system in which a hierarchical relationship is formed and functions as a parent function, has a parent function abnormality detection means for detecting the presence or absence of abnormality of the parent function itself, and a child function in the parent function. A child function presence determining means for determining whether or not a child function exists, a child function abnormality detecting means for detecting whether or not a child function is abnormal, and a parent function abnormality detecting means or a child function when it is determined that a child function exists. And an abnormal state setting unit that sets whether or not the parent function is in an abnormal state based on the detection result of the abnormality detection unit.

  According to this configuration, in addition to detecting an abnormality of a parent function itself mounted on a node, an abnormality state of the parent function can be set only by detecting an abnormality of a child function directly subordinate to the parent function. Therefore, the processing load can be reduced as compared with the process of detecting abnormality of all functions related to the parent function and setting (= determining) the abnormal state.

  The node according to claim 2 further includes a child function table in which child functions directly subordinate to the parent function are associated and listed in advance, and the child function existence determination unit is directly connected to the parent function based on the child function table. It is characterized by determining whether or not a subordinate function exists.

  According to this configuration, the child function directly subordinate to the parent function can be easily confirmed, and even if the number of directly related child functions increases or decreases due to a change in the parent function, it is easy to rewrite the child function table. The design can be changed.

  The node according to claim 3 is characterized in that the control of the parent function is stopped when an abnormal state is set by the abnormal state setting means.

  According to this configuration, fail-safe control can be performed by stopping the parent function in an abnormal state where the operation cannot be guaranteed.

  The node according to claim 4 is characterized in that when the parent function is an application function, the parent function can select a plurality of abnormal states in the abnormal state setting means.

  According to this configuration, it is possible to select an optimum abnormal state by comprehensively judging the abnormality detection result of the child function.

  Further, the node according to claim 5 is further characterized by further comprising notification means for notifying that the node is in an abnormal state when the abnormal state setting means sets the abnormal state.

  According to this configuration, when the parent function is set to an abnormal state, it is possible to warn of the abnormal state by using a warning light, sound, or display, and thus notify the vehicle user of the abnormality. Can do.

  Furthermore, in the distributed system according to claim 6, each node is connected so as to be able to communicate with each other via a network line, and can function as the parent function according to any one of claims 1 to 5. It is characterized by having a plurality of nodes.

  According to this configuration, even if there are multiple parent functions and the hierarchical structure of the functions is complicated, it is only necessary to detect an abnormality of a child function directly subordinate to the parent function in the node. Can be simplified.

It is a figure which shows the hierarchical relationship of each function in embodiment of this invention. It is a schematic structure figure showing the composition of the vehicle control system (distribution system) in the embodiment of the present invention. It is a flowchart which shows the abnormality detection process of the parent function in embodiment of this invention. It is the table in which the abnormality detection result of each parent function in the embodiment of the present invention, the abnormality detection result of its subordinate child function, and the final abnormal state result of each parent function are recorded.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In an embodiment of the present invention, a plurality of electronic control devices (hereinafter referred to as nodes connected to a network line) distributed and arranged in a device perform a coordinated operation by transmitting and receiving data via the network line. It is an example at the time of applying a system to the vehicle control system of a motor vehicle.

  FIG. 1 shows functions of higher layers in functions (functions realized by software control) installed in each node (configuration is explained in FIG. 2) connected to each other via a network line so as to communicate with each other. It is a figure which shows an example when the hierarchical relationship in which the function of a lower layer is controlled (≒ dependent) is formed.

  In FIG. 1, the functions at the top of the hierarchy include an ACC (Adaptive Cruise Control) function, a pre-crash safety function, and the like. It is a function of an application that directly controls the function required by.

  In addition, functions in a layer lower than the layer with application functions are classified as system functions. This system function is not a function that directly realizes a function that the user wants to implement, but is necessary for the operation of each application function. In FIG. 1, the system functions include forward vehicle detection control (long distance, short distance), engine control, ABS (anti-lock brake system) control, meter control, and the like. The lower layer functions of these system functions are also classified as system functions. For example, the lower layer of the forward vehicle detection control (long distance) includes millimeter wave radar control and forward camera control, and forward vehicle detection control ( There are front camera control and sonar control in the lower layer. Airflow control and fuel injection electronic control are in the lower layer of engine control, brake hydraulic pressure control and lock sensor control are in the lower layer of ABS control, and speedometer control and warning light are in the lower layer of meter control. There is control.

