WO2017038290A1 - Verification system, verification device, and vehicle control device - Google Patents

Verification system, verification device, and vehicle control device Download PDF

Info

Publication number
WO2017038290A1
WO2017038290A1 PCT/JP2016/071474 JP2016071474W WO2017038290A1 WO 2017038290 A1 WO2017038290 A1 WO 2017038290A1 JP 2016071474 W JP2016071474 W JP 2016071474W WO 2017038290 A1 WO2017038290 A1 WO 2017038290A1
Authority
WO
WIPO (PCT)
Prior art keywords
timing
execution
instruction
verification
test
Prior art date
Application number
PCT/JP2016/071474
Other languages
French (fr)
Japanese (ja)
Inventor
隆博 飯田
正裕 松原
敦寛 大野
Original Assignee
日立オートモティブシステムズ株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日立オートモティブシステムズ株式会社 filed Critical 日立オートモティブシステムズ株式会社
Publication of WO2017038290A1 publication Critical patent/WO2017038290A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software

Definitions

  • the present invention relates to a verification system, a verification device, and a vehicle control device.
  • Patent Document 1 discloses a technique for correcting a verification pattern according to the specifications of each model.
  • the present invention is a technique for solving such a conventional problem, and an object of the present invention is to provide a verification system, a verification device, and a vehicle control device that can reproduce verification of a problem that is difficult to reproduce. And
  • the present invention is a verification system for verifying a defect caused by execution timing of a control program, an instruction generation unit that generates a test instruction to the control program based on a predetermined test condition, and the control according to the test instruction
  • a result acquisition unit that acquires an execution result executed by the program, wherein the test instruction includes an execution timing of the control program, and the instruction generation unit is set based on the predetermined test condition If it is determined that the execution result is not abnormal as compared with the comparison value, a new test instruction in which the execution timing is changed is generated.
  • the present invention it is a technique for solving such a conventional problem, and it is possible to reproduce a verification of a defect that is difficult to reproduce.
  • FIG. 1 is a diagram illustrating a configuration of a verification system according to a first embodiment.
  • the flowchart of timing adjustment. 9 is a flowchart of timing adjustment at regular intervals in the second embodiment.
  • 10 is an example of timing replication in the third embodiment.
  • Example of interval explanation at timing duplication. 10 is a flowchart of timing replication processing according to the fourth embodiment.
  • Example 5 it is a figure which shows the structure which provides a timing adjustment part in ECU.
  • the operation example of the structure which provided the timing adjustment part in ECU. 20 is a data table example according to the sixth embodiment.
  • FIG. 1 shows the configuration of this embodiment.
  • the verification system of the present embodiment is a verification system for verifying a defect caused by the execution timing of a control program, an instruction generation unit 306 that generates a test instruction to the control program based on a predetermined test condition, and a test instruction And a result acquisition unit 305 that acquires an execution result executed by the control program according to the test instruction, the test instruction includes the execution timing of the control program, and the instruction generation unit 306 is set based on a predetermined test condition If it is determined that the execution result is not abnormal as compared with the comparison value, a new test instruction with a changed execution timing is generated.
  • the verification system includes the verification device 1 and a verification target.
  • An ECU (Electronic Control Unit) 2 to be verified in this embodiment is virtually operated on a virtual verification environment (for example, an environment in which a hardware-in-the-loop simulation (HILS) environment is reproduced on a server).
  • the reproduced ECU may be an actual ECU (real ECU).
  • the verification device 1 simulates the operation of the sensor and the vehicle, transmits the calculation result to the ECU, and the ECU performs the operation verification by operating based on the received calculation result.
  • the verification apparatus 1 can determine the verification result by receiving and analyzing the operation information of the ECU 2.
  • the ECU 2 receives a data or transmits data, a communication device 201, a ROM (Read Only Memory) 202 that is a storage device in which a control program is stored, and a ROM 202
  • a CPU Central Processing Unit
  • a RAM Random Access Memory
  • An input / output device 205 that outputs a control signal is provided.
  • FIG. 3 shows the structure of software implemented on the ROMs of the verification device 1 and the ECU 2.
  • a predetermined test condition is input to the verification apparatus 1 by the verifier.
  • the test condition is called a test scenario.
  • the test scenario is created by a verifier assuming that a failure will occur, and details will be described later.
  • the test scenario interpretation unit 301 has a function of interpreting the contents of the test scenario, and creates and outputs a test instruction (verification instruction) and a result acquisition instruction for reproducing the test scenario by the control program based on the test scenario.
  • the verification instruction includes the processing timing of the control program
  • the result acquisition instruction includes the result acquisition timing for acquiring the processing result processed by the control program.
  • the timing adjustment unit 302 acquires the test instruction and the result acquisition instruction, performs timing adjustment described later, changes the processing timing and the result acquisition timing, and outputs the result.
  • the test instruction unit 303 acquires the test instruction and outputs it to the program execution unit.
  • the result acquisition unit 305 inputs the result acquisition timing included in the result acquisition instruction to the program execution unit 304.
  • the program execution unit 304 has a function of executing a control program to be tested.
  • the program execution unit 304 acquires the test instruction and executes the process described in the test instruction. Further, the program execution unit 304 acquires a result acquisition instruction from the result acquisition unit 305, acquires data at a timing instructed by the result acquisition instruction, and generates a test execution result.
  • the result acquisition unit 305 acquires the test execution result, compares the expected value described in the result acquisition instruction with the execution value of the test execution result, and confirms whether the defect has been reproduced.
  • the result acquisition unit 305 calculates the difference between the execution result and the expected value of the test input or the adjusted test input to generate difference information.
  • the timing adjustment unit 302 acquires the difference information, corrects the previous adjusted test input, creates a new adjusted test input, and executes the test again.
  • a test is executed by inputting a test scenario, and the test is repeated until the fault is reproduced based on the test execution result, so that the fault is surely generated.
  • Figure 4 shows an example of program execution when a problem occurs.
  • a function X402 that is the cause of the failure is mounted, and a call function 401 for executing the function X402 is mounted.
  • the function X402 executes a process A 402-1 and a process B 402-2 that use the variable A.
  • the function X outputs a variable Z calculated based on the value of the variable A as an execution result.
  • the interrupt Y403 is a function having a process for rewriting the value of the variable A. In the defect example, the interrupt Y403 is called between the process A 402-1 and the process B 402-2 of the function X402, and inconsistency occurs between two processes that should be originally calculated with the same value.
  • the calculation of the variable Z based on the calculation result leads to the occurrence of a malfunction.
  • the interval between two consecutive processes in the function is very short, and it is very difficult to reliably execute the interrupt function between the processes.
  • FIG. 5 shows an example of a test scenario acquired by the test scenario interpretation unit 301.
  • the test scenario 501 includes information on whether the operation is executed, the content of the operation, the operation target, the expected value after the operation ends, the instruction timing of the operation, and the determination target.
  • the operation execution order is expressed using relative time based on processing such as order, absolute time, and function.
  • the content of the operation is to specify the operation content of the control program such as the start and end of processing, data initialization, and log acquisition by data acquisition.
  • the operation target is a unit that specifies a variable, a function, a process in the function, a task for executing the function, a memory address, a CPU core number, or the like.
  • the initial value of the variable in the case of initialization, can be specified, the start time and end time of other processes, the data value can be specified, and multiple values and value ranges can be specified.
  • the expected value is used for comparison with the execution result at the time of verification determination, except in the case of initialization.
  • the instruction timing specifies the timing or event at which the operation is performed. As the instruction timing, for example, an absolute time, a relative time based on a certain operation, a numerical order, or the like is designated.
  • the determination target indicates that the verification result is used when determining whether the verification result is normal or not when acquiring the execution result.
  • information for specifying the operation of the control program may be described in the test scenario. By describing this test scenario, the verifier can define desired verification contents.
  • FIG. 6 shows a test instruction 601 created by the test scenario interpretation unit and the timing adjustment unit.
  • the test instruction 601 describes an operation necessary for verification, an instruction timing for executing the operation, and an operation target.
  • software operation such as initialization, execution or termination of processing, interruption or restart, or setting of sensor input value is designated.
  • As the timing for executing the operation an absolute time from the start of execution of the control program or a relative time from the operation as the base point can be designated.
  • the verification apparatus 2 can instruct a desired verification operation to the program execution unit 304.
  • FIG. 7 shows a result acquisition instruction 701 created by the test scenario interpretation unit and the timing adjustment unit.
  • the result acquisition instruction 701 describes an operation such as data acquisition, an instruction timing for executing the operation, an operation target, an expected value of the target, and information on whether the target is a determination target.
  • the command timing specifies the absolute time from the start of execution of the control program and the relative time from the base operation as the timing to execute the operation.
  • the target it is possible to describe the start-up end time of a function or a task that operates the function, and the destination where values such as variables and memory addresses are stored.
  • Expected values include values according to the target, time information and relative time from the processing that is the base point for the start end time, values that would be recorded in variables, memory addresses, etc. Is described.
  • the determination target indicates that the verification result is used when determining whether the verification result is normal or not when acquiring the execution result. By generating the result acquisition timing in this way, the verification apparatus 2 can specify a desired verification result for the program execution unit 304.
