WO2013042494A1 - Vehicle-mounted control device - Google Patents

Publication number
WO2013042494A1
Authority
WO
WIPO (PCT)
Application number
PCT/JP2012/070672
Other languages
French (fr)
Japanese (ja)
Inventor
英寿 小倉
渉 永浦
成沢 文雄
祐 石郷岡
統宙 月舘
Original Assignee
日立オートモティブシステムズ株式会社

Classifications

    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B60: VEHICLES IN GENERAL
    • B60R: VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00: Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for

Definitions

  • FIG. 1 shows the configuration of an in-vehicle network system according to an embodiment of the present invention.
  • the in-vehicle network system includes electronic control units (hereinafter referred to as ECUs) 1a, 1b, and 1c and a network 100.
  • Each ECU has storage means 7a such as ROM and RAM, and arithmetic means (CPU) 8a.
  • the application program 2a, the interface 3a, the RTOS 4a, the diagnosis unit 5a, and the network control drive 6a are stored as programs in the storage means 7a so that they can be executed on the calculation means 8a.
  • the application program 2a is implemented as a plurality of application modules according to the function of the ECU.
  • the interface 3a mediates the exchange of information between the application program 2a, which sits above it, and the RTOS 4a, the diagnosis unit 5a, and the network control drive 6a, which sit below it.
  • the RTOS 4a has a function of executing and managing the application program 2a, the interface 3a, the diagnosis unit 5a, and the network control drive 6a in real time.
  • the diagnosis unit 5a has a function of diagnosing data received from the network 100.
  • the network control drive 6a distinguishes, among the data transmitted on the network 100, the data to be received from the data not to be received, and acquires the data to be received. It also assigns a communication ID, described later, to data transmitted to the network 100.
  • FIG. 2 shows a communication frame 200 of the network 100.
  • the communication frame 200 includes a communication ID unit 201 that stores a communication ID and a data unit 202 that stores data.
  • the network control drive 6a of the ECU 1a determines, from the communication ID contained in each communication frame 200 transmitted from the ECU 1b or the ECU 1c via the network 100, whether the data in that frame is to be received or not.
  • Data to be received is acquired, and the acquired data is transferred to the interface 3a via the diagnosis unit 5a.
  • the data transferred to the interface 3a is read by an application module in the application program 2a and used for control.
  • the RTOS 4a executes the above operations in real time.
  • the data mentioned here is data shared between ECUs, and may be control target values and output values calculated by a certain ECU, input values from sensors, abnormality information of ECUs and actuators, and the like.
  • FIG. 3 shows the internal configuration of the diagnosis unit 5a.
  • the diagnostic unit 5a includes a received data recording process 11a, a diagnostic execution process 12a, diagnostic methods 1 (13a1) and 2 (13a2), a failure detection process 14a, a received data buffer 15a, information 16a of the transmission source ECU, safety level information 17a of other ECUs, safety level information 18a of the own ECU, diagnostic information 19a corresponding to the safety level, diagnostic parameter information 20a, and error count information 21a. These pieces of information may be stored in different places as shown, or in the same storage means. For simplicity of description, it is assumed that the diagnostic method 1 performs a range check on the received data and the diagnostic method 2 performs a range check on the average value of the received data.
  • FIG. 4 shows the received data buffer 15a.
  • the reception data buffer 15a stores reception data for each reception count for each communication ID.
  • the first received data of communication ID 100 is 50
  • the second received data is 50
  • the third received data is 50
  • the first received data of communication ID 101 is 85
  • the second received data is 84
  • the third received data is 83.
  • FIG. 5 is a diagram showing information 16a of the transmission source ECU.
  • the information 16a of the transmission source ECU stores, for each communication ID, the ECU that is the transmission source of that communication ID.
  • the communication frame including the communication ID 101 is transmitted from the ECU 1b, and the communication frame including the communication ID 100 is transmitted from the ECU 1c.
  • FIG. 6 is a diagram showing safety level information 17a of another ECU.
  • Each ECU stores, as the safety level information 17a of other ECUs, the safety level to which each other ECU belongs.
  • FIG. 6 shows that the ECU 1b belongs to the safety level 1 and the ECU 1c belongs to the safety level 2.
  • by attaching to the data transmitted and received via the network 100 a communication ID from which the transmission source ECU can be determined, the transmitted/received data and the safety level information can be associated with each other.
  • information representing the transmission source ECU, or information directly representing the safety level, may instead be attached to the data transmitted to the network 100.
  • FIG. 7 is a diagram showing safety level information 18a of the own ECU.
  • the safety level information 18a of the own ECU stores an attribute of the safety level of the own ECU.
  • FIG. 6 shows that the ECU 1a, which is the own ECU, belongs to safety level 3.
  • FIG. 8 is a diagram showing diagnosis information 19a corresponding to the safety level.
  • the diagnostic information 19a corresponding to the safety level stores a diagnostic method to be executed for each safety level.
  • depending on the safety level, the diagnostic method 1 is executed in the first diagnosis and the diagnostic method 2 in the next diagnosis; only the diagnostic method 1 is executed in the first diagnosis; or no diagnosis is performed at all.
  • the load of the diagnosis process can be reduced.
  • whether or not the received data can be acquired may be determined based on the safety level of the transmission source.
  • FIG. 9 is a diagram showing the diagnostic parameter information 20a.
  • the diagnostic parameter information 20a stores an upper limit value and a lower limit value for each diagnosis method and communication ID.
  • the upper limit value is 100 and the lower limit value is 0.
  • in another entry the upper limit value is 90 and the lower limit value is 10, and in the case of the diagnosis method 2 and the communication ID 101 the upper limit value is 80 and the lower limit value is 20. In this way, the range of data values to be guaranteed can be varied for each safety level and used in the diagnostic processing.
  • the operation of the main components in FIG. 3, namely the diagnostic execution process 12a, the diagnostic methods 1 and 2, the received data buffer 15a, the transmission source ECU information 16a, the safety level information 17a of other ECUs, the safety level information 18a of the own ECU, the diagnostic information 19a corresponding to the safety level, the diagnostic parameter information 20a, and the error count information 21a, is described with reference to the flowchart of the diagnosis execution process 12a in FIG. 10.
  • FIG. 10 is a flowchart of the diagnosis execution process 12a. Hereinafter, each step of FIG. 10 will be described.
  • Step S11: the communication ID is read from the reception data buffer 15a.
  • Step S12: the ECU of the data transmission source is specified based on the communication ID and the information 16a of the transmission source ECU, and the safety level of the transmission destination ECU is read from the safety level information 17a of the other ECU.
  • Step S13: the safety level of the own ECU is read from the safety level information 18a of the own ECU.
  • Step S14: the safety level of the transmission source ECU is compared with the safety level of the own ECU. If the safety level of the transmission source ECU is lower than the safety level of the own ECU, step S15 is executed; if it is not lower, the process is terminated.
  • Step S15: the diagnostic information 19a corresponding to the safety level is read based on the safety level of the transmission source ECU. Since the diagnostic information 19a stores the diagnostic methods to be executed for each safety level, the diagnosis is selectively executed according to the safety level input in this step.
  • Step S16: the first diagnostic method according to the safety level is executed.
  • Step S17: it is determined whether there is a next diagnostic method corresponding to the safety level. If there is, step S18 is executed; if not, the process ends.
  • Step S18: the next diagnostic method corresponding to the safety level is executed, and the process returns to step S17.
  • FIG. 11 is a flowchart showing a range check process to which the diagnosis method 1 belongs.
  • Step S21: the communication ID is read.
  • Step S22: the upper limit value and the lower limit value in the diagnostic parameter information 20a are read based on the communication ID.
  • Step S23: the data of the communication ID is read.
  • Step S24: it is determined whether the data is within the range between the upper limit value and the lower limit value read in step S22. If it is within the range, step S25 is executed; if not, step S26 is executed.
  • Step S25: the error count in the error count information 21a is set to 0, and the process ends.
  • Step S26: the error count in the error count information 21a is incremented, and the process ends.
  • FIG. 12 is a flowchart showing an average value check process stored in the diagnostic method 2.
  • Step S31: the communication ID, the data, and the number of times the data has been received are read from the reception data buffer.
  • Step S32: the average value of the data of the communication ID is calculated.
  • Step S33: the upper limit value and the lower limit value in the diagnostic parameter information 20a are read based on the communication ID.
  • Step S34: it is determined whether the average value of the data is within the range between the upper limit value and the lower limit value read in step S33. If it is within the range, step S35 is executed; if not, step S36 is executed.
  • Step S35: the error count in the error count information 21a is set to 0, and the process ends.
  • Step S36: the error count in the error count information 21a is incremented, and the process ends.
  • FIG. 13 is a diagram showing error count information 21a when executed using received data of communication IDs 100 and 101 stored in the received data buffer 15a.
  • the error count of the communication ID 100 is 0, and the error count of the communication ID 101 is 1.
  • the failure detection process 14a determines, from the result recorded in the error count information 21a, whether the transmission source is normal or has failed. Thereby, the application program 2a in FIG. 1 can detect via the interface 3a whether the transmission source ECU is normal or malfunctioning.
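  • As an added example (not code from the patent or from its assignee), the diagnosis execution process 12a of FIG. 10, the range check of FIG. 11 and the average value check of FIG. 12 are modelled in C and run over the sample tables of FIGS. 4 to 9; the run reproduces the error counts of FIG. 13 (0 for communication ID 100, 1 for communication ID 101). The page does not tie the rows of the diagnostic information 19a to a safety level, nor the first two limit pairs of the parameter information 20a to a method and communication ID, so the mapping used here is an assumption stated in the comments; the failure threshold of the failure detection process 14a is likewise assumed.

```c
#include <stdio.h>
#include <string.h>

#define N_RX 3        /* reception counts kept per communication ID (FIG. 4) */
#define N_IDS 2

enum { ECU_1A = 0, ECU_1B, ECU_1C, N_ECUS };
enum { METHOD_RANGE = 1, METHOD_AVERAGE = 2 };

typedef struct { int comm_id; int data[N_RX]; } RxEntry;                      /* 15a */
typedef struct { int comm_id; int src_ecu; } SourceInfo;                      /* 16a */
typedef struct { int method; int comm_id; int lower; int upper; } ParamInfo;  /* 20a */

/* Constructed sample tables using the values quoted on the page (FIGS. 4-9). */
static const RxEntry rx_buffer_15a[N_IDS] = { {100, {50, 50, 50}}, {101, {85, 84, 83}} };
static const SourceInfo src_info_16a[N_IDS] = { {101, ECU_1B}, {100, ECU_1C} };
/* 17a (other ECUs) and 18a (own ECU 1a) merged into one table: 1b=1, 1c=2, 1a=3 */
static const int safety_level[N_ECUS] = { [ECU_1A] = 3, [ECU_1B] = 1, [ECU_1C] = 2 };
/* 19a: methods per safety level, 0-terminated. ASSUMED mapping of the three rows
   the page lists: level 1 -> method 1 then 2; level 2 -> method 1; level 3 -> none. */
static const int methods_19a[4][3] = { {0}, {METHOD_RANGE, METHOD_AVERAGE, 0},
                                       {METHOD_RANGE, 0}, {0} };
/* 20a: the page gives 0..100 and 10..90 without naming their rows; ASSUMED to be
   method 1 for IDs 100 and 101. 20..80 for method 2 / ID 101 is stated on the page. */
static const ParamInfo params_20a[] = { {METHOD_RANGE, 100, 0, 100},
                                        {METHOD_RANGE, 101, 10, 90},
                                        {METHOD_AVERAGE, 101, 20, 80} };
static int error_count_21a[N_IDS];   /* indexed like rx_buffer_15a */

static int rx_slot(int comm_id) {
    for (int i = 0; i < N_IDS; i++) if (rx_buffer_15a[i].comm_id == comm_id) return i;
    return -1;
}
static int source_ecu(int comm_id) {                       /* lookup in 16a */
    for (int i = 0; i < N_IDS; i++)
        if (src_info_16a[i].comm_id == comm_id) return src_info_16a[i].src_ecu;
    return -1;
}
static const ParamInfo *find_params(int method, int comm_id) {
    for (size_t i = 0; i < sizeof params_20a / sizeof params_20a[0]; i++)
        if (params_20a[i].method == method && params_20a[i].comm_id == comm_id)
            return &params_20a[i];
    return NULL;
}
/* S25/S26 shared by both methods: in range resets the count, out of range increments it. */
static void record_result(int slot, int in_range) {
    if (in_range) error_count_21a[slot] = 0; else error_count_21a[slot]++;
}
/* Diagnostic method 1 (FIG. 11): range check of the latest received value. */
static void range_check(int slot) {
    const RxEntry *e = &rx_buffer_15a[slot];
    const ParamInfo *p = find_params(METHOD_RANGE, e->comm_id);
    if (!p) return;                               /* no limits configured: skip (assumption) */
    int v = e->data[N_RX - 1];
    record_result(slot, v >= p->lower && v <= p->upper);
}
/* Diagnostic method 2 (FIG. 12): range check of the average over the whole buffer. */
static void average_check(int slot) {
    const RxEntry *e = &rx_buffer_15a[slot];
    const ParamInfo *p = find_params(METHOD_AVERAGE, e->comm_id);
    if (!p) return;
    int sum = 0;
    for (int i = 0; i < N_RX; i++) sum += e->data[i];
    int avg = sum / N_RX;                         /* 84 for ID 101, outside 20..80 */
    record_result(slot, avg >= p->lower && avg <= p->upper);
}
/* Diagnosis execution process 12a (FIG. 10). Returns the number of methods run,
   0 when the source's safety level is not lower than own_level (S14), -1 on unknown ID. */
int run_diagnosis(int comm_id, int own_level) {
    int slot = rx_slot(comm_id);                  /* S11 */
    int src = source_ecu(comm_id);                /* S12 */
    if (slot < 0 || src < 0) return -1;
    int src_level = safety_level[src];            /* S12 reads 17a; own_level is 18a (S13) */
    if (src_level < 1 || src_level > 3) return -1;
    if (!(src_level < own_level)) return 0;       /* S14: no diagnosis needed */
    int ran = 0;
    for (const int *m = methods_19a[src_level]; *m; m++) {   /* S15..S18 */
        if (*m == METHOD_RANGE) range_check(slot); else average_check(slot);
        ran++;
    }
    return ran;
}
void reset_error_counts(void) { memset(error_count_21a, 0, sizeof error_count_21a); }
int error_count_of(int comm_id) {
    int s = rx_slot(comm_id);
    return s < 0 ? -1 : error_count_21a[s];
}
/* Failure detection process 14a; a non-zero count is treated as failure (assumed threshold). */
int failure_detected(int comm_id) { return error_count_of(comm_id) > 0; }

int main(void) {
    reset_error_counts();
    const int own = safety_level[ECU_1A];
    const int ids[N_IDS] = {100, 101};
    for (int i = 0; i < N_IDS; i++) {
        int n = run_diagnosis(ids[i], own);
        printf("ID %d: %d method(s) run, error count %d, %s\n", ids[i], n,
               error_count_of(ids[i]), failure_detected(ids[i]) ? "FAILURE" : "normal");
    }
    return 0;
}
```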
  • the safety level is defined for the ECU connected to the network 100.
  • a safety level may be defined for each function, application program 2a, application module belonging to the application program 2a, and communication ID.
  • different safety levels may be assigned to a plurality of data items that are calculated by different application modules in an ECU and transmitted to the outside of the ECU; the receiving ECU then holds the safety level assigned on the data transmitting side, and the diagnostic processing may be varied based on the safety level assigned to each application module.
  • the contents of diagnosis may also be varied on the receiving side based on the safety level of the transmitting application module. In this case, data is not exchanged via the network 100 but between memory partitions or between a plurality of memories.
  • the diagnostic content and level of the received data can be varied based on the safety level of the data transmission source ECU, so the diagnostic processing load can be reduced. For example, when data is transmitted from an ECU with a high safety level to an ECU with a low safety level, data with guaranteed safety is transmitted, so that the necessity for diagnosis is small. Also, when data is transmitted between ECUs of the same safety level, data with guaranteed safety is transmitted, so that the necessity for diagnosis is similarly small. Further, when data is transmitted from an ECU with a low safety level to an ECU with a high safety level, the data can be prevented from being acquired without performing a diagnostic process. In this way, the received data diagnosis process can be omitted based on the safety level of the ECU.
  • the quality of the software installed in each ECU may differ.
  • the diagnostic processing of received data can be varied based on the safety level required for each function of each ECU. Therefore, the influence of variation can be absorbed in the quality of software installed in each ECU.
  • FIG. 13 is a diagram showing the state transition of the diagnosis unit 5a.
  • the diagnosis unit 5a includes a configuration state 53a and a normal state 54a under a communication establishment state 52a.
  • immediately after entering the power-on state 51a, the network control drive 6a performs communication establishment processing according to the communication protocol in order to establish communication on the in-vehicle network.
  • the communication establishment is set to the transition condition 55a.
  • the diagnosis unit 5a changes to the communication establishment state 52a after the power-on state 51a.
  • in the communication established state 52a, data can be exchanged between the own ECU and another ECU via the network 100.
  • a transition is made to the configuration state 53a that transmits and receives safety level information of other ECUs according to the transition condition 56a.
  • the transition to the normal state 54a is made by the transition condition 57a, namely that all the safety level information of the other ECUs has been acquired in the configuration state 5a.
  • the operation described in the <first embodiment> is then possible. Specifically, a communication ID can be given without giving information directly representing the safety level in the communication frame 200.
  • FIG. 14 shows an internal configuration of the diagnosis unit 5a including the configuration state 5a.
  • the diagnosis unit 5a includes a transmission data process 35a, a reception data recording process 11a, a diagnosis execution process 12a, a diagnosis method 1 and 2, a failure detection process 14a, a reception data buffer 15a, and a transmission source ECU. It includes information 16a, safety level information 17a of another ECU, safety level information 18a of its own ECU, diagnostic information 19a corresponding to the safety level, diagnostic parameter information 20a, and error count information 21a.
  • the diagnosis execution process 12a passes the safety level of the own ECU, stored in the safety level information 18a of the own ECU, to the transmission data process 35a.
  • the transmission data processing 35a transmits the passed safety level of the own ECU by the network control drive 6a.
  • based on the communication ID of a communication frame 200 transmitted from another ECU via the network 100, the network control drive 6a determines whether the communication frame 200 is to be received by the own ECU, and receives it if so. In the received data recording process, the data is stored according to the communication ID of the received communication frame.
  • the diagnosis execution process 12a reads the transmission source ECU information 16a using the communication ID stored in the received data buffer 15a, identifies the source ECU, and stores the safety level held in the received data buffer 15a into the safety level information 17a of the other ECU for the identified source ECU. Once the diagnosis execution process 12a has acquired the safety level information of all the other ECUs, it notifies the transition to the normal state 54a.
  • the condition for transition from the config state 53a to the normal state 54a may be a case where at least one safety level information of another ECU is stored.
  • the paths 22a to 34a connect the components described above.

Abstract

The objective of the present invention is to ensure high safety while reducing the processing load incurred in the diagnosis of data delivered via a vehicle-mounted network. A diagnosis unit (5a) is provided with a received data recording process (11a), a diagnosis execution process (12a), diagnosis methods 1 (13a1) and 2 (13a2), a failure detection process (14a), a received data buffer (15a), transmission source ECU information (16a), other-ECU safety level information (17a), own-ECU safety level information (18a), diagnosis information (19a) in accordance with safety level, diagnosis parameter information (20a), and error count information (21a).

Description

In-vehicle control device
 The present invention relates to a vehicle-mounted control device, and more particularly to a vehicle-mounted electronic control device that ensures safety in a system that performs cooperative control.
 In recent years, automobiles incorporating driving stability control have been developed from the viewpoint of improving safety. These vehicles control each wheel independently to suppress side slip and spin, thereby ensuring driving stability during cornering and contributing to driver safety. Such a technique has become possible because the electronic control units (hereinafter referred to as ECUs) in a vehicle are controlled cooperatively over an in-vehicle network. According to Patent Document 1 below, a travel control ECU is connected to many sensors, such as the wheel speed sensor of each wheel, an inertial sensor that detects the vehicle behavior and a steering angle sensor that detects the driver's operation, and an engine control ECU is further connected to it through the in-vehicle network. The engine control ECU transmits control information related to the engine output, and the travel control ECU controls the brake of each wheel based on that control information and on the information from the sensors connected to the travel control ECU itself; when necessary it also transmits a target value to the engine control ECU. In another conventional technique, the travel control ECU also uses control information transmitted from a steering control ECU in addition to the engine control ECU, performing cooperative control among a plurality of ECUs.
 When cooperative control is performed among a plurality of ECUs, each ECU transmits control information to the in-vehicle network and receives the control information it needs from the same network. The receiving ECU diagnoses whether the control information contains an error.
 Generally, the more control information is received, the larger the processing related to its diagnosis becomes, and the processing for writing the control information grows likewise, which burdens the processing resources of the ECU. Patent Document 1 above introduces an ECU provided with means for rewriting control information depending on a diagnosis condition of whether the transmitted control information is appropriate, in order to prevent the writing of unnecessary control information. Patent Document 2 above introduces means for changing the frequency of memory diagnosis according to the type of control information.
 Patent Literature: JP 2007-011734 A; JP 2003-323353 A; JP 2005-145197 A
 The technique described in Patent Document 1 prevents the writing of unnecessary control information when the ECU is reprogrammed and so reduces the load of the writing process, but it cannot reduce the load of the diagnostic processing while the ECU is operating. Patent Document 2 changes the diagnosis frequency according to the type of control information stored in memory, so that an abnormality in safety-related control information can be detected early by raising its diagnosis frequency; however, diagnosis at the time of data exchange between ECUs is not considered, and the load of the diagnostic processing cannot be reduced.
 The present invention has been made to solve the above problems, and its object is to ensure high safety while reducing the processing load related to the diagnosis of data exchanged over an in-vehicle network.
 To solve the above problem, an in-vehicle electronic control device that is connected to an in-vehicle network to which a plurality of in-vehicle electronic control devices are connected, and that transmits and receives data through the in-vehicle network, is configured to have: a first storage unit that stores information on the safety level assigned to the in-vehicle electronic control device or to a function the device has; a second storage unit that stores information on the safety level assigned to another in-vehicle electronic control device connected to the in-vehicle network or to a function that other device has; a diagnosis unit that, for data received from another in-vehicle electronic control device connected to the in-vehicle network, compares the information stored in the first storage unit and in the second storage unit, selects the content and degree of diagnosis, and performs the diagnostic processing; and a data transmission unit that attaches the information on the safety level assigned to the in-vehicle electronic control device or to its function to the data transmitted to the in-vehicle network.
 According to the ECU of the present invention, the diagnostic method can be selected separately for each piece of control information, and the processing load related to diagnosis can be reduced.
 Other objects, features and advantages of the present invention will become apparent from the following description of embodiments of the present invention with reference to the accompanying drawings.
  • FIG. 1 shows the configuration of the in-vehicle network system.
  • FIG. 2 shows a communication frame 200 transmitted and received between ECUs via the network 100.
  • FIG. 3 shows the internal configuration of the diagnosis unit 5a.
  • FIG. 4 shows the received data buffer 15a.
  • FIG. 5 shows the information 16a of the transmission source ECU.
  • FIG. 6 shows the safety level information 17a of other ECUs.
  • FIG. 7 shows the safety level information 18a of the own ECU.
  • FIG. 8 shows the diagnostic information 19a corresponding to the safety level.
  • FIG. 9 shows the diagnostic parameter information 20a.
  • FIG. 10 is a flowchart of the diagnosis execution process 12a.
  • FIG. 11 is a flowchart of the range check process to which the diagnostic method 1 belongs.
  • FIG. 12 is a flowchart of the average value check process stored in the diagnostic method 2.
  • FIG. 13 shows the state transition of the diagnosis unit 5a.
  • FIG. 14 shows the internal configuration of the diagnosis unit 5a including the configuration state 5a.
  • FIG. 15 shows the internal configuration of the diagnosis unit 5a.
In recent years the software scale of vehicle control systems has grown dramatically. To guarantee the safety of a vehicle control system, checks at development time and at reprogramming time are no longer sufficient; safety must also be guaranteed by diagnostic processing while the system is running.
In the ECU according to the present invention, the control information handled by the ECU is assigned the level of safety required of it (hereinafter, safety level), and from the plurality of diagnostic methods available for the diagnostic processing at data reception, the ones to execute are selected according to that safety level.
Here, the safety level expresses the degree of safety that the vehicle control system must guarantee for each function. In recent years it has become important to be able to guarantee, and to explain, that a vehicle control system operates correctly and causes as little harm to people as possible. Specifically, to prevent harm to people from the malfunction of a function, a safety level must be assigned to each function and the vehicle control system developed so as to meet the corresponding criteria. The safety level is determined by, among other things, the magnitude of the damage caused when the function it is assigned to fails to operate correctly. For example, functions such as an ECU controlling the brake system, an ECU controlling the steering system or an ECU controlling the inter-vehicle distance are assigned a high safety level, because an abnormality in them can lead to a serious vehicle accident.
<First Embodiment>
The embodiments are described below with reference to the drawings.
FIG. 1 shows the configuration of an in-vehicle network system according to one embodiment of the present invention. The in-vehicle network system comprises electronic control units (hereinafter ECUs) 1a, 1b and 1c and a network 100. Each ECU has storage means 7a such as ROM and RAM and arithmetic means (CPU) 8a. An application program 2a, an interface 3a, an RTOS 4a, a diagnosis unit 5a and a network control driver 6a are stored as programs in the storage means 7a so that they can be executed on the arithmetic means 8a.
The application program 2a is implemented as a plurality of application modules corresponding to the functions of the ECU. The interface 3a mediates the exchange of information between the application program 2a above it and the RTOS 4a, the diagnosis unit 5a and the network control driver 6a below it. The RTOS 4a executes and manages the application program 2a, the interface 3a, the diagnosis unit 5a and the network control driver 6a in real time. The diagnosis unit 5a diagnoses the data received from the network 100. The network control driver 6a distinguishes, among the data carried on the network 100, the data to be received from the data not to be received, and acquires the data to be received. It also attaches a communication ID, described later, to data sent to the network 1000. These functions are realized by the arithmetic means 8a reading the programs from the storage means 7a and executing them.
FIG. 2 shows a communication frame 200 of the network 100. The communication frame 200 comprises a communication ID part 201 holding a communication ID and a data part 202 holding data.
With the above configuration, the ECU 1a uses the network control driver 6a to determine, from the communication ID contained in each communication frame 200 sent by the ECU 1b or the ECU 1c over the network 100, whether the frame carries data to be received or not, and acquires the data to be received. The acquired data is passed through the diagnosis unit 5a to the interface 3a, and the data passed to the interface 3a is read by an application module of the application program 2a and used for control. The RTOS 4a executes these operations in real time. The data referred to here is data shared between ECUs, and may be control target values or output values computed by some ECU, input values from sensors, abnormality information on ECUs or actuators, and the like.
The operation of the ECU has been outlined above. The diagnosis unit 5a of the present invention is described in detail below.
FIG. 3 shows the internal configuration of the diagnosis unit 5a. The diagnosis unit 5a comprises a received data recording process 11a, a diagnosis execution process 12a, diagnostic method 1 (13a1) and diagnostic method 2 (13a2), a failure detection process 14a, a received data buffer 15a, source ECU information 16a, safety level information 17a of the other ECUs, safety level information 18a of the own ECU, diagnostic information 19a according to safety level, diagnostic parameter information 20a and error count information 21a. These pieces of information may be stored in separate locations as illustrated, or in the same storage means. For simplicity of explanation it is assumed that diagnostic method 1 performs a range check on the received data and diagnostic method 2 performs a range check on the average of the received data.
FIG. 4 shows the received data buffer 15a. The received data buffer 15a stores, for each communication ID, the data of each reception. In FIG. 4 the first, second and third received data for communication ID 100 are 50, 50 and 50, and the first, second and third received data for communication ID 101 are 85, 84 and 83.
FIG. 5 shows the source ECU information 16a, which stores the communication IDs sent by each source ECU. FIG. 5 shows that a communication frame containing communication ID 101 is sent by the ECU 1b and a communication frame containing communication ID 100 is sent by the ECU 1c.
FIG. 6 shows the safety level information 17a of the other ECUs, which stores, for each safety level, the ECUs belonging to it. FIG. 6 shows that the ECU 1b belongs to safety level 1 and the ECU 1c to safety level 2. By attaching to the data sent and received over the network 1000 a communication ID from which the source ECU can be determined, the data sent and received can thus be associated with the safety level information. Alternatively, information identifying the source ECU, or information directly representing the safety level, may be attached to the data sent to the network 1000.
FIG. 7 shows the safety level information 18a of the own ECU, which stores the safety level attribute of the own ECU. FIG. 7 shows that the ECU 1a, the own ECU, belongs to safety level 3. By comparing the safety level information 18a of the own ECU stored here with the safety level information 17a of the other ECUs, the diagnostic method applied to received data can be varied.
FIG. 8 shows the diagnostic information 19a according to safety level, which stores, for each safety level, the diagnostic methods to execute. FIG. 8 shows that for safety level 1 diagnostic method 1 is executed as the first diagnosis and diagnostic method 2 as the next, while for safety level 2 diagnostic method 1 is executed as the first diagnosis and no further diagnosis is executed. Varying the diagnostic methods and their number according to safety level in this way reduces the load of the diagnostic processing. Besides the diagnostic processing, whether received data is accepted at all may also be decided from the safety level of the source.
FIG. 9 shows the diagnostic parameter information 20a, which stores an upper limit and a lower limit for each diagnostic method and communication ID. FIG. 9 shows that for diagnostic method 1 and communication ID 100 the upper limit is 100 and the lower limit 0; for diagnostic method 1 and communication ID 101 the upper limit is 90 and the lower limit 10; and for diagnostic method 2 and communication ID 101 the upper limit is 80 and the lower limit 20. In this way the range of data values to be guaranteed can be varied for each safety level and used in the diagnostic processing.
Next, a basic example of the operation of the present invention is described. The main components in FIG. 3 are the diagnosis execution process 12a, diagnostic methods 1 and 2, the received data buffer 15a, the source ECU information 16a, the safety level information 17a of the other ECUs, the safety level information 18a of the own ECU, the diagnostic information 19a according to safety level, the diagnostic parameter information 20a and the error count information 21a; their operation is explained using the flowchart of the diagnosis execution process 12a in FIG. 10.
FIG. 10 is a flowchart of the diagnosis execution process 12a. Each step of FIG. 10 is described below.
(Step S11)
Step S11 reads a communication ID from the received data buffer 15a.
(Step S12)
Step S12 identifies the source ECU of the data from the communication ID and the source ECU information 16a, and reads the safety level of that source ECU from the safety level information 17a of the other ECUs.
(Step S13)
Step S13 reads the safety level of the own ECU from the safety level information 18a of the own ECU.
(Step S14)
Step S14 compares the safety level of the source ECU with that of the own ECU. If the safety level of the source ECU is lower than that of the own ECU, step S15 is executed; otherwise the process ends.
(Step S15)
Step S15 reads, for the safety level of the source ECU, the diagnostic information 19a according to safety level. Because the diagnostic information 19a stores the diagnostic methods to execute for each safety level, diagnosis is executed selectively according to the safety level supplied in this step.
(Step S16)
Step S16 executes the first diagnostic method for that safety level.
(Step S17)
Step S17 determines whether there is a next diagnostic method for that safety level. If there is, step S18 is executed; if not, the process ends.
(Step S18)
Step S18 executes the next diagnostic method for that safety level and returns to step S17.
Next, examples of the diagnostic methods belonging to diagnostic method 1 and diagnostic method 2 used in the diagnosis execution process 12a are described.
FIG. 11 is a flowchart of the range check process to which diagnostic method 1 belongs. Each step of FIG. 11 is described below.
(Step S21)
Step S21 reads the communication ID.
(Step S22)
Step S22 reads the upper limit and the lower limit in the diagnostic parameter information 20a for that communication ID.
(Step S23)
Step S23 reads the data of that communication ID.
(Step S24)
Step S24 determines whether the data lies within the range between the lower limit and the upper limit read in step S22. If it does, step S25 is executed; if not, step S26 is executed.
(Step S25)
Step S25 sets the error count in the error count information 21a to 0 and ends the process.
(Step S26)
Step S26 increments the error count in the error count information 21a and ends the process.
FIG. 12 is a flowchart of the average value check process stored as diagnostic method 2. Each step of FIG. 12 is described below.
(Step S31)
Step S31 reads the communication ID, the data and the number of receptions of that data from the received data buffer.
(Step S32)
Step S32 computes the average of the data for that communication ID.
(Step S33)
Step S33 reads the upper limit and the lower limit in the diagnostic parameter information 20a for that communication ID.
(Step S34)
Step S34 determines whether the average of the data lies within the range between the lower limit and the upper limit read in step S33. If it does, step S35 is executed; if not, step S36 is executed.
(Step S35)
Step S35 sets the error count in the error count information 21a to 0 and ends the process.
(Step S36)
Step S36 increments the error count in the error count information 21a and ends the process.
With the above configuration, the data carried by communication ID 100 (sent by the ECU 1c, safety level 2 per FIGs. 5 and 6) is range-checked by diagnostic method 1 and its error count becomes 0. The data carried by communication ID 101 (sent by the ECU 1b, safety level 1) is checked by diagnostic method 1 and then diagnostic method 2, and diagnostic method 2 increments its error count: the average of 85, 84 and 83 is 84, which exceeds the upper limit of 80 stored for diagnostic method 2 and communication ID 101. FIG. 13 shows the error count information 21a after execution on the received data for communication IDs 100 and 101 held in the received data buffer 15a: the error count for communication ID 100 is 0 and that for communication ID 101 is 1.
The failure detection process 14a determines, from the results recorded in the error count information 21a, whether the source is normal or faulty. The application program 2a of FIG. 1 can thereby detect, via the interface 3a, whether a source ECU is normal or has failed.
In this embodiment a safety level was defined for each ECU connected to the network 100. In a different embodiment a safety level may be defined per function, per application program 2a, per application module belonging to the application program 2a, or per communication ID. For example, several data items computed by different application modules in one ECU and sent outside the ECU may each be assigned a different safety level, and the receiving ECU may vary its diagnostic processing according to the safety level assigned to the application module rather than the one assigned to the sending ECU. Likewise, when data is exchanged within one ECU between application modules of different safety levels, the receiving side may vary the diagnosis according to the safety level of the sending application module. In that case the data is exchanged not over the network 100 but between memory partitions or between several memories.
According to the invention of this embodiment, the content and extent of the diagnosis of received data are varied according to the safety level of the source ECU, so the diagnostic processing load can be reduced. For example, when data is sent from an ECU of a higher safety level to an ECU of a lower safety level, the safety of the data is already guaranteed, so there is little need for diagnosis. The same holds when data is exchanged between ECUs of the same safety level. When data is sent from an ECU of a lower safety level to an ECU of a higher safety level, it is also possible simply not to accept the data, without performing any diagnostic processing. Diagnostic processing of received data can thus be omitted on the basis of the ECU safety levels.
Also, since the software installed on each ECU is generally written by different development organisations, its quality may differ from ECU to ECU. According to the invention of this embodiment, even when the data safety guaranteed by the software on each ECU differs, the diagnosis of received data is varied according to the safety level required of each function of each ECU, so variations in the quality of the software on the ECUs can be absorbed. Further advantages are that new ECUs and functions are easier to add or integrate, and that existing software assets become more reusable.
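The execution process of FIG. 10 together with the two diagnostic methods of FIGs. 11 and 12, run over the sample tables of FIGs. 4 to 9 and reproducing the error counts stated above, as an added example in Python that is not part of the patent nor of any Hitachi implementation. The table contents are copied from the figures; the function names, the per-communication-ID error counter and the choice to range-check the most recent sample (the description says only "the data" of the communication ID) are assumptions of this example.

```python
"""Safety-level-driven diagnosis of received ECU data (added example, not from the patent)."""
from typing import Callable, Dict, List, Tuple

# Tables constructed from FIGs. 4 to 9 of the description.
RECEIVED_DATA_BUFFER: Dict[int, List[int]] = {  # FIG. 4: communication ID -> samples in reception order
    100: [50, 50, 50],
    101: [85, 84, 83],
}
SOURCE_ECU_INFO: Dict[int, str] = {101: "ECU1b", 100: "ECU1c"}      # FIG. 5: communication ID -> source ECU
OTHER_ECU_SAFETY_LEVEL: Dict[str, int] = {"ECU1b": 1, "ECU1c": 2}   # FIG. 6: source ECU -> safety level
OWN_ECU_SAFETY_LEVEL: int = 3                                         # FIG. 7: ECU1a, the receiving ECU
DIAGNOSTICS_BY_LEVEL: Dict[int, List[int]] = {1: [1, 2], 2: [1]}     # FIG. 8: level -> methods, in order
Params = Dict[Tuple[int, int], Tuple[int, int]]
DIAGNOSTIC_PARAMETERS: Params = {                                     # FIG. 9: (method, ID) -> (lower, upper)
    (1, 100): (0, 100),
    (1, 101): (10, 90),
    (2, 101): (20, 80),
}

ErrorCounts = Dict[int, int]  # error count information 21a, kept per communication ID (assumption)


def _record(error_counts: ErrorCounts, comm_id: int, in_range: bool) -> None:
    """Steps S25/S26 and S35/S36: reset the count on a pass, increment it on a failure."""
    error_counts[comm_id] = 0 if in_range else error_counts.get(comm_id, 0) + 1


def range_check(comm_id: int, samples: List[int], params: Params, error_counts: ErrorCounts) -> bool:
    """Diagnostic method 1 (FIG. 11): is the most recent sample within [lower, upper]?"""
    lower, upper = params[(1, comm_id)]          # S22
    value = samples[-1]                           # S23 (assumption: 'the data' is the latest sample)
    ok = lower <= value <= upper                  # S24
    _record(error_counts, comm_id, ok)
    return ok


def average_check(comm_id: int, samples: List[int], params: Params, error_counts: ErrorCounts) -> bool:
    """Diagnostic method 2 (FIG. 12): is the mean of all buffered samples within [lower, upper]?"""
    mean = sum(samples) / len(samples)            # S32
    lower, upper = params[(2, comm_id)]           # S33
    ok = lower <= mean <= upper                   # S34
    _record(error_counts, comm_id, ok)
    return ok


DIAGNOSTIC_METHODS: Dict[int, Callable[..., bool]] = {1: range_check, 2: average_check}  # 13a1, 13a2


def run_diagnosis(comm_id: int, error_counts: ErrorCounts, *,
                  buffer=RECEIVED_DATA_BUFFER, source_info=SOURCE_ECU_INFO,
                  other_levels=OTHER_ECU_SAFETY_LEVEL, own_level=OWN_ECU_SAFETY_LEVEL,
                  diagnostics=DIAGNOSTICS_BY_LEVEL, params=DIAGNOSTIC_PARAMETERS) -> List[int]:
    """Diagnosis execution process 12a (FIG. 10) for one communication ID.

    Returns the diagnostic methods actually executed, in order; an empty list means
    the data was not diagnosed because step S14 ended the process.
    """
    source_ecu = source_info[comm_id]                       # S12: communication ID -> source ECU (16a)
    source_level = other_levels[source_ecu]                 #      -> its safety level (17a)
    if not source_level < own_level:                        # S14: only data from a lower level is diagnosed
        return []
    methods = diagnostics.get(source_level, [])             # S15: methods for that level (19a)
    for method in methods:                                  # S16 to S18
        DIAGNOSTIC_METHODS[method](comm_id, buffer[comm_id], params, error_counts)
    return methods


def diagnose_all(**tables) -> ErrorCounts:
    """Run the execution process over every communication ID in the buffer; returns error counts 21a."""
    buffer = tables.get("buffer", RECEIVED_DATA_BUFFER)
    error_counts: ErrorCounts = {}
    for comm_id in buffer:
        run_diagnosis(comm_id, error_counts, **tables)
    return error_counts


if __name__ == "__main__":
    print(diagnose_all())  # {100: 0, 101: 1}, the error count information described above
```

Passing `own_level=1` to `run_diagnosis` or `diagnose_all` exercises the other branch of step S14: both sources are then at the same or a higher level than the receiver, no method runs, and the error counts stay empty.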
<Second Embodiment>
The first embodiment showed the operation when the safety level information of the other ECUs is already available. The second embodiment describes the case in which it is not. FIG. 13 shows the state transitions of the diagnosis unit 5a. Under a communication established state 52a, the diagnosis unit 5a has a configuration state 53a and a normal state 54a. Immediately after the power-on state 51a is entered, the network control driver 6a performs the communication establishment procedure defined by the communication protocol in order to establish communication on the in-vehicle network. With communication establishment as transition condition 55a, the diagnosis unit 5a moves from the power-on state 51a to the communication established state 52a. In the communication established state 52a, data can be exchanged between the own ECU and the other ECUs via the network 100. Once communication is established, transition condition 56a moves the unit to the configuration state 53a, in which safety level information is exchanged with the other ECUs. From the configuration state 53a, transition condition 57a, acquisition of the safety level information of all other ECUs, moves the unit to the normal state 54a. In the normal state 54a the safety levels of the other ECUs are stored in the safety level information 17a, so the operation described in <First Embodiment> is possible. Specifically, a communication frame 200 can carry a communication ID without carrying information directly representing the safety level.
The diagnosis unit 5a of the present invention having the configuration state 53a is described below. FIG. 14 shows the internal configuration of the diagnosis unit 5a having the configuration state 53a. As shown in FIG. 15, the diagnosis unit 5a comprises a transmit data process 35a, the received data recording process 11a, the diagnosis execution process 12a, diagnostic methods 1 and 2, the failure detection process 14a, the received data buffer 15a, the source ECU information 16a, the safety level information 17a of the other ECUs, the safety level information 18a of the own ECU, the diagnostic information 19a according to safety level, the diagnostic parameter information 20a and the error count information 21a. The diagnosis execution process 12a passes the safety level of the own ECU, stored in the safety level information 18a of the own ECU, to the transmit data process 35a. The transmit data process 35a sends the safety level it was given through the network control driver 6a.
Based on the communication ID of each communication frame 200 sent by another ECU over the network 100, the network control driver 6a determines whether the frame is one the own ECU should receive, and receives it if so. The received data recording process stores the data according to the communication ID of the received frame. The diagnosis execution process 12a reads the source ECU information 16a for the communication ID held in the received data buffer 15a, identifies the source ECU, and stores the safety level held in the received data buffer 15a in the safety level information 17a of the other ECUs under that source ECU. When the diagnosis execution process 12a has acquired the safety level information of all other ECUs it signals this and causes the transition to the normal state 54a. The condition for the transition from the configuration state 53a to the normal state 54a may instead be that the safety level information of at least one other ECU has been stored. The paths 22a to 34a connect the components described above.
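The start-up sequence of FIG. 13 and the configuration-state exchange of FIGs. 14 and 15, as an added example in Python that is not code from the patent or from any Hitachi product. It assumes that each ECU announces its safety level in a frame whose communication ID is reserved for that purpose (the description does not say how a safety-level frame is told apart from ordinary data), and that the set of ECUs whose levels must be learnt before the normal state is reached is known in advance; both are assumptions of this example. As in the description, the level is accepted exactly as it arrives in the frame: nothing on the page authenticates the sending ECU, so a deployment would want that check before a peer's claimed level is allowed to reduce the diagnosis applied to its data.

```python
"""Configuration-state exchange of ECU safety levels (added example, not from the patent)."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, List, Optional, Set


class State(Enum):
    """States of the diagnosis unit 5a in FIG. 13."""
    POWER_ON = auto()            # 51a
    COMM_ESTABLISHED = auto()    # 52a
    CONFIG = auto()              # 53a: safety levels are being exchanged
    NORMAL = auto()              # 54a: 17a is populated, the FIG. 10 diagnosis can run


@dataclass(frozen=True)
class Frame:
    """Communication frame 200: communication ID part 201 and data part 202."""
    comm_id: int
    data: int


# Assumption of this example: one communication ID per ECU is reserved for its safety-level announcement.
SAFETY_LEVEL_FRAME_IDS: Dict[str, int] = {"ECU1a": 900, "ECU1b": 901, "ECU1c": 902}
SOURCE_ECU_INFO: Dict[int, str] = {v: k for k, v in SAFETY_LEVEL_FRAME_IDS.items()}  # 16a, config IDs only


@dataclass
class DiagnosisUnit:
    own_ecu: str
    own_safety_level: int                        # 18a
    expected_peers: Set[str]                     # ECUs whose level condition 57a waits for (assumption)
    require_all: bool = True                     # False: leave CONFIG after the first stored level
    state: State = State.POWER_ON
    other_safety_levels: Dict[str, int] = field(default_factory=dict)   # 17a, empty at power-on
    transmitted: List[Frame] = field(default_factory=list)              # what 35a handed to 6a

    def on_communication_established(self) -> Frame:
        """Transitions 55a and 56a: enter CONFIG and announce the own safety level (12a -> 35a -> 6a)."""
        if self.state is not State.POWER_ON:
            raise RuntimeError(f"unexpected state {self.state}")
        self.state = State.COMM_ESTABLISHED
        self.state = State.CONFIG
        frame = Frame(SAFETY_LEVEL_FRAME_IDS[self.own_ecu], self.own_safety_level)
        self.transmitted.append(frame)
        return frame

    def on_frame(self, frame: Frame) -> Optional[str]:
        """Receive path in CONFIG: 6a filters by communication ID, 11a records, 12a stores the level in 17a.

        Returns the source ECU whose level was stored, or None when the frame is not a safety-level
        frame, was sent by this ECU, or arrived outside the CONFIG state."""
        if self.state is not State.CONFIG:
            return None
        source = SOURCE_ECU_INFO.get(frame.comm_id)        # 6a: only frames with a known ID are received
        if source is None or source == self.own_ecu:
            return None
        # The level is taken as received; the description specifies no authentication of the sender.
        self.other_safety_levels[source] = frame.data
        self._check_transition_57a()
        return source

    def _check_transition_57a(self) -> None:
        learnt = set(self.other_safety_levels)
        if self.expected_peers <= learnt or (not self.require_all and learnt):
            self.state = State.NORMAL


def bring_up_network(units: List[DiagnosisUnit]) -> Dict[str, State]:
    """Constructed bus: every unit establishes communication, then each announcement reaches all units."""
    announcements = [u.on_communication_established() for u in units]
    for frame in announcements:
        for u in units:
            u.on_frame(frame)
    return {u.own_ecu: u.state for u in units}


if __name__ == "__main__":
    ecus = [DiagnosisUnit("ECU1a", 3, {"ECU1b", "ECU1c"}),
            DiagnosisUnit("ECU1b", 1, {"ECU1a", "ECU1c"}),
            DiagnosisUnit("ECU1c", 2, {"ECU1a", "ECU1b"})]
    print(bring_up_network(ecus))
    print(ecus[0].other_safety_levels)   # {'ECU1b': 1, 'ECU1c': 2}, the contents of FIG. 6
```

With `require_all=False` the unit applies the relaxed condition mentioned above and leaves the configuration state as soon as one peer's level is stored; any announcement arriving after that is ignored by `on_frame`, which is the price of the relaxed condition and worth knowing before choosing it.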
With the above configuration, even when the safety level information of the other ECUs is not provided in advance, the own ECU can obtain it by performing the operation of <Second Embodiment> once communication is established.
While the above description has been made with reference to embodiments, the invention is not limited to them, and it will be apparent to those skilled in the art that various changes and modifications can be made within the spirit of the invention and the scope of the appended claims.
1a, 1b, 1c Electronic control unit (ECU)
2a Application program
3a Interface
4a RTOS
5a Diagnosis unit
6a Network control driver
11a Received data recording process
12a Diagnosis execution process
13a1 Diagnostic method 1
13a2 Diagnostic method 2
14a Failure detection process
15a Received data buffer
16a Source ECU information
17a Safety level information of the other ECUs
18a Safety level information of the own ECU
19a Diagnostic information according to safety level
20a Diagnostic parameter information
21a Error count information
22a, 23a, 24a, 25a, 26a, 27a, 28a, 29a, 30a, 31a, 32a, 33a, 34a Path
35a Transmit data process
51a Power-on state
52a Communication established state
53a Configuration state
54a Normal state
55a, 56a, 57a Transition condition
200 Communication frame
201 Communication ID part
202 Data part
1000 Network

Claims (11)

  1.  An in-vehicle electronic control device connected to an in-vehicle network to which a plurality of in-vehicle electronic control devices are connected, and transmitting and receiving data via the in-vehicle network, the in-vehicle electronic control device comprising:
     a first storage unit storing information on a safety level assigned to the in-vehicle electronic control device or to a function of the in-vehicle electronic control device;
     a second storage unit storing information on a safety level assigned to another in-vehicle electronic control device connected to the in-vehicle network or to a function of the other in-vehicle electronic control device;
     a diagnosis unit which, for data received from another in-vehicle electronic control device connected to the in-vehicle network, compares the information stored in the first storage unit with the information stored in the second storage unit, selects the content and extent of the diagnosis, and performs the diagnostic processing; and
     a data transmission unit which attaches the information on the safety level assigned to the in-vehicle electronic control device or to a function of the in-vehicle electronic control device to the data transmitted to the in-vehicle network and transmits it.
  2.  An in-vehicle electronic control device that is connected to an in-vehicle network to which a plurality of in-vehicle electronic control devices are connected, and that transmits and receives data via the in-vehicle network, the device comprising:
     an ID assigning unit that attaches, to the data transmitted to the in-vehicle network, a communication ID identifying the data source;
     a first storage unit that stores information on the safety level assigned to the in-vehicle electronic control device or to a function of the in-vehicle electronic control device;
     a second storage unit that stores information associating the plurality of in-vehicle electronic control devices connected to the in-vehicle network with their communication IDs;
     a third storage unit that stores information associating another in-vehicle electronic control device connected to the in-vehicle network, or a function of that other device, with a safety level; and
     a diagnosis unit that, for data received from another in-vehicle electronic control device connected to the in-vehicle network, selects the content and degree of diagnosis based on the information stored in the first, second and third storage units and carries out the diagnosis process.
  3.  The in-vehicle electronic control device according to claim 1 or 2,
     wherein the electronic control device has a received-data recording processing unit that records data communication frames, containing safety level information, received from another in-vehicle electronic control device connected to the in-vehicle network.
  4.  The in-vehicle electronic control device according to claim 3,
     wherein, after communication on the in-vehicle network has been established,
     the device transitions to a configuration state in which communication frames containing a safety level are transmitted and received, and,
     after storing at least one safety level contained in such a communication frame,
     transitions from the configuration state to a normal state in which communication frames not containing a safety level are transmitted and received.
  5.  The in-vehicle electronic control device according to claim 1, wherein the information on the safety level assigned to another in-vehicle electronic control device connected to the in-vehicle network, or to a function of that other device, is acquired from the in-vehicle network after communication on the in-vehicle network has been established and is stored in the second storage unit.
  6.  The in-vehicle electronic control device according to claim 2, wherein the information associating another in-vehicle electronic control device connected to the in-vehicle network, or a function of that other device, with a safety level is acquired from the in-vehicle network after communication on the in-vehicle network has been established and is stored in the third storage unit.
  7.  The in-vehicle electronic control device according to any one of claims 1 to 6,
     wherein the degree of diagnosis includes a case in which data received from another in-vehicle electronic control device connected to the in-vehicle network is not acquired at all, no diagnosis process being performed on it.
  8.  The in-vehicle electronic control device according to any one of claims 1 to 7,
     wherein the degree of diagnosis includes the number of times the received data is diagnosed.
  9.  The in-vehicle electronic control device according to any one of claims 1 to 8,
     wherein the content of diagnosis includes a threshold range used to diagnose whether the received data is normal.
  10.  The in-vehicle electronic control device according to any one of claims 1 to 9,
     wherein the safety level is determined by the magnitude of the damage caused when the function to which it is assigned fails to operate normally.
  11.  A vehicle control system comprising at least one in-vehicle electronic control device according to claim 1 or 2.
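The following is an added example, not code from the patent or from Hitachi Automotive Systems, that models the receiver side of claims 1 to 10 in Python: the three storage units (own level, communication ID to source ECU, source ECU to level), the configuration-to-normal state transition of claim 4, and a diagnosis unit that picks the degree of diagnosis (discard undiagnosed, one range check, or several checks) and its content (a threshold range) from the comparison of own and sender level. Everything concrete is an assumption made here for illustration: the four-step level scale, the policy table in `required_passes`, the reading of "number of diagnoses" as the number of consecutive in-range frames required before a value is accepted, the frame layout, and the constructed ECU names, IDs and values in `demo`.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Safety levels ordered by the damage a malfunction causes (claim 10).
    The four-step scale is an assumption borrowed from ASIL-style grading."""
    QM = 0
    A = 1
    B = 2
    C = 3
    D = 4


@dataclass
class Frame:
    comm_id: int                   # communication ID part (201)
    value: int                     # data part (202), one scalar for simplicity
    level: Optional[Level] = None  # present only in configuration-state frames


@dataclass
class Ecu:
    name: str
    own_level: Level                         # first storage unit
    id_to_ecu: dict[int, str]                # second storage unit: comm ID -> source ECU
    thresholds: dict[int, tuple[int, int]]   # claim 9: plausible range per comm ID
    peer_level: dict[str, Level] = field(default_factory=dict)  # third storage unit
    state: str = "CONFIG"                    # 53a configuration / 54a normal
    config_log: list[Frame] = field(default_factory=list)      # claim 3 recording
    good_streak: dict[int, int] = field(default_factory=dict)
    error_count: dict[int, int] = field(default_factory=dict)  # 21a

    def required_passes(self, sender: Level) -> Optional[int]:
        """Degree of diagnosis (claims 7, 8) chosen from own vs. sender level.
        None means the data is discarded without being diagnosed (claim 7).
        The policy table itself is an assumption."""
        gap = self.own_level - sender
        if gap >= 2:
            return None   # sender far below our level: do not acquire the data
        if gap == 1:
            return 3      # qualify over three consecutive in-range frames
        return 1          # equal or higher level: a single range check suffices

    def on_frame(self, frame: Frame) -> Optional[int]:
        """Returns the accepted value, or None if rejected or not yet qualified."""
        src = self.id_to_ecu.get(frame.comm_id)
        if src is None:
            self._bump_error(frame.comm_id)      # unknown sender ID
            return None
        if self.state == "CONFIG":
            if frame.level is None:
                self._bump_error(frame.comm_id)  # config state expects a level
                return None
            self.config_log.append(frame)
            self.peer_level[src] = frame.level
            # Claim 4 needs at least one stored level; waiting for every known
            # peer before leaving CONFIG is a stricter choice made here.
            if set(self.peer_level) >= set(self.id_to_ecu.values()):
                self.state = "NORMAL"
            return None
        # NORMAL state: frames carry no level, so use the stored one.
        sender_level = self.peer_level.get(src)
        if sender_level is None:
            self._bump_error(frame.comm_id)
            return None
        needed = self.required_passes(sender_level)
        if needed is None:
            return None                          # discarded, no diagnosis run
        lo, hi = self.thresholds[frame.comm_id]  # content of diagnosis (claim 9)
        if not lo <= frame.value <= hi:
            self.good_streak[frame.comm_id] = 0
            self._bump_error(frame.comm_id)
            return None
        streak = self.good_streak.get(frame.comm_id, 0) + 1
        self.good_streak[frame.comm_id] = streak
        return frame.value if streak >= needed else None

    def _bump_error(self, comm_id: int) -> None:
        self.error_count[comm_id] = self.error_count.get(comm_id, 0) + 1


def demo() -> dict:
    """Constructed scenario: a level-D brake ECU listening to a level-C engine
    ECU and a QM body ECU."""
    brake = Ecu(name="BRAKE", own_level=Level.D,
                id_to_ecu={0x100: "ENGINE", 0x300: "BODY"},
                thresholds={0x100: (0, 6000), 0x300: (0, 100)})
    brake.on_frame(Frame(0x100, 0, Level.C))    # configuration-state frames
    brake.on_frame(Frame(0x300, 0, Level.QM))   # second level learned -> NORMAL
    results = [
        brake.on_frame(Frame(0x100, 2500)),     # in range, streak 1 of 3
        brake.on_frame(Frame(0x100, 2600)),     # streak 2 of 3
        brake.on_frame(Frame(0x100, 2700)),     # streak 3 -> value accepted
        brake.on_frame(Frame(0x100, 9999)),     # out of range -> error, reset
        brake.on_frame(Frame(0x300, 50)),       # QM sender -> never acquired
    ]
    return {"state": brake.state, "results": results,
            "errors": dict(brake.error_count)}


if __name__ == "__main__":
    print(demo())
```

Note the trust boundary this leaves open: in the claims the safety level is self-declared by the sender in a configuration frame, and the sender is identified only by the communication ID looked up in the second storage unit. That defends against random faults and misconfiguration, which is what the patent addresses, but any node that can write to the bus can declare an arbitrary level or reuse another ECU's ID, and the claims describe no authentication of these frames. Against an attacker, the level tables and the frames themselves would need message authentication before the diagnosis selection means anything.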
PCT/JP2012/070672 2011-09-20 2012-08-14 Vehicle-mounted control device WO2013042494A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2011204043A JP5542760B2 (en) 2011-09-20 2011-09-20 In-vehicle control device
JP2011-204043 2011-09-20

Publications (1)

Publication Number Publication Date
WO2013042494A1 true WO2013042494A1 (en) 2013-03-28

Family

ID=47914273

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2012/070672 WO2013042494A1 (en) 2011-09-20 2012-08-14 Vehicle-mounted control device

Country Status (2)

Country Link
JP (1) JP5542760B2 (en)
WO (1) WO2013042494A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023195468A1 (en) * 2022-04-07 2023-10-12 株式会社デンソー Vehicle control system, access control device, and access control method
WO2023210290A1 (en) * 2022-04-28 2023-11-02 株式会社デンソー Mobility service provision system, in-vehicle system, management server, access control method, and program

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101745174B1 (en) * 2015-11-10 2017-06-08 현대오트론 주식회사 Mehtod of restoring electronic control of vehicylar and apparatus performing the same
JP6717184B2 (en) * 2016-12-15 2020-07-01 株式会社デンソー In-vehicle control device
CN109040249B (en) * 2018-06-22 2020-11-20 中车青岛四方车辆研究所有限公司 Vehicle-mounted network system and communication method thereof

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004268633A (en) * 2003-03-05 2004-09-30 Mazda Motor Corp Remote damage prediction system
JP2010202127A (en) * 2009-03-05 2010-09-16 Honda Motor Co Ltd Vehicular electronic control device

Also Published As

Publication number Publication date
JP2013063714A (en) 2013-04-11
JP5542760B2 (en) 2014-07-09

Similar Documents

Publication Publication Date Title
US11599349B2 (en) Gateway device, in-vehicle network system, and firmware update method
CN105981336B (en) Abnormality detection electronic control unit, vehicle-mounted network system, and abnormality detection method
US11165851B2 (en) System and method for providing security to a communication network
JP5353545B2 (en) In-vehicle network device
US20240062595A1 (en) Layered electrical architecture for vehicle diagnostics
US9843523B2 (en) Communication management apparatus and communication management method for vehicle network
WO2013042494A1 (en) Vehicle-mounted control device
US20240053977A1 (en) Gateway device, in-vehicle network system, and firmware update method
JP5310138B2 (en) Vehicle control system
JP2019008618A (en) Information processing apparatus, information processing method, and program
US20110107349A1 (en) Control apparatus, control method and storage medium
JP2018170719A (en) Information processing apparatus, information processing method, and program
JP2014031077A (en) Vehicle operation verification system
JP5365584B2 (en) Control device
JP6874102B2 (en) Fraud detection electronic control unit, in-vehicle network system and fraud detection method
US20110126218A1 (en) Control apparatus, control method and computer program
WO2018179630A1 (en) Information processing device, information processing method and program
US20220029855A1 (en) Relay device system
JP2010018168A (en) System and method for analyzing abnormality for vehicle, and vehicular trouble analyzer
US20220358224A1 (en) Onboard computer, computer program, computer-readable recording medium, and security setting method
JP4948583B2 (en) Control system
CN117492946A (en) Method for controlling access of various applications in vehicle
JP6812765B2 (en) Electronic control device
JP4172461B2 (en) Node diagnostic system
WO2021019636A1 (en) Security device, incident handling method, program, and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 12833137; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 12833137; Country of ref document: EP; Kind code of ref document: A1)