  On the other hand, as another view of FIG. 1, this hierarchical relationship is such that a layer having a main function (referred to as a parent function) of control of software installed in a certain node is lower than a layer of the parent function layer. The software functions controlled by the parent function (that is, subordinate to the parent function) (referred to herein as child functions) are formed as a hierarchical structure. In addition, in a lower layer of the child function layer, software functions controlled by the child functions (that is, subordinate to the child functions) (that is, functions that may be indirectly controlled by the parent function) It can be seen that a grand function) is formed for the parent function.

  This hierarchical relationship (parent function-child function-grandchild function) is a functional relationship that is considered during self-diagnosis of each node. For example, when a node equipped with the ACC control function of FIG. 1 performs self-diagnosis, ACC control (parent function) -forward vehicle detection control (far distance) (child function) -millimeter wave radar control (grandchild function) Such a hierarchical relationship is defined. The definition of the parent function is not necessarily an application layer function. For example, when a node equipped with the function of forward vehicle detection control (far distance) performs self-diagnosis, the hierarchical relationship of forward vehicle detection control (far distance) (parent function) -millimeter wave radar control (child function) As described above, a hierarchical relationship (parent function-child function-grandchild function-...) Is defined with a function of software installed in a node performing self-diagnosis as a parent function.

  In addition, there are various application functions installed in the vehicle such as a car navigation control function and a smart entry control function, but in this embodiment, focusing on functions related to comfort / safety control that require a self-diagnosis, an example The ACC control function and the pre-crash safety control function will be sequentially described below.

  First, the basic function of ACC control will be described. In ACC control, the position (distance) of the preceding vehicle and obstacles obtained by the function of forward vehicle detection control (long distance), even if the vehicle user (especially the driver) does not step on the accelerator (not shown) This is a function of automatically maintaining an arbitrarily set speed based on information on relative speed. This forward vehicle detection control (far distance) is based on vehicle forward information obtained by the millimeter wave radar control for detecting an object in front of the vehicle and the camera control function for photographing the front of the vehicle. Control to detect (distance) and relative speed. In the ACC control, if there is a preceding vehicle that is slower than the set speed, the brake is controlled by ABS (anti-lock brake system) control to decelerate, and control is performed so that the vehicle travels with a constant inter-vehicle distance. In addition, when the preceding vehicle disappears, the engine is controlled to re-accelerate and return to traveling at the set vehicle speed.

  Next, basic functions of pre-crash safety control will be described. Pre-crash safety control is based on the information on the position (distance) and relative speed of front vehicles and obstacles such as walls obtained by the function of forward vehicle detection control (long distance, short distance). It is a function that detects obstacles and obstacles and prepares for a collision. This forward vehicle detection control (far distance, short distance) includes millimeter wave radar control for detecting an object in front of the vehicle (particularly a distant object), camera control for photographing the front of the vehicle, and an object in front of the vehicle (particularly a nearby object). Control is performed to detect the position (distance) and relative speed of the preceding vehicle and obstacles based on the vehicle front information obtained by the sonar control function for detecting the vehicle. In the pre-crash safety control, if there is a risk of a collision, the driver assists the brake by stepping on a brake (not shown), and if not, the automatic brake is controlled by the ABS control.

  The basic configuration, operation principle, and control method for the ACC control as described above can be realized by using a well-known technique as described in, for example, Japanese Patent Application Laid-Open No. 2001-347851. Detailed description is omitted. Similarly, the pre-crash safety control can be realized by using a well-known technique as described in, for example, Japanese Patent Application Laid-Open No. 2011-37308, and detailed description thereof is omitted here.

  In FIG. 1, various system functions are subordinate to an actual vehicle in order to execute the application functions described above. In the following, in order to explain the points of the invention in an easy-to-understand manner, it is assumed that the system function directly subordinate to the application function ACC control is dependent only on the front vehicle detection control (long distance) function, and the pre-crash safety control The system function directly subordinate to will be described on the assumption that only the function of front vehicle detection control (long distance, short distance) is subordinate.

  FIG. 2 is a schematic configuration diagram showing the configuration of the vehicle control system (distributed system) in the embodiment of the present invention. Each node is equipped with an application function and a system function, and the nodes are connected to each other via a network line 100 so as to communicate with each other.