  • a method for creating the result acquisition instruction 701 from the example of the test scenario 501 will be described. Select data acquisition and other status collection operations from the action items. Then, the execution condition is converted into instruction timing. Further, among the operations other than data acquisition, result acquisition timing data for acquiring data of start and end times of processing units such as functions, tasks, and interrupts is generated. By acquiring the start time and end time of the processing unit, later timing adjustment can be performed.
  • FIG. 8 shows an execution result 801 acquired from the program execution unit 304 based on the result acquisition instruction 701 and the test instruction 601.
  • the execution result 801 describes the execution timing, the operation target, and the execution value.
  • the execution timing of the operation information for specifying the time and the order such as the absolute time when the operation target is executed or the relative time from the operation as the base point is described.
  • the target includes a variable, a function, a function end time or start time, a memory address, a task (control program execution unit), and the like.
  • the execution value a value corresponding to the target is described, and a numerical value, time information, a truth value, or the like is described.
  • the verification apparatus can determine the verification result of the control program.
  • the result value of specific timing such as 20 ⁇ sec, 30 ⁇ sec, and 40 ⁇ sec after the start of the function X can be obtained as the execution value obtained from the program execution unit 304.
  • an actual ECU is used as a verification target, it is not possible to obtain a result value of such a specific timing.
  • the test scenario interpretation unit 301 selects an operation other than data acquisition among the operations. Then, an operation not selected as the test instruction is selected as a result acquisition instruction. Next, the result acquisition instruction generates an item for acquiring the start time and the end time when the operation target of the test instruction is an execution unit such as a function, an interrupt, or a task.
  • the processing that is the base point of the operation described in the instruction timing or expected value is an execution unit such as a function, interrupt, or task, its start and end times are generated. Further, the expected value of the start time of the generated item is described using the instruction timing described in the test scenario 501. For example, it is possible to confirm whether the expected value of the interrupt Y moves according to the instruction timing by using the instruction timing described in the test scenario 501.
  • the start time of function X is not specified in the test scenario, it is not described.
  • the end time can be set arbitrarily for each function, or can be specified at random.
  • FIG. 9 shows a flowchart of timing adjustment.
  • step 901 the process is started.
  • step 902 the target expected value that is the determination target described in the result acquisition instruction 701 is compared with the target execution value of the execution result 801.
  • step 903 it is determined whether the control program has failed. When the execution value matches the expected value, it is determined that the control program is operating normally, and no defect is found, so step 906 is executed next.
  • step 904 is executed.
  • the execution result is output so that the contents of the defect can be analyzed, and the process ends in step 905.
  • step 906 the execution time from the start time to the end time of the process is adjusted.
  • the result acquisition instruction 701 was expected to take 5 ⁇ SEC from the interrupt Y start time to the end time, but when actually executed, the execution time required 10 ⁇ SEC. Therefore, the set value of the end time of the function generated by the test scenario interpretation unit 301 is corrected to 10 ⁇ SEC.
  • the execution result 801 By using the execution result 801, more accurate verification can be performed using the actual execution time.
  • step 907 the processing start time is adjusted.
  • the start time of the interrupt Y is 120 ⁇ SEC, but in the result acquisition instruction 701, the expected value of the start time of the interrupt Y is 10 ⁇ SEC, and there is a deviation.
  • Such deviations are caused by deviations in the control information of the non-verified control that was simplified when estimating the timing calculation in advance or the actual machine operation information, and in the case of interrupts, etc. It can happen from the time lag until it occurs.
  • the timing adjustment unit 302 adjusts the instruction timing of the test instruction 601 to match the execution value at the start time with the expected value.
  • the interrupt Y is instructed to start 10 ⁇ SEC after the start of the function X, but actually starts after 20 ⁇ SEC. Therefore, the instruction timing is adjusted and corrected to an instruction timing for operating an interrupt immediately after the function X starts. In step 908, the process ends.
  • the timing adjustment unit performs verification again using the new test instruction timing and result acquisition timing.
  • This embodiment allows the verifier to design a test scenario and input it to the verification device, so that the timing adjustment unit can always execute the test scenario as expected. That is, by correcting the verification scenario from the execution result and repeatedly performing re-verification, it is possible to reliably realize the assumed failure and specify the situation when the failure occurs. In addition, if it cannot be realized, it can be confirmed or proved that the expected failure does not occur.
  • the instruction generation unit is configured to be able to repeatedly execute an execution timing setting operation for setting a new execution timing based on the execution result, and as the number of repetitions of the execution timing setting operation increases, A new execution timing is set so that the difference between the two increases. Specifically, when a problem does not occur, the problem is reproduced by shifting the execution timing of processing at regular intervals.
  • FIG. 10 shows a timing adjustment method in this embodiment. This processing is performed in step 907.
  • step 1001 this process is started.
  • step 1002 it is confirmed whether the number of timing adjustments is an even number or an integer number. This is because the timing before and after the base timing can be designated by switching between positive and negative correction values in the subsequent steps.
  • step 1003 a correction unit value is added to the timing correction value that is a value for correcting the processing start time.
  • the timing correction value is a value that can adjust the execution timing, such as time information such as minutes and hours, or numerical information.
  • the correction unit is a minimum width for shifting the timing, and uses a value that can adjust the execution timing, such as time information such as minutes and hours, and numerical information. By adding the timing correction value, the width can be switched at regular intervals.
  • step 1004 the timing in the future direction can be specified by making the sign of the timing correction value positive.
  • step 1005 the timing of the past direction is designated by making the sign of the timing correction value negative.
  • step 1006 the timing correction value is added to the execution timing of the test instruction 601. This correction processing stops processing after an arbitrary number of times or an arbitrary time, and outputs that the defect has not been reproduced as a determination result.
  • correction can be performed by shifting the timing, so the verifier can correct the deviation. The failure can be reproduced without doing it.
  • the predetermined test condition includes a reference execution timing set in advance as a reference, and the instruction generation unit 306 sets a plurality of different execution timings based on the reference execution timing.
  • the failure is reproduced by executing the interrupt Y, which is the process specified in the test scenario, a plurality of times.
  • FIG. 11 shows a copy example of this embodiment.
  • the interrupt Y1101 is a function similar to the interrupt Y403 in FIG. 4, and its timing chart is shown.
  • a function X1103 is the function X402 in FIG. 4 and shows a timing chart thereof.
  • the interrupt Y1101 must be executed between the processes A 402-1 and 402-3.
  • the actual interrupt 1102 does not always fit between the process A and the process B. Therefore, an interrupt is generated between the process A and the process B by performing the interrupt Y1101 a plurality of times as the duplicate interrupt 1102-1.
  • the instruction generation unit 306 when generating a new test instruction, sets a new execution timing based on the execution timing that brought the execution result.
  • the instruction timing instruction method will be described with reference to FIG.
  • the replication interval 1201 is set. This interval specifies an arbitrary interval of the verifier.
  • the number of copies or the verification interval 1202 is set. When the number is designated, the number is arranged at regular intervals around the designated instruction timing. When the verification interval 1202 is designated, duplicate interrupts 1102-1 that are within the verification interval 1202 are generated.
  • Step 907 a fourth embodiment relating to the timing adjustment means in Step 907 when the replication timing is designated will be described.
  • the difference from the third embodiment is that timing adjustment and replication can be performed simultaneously.
  • the timing adjustment unit can shift the timing by adding a correction unit.
  • FIG. 13 shows processing of this embodiment in the timing adjustment unit 302. Processing is started in STEP1301. In STEP1302, the timing correction of the second embodiment is performed. At this time, the correction unit is set as a verification interval 1202. In STEP 1303, the instruction timing is duplicated. In STEP 1304, verification after the timing adjustment unit 302 is performed. In STEP 1305, when all the determination results are normal values, it is determined to be re-verification. In STEP 1307, the duplication timing is discarded and STEP 1302 is executed again. In step 1306, the verification ends.
  • timing adjustment and timing duplication are performed without duplicating the duplication timing, so that the defect can be reproduced quickly and reliably.
  • the timing adjustment unit and the result acquisition unit are arranged in the ECU 2.
  • an actual ECU is used as the ECU 2
  • a verification system and a control program are mounted on the ECU 2 so as to be connectable to a verification device that outputs a predetermined test condition.
  • FIG. 14 shows the configuration of this embodiment.
  • the verification apparatus 1 has a test scenario interpretation unit 301.
  • the ECU 2 includes a program execution unit 304, a result acquisition unit 305, a timing adjustment unit 302, and a test instruction unit 303.
  • the test instruction unit 303 receives the test instruction from the test scenario interpretation unit 301 and instructs the program execution unit.
  • the timing adjustment unit 302 adjusts the timing based on the execution result acquired by the result acquisition unit 305, and the test instruction unit 303 inputs the test instruction to the program execution unit 304 again.
  • Fig. 15 shows the operation in this configuration.
  • the verification device 1 outputs a test execution request to the ECU 2.
  • the test instruction request includes a test instruction 601 and further outputs request information for performing a test on the control program (OS) in the program execution unit 304.
  • the test execution request is output to the timing adjustment unit 302 and the control program (OS) 304-1.
  • the control program (OS) 304-1 has a function of managing the start / end processing of a control program (task) for executing a control program for controlling the actuator.