  The basic configuration of the hardware of the nodes 110 to 130 is configured as a well-known microcomputer (hereinafter referred to as a microcomputer) (not shown), and is a ROM that is a memory storing a program describing processing contents and data temporarily. RAM is stored. Although not shown, this hardware includes a CPU that executes a program stored in the ROM and a timer counter that measures time. Although not shown, this hardware mainly includes a communication circuit such as an interface unit having a communication driver and a communication controller for communicating with other nodes and an input / output (I / O) unit for communicating with a sensor or actuator. It has components. Each component in the node is communicably connected via a system bus (not shown). Various programs are recorded in the ROM in advance, a program for processing communication of the interface unit and I / O unit, a program for controlling application functions and system functions, each node's own CPU and memory, communication Programs for executing self-diagnostic functions for circuits, software (OS, etc.), fail-safe processing (functions can be safely stopped or restarted after reset) and fault-tolerant processing (functions can be reduced even if functions are reduced) The program for operating) is recorded. In addition, the RAM has a function of storing data results calculated by the CPU and data acquired from other nodes. Although not shown, the hardware further includes a nonvolatile memory (storage device). In this storage device, a software function mounted on a node (a parent function) and a function directly subordinate (that is, a child function mounted on the node or another node and controlled by the parent function) There are child function tables (112, 122, 134, 135) that are associated and listed. Further, the child function table stores a self-diagnosis result of the child function. Details of the child function table will be described later with reference to FIG.

  The node 110 has a function of an ACC control 111 that is a software application function, and the node 120 has a function of a pre-crash safety control 121 that is an application function. Further, the node 130 is equipped with a function of the vehicle front detection control 131 that is a software system function, and the function of the vehicle front detection control 131 is divided into two functions of a long distance 132 and a short distance 133. And can be operated independently by well-known virtual machine technology. Each of these nodes 110 to 130 is communicably connected to a network line 100 which is a communication network capable of multiplex communication, and the same contents are simultaneously transmitted from a certain node to all other nodes connected to the network line 100. The broadcast transmission to be transmitted is possible.

  Further, for each function of software installed in each node (110, 120, 130), a self-diagnosis function for diagnosing abnormality of the function is prepared. This self-diagnosis function is executed at regular timing (for example, every 1 to several cycles of the communication cycle or every elapse of a predetermined time such as every several minutes). In addition, while executing the self-diagnosis of the target function (= parent function), not only the parent function but also the abnormal state of the child function subordinate to the parent function is confirmed, and finally the parent function itself Is set (= determined) whether or not is in an abnormal state.

  In addition, a method for detecting the abnormality of the child function will be described with reference to FIGS. For example, there is a node 130 on which a vehicle front detection control 132 (child function) subordinate to the ACC control 111 (parent function) described above is mounted. The node 130 performs a self-diagnosis of the vehicle front detection control 132 (child function) at the regular timing. Each time the self-diagnosis is performed, the self-diagnosis result is transmitted from the node 130 to the network line 100.

  Then, the node 110 receives the self-diagnosis result of the vehicle front detection control 132 from the node 130 via the network line 100, and is managed by the ACC control 111 (parent function) (memory provided in the hardware of the node 110). It is stored in the child function table 112 of the device. When the ACC control 111 (parent function) needs a diagnosis result of the vehicle front detection control 132 (child function) subordinate to its function (that is, during the self-diagnosis of the ACC control), the ACC control 111 (parent function) ) Is detected from the child function table 112 managed by the vehicle front detection control 132 (child function).

  Note that sensors (= generic name for sensors and actuators) 140 are connected to the node 130. Each of the sensors 140 includes, as hardware, a communication circuit such as an input / output (I / O) unit for communicating with each sensor or actuator and the sensors in addition to a microcomputer. It is connected so that it can communicate. In FIG. 2, millimeter wave radar control 141, front camera control 142, and sonar control 143 are provided as software functions of sensors 140. The microcomputers of these sensors are provided with a self-diagnosis function for diagnosing sensor failures at regular timing. When the sensors perform self-diagnosis, the self-diagnosis result is immediately transmitted from the sensors to the node 130 and stored in the child function table (134 or 135) of the node 130.

  That is, the vehicle front detection control 131 of the node 130 has a function of processing each measurement data received from these sensors, and the vehicle front detection control 131 manages the self-diagnosis result received from the sensors (of the node 130). It has a processing function for storing in the child function table (134, 135) of the storage device provided in the hardware.

  Next, by using the flowchart of FIG. 3 and the child function table of FIG. 4, software functions (here, ACC control, pre-crash safety control, etc.) installed in a certain node (for example, 110, 120, 130) in the embodiment of the present invention. In the vehicle front detection control), the abnormality detection process when the function of the software becomes a parent function and the self-diagnosis is executed by the microcomputer of each node will be described.