  • the control program (OS) 304-1 shifts the operation of the control program to the test mode.
  • Test modes include, for example, “Do not activate any other than the specified interrupt function”, “Limit the sensor input value”, “Specify the task to activate”, “Temporarily save the variable state”, etc.
  • a function that activates only data and processing related to the is executed.
  • control program (OS) 304-1 starts the control program (task) 304-2.
  • the control program (task) 304-2 performs initialization using the state of variables and constants included in the test execution request. Execute each function registered in the task after initialization.
  • the control program (OS) executes the interrupt Y according to the test execution request.
  • control program (OS) 304-1 After the control program (task) 304-2 ends, the control program (OS) 304-1 notifies the data acquisition unit 305 of the variable information of the control program (task) 304-2.
  • the data acquisition unit 305 determines the result received from the control program 304 using the expected value of the variable in the test execution request received from the timing adjustment unit.
  • the data acquisition unit 305 outputs a retest request to the timing adjustment unit 302 when the determination result requests re-verification, that is, in the problem of the present invention, when the result and the expected value all match and the failure cannot be reproduced. .
  • the timing adjustment unit 302 corrects the test scenario by performing the timing adjustment described in the first to fourth embodiments.
  • the timing adjustment unit 302 outputs a test execution request to the control program 304-1 after the test scenario correction.
  • FIG. 16 shows the data structure used in this embodiment.
  • FIG. 16A shows a test instruction 1601 in this embodiment.
  • the test instruction 1601 describes the execution target and execution timing, and the execution target is specified in units in which the operating system such as a task or an interrupt can operate.
  • FIG. 16B shows an initialization setting table 1602.
  • the initialization setting table 1602 can specify an initialization target in which values such as variables and memory addresses are stored, and the initial value.
  • the initialization setting table 1602 may be included in the test instruction 1601.
  • (C) of FIG. 16 represents the result acquisition instruction 1603.
  • This result acquisition instruction 1603 describes the acquisition target and the expected value.
  • the acquisition target is an item that can store a value such as a variable name or a memory address.
  • As the expected value a numerical value corresponding to a numerical value or a variable type is specified, and not only a single value but also a range may be specified.
  • the result acquisition unit 305 determines the execution result by comparing the expected value described in the result acquisition instruction 1603 with the numerical information of the execution value, and the timing adjustment unit 302 adjusts the timing using the second to fourth embodiments. I do.
  • This example uses the same information as the result acquisition instruction 701 and test execution result 801 of Example 1, but is different in that there is no timing specification for the result acquisition instruction.
  • the operation assumed by the control program to be verified may not be performed due to a processing load for recording a detailed execution time such as a function.
  • this is a case where the actual ECU is a verification target instead of the virtual ECU.
  • the use of the present embodiment makes it possible to reproduce the problem even in a control program in which a detailed execution time cannot be recorded.
  • Verification device 2 ECU 201 Communication device 202 ROM 203 CPU 204 RAM 205 Input / Output Device 301 Test Scenario Interpretation Unit 302 Timing Adjustment Unit 303 Test Instruction Unit 304 Program Execution Unit 305 Result Acquisition Unit 401 Call Function 402 Function X 402-1 Function A Processing A 402-2 Function X Processing B 403 Interrupt Y 501 Test scenario 601 Test instruction timing 701 Result acquisition timing 801 Execution result 901 Timing adjustment processing start 902 Determination target comparison processing 903 Determination result confirmation 904 Determination result output processing 905 Processing end 906 Execution time adjustment processing 907 Start time adjustment processing 908 Processing end 1001 Timing adjustment processing start 1002 Timing adjustment count confirmation 1003 Timing correction value addition processing 1004 Timing correction value code change processing 1005 Timing correction value code change processing 1006 Instruction timing correction processing 1007 Processing end 1101 Interrupt Y time chart 1102 Interrupt Y interrupt timing 1102-1 Interrupt Y duplication timing 1103 Function X time chart 1201 Duplication interval 1202 Ver

Abstract

The purpose of the present invention is to provide a verification system, a verification device, and a vehicle control device with which it is possible to reproduce verification of a defect that is difficult to reproduce. The present invention is a verification system for verifying a defect caused by the execution timing of a control program, wherein the verification system is provided with an instruction generation unit for generating a test instruction to the control program on the basis of a prescribed test condition, and a result acquisition unit for acquiring an execution result executed by the control program according to the test instruction. The test instruction includes the execution timing of the control program, and the instruction generation unit generates a new test instruction in which the execution timing is changed when the execution result is determined to have no abnormality in comparison with a set comparison value on the basis of the prescribed test condition.

Description

検証システム、検証装置、及び、車両制御装置Verification system, verification apparatus, and vehicle control apparatus
 本発明は、検証システム、検証装置、及び、車両制御装置に関する。 The present invention relates to a verification system, a verification device, and a vehicle control device.
 コントローラの検証技術としては、特許文献1では機種毎の仕様に応じた検証パターンを補正する技術が開示されている。 As a controller verification technique, Patent Document 1 discloses a technique for correcting a verification pattern according to the specifications of each model.
特開2014-52358号公報JP 2014-52358 A
 従来の機能検証方法では、特定タイミングに依存する不具合の確認が困難であった。例えば、速度などの外界の情報をセンシング中に機能を実行するスイッチなどが押されることで、センシング途中の意味の取れない値を使用してしまい不具合に繋がる。これらの特定のタイミングでのみ発生する事象は再現が困難であるため、機能検証時に確認することができないか、又は長い時間をかける必要があった。 In the conventional function verification method, it is difficult to confirm a defect depending on a specific timing. For example, when a switch for executing a function during sensing external information such as speed is pressed, an insignificant value during sensing is used, leading to a problem. Since an event that occurs only at these specific timings is difficult to reproduce, it cannot be confirmed at the time of function verification, or it has been necessary to take a long time.
 本発明は、このような従来の課題を解決するための技術であり、再現が難しい不具合の検証を再現することを可能とする検証システム、検証装置、及び、車両制御装置を提供することを目的とする。 The present invention is a technique for solving such a conventional problem, and an object of the present invention is to provide a verification system, a verification device, and a vehicle control device that can reproduce verification of a problem that is difficult to reproduce. And
 本発明は、制御プログラムの実行タイミングに起因する不具合を検証する検証システムであって、所定のテスト条件に基づいて前記制御プログラムへのテスト指示を生成する指示生成部と、前記テスト指示に従って前記制御プログラムが実行した実行結果を取得する結果取得部と、を備え、前記テスト指示には、前記制御プログラムの実行タイミングが含まれ、前記指示生成部は、前記所定のテスト条件に基づいて設定される比較値と比較して前記実行結果が異常でないと判断される場合には、前記実行タイミングを変更した新たなテスト指示を生成する。 The present invention is a verification system for verifying a defect caused by execution timing of a control program, an instruction generation unit that generates a test instruction to the control program based on a predetermined test condition, and the control according to the test instruction A result acquisition unit that acquires an execution result executed by the program, wherein the test instruction includes an execution timing of the control program, and the instruction generation unit is set based on the predetermined test condition If it is determined that the execution result is not abnormal as compared with the comparison value, a new test instruction in which the execution timing is changed is generated.
 本発明によれば、このような従来の課題を解決するための技術であり、再現が難しい不具合の検証を再現することが可能となる。 According to the present invention, it is a technique for solving such a conventional problem, and it is possible to reproduce a verification of a defect that is difficult to reproduce.
実施例1の検証システムの構成を示す図。1 is a diagram illustrating a configuration of a verification system according to a first embodiment. 検証対象となるECUの内部構造を示す図。The figure which shows the internal structure of ECU used as verification object. 検証システムの機能構造を示す図。The figure which shows the function structure of a verification system. 検証対象となるプログラムの例。An example of a program to be verified. テストシナリオのデータテーブル例。Data table example of test scenario. テスト指示のデータテーブル例。An example data table of test instructions. 結果取得指示のデータテーブル例。The example of a data table of a result acquisition instruction. 実行結果のデータテーブル例。Execution result data table example. タイミング調整のフローチャート。The flowchart of timing adjustment. 実施例2における一定間隔のタイミング調整のフローチャート。9 is a flowchart of timing adjustment at regular intervals in the second embodiment. 実施例3におけるタイミング複製の例。10 is an example of timing replication in the third embodiment. タイミング複製時の間隔説明例。Example of interval explanation at timing duplication. 実施例4におけるタイミング複製処理のフローチャート。10 is a flowchart of timing replication processing according to the fourth embodiment. 実施例5において、ECUにタイミング調整部を設ける構成を示す図。In Example 5, it is a figure which shows the structure which provides a timing adjustment part in ECU. ECUにタイミング調整部を設けた構成の動作例。The operation example of the structure which provided the timing adjustment part in ECU. 実施例6におけるデータテーブル例。20 is a data table example according to the sixth embodiment.
 以下、本発明の実施形態に係る検証システムについて、図面を用いて説明する。 Hereinafter, a verification system according to an embodiment of the present invention will be described with reference to the drawings.
 図1に本実施例の構成を示す。本実施例の検証システムは、制御プログラムの実行タイミングに起因する不具合を検証する検証システムであって、所定のテスト条件に基づいて制御プログラムへのテスト指示を生成する指示生成部306と、テスト指示に従って制御プログラムが実行した実行結果を取得する結果取得部305と、を備え、テスト指示には、制御プログラムの実行タイミングが含まれ、指示生成部306は、所定のテスト条件に基づいて設定される比較値と比較して実行結果が異常でないと判断される場合には、実行タイミングを変更した新たなテスト指示を生成する。 FIG. 1 shows the configuration of this embodiment. The verification system of the present embodiment is a verification system for verifying a defect caused by the execution timing of a control program, an instruction generation unit 306 that generates a test instruction to the control program based on a predetermined test condition, and a test instruction And a result acquisition unit 305 that acquires an execution result executed by the control program according to the test instruction, the test instruction includes the execution timing of the control program, and the instruction generation unit 306 is set based on a predetermined test condition If it is determined that the execution result is not abnormal as compared with the comparison value, a new test instruction with a changed execution timing is generated.
 本実施例では、検証システムは、検証装置1と検証対象によって構成される。本実施例における検証対象となるECU(Electronic Control Unit)2は、仮想の検証環境(例えばHILS(Hardware-In-the-Loop Simulation)環境をサーバー上で再現した環境)上で動作する仮想的に再現されたECU(仮想ECU)であるが、実際のECU(実ECU)を対象としても良い。
検証装置1はセンサや車両の動作をシミュレーションし、計算結果をECUに送信し、ECUは受け取った計算結果を元に動作することで、動作の検証を実施する。検証装置1はECU2の動作情報を受信し、解析することで検証結果を判定できる。 In this embodiment, the verification system includes the verification device 1 and a verification target. An ECU (Electronic Control Unit) 2 to be verified in this embodiment is virtually operated on a virtual verification environment (for example, an environment in which a hardware-in-the-loop simulation (HILS) environment is reproduced on a server). The reproduced ECU (virtual ECU) may be an actual ECU (real ECU).
The verification device 1 simulates the operation of the sensor and the vehicle, transmits the calculation result to the ECU, and the ECU performs the operation verification by operating based on the received calculation result. The verification apparatus 1 can determine the verification result by receiving and analyzing the operation information of the ECU 2.
 ECU2は図2に示すように、データを受信、あるいはデータを送信するための通信装置201と、制御プログラムが格納された記憶装置であるROM(Read Only Memory)202と、このROM202に格納された制御プログラムを実行する演算回路であるCPU(Central Processing Unit)203と、ソフトウェアの状態を記憶する記憶装置となるRAM(Random Access Memory)204と、センサからの値を取得し制御対象のアクチュエータへと制御信号を出力する入出力装置205が備えられている。 As shown in FIG. 2, the ECU 2 receives a data or transmits data, a communication device 201, a ROM (Read Only Memory) 202 that is a storage device in which a control program is stored, and a ROM 202 A CPU (Central Processing Unit) 203 that is an arithmetic circuit that executes a control program, a RAM (Random Access Memory) 204 that is a storage device that stores the state of software, and a value obtained from a sensor is acquired and transferred to an actuator to be controlled. An input / output device 205 that outputs a control signal is provided.
 図3は、検証装置1及びECU2のROM上に実装されるソフトウェアの構造を示す。検証装置1には、検証者によって所定のテスト条件が入力される。本実施例では、テスト条件をテストシナリオと呼ぶ。テストシナリオは、不具合が発生するであろうことを想定して検証者が作成したものであり、詳細は後述する。 FIG. 3 shows the structure of software implemented on the ROMs of the verification device 1 and the ECU 2. A predetermined test condition is input to the verification apparatus 1 by the verifier. In this embodiment, the test condition is called a test scenario. The test scenario is created by a verifier assuming that a failure will occur, and details will be described later.
 テストシナリオ解釈部301は、テストシナリオの内容を解釈する機能を有し、テストシナリオを基にしてテストシナリオを制御プログラムで再現するためのテスト指示(検証指示)と結果取得指示を作成し出力する。検証指示には、制御プログラムの処理タイミングが含まれ、結果取得指示には、制御プログラムが処理した処理結果を取得する結果取得タイミングが含まれる。 The test scenario interpretation unit 301 has a function of interpreting the contents of the test scenario, and creates and outputs a test instruction (verification instruction) and a result acquisition instruction for reproducing the test scenario by the control program based on the test scenario. . The verification instruction includes the processing timing of the control program, and the result acquisition instruction includes the result acquisition timing for acquiring the processing result processed by the control program.
 そして、タイミング調整部302は、前記テスト指示と前記結果取得指示を取得し、後記するタイミング調整を行い処理タイミングと結果取得タイミングを変更し出力する。 The timing adjustment unit 302 acquires the test instruction and the result acquisition instruction, performs timing adjustment described later, changes the processing timing and the result acquisition timing, and outputs the result.
 テスト指示部303は、テスト指示を取得しプログラム実行部に出力する。 The test instruction unit 303 acquires the test instruction and outputs it to the program execution unit.
 結果取得部305は、結果取得指示に含まれる結果取得タイミングをプログラム実行部304に入力する。 The result acquisition unit 305 inputs the result acquisition timing included in the result acquisition instruction to the program execution unit 304.
 プログラム実行部304は、テスト対象となる制御プログラムを実行する機能を持つ。プログラム実行部304は、前記テスト指示を取得しテスト指示に記載された処理を実行する。また、プログラム実行部304は、前記結果取得部305より結果取得指示を取得し、結果取得指示で指示されたタイミングでデータを取得し、テスト実行結果を生成する。 The program execution unit 304 has a function of executing a control program to be tested. The program execution unit 304 acquires the test instruction and executes the process described in the test instruction. Further, the program execution unit 304 acquires a result acquisition instruction from the result acquisition unit 305, acquires data at a timing instructed by the result acquisition instruction, and generates a test execution result.
 そして、結果取得部305は、前記テスト実行結果を取得し、前記結果取得指示に記載されている期待値と、前記テスト実行結果の実行値を比較し、不具合が再現されたかを確認する。 Then, the result acquisition unit 305 acquires the test execution result, compares the expected value described in the result acquisition instruction with the execution value of the test execution result, and confirms whether the defect has been reproduced.
 不具合の発生が確認されなかった場合、結果取得部305は前記実行結果と前記テスト入力又は前記調整後テスト入力の期待値との差分を計算し差分情報を生成する。タイミング調整部302は、前記差分情報を取得し、前回の調整後テスト入力を補正し、新たな調整後テスト入力を作成し、再度テストを実行する。 If the occurrence of a failure is not confirmed, the result acquisition unit 305 calculates the difference between the execution result and the expected value of the test input or the adjusted test input to generate difference information. The timing adjustment unit 302 acquires the difference information, corrects the previous adjusted test input, creates a new adjusted test input, and executes the test again.
 図3の構成を用いることで、テストシナリオを入力することでテストが実行され、テスト実行結果を元に不具合が再現されるまでテストを繰り返すことで、確実に不具合を発生させる。 3 By using the configuration shown in FIG. 3, a test is executed by inputting a test scenario, and the test is repeated until the fault is reproduced based on the test execution result, so that the fault is surely generated.
 次に、この検証システムで扱う各データの例を示す。 Next, an example of each data handled by this verification system is shown.
 図4に不具合が起きた場合のプログラム実行例を示す。テスト対象となる制御プログラムには少なくとも不具合の原因箇所である関数X402が実装されており、関数X402を実行するための呼び出し関数401が実装される。関数X402は変数Aを使用する処理A402-1と処理B402-2を実行する。そして関数Xは変数Aの値を元に計算される変数Zを実行結果として出力する。そして割込みY403は変数Aの値を書き換える処理を持つ関数である。不具合例では、割込みY403は関数X402の処理A402-1と処理B402-2の間で呼び出され、本来同じ値で計算しなければならない2つの処理に不整合が発生する。この計算結果を元に変数Zが計算されることで、不具合発生に繋がる。ここで関数内の連続する2つの処理の間隔は非常に短く、処理の間に確実に割り込み関数を実行することは非常に困難である。 Figure 4 shows an example of program execution when a problem occurs. In the control program to be tested, at least a function X402 that is the cause of the failure is mounted, and a call function 401 for executing the function X402 is mounted. The function X402 executes a process A 402-1 and a process B 402-2 that use the variable A. The function X outputs a variable Z calculated based on the value of the variable A as an execution result. The interrupt Y403 is a function having a process for rewriting the value of the variable A. In the defect example, the interrupt Y403 is called between the process A 402-1 and the process B 402-2 of the function X402, and inconsistency occurs between two processes that should be originally calculated with the same value. The calculation of the variable Z based on the calculation result leads to the occurrence of a malfunction. Here, the interval between two consecutive processes in the function is very short, and it is very difficult to reliably execute the interrupt function between the processes.
 図5にテストシナリオ解釈部301が取得するテストシナリオの例を示す。本テストシナリオ501には、動作の実行順序、動作の内容、動作対象、動作終了後の期待値と動作の命令タイミングや、判定対象かの情報が記載されている。 FIG. 5 shows an example of a test scenario acquired by the test scenario interpretation unit 301. The test scenario 501 includes information on whether the operation is executed, the content of the operation, the operation target, the expected value after the operation ends, the instruction timing of the operation, and the determination target.