  FIG. 3 is a flowchart when the self-diagnosis function for a function mounted on a certain node executes an abnormality detection process. In addition, since the basic processing of the abnormality detection processing is the same for each function installed in each node, it will be described collectively as a common flowchart here. It should be noted that abnormality detection processing is performed assuming that the function to be self-diagnosis = parent function.

  First, in FIG. 3, when the accessory switch of the vehicle is turned on, or after it is turned on, at a regular timing, the parent function mounted on the node starts the abnormality detection process.

  In step S10, first, a diagnosis is performed to determine whether there is any abnormality in the microcomputer or program that operates the parent function, and the process proceeds to step S11.

  In step S11 (corresponding to the parent function abnormality detecting means of the present invention), it is determined whether there is an abnormality in the parent function itself in response to the diagnosis execution result in step S10. If there is an abnormality in the parent function itself (YES), the process proceeds to step S12, and if there is no abnormality, the process proceeds to step S17.

  In step S12, although there is an abnormality in the parent function itself, it is determined whether or not the parent function can return to normal by the recovery operation, that is, whether or not the parent function itself can be controlled continuously. If it is determined that continuation is possible (YES), the process proceeds to step S13 to perform fail-safe processing. In this fail-safe process, the parent function is reset once and a restart process is performed. Further, during the restart process, an abnormality as described in, for example, Patent Document 1 is diagnosed according to the necessity of the parent function (there is a function of another node that requires processing data of the parent function being diagnosed). Normal data before transmission or data obtained by simple control such as proportional control is transmitted to other nodes as dummy data. When the restart is completed, the process returns to step 10 again, and the abnormality diagnosis of the parent function is executed again.

  If it is determined in step S12 that the parent function cannot be continued (NO), the process proceeds to step S14.

  In step S14 (corresponding to the abnormal state setting means of the present invention), it is set that the parent function is in an abnormal state (here, stored in the child function table of the storage device). Then, the process proceeds to step S15.

  In step S15, processing for stopping the parent function is performed. In addition, a process is performed to warn the user with a warning light (not shown) provided in the meter device (not shown) that the parent function is in an abnormal state (that is, the parent function is disabled). Specifically, a warning signal is transmitted to a node (not shown) having a meter control function capable of executing warning light control from the node determined to be in an abnormal state via the network line 100, and the warning signal is received. Then, the node controls lighting of the warning lamp and notifies the warning (corresponding to the notification means of the present invention). Then, this process ends (END).

  If there is no abnormality in the parent function in step S11 (NO), the process proceeds to step S16. In step S16, the existence of a child function directly dependent on the parent function is confirmed. The existence of this child function is confirmed by referring to a child function table described later with reference to FIG. If the existence of the child function is confirmed, the process proceeds to step S17.

  In step S17 (corresponding to the child function existence determination means of the present invention), it is determined whether or not there is a child function directly subordinate to the parent function based on the confirmation result in step S16. If there is a directly subordinate child function (YES), the process proceeds to step S18, and if no child function exists (NO), the process proceeds to step S20.

  In step S18, the self-diagnosis result of each child function directly subordinate to the parent function is detected (= the diagnosis result of the child function stored in the child function table is acquired), and the process proceeds to step S19.

  In step S19 (corresponding to the child function abnormality detecting means of the present invention), based on the result of step S18, it is determined whether or not an abnormality has been detected in the child function directly subordinate to the parent function. If there is no abnormality in the child function (NO) (normal case), the process proceeds to step S20, and if there is an abnormality in the child function (YES), the process proceeds to step S21.

  When the process proceeds to step S20 (corresponding to the abnormal state setting means of the present invention), the parent function is in a completely normal state, assuming that there is no abnormality in the parent function and no abnormality in the child function directly subordinate to the parent function. A certain thing is set (that is, stored in the child function table of the storage device), and this processing ends (END).

  On the other hand, when the process proceeds to step S21 (corresponding to the abnormal state setting means of the present invention), there is no abnormality in the parent function itself, but the performance of the parent function is maintained because there is an abnormality in the child function directly subordinate to the parent function. If it cannot, the parent function is set to be in an abnormal state (stored in the child function table of the storage device), and the process proceeds to step S22.

  However, the parent function that is the target of the abnormality detection process in FIG. 3 is the application function of the highest hierarchy (that is, a function that does not affect other functions), and even if the child function detected as abnormal is discarded, the parent function Is partially usable, the abnormal state is set and stored (stored in the child function table of the storage device) so that the function of the parent function is reduced (operates the fault tolerant process). In other words, when the parent function is the application function of the highest hierarchy, it is configured so that multiple abnormal states can be selected (Note that there are many opportunities for system functions to be used for various application functions. It also has a significant effect on the function, so the system function has a single abnormal state).

  In step S22, processing for stopping the parent function is performed. In addition, a process for warning the user that the parent function is in an abnormal state (that is, the parent function has become unusable or has entered a fault-tolerant process) (the warning light control in step S15 described above) (Corresponding to the notification means of the present invention). Then, this process ends (END).

  Next, step S10 (check of parent function abnormality), step S16 (check of child function table), step S19 (child function abnormality detection), steps S14, S20 and S21 (abnormal state setting) described above are shown in FIG. This will be described in detail using the function table.

  In FIG. 4, as an example of the parent function, here, ACC control 111 (corresponding child function table 112), pre-crash safety control 121 (corresponding child function table 122), vehicle front detection control (long distance) 131 (corresponding The above-mentioned corresponding steps will be specifically described using the vehicle function detection table 134) and the vehicle forward detection control (short distance) 132 (corresponding child function table 135) (other points for easy understanding of the points of the invention). Examples of parent functions are omitted).

  The child function table 112 records in advance that the child function directly subordinate to the parent function is the vehicle front detection control (long distance) or the like with respect to the ACC control of the parent function. Judged by checking.

  The abnormality detection result by the self-diagnosis of the parent function and its child function is stored in the table as a binary value of abnormality (×) or not abnormal (O) (the same applies to other child function tables).

  In this child function table 112, all (O) are stored as “abnormality detection results” assuming that there is no abnormality in the parent function and its child functions. In addition, “O” is stored as a normal state (not an abnormal state) setting of “abnormal state” based on the abnormality detection result of the parent function or the child function.

  The child function table 122 records in advance that a child function directly subordinate to the parent function is vehicle forward detection control (far distance), vehicle forward detection control (short distance), etc., with respect to the pre-crash safety control of the parent function. The existence of a child function is determined by checking this list.

  In this child function table 122, “abnormality detection result” is stored as (◯) because there is no abnormality in the parent function. However, the “abnormality detection result” of the child function is stored as “×” because there is an abnormality in the vehicle front detection control (short distance) (in addition, “◯” is stored as the other child functions are not abnormal). ). Therefore, (Δ) (partially abnormal state) is stored in the “abnormal state” setting based on the abnormality detection result of the child function. Here, (△) is stored, for example, as an application function (a function that does not affect other functions) in which the pre-crash safety control is positioned at the top of the function hierarchy, and vehicle forward detection control (long distance) This is because an alternative function (such as partially covering a short distance with the function of the front camera) can be realized. Here, even if some functions are reduced, the operation is continued (fault tolerant processing) (that is, a plurality of abnormal states can be set by comprehensively judging the abnormality detection results of the child functions).

  The child function table 134 records in advance that the child function directly subordinate to the parent function is the front camera and the millimeter wave radar with respect to the vehicle forward detection control (far distance) of the parent function. Is determined by checking this list.

  In this child function table 134, all (O) are stored as “abnormality detection results”, assuming that there is no abnormality in the parent function and its child functions. In addition, “O” is stored as a normal state (not an abnormal state) setting of “abnormal state” based on the abnormality detection result of the parent function or the child function.

  The child function table 135 records in advance that the child function directly subordinate to the parent function for the vehicle forward detection control (short distance) of the parent function is the front camera and the sonar. Determined by checking the list.

  In this child function table 135, “abnormality detection result” stores (◯) because there is no abnormality in the parent function. However, the “abnormality detection result” of the child function is stored as (×) because the sonar has an abnormality (the other child functions are stored as (◯) as having no abnormality). Therefore, assuming that the setting of the “abnormal state” based on the abnormality detection result of the child function is an abnormal state, “x” indicating a function stopped state due to the abnormality is stored.

  When this parent function is a system function required for the operation of each application function such as vehicle forward detection control (short distance), this system function is used for a plurality of other different functions. Therefore, in consideration of the load effect of the abnormal processing of the entire vehicle control system, even if some of the child functions are normal, it is preferable to simply set the abnormal state (×) as the functional unit (that is, the partial abnormal state ( Δ) and it is preferable that there is no intermediate state that requires a detailed abnormality notification for each higher function).