 動作の実行順序は、順番や絶対時間や関数などの処理を基点とした相対時間を用いて表される。動作の内容とは、処理の開始や、終了や、データの初期化や、データ取得によるログの獲得などの制御プログラムの動作内容を指定するものである。 The operation execution order is expressed using relative time based on processing such as order, absolute time, and function. The content of the operation is to specify the operation content of the control program such as the start and end of processing, data initialization, and log acquisition by data acquisition.
 動作対象とは、変数や、関数や、関数内の処理や、関数を実行させるタスクなどの単位や、メモリ番地や、CPUのコア番号などを指定ものである。 The operation target is a unit that specifies a variable, a function, a process in the function, a task for executing the function, a memory address, a CPU core number, or the like.
 期待値には、初期化の場合は変数の初期値を指定でき、そのほかの処理の起動時間や終了時間やデータの値を指定でき、また、複数の値や値の範囲を指定できる。期待値は初期化の場合を除き、検証の判定時に実行結果と比較するために用いる。命令タイミングは、動作が実施されるタイミングやイベントを指定する。命令タイミングとしては、例えば絶対時間や、ある動作を基点とした相対時間や数字による順番のなどが指定される。判定対象とは、実行結果取得時に検証結果が正常か正常でないかを判定する際に用いられるものであることを表す。その他、制御プログラムの動作の指定に対する情報をテストシナリオに記載してもよい。本テストシナリオを記載することで、検証者は所望の検証内容を定義できる。 As for the expected value, in the case of initialization, the initial value of the variable can be specified, the start time and end time of other processes, the data value can be specified, and multiple values and value ranges can be specified. The expected value is used for comparison with the execution result at the time of verification determination, except in the case of initialization. The instruction timing specifies the timing or event at which the operation is performed. As the instruction timing, for example, an absolute time, a relative time based on a certain operation, a numerical order, or the like is designated. The determination target indicates that the verification result is used when determining whether the verification result is normal or not when acquiring the execution result. In addition, information for specifying the operation of the control program may be described in the test scenario. By describing this test scenario, the verifier can define desired verification contents.
 図6にテストシナリオ解釈部及びタイミング調整部が作成するテスト指示601を示す。テスト指示601には、検証に必要な動作と、動作を実行する命令タイミングと、動作の対象が記載される。動作には、初期化や、処理の実行や終了や、中断、再開や、センサ入力値の設定などの、ソフトウェアの動作を指定する。動作を実施するタイミングには、制御プログラムの実行開始からの絶対時間や、基点となる動作からの相対時間を指定することができる。本テスト指示601を生成することで、検証装置2はプログラム実行部304に対して所望する検証動作を指示できる。 FIG. 6 shows a test instruction 601 created by the test scenario interpretation unit and the timing adjustment unit. The test instruction 601 describes an operation necessary for verification, an instruction timing for executing the operation, and an operation target. For the operation, software operation such as initialization, execution or termination of processing, interruption or restart, or setting of sensor input value is designated. As the timing for executing the operation, an absolute time from the start of execution of the control program or a relative time from the operation as the base point can be designated. By generating this test instruction 601, the verification apparatus 2 can instruct a desired verification operation to the program execution unit 304.
 図7にテストシナリオ解釈部及びタイミング調整部が作成する結果取得指示701を示す。結果取得指示701には、データ取得などの動作と、動作を実行する命令タイミングと、動作の対象と、対象の期待値と、対象が判定対象かの情報が記載される。 FIG. 7 shows a result acquisition instruction 701 created by the test scenario interpretation unit and the timing adjustment unit. The result acquisition instruction 701 describes an operation such as data acquisition, an instruction timing for executing the operation, an operation target, an expected value of the target, and information on whether the target is a determination target.
 命令タイミングは、動作を実施するタイミングとして、制御プログラムの実行開始からの絶対時間や、基点となる動作からの相対時間を指定する。対象には、関数や関数を動作させるタスクなどの起動終了時刻などや、変数やメモリ番地などの値を保存している先を記載できる。期待値には、対象に応じた値が記載され、起動終了時刻に対しては時間情報や基点となる処理からの相対時間が記載され、変数やメモリ番地などでは記録されているであろう値が記載される。判定対象とは、実行結果取得時に検証結果が正常か正常でないかを判定する際に用いられるものであることを表す。このように結果取得タイミングを生成することで、検証装置2はプログラム実行部304に対して所望する検証結果を指定することができる。 The command timing specifies the absolute time from the start of execution of the control program and the relative time from the base operation as the timing to execute the operation. In the target, it is possible to describe the start-up end time of a function or a task that operates the function, and the destination where values such as variables and memory addresses are stored. Expected values include values according to the target, time information and relative time from the processing that is the base point for the start end time, values that would be recorded in variables, memory addresses, etc. Is described. The determination target indicates that the verification result is used when determining whether the verification result is normal or not when acquiring the execution result. By generating the result acquisition timing in this way, the verification apparatus 2 can specify a desired verification result for the program execution unit 304.
 結果取得指示701をテストシナリオ501の例から作成する方法を説明する。動作項目から、データ取得やそのほかの状態収集の動作を選択する。そして、実施条件を命令タイミングへと変換する。また、データ取得以外の動作の内、関数やタスクや割り込みなどの処理単位の開始、終了時刻のデータを取得する、結果取得タイミングデータを生成する。処理単位の開始、終了時刻を取得することで、後のタイミング調整が可能となる。 A method for creating the result acquisition instruction 701 from the example of the test scenario 501 will be described. Select data acquisition and other status collection operations from the action items. Then, the execution condition is converted into instruction timing. Further, among the operations other than data acquisition, result acquisition timing data for acquiring data of start and end times of processing units such as functions, tasks, and interrupts is generated. By acquiring the start time and end time of the processing unit, later timing adjustment can be performed.
 図8に結果取得指示701とテスト指示601に基づいてプログラム実行部304から取得された実行結果801を示す。実行結果801には、実行タイミングと、動作の対象と、実行値が記載される。動作の実行タイミングには、動作の対象が実行された絶対時間又は基点となる動作からの相対時間など、時間や順序を特定する情報が記載される。対象には、変数や、関数や、関数の終了時刻や開始時刻や、メモリ番地や、タスク(制御プログラムの実行単位)などが記載される。実行値には、対象に応じた値が記載され、数値や時間情報や真理値などが記載される。本実行結果を取得することで、本検証装置は制御プログラムの検証結果を判定できる。
ここで、本実施例では、仮想ECUを用いているため、プログラム実行部304から得られる実行値として、関数X開始後20μsec、30μsec、40μsecといった具体的なタイミングの結果値を得ることができるが、実際のECUを検証対象として用いた場合にはこのような具体的なタイミングの結果値を得ることはできない。 FIG. 8 shows an execution result 801 acquired from the program execution unit 304 based on the result acquisition instruction 701 and the test instruction 601. The execution result 801 describes the execution timing, the operation target, and the execution value. In the execution timing of the operation, information for specifying the time and the order such as the absolute time when the operation target is executed or the relative time from the operation as the base point is described. The target includes a variable, a function, a function end time or start time, a memory address, a task (control program execution unit), and the like. In the execution value, a value corresponding to the target is described, and a numerical value, time information, a truth value, or the like is described. By acquiring the execution result, the verification apparatus can determine the verification result of the control program.
Here, in this embodiment, since the virtual ECU is used, the result value of specific timing such as 20 μsec, 30 μsec, and 40 μsec after the start of the function X can be obtained as the execution value obtained from the program execution unit 304. When an actual ECU is used as a verification target, it is not possible to obtain a result value of such a specific timing.
 次に、テストシナリオ501の例からテスト指示601とデータ取得指示701を作成する方法を説明する。 Next, a method for creating the test instruction 601 and the data acquisition instruction 701 from the example of the test scenario 501 will be described.
 まず、テストシナリオ解釈部301は、動作のうちデータ取得以外の動作を選択する。そして、テスト指示に選択されていない動作を結果取得指示として選択する。次に、結果取得指示は、テスト指示の動作の対象が関数や割り込みやタスクなどの実行単位の場合、その開始時間と終了時間を取得する項目を生成する。 First, the test scenario interpretation unit 301 selects an operation other than data acquisition among the operations. Then, an operation not selected as the test instruction is selected as a result acquisition instruction. Next, the result acquisition instruction generates an item for acquiring the start time and the end time when the operation target of the test instruction is an execution unit such as a function, an interrupt, or a task.
 また、命令タイミングや期待値に記載された、動作の基点となる処理が関数や割り込みやタスクなどの実行単位の場合、その開始と終了時間を生成する。また、生成された項目の開始時刻の期待値は、テストシナリオ501に記載された命令タイミングを用いて記載する。例えば、割込みYの期待値は、テストシナリオ501に記載された命令タイミングを使用することで、命令タイミングどおりに動いたかを確かめることができる。 Also, if the processing that is the base point of the operation described in the instruction timing or expected value is an execution unit such as a function, interrupt, or task, its start and end times are generated. Further, the expected value of the start time of the generated item is described using the instruction timing described in the test scenario 501. For example, it is possible to confirm whether the expected value of the interrupt Y moves according to the instruction timing by using the instruction timing described in the test scenario 501.
 また、関数Xの開始時刻はテストシナリオで指定されていないため、未記載となる。終了時刻は、関数毎に任意の時間を設定する、又はランダムに指定することもできる。あらかじめ関数の動作を推測し、検証者が任意の時間を設定することで、より正確な実行結果が得られ、不具合の再現が素早く行える。また、ランダムに設定する場合でも、本発明は後記のタイミング調整により、不具合の再現が行うことができ、検証者は事前の準備を軽減することができる。 Also, since the start time of function X is not specified in the test scenario, it is not described. The end time can be set arbitrarily for each function, or can be specified at random. By presuming the operation of the function in advance and setting the arbitrary time by the verifier, a more accurate execution result can be obtained and the defect can be reproduced quickly. Even in the case of setting at random, the present invention can reproduce the defect by adjusting the timing described later, and the verifier can reduce preparations in advance.
 次に、タイミング調整部302が行うタイミング調整に関して説明する。図9にタイミング調整のフローチャートを示す。ステップ901で処理が開始される。ステップ902では、結果取得指示701に記載された判定対象である対象の期待値と実行結果801の対象の実行値を比較する。ステップ903で制御プログラムが不具合を起こしていたかを判定する。実行値と期待値が一致するとき制御プログラムは正常に動作していると判定され、不具合が発見されないため、次にステップ906を実行する。 Next, timing adjustment performed by the timing adjustment unit 302 will be described. FIG. 9 shows a flowchart of timing adjustment. In step 901, the process is started. In step 902, the target expected value that is the determination target described in the result acquisition instruction 701 is compared with the target execution value of the execution result 801. In step 903, it is determined whether the control program has failed. When the execution value matches the expected value, it is determined that the control program is operating normally, and no defect is found, so step 906 is executed next.
 一方、ステップ903において、実行値と期待値が一致しないとき、不具合が発生したと判定し、ステップ904を実行する。ステップ904では、不具合内容を解析できるように実行結果を出力しステップ905で終了する。 On the other hand, when the execution value does not match the expected value in step 903, it is determined that a failure has occurred, and step 904 is executed. In step 904, the execution result is output so that the contents of the defect can be analyzed, and the process ends in step 905.
 ステップ906では、処理の開始時刻から終了時刻までの実行時間を調整する。結果取得指示701では、割込みY開始時刻から終了時刻まで5μSECかかることを期待していたが、実際に実行したとき、実行時間は10μSEC必要になっていた。そこで、テストシナリオ解釈部301で生成する関数の終了時刻の設定値を10μSECに修正する。実行結果801を用いることで、実際の実行時間を使用しより確かな検証が可能になる。 In step 906, the execution time from the start time to the end time of the process is adjusted. The result acquisition instruction 701 was expected to take 5 μSEC from the interrupt Y start time to the end time, but when actually executed, the execution time required 10 μSEC. Therefore, the set value of the end time of the function generated by the test scenario interpretation unit 301 is corrected to 10 μSEC. By using the execution result 801, more accurate verification can be performed using the actual execution time.
 ステップ907では、処理の開始時刻を調整する。実行結果801では割込みYの開始時刻は120μSECとなっているが、結果取得指示701では割込みYの開始時刻の期待値は10μSECとなりずれが生じている。このようなずれは、事前のタイミング計算の見積もり時に簡易化した検証外の制御プログラムや実機の動作情報のずれや、割り込みなどの場合は割り込みを起こすトリガ情報をONにしてから、実際に割り込みが発生するまでのタイムラグなどから起こりうる。 In step 907, the processing start time is adjusted. In the execution result 801, the start time of the interrupt Y is 120 μSEC, but in the result acquisition instruction 701, the expected value of the start time of the interrupt Y is 10 μSEC, and there is a deviation. Such deviations are caused by deviations in the control information of the non-verified control that was simplified when estimating the timing calculation in advance or the actual machine operation information, and in the case of interrupts, etc. It can happen from the time lag until it occurs.
 そこで、タイミング調整部302は、開始時刻の実行値と期待値を合わせるためテスト指示601の命令タイミングを調整する。テスト指示601では割込みYは関数X開始後10μSEC後に開始するように指示しているが、実際には20μSEC後に開始されている。そこで、命令タイミングを調整し、関数X開始直後に割込みを動作させる命令タイミングへと修正する。ステップ908で処理を終了する。 Therefore, the timing adjustment unit 302 adjusts the instruction timing of the test instruction 601 to match the execution value at the start time with the expected value. In the test instruction 601, the interrupt Y is instructed to start 10 μSEC after the start of the function X, but actually starts after 20 μSEC. Therefore, the instruction timing is adjusted and corrected to an instruction timing for operating an interrupt immediately after the function X starts. In step 908, the process ends.
 タイミング調整部は新たなテスト指示タイミングと結果取得タイミングを用いて再度検証を行う。 The timing adjustment unit performs verification again using the new test instruction timing and result acquisition timing.
 本実施例により、検証者はテストシナリオを設計し、検証装置に入力することで、タイミング調整部により、必ず想定どおりのテストシナリオを実行できる。即ち、検証シナリオを実行結果から補正し、再検証を繰り返し行うことで、想定する不具合を確実に実現し、不具合発生時の状況を特定することができる。また、もし実現できない場合には想定する不具合が発生しないことを確認若しくは証明できる。 This embodiment allows the verifier to design a test scenario and input it to the verification device, so that the timing adjustment unit can always execute the test scenario as expected. That is, by correcting the verification scenario from the execution result and repeatedly performing re-verification, it is possible to reliably realize the assumed failure and specify the situation when the failure occurs. In addition, if it cannot be realized, it can be confirmed or proved that the expected failure does not occur.
 次に、実施例1のステップ907におけるタイミング調整手段に関する第2の実施例を示す。第1の実施例との違いは、タイミング調整の方法にあり、より効率的に不具合を再現することができる。本実施例では、指示生成部は、実行結果に基づく新たな実行タイミングを設定する実行タイミング設定動作を繰り返し実行可能に構成され、実行タイミング設定動作の繰り返し回数が多くなる程、最初の実行タイミングとの差が大きくなるように新たな実行タイミングを設定する。具体的には、不具合が発生しなかった際に、一定間隔ごとに処理の実行タイミングをずらすことで不具合を再現する。 Next, a second embodiment relating to the timing adjustment means in Step 907 of Embodiment 1 will be described. The difference from the first embodiment lies in the timing adjustment method, and the defect can be reproduced more efficiently. In the present embodiment, the instruction generation unit is configured to be able to repeatedly execute an execution timing setting operation for setting a new execution timing based on the execution result, and as the number of repetitions of the execution timing setting operation increases, A new execution timing is set so that the difference between the two increases. Specifically, when a problem does not occur, the problem is reproduced by shifting the execution timing of processing at regular intervals.
 図10に本実施例におけるタイミング調整方法を示す。本処理はステップ907で行われる。ステップ1001で本処理を開始する。ステップ1002では、タイミング調整回数が偶数回か整数回かを確認している。これは、後段のステップで補正値の正負を切り替えることで、基点となるタイミング前後のタイミングを指定できるようにするためである。次にステップ1003では、処理の開始時刻を補正する値であるタイミング補正値に、補正単位分の値を加える。 FIG. 10 shows a timing adjustment method in this embodiment. This processing is performed in step 907. In step 1001, this process is started. In step 1002, it is confirmed whether the number of timing adjustments is an even number or an integer number. This is because the timing before and after the base timing can be designated by switching between positive and negative correction values in the subsequent steps. Next, in step 1003, a correction unit value is added to the timing correction value that is a value for correcting the processing start time.
 ここでタイミング補正値は、分や時間などの時間情報や、数値情報など、実行タイミングを調整可能な値を用いる。また、補正単位とは、タイミングをずらすための最小の幅であり、分や時間などの時間情報や、数値情報など、実行タイミングを調整可能な値を用いる。タイミング補正値を加えることで、一定間隔で幅を切り替えることができる。 Here, the timing correction value is a value that can adjust the execution timing, such as time information such as minutes and hours, or numerical information. The correction unit is a minimum width for shifting the timing, and uses a value that can adjust the execution timing, such as time information such as minutes and hours, and numerical information. By adding the timing correction value, the width can be switched at regular intervals.
 ステップ1004ではタイミング補正値の符号を正にすることで、未来方向へのタイミングを指定できる。ステップ1005ではタイミング補正値の符号を負にすることで、過去方向のタイミングを指定する。ステップ1006でテスト指示601の実行タイミングにタイミング補正値を加算する。本補正処理は、任意の回数もしくは任意の時間経過後処理をやめ、判定結果として不具合が再現されなかったと出力する。 In step 1004, the timing in the future direction can be specified by making the sign of the timing correction value positive. In step 1005, the timing of the past direction is designated by making the sign of the timing correction value negative. In step 1006, the timing correction value is added to the execution timing of the test instruction 601. This correction processing stops processing after an arbitrary number of times or an arbitrary time, and outputs that the defect has not been reproduced as a determination result.