  In an abnormal state (Δ, ×), the vehicle user is warned via a warning light. Although not described in detail in the present embodiment, if an abnormality is detected in the parent function itself by the self-diagnosis in step S11 of FIG. 3, “abnormality” in the child function table regardless of whether or not there is an abnormality in the child function. "Status" is stored in x.

  As described above, according to the embodiment described above, in the vehicle control system having a hierarchical structure of software functions, the abnormality state of the parent function is set by detecting the abnormality of the child function directly subordinate to the certain parent function mounted on the node. can do. Therefore, the processing load can be reduced by a simpler method than the process of detecting the abnormality of all the functions related to the parent function (child function-grandchild function-...) And setting the abnormal state.

  Even when the specifications of the vehicle control system are changed and application functions or system functions are added or deleted, the abnormality detection process can be handled by simply rewriting the list of child function tables (simple design change).

  As mentioned above, although embodiment in the vehicle control system (distributed system) of this invention has been described, this invention is not limited to embodiment mentioned above, This invention is invention which concerns on each claim of a claim It can be applied without departing from the gist of the present invention.

  For example, the abnormality detection of the child function is not limited to the method of transmitting the diagnosis result at a regular timing as in the above-described embodiment, and a signal that instructs the child function to send its own diagnosis result is transmitted to the parent function. After transmitting from the node, the child function node may receive the child function diagnosis result signal from the child function node to detect the abnormality of the child function. Such a method is effective when the diagnosis result is stored in the child function.

  In addition, as a child function abnormality detection method, the parent function node sends a signal directly instructing the child function node to perform self-diagnosis, and the executed diagnosis result is transmitted from the child function node to the parent function node. You may make it reply to the node. Such a method is particularly effective when it is determined that the diagnosis result of the child function is out of date.

  In this embodiment, the sensors directly operated by the parent function of the node 130 are each equipped with a self-diagnosis function, and the self-diagnosis of the child function is executed according to the instruction of the parent function. Although it was made to return to a function, it is not restricted to the structure by which the self-diagnosis function is mounted for every such sensors. For example, if the design does not include a self-diagnosis function for the sensors that are directly controlled by the parent function due to memory capacity issues, configure the parent function to have a self-diagnosis function for these sensors. The abnormality detection process may be directly controlled.

  In addition, although a warning lamp is used here as means (warning means) for warning an abnormal condition, the invention is not limited to this. For example, a sound may be emitted from a speaker (not shown) such as a car navigation system (not shown) that is communicably connected via the network line 100, or a warning character may be displayed from a liquid crystal display screen (not shown). These warning lights, sounds, and display means may be combined for warning.

  Although the present embodiment has been described in the case where the distributed system is applied to a vehicle control system for an automobile, the present invention is not limited to this. It can be applied as long as it uses a distributed system. For example, it can also be applied to operation control systems such as trains, airplanes, and ships.

100 Network line 110, 120, 130 Node 111, 121 Application function 131, 132 System function 140 (141, 142, 143) Sensors 112, 122, 134, 135 Child function table

Claims (6)

At least one function implemented by software control is installed in each node,
Among the functions installed in each of the nodes, when the main function of the software control is a parent function,
A node of a distributed system in which a hierarchical relationship is formed in which a function directly subordinate to the parent function is a child function,
Among the nodes, nodes that can function as the parent function include:
A parent function abnormality detecting means for detecting presence or absence of abnormality of the parent function itself;
Child function presence determination means for determining whether or not the child function exists in the parent function;
When it is determined by the child function presence determining means that the child function exists, a child function abnormality detecting means for detecting presence or absence of abnormality of the child function;
Based on the detection result of the parent function abnormality detection means or the child function abnormality detection means,
A node comprising: an abnormal state setting means for setting whether or not the parent function is in an abnormal state. A child function table in which the child functions directly subordinate to the parent function are associated and listed in advance;
The node according to claim 1, wherein the child function existence determination unit determines whether or not the child function directly subordinate to the parent function exists based on the child function table.   3. The node according to claim 1, wherein when the abnormal state is set by the abnormal state setting unit, the control of the parent function is stopped.   4. The node according to claim 1, wherein when the parent function is an application function, the parent function can select a plurality of abnormal states in the abnormal state setting means. 5.   The node further capable of functioning as the parent function when the abnormal state setting unit sets the abnormal state further includes notification means for notifying that the node is in the abnormal state. 5. The node according to any one of 4.   In a distributed system in which each node is connected to be communicable with each other via a network, the node includes a plurality of nodes that can function as the parent function according to any one of claims 1 to 5. Distributed system.

Images