 本実施例を用いることで、事前の計算と実際の処理のずれにより、不具合を起こす処理タイミングの指定が困難な検証において、タイミングをずらすことで補正が可能になるため、検証者はずれの補正を行うことなく、不具合の再現が可能になる。 By using this example, in verification where it is difficult to specify the processing timing that causes a malfunction due to a deviation between the previous calculation and the actual processing, correction can be performed by shifting the timing, so the verifier can correct the deviation. The failure can be reproduced without doing it.
 次に、タイミング調整部302が生成するテスト指示601の調整方法に関する第2の実施例を示す。本実施例の検証システムでは、所定のテスト条件には、予め基準として設定される基準実行タイミングが含まれ、指示生成部306は、基準実行タイミングに基づいて異なる複数の実行タイミングを設定する。具体的には、本実施例では、テストシナリオで指定する処理である割込みYを複数回実行するようにすることで、不具合の再現を行う。 Next, a second embodiment relating to the adjustment method of the test instruction 601 generated by the timing adjustment unit 302 will be described. In the verification system of this embodiment, the predetermined test condition includes a reference execution timing set in advance as a reference, and the instruction generation unit 306 sets a plurality of different execution timings based on the reference execution timing. Specifically, in this embodiment, the failure is reproduced by executing the interrupt Y, which is the process specified in the test scenario, a plurality of times.
 図11に本実施例の複製例を示す。割込みY1101は図4の割込みY403と同様の関数であり、そのタイミングチャートを示す。また、関数X1103は、図4の関数X402であり、そのタイミングチャートを示す。図4で示すように、割り込みY1101は処理A402-1と402-3の間に実施されなければならない。しかし、図11のように、実際の割り込み1102は上手く処理Aと処理Bの間に収まるとは限らない。そこで、割込みY1101を複製の割り込み1102-1として複数回行うことで処理Aと処理Bの間に割り込みを発生させる。 FIG. 11 shows a copy example of this embodiment. The interrupt Y1101 is a function similar to the interrupt Y403 in FIG. 4, and its timing chart is shown. A function X1103 is the function X402 in FIG. 4 and shows a timing chart thereof. As shown in FIG. 4, the interrupt Y1101 must be executed between the processes A 402-1 and 402-3. However, as shown in FIG. 11, the actual interrupt 1102 does not always fit between the process A and the process B. Therefore, an interrupt is generated between the process A and the process B by performing the interrupt Y1101 a plurality of times as the duplicate interrupt 1102-1.
 また、本実施例の検証システムでは、指示生成部306は、新たなテスト指示を生成する際、実行結果をもたらした実行タイミングに基づいて新たな実行タイミングを設定する。図12を用いて、命令タイミングの指示方法を説明する。まず、複製間隔1201を設定する。本間隔は検証者の任意の間隔を指定する。次に、複製する本数又は、検証間隔1202を設定する。本数を指定する場合は、指定した命令タイミングを中心として前後に等間隔の本数を配置する。検証間隔1202を指定した場合は検証間隔1202内に収まるだけの複製割り込み1102-1を生成する。 Also, in the verification system of the present embodiment, when generating a new test instruction, the instruction generation unit 306 sets a new execution timing based on the execution timing that brought the execution result. The instruction timing instruction method will be described with reference to FIG. First, the replication interval 1201 is set. This interval specifies an arbitrary interval of the verifier. Next, the number of copies or the verification interval 1202 is set. When the number is designated, the number is arranged at regular intervals around the designated instruction timing. When the verification interval 1202 is designated, duplicate interrupts 1102-1 that are within the verification interval 1202 are generated.
 本実施例により、複数のタイミングを一度に試行するため、より少ない再検証回数で不具合の再現が可能になる。 に よ り According to the present embodiment, since a plurality of timings are tried at a time, it is possible to reproduce the defect with a smaller number of re-verifications.
 次に、複製タイミング指定時における、ステップ907におけるタイミング調整手段に関する第4の実施例を示す。第3の実施例との違いは、タイミング調整と複製を同時に行える点である。 Next, a fourth embodiment relating to the timing adjustment means in Step 907 when the replication timing is designated will be described. The difference from the third embodiment is that timing adjustment and replication can be performed simultaneously.
 第二の実施例において、タイミング調整部は補正単位を加えることで、タイミングをずらして行くことができる。図13にタイミング調整部302における本実施例の処理を示す。STEP1301で処理を開始する。STEP1302において、実施例2のタイミング補正を行うこの時、補正単位を検証間隔1202とする。STEP1303において命令タイミングの複製を行う。STEP1304において、タイミング調整部302以降の検証を行う。STEP1305において、判定結果がすべて正常値の場合再検証と判定する。STEP1307において、複製タイミングを破棄し、再度STEP1302を実施する。STEP1306で検証を終了する。 In the second embodiment, the timing adjustment unit can shift the timing by adding a correction unit. FIG. 13 shows processing of this embodiment in the timing adjustment unit 302. Processing is started in STEP1301. In STEP1302, the timing correction of the second embodiment is performed. At this time, the correction unit is set as a verification interval 1202. In STEP 1303, the instruction timing is duplicated. In STEP 1304, verification after the timing adjustment unit 302 is performed. In STEP 1305, when all the determination results are normal values, it is determined to be re-verification. In STEP 1307, the duplication timing is discarded and STEP 1302 is executed again. In step 1306, the verification ends.
 本実施例により、複製タイミングを重複させることなく、タイミング調整とタイミング複製が行い、高速かつ確実に不具合の再現を行う。 に よ り According to the present embodiment, timing adjustment and timing duplication are performed without duplicating the duplication timing, so that the defect can be reproduced quickly and reliably.
 次に、第5の実施例を示す。第1の実施例との違いは、タイミング調整部と結果取得部がECU2に配置される点である。この実施例では、ECU2として、実ECUを対象としており、ECU2には、検証システムと、制御プログラムとが実装され、所定のテスト条件を出力する検証装置と接続可能に構成される。 Next, a fifth embodiment will be shown. The difference from the first embodiment is that the timing adjustment unit and the result acquisition unit are arranged in the ECU 2. In this embodiment, an actual ECU is used as the ECU 2, and a verification system and a control program are mounted on the ECU 2 so as to be connectable to a verification device that outputs a predetermined test condition.
 図14に本実施例の構成を示す。検証装置1はテストシナリオ解釈部301を有する。ECU2はプログラム実行部304と結果取得部305とタイミング調整部302とテスト指示部303とを有する。テスト指示部303は、テストシナリオ解釈部301からテスト指示を受け取り、プログラム実行部へ指令する。タイミング調整部302は結果取得部305が取得した実行結果に基づいてタイミングを調整し、テスト指示部303は、再度プログラム実行部304へテスト指示を入力する。 FIG. 14 shows the configuration of this embodiment. The verification apparatus 1 has a test scenario interpretation unit 301. The ECU 2 includes a program execution unit 304, a result acquisition unit 305, a timing adjustment unit 302, and a test instruction unit 303. The test instruction unit 303 receives the test instruction from the test scenario interpretation unit 301 and instructs the program execution unit. The timing adjustment unit 302 adjusts the timing based on the execution result acquired by the result acquisition unit 305, and the test instruction unit 303 inputs the test instruction to the program execution unit 304 again.
 図15に本構成時の動作を示す。検証装置1はECU2に対してテスト実施要求を出力する。テスト指示要求はテスト指示601を含み、さらにプログラム実行部304内の制御プログラム(OS)に対してテストを実施する要求情報を出力する。テスト実施要求はタイミング調整部302と制御プログラム(OS)304-1に出力される。 Fig. 15 shows the operation in this configuration. The verification device 1 outputs a test execution request to the ECU 2. The test instruction request includes a test instruction 601 and further outputs request information for performing a test on the control program (OS) in the program execution unit 304. The test execution request is output to the timing adjustment unit 302 and the control program (OS) 304-1.
 制御プログラム(OS)304-1は、アクチュエータを制御する制御プログラムなどが実行される制御プログラム(タスク)の起動終了処理を管理する機能を持つ。制御プログラム(OS)304-1はテスト実施要求を受けると制御プログラムの動作をテストモードへと移行する。テストモードには、例えば、「指定された割り込み関数以外を起動させない」、「センサ入力の値を制限する」、「起動させるタスクを指定する」、「変数の状態を一時退避させる」など、検証に関連するデータや処理のみを起動させる機能が実行される。 The control program (OS) 304-1 has a function of managing the start / end processing of a control program (task) for executing a control program for controlling the actuator. When receiving the test execution request, the control program (OS) 304-1 shifts the operation of the control program to the test mode. Test modes include, for example, “Do not activate any other than the specified interrupt function”, “Limit the sensor input value”, “Specify the task to activate”, “Temporarily save the variable state”, etc. A function that activates only data and processing related to the is executed.
 テストモード遷移後、制御プログラム(OS)304-1は、制御プログラム(タスク)304-2を起動させる。制御プログラム(タスク)304-2は、テスト実施要求に含まれる変数や定数などの状態を用いて初期化を行う。初期化後タスクに登録されている各関数を実行する。制御プログラム(タスク)304-2実行中、制御プログラム(OS)はテスト実施要求時従って割り込みYを実行する。 After the test mode transition, the control program (OS) 304-1 starts the control program (task) 304-2. The control program (task) 304-2 performs initialization using the state of variables and constants included in the test execution request. Execute each function registered in the task after initialization. During execution of the control program (task) 304-2, the control program (OS) executes the interrupt Y according to the test execution request.
 制御プログラム(タスク)304-2終了後、制御プログラム(タスク)304-2の変数情報を制御プログラム(OS)304-1はデータ取得部305に通知する。データ取得部305は、タイミング調整部から受け取ったテスト実施要求内の変数の期待値を用いて、制御プログラム304より受け取った結果を判定する。 After the control program (task) 304-2 ends, the control program (OS) 304-1 notifies the data acquisition unit 305 of the variable information of the control program (task) 304-2. The data acquisition unit 305 determines the result received from the control program 304 using the expected value of the variable in the test execution request received from the timing adjustment unit.
 判定結果が再検証を要求する時、つまり本発明の課題においては結果と期待値が全て一致し不具合を再現できなかった場合に、データ取得部305はタイミング調整部302に再テスト要求を出力する。 The data acquisition unit 305 outputs a retest request to the timing adjustment unit 302 when the determination result requests re-verification, that is, in the problem of the present invention, when the result and the expected value all match and the failure cannot be reproduced. .
 タイミング調整部302は実施例1から4までに記載のタイミング調整を行うことで、テストシナリオを修正する。タイミング調整部302はテストシナリオ修正後制御プログラム304-1に対してテスト実施要求を出力する。 The timing adjustment unit 302 corrects the test scenario by performing the timing adjustment described in the first to fourth embodiments. The timing adjustment unit 302 outputs a test execution request to the control program 304-1 after the test scenario correction.
 本実施例の構成を採ることで、不具合の恐れがある動作に関するテスト指示を入力することで検証装置なしに確認できる。従って、大きな装置がなくとも検証を容易に行うことができる。 By adopting the configuration of the present embodiment, it is possible to confirm without inputting a verification device by inputting a test instruction regarding an operation that may cause a failure. Therefore, verification can be easily performed without a large apparatus.
 次に、各データ構成に関する第6の実施例を示す。第1の実施例と異なる点は、結果取得タイミング及び実行結果に命令タイミング及び実行タイミング情報がない点である。 Next, a sixth embodiment regarding each data structure will be shown. The difference from the first embodiment is that there is no instruction timing and execution timing information in the result acquisition timing and execution result.
 図16に本実施例で用いるデータ構成を示す。図16(a)は本実施例におけるテスト指示1601である。テスト指示1601には実行対象と実行タイミングが記載されており、実行対象はタスクや割り込みなどのオペレーティングシステムが動作可能な単位で指定される。 FIG. 16 shows the data structure used in this embodiment. FIG. 16A shows a test instruction 1601 in this embodiment. The test instruction 1601 describes the execution target and execution timing, and the execution target is specified in units in which the operating system such as a task or an interrupt can operate.
 図16(b)は、初期化設定テーブル1602である。初期化設定テーブル1602には変数やメモリ番地などの値が格納される初期化対象と、その初期値が指定できる。初期化設定テーブル1602は、テスト指示1601に含まれても良い。 FIG. 16B shows an initialization setting table 1602. The initialization setting table 1602 can specify an initialization target in which values such as variables and memory addresses are stored, and the initial value. The initialization setting table 1602 may be included in the test instruction 1601.
 図16の(c)は、結果取得指示1603を表す。この結果取得指示1603は取得対象と期待値が記載される。取得対象は、変数名やメモリ番地など値を格納することができるものを記載する。期待値は、数値や変数型に応じた数値を指定し、単一の値だけでなく、範囲を指定しても良い。 (C) of FIG. 16 represents the result acquisition instruction 1603. This result acquisition instruction 1603 describes the acquisition target and the expected value. The acquisition target is an item that can store a value such as a variable name or a memory address. As the expected value, a numerical value corresponding to a numerical value or a variable type is specified, and not only a single value but also a range may be specified.
 結果取得部305は、本結果取得指示1603に記載されている期待値と実行値の数値情報を比較することで実行結果を判定し、タイミング調整部302は実施例2から4を用いてタイミング調整を行う。 The result acquisition unit 305 determines the execution result by comparing the expected value described in the result acquisition instruction 1603 with the numerical information of the execution value, and the timing adjustment unit 302 adjusts the timing using the second to fourth embodiments. I do.
 本実施例は実施例1の結果取得指示701やテスト実行結果801と同じ情報を用いているが、結果取得指示のタイミング指定がない点が異なる。これは、システムによっては関数などの詳細な実行時間を記録する処理の負荷のために、検証対象となる制御プログラムが想定する動作をしない場合がある。例えば、仮想ECUではなく、実ECUを検証対象とした場合などである。このような場合にも、本実施例を用いることで、詳細な実行時間を記録できない制御プログラムにおいても、不具合を再現することが可能になる。 This example uses the same information as the result acquisition instruction 701 and test execution result 801 of Example 1, but is different in that there is no timing specification for the result acquisition instruction. Depending on the system, there is a case where the operation assumed by the control program to be verified may not be performed due to a processing load for recording a detailed execution time such as a function. For example, this is a case where the actual ECU is a verification target instead of the virtual ECU. Even in such a case, the use of the present embodiment makes it possible to reproduce the problem even in a control program in which a detailed execution time cannot be recorded.
1 検証装置
2 ECU
201 通信装置
202 ROM
203 CPU
204 RAM
205 入出力装置
301 テストシナリオ解釈部
302 タイミング調整部
303 テスト指示部
304 プログラム実行部
305 結果取得部
401 呼び出し関数
402 関数X
402-1 関数Xの処理A
402-2 関数Xの処理B
403 割込みY
501 テストシナリオ
601 テスト指示タイミング
701 結果取得タイミング
801 実行結果
901 タイミング調整処理開始
902 判定対象比較処理
903 判定結果確認
904 判定結果出力処理
905 処理終了
906 実行時間調整処理
907 開始時刻調整処理
908 処理終了
1001 タイミング調整処理開始
1002 タイミング調整回数確認
1003 タイミング補正値加算処理
1004 タイミング補正値符号変更処理
1005 タイミング補正値符号変更処理
1006 命令タイミング補正処理
1007 処理終了
1101 割込みYタイムチャート
1102 割込みY割込みタイミング
1102-1 割込みY複製タイミング
1103 関数Xタイムチャート
1201 複製間隔
1202 検証間隔
1301 処理開始
1302 タイミング補正処理
1304 タイミング複製処理
1305 検証処理
1305 検証結果判定
1306 処理終了
1307 複製タイミング破棄
1601 テスト指示タイミング
1602 初期化テーブル
1603 結果取得テーブル 1 Verification device 2 ECU
201 Communication device 202 ROM
203 CPU
204 RAM
205 Input / Output Device 301 Test Scenario Interpretation Unit 302 Timing Adjustment Unit 303 Test Instruction Unit 304 Program Execution Unit 305 Result Acquisition Unit 401 Call Function 402 Function X
402-1 Function A Processing A
402-2 Function X Processing B
403 Interrupt Y
501 Test scenario 601 Test instruction timing 701 Result acquisition timing 801 Execution result 901 Timing adjustment processing start 902 Determination target comparison processing 903 Determination result confirmation 904 Determination result output processing 905 Processing end 906 Execution time adjustment processing 907 Start time adjustment processing 908 Processing end 1001 Timing adjustment processing start 1002 Timing adjustment count confirmation 1003 Timing correction value addition processing 1004 Timing correction value code change processing 1005 Timing correction value code change processing 1006 Instruction timing correction processing 1007 Processing end 1101 Interrupt Y time chart 1102 Interrupt Y interrupt timing 1102-1 Interrupt Y duplication timing 1103 Function X time chart 1201 Duplication interval 1202 Verification interval 1301 Processing start 1302 Timing compensation Process 1304 timing replication process 1305 verification process 1305 verification result determining 1306 processing end 1307 replication timing destroyed 1601 test command timing 1602 initialization table 1603 result acquiring table

Claims (6)

  1.  制御プログラムの実行タイミングに起因する不具合を検証する検証システムであって、
     所定のテスト条件に基づいて前記制御プログラムへのテスト指示を生成する指示生成部と、
     前記テスト指示に従って前記制御プログラムが実行した実行結果を取得する結果取得部と、を備え、
     前記テスト指示には、前記制御プログラムの実行タイミングが含まれ、
     前記指示生成部は、前記所定のテスト条件に基づいて設定される比較値と比較して前記実行結果が異常でないと判断される場合には、前記実行タイミングを変更した新たなテスト指示を生成する検証システム。     A verification system for verifying defects caused by the execution timing of a control program,
    An instruction generating unit that generates a test instruction to the control program based on a predetermined test condition;
    A result acquisition unit that acquires an execution result executed by the control program according to the test instruction,
    The test instruction includes the execution timing of the control program,
    The instruction generation unit generates a new test instruction in which the execution timing is changed when it is determined that the execution result is not abnormal as compared with a comparison value set based on the predetermined test condition. Verification system.
  2.  請求項1に記載の検証システムにおいて、
     前記指示生成部は、前記実行結果に基づく新たな実行タイミングを設定する実行タイミング設定動作を繰り返し実行可能に構成され、
     前記実行タイミング設定動作の繰り返し回数が多くなる程、最初の実行タイミングとの差が大きくなるように前記新たな実行タイミングを設定する検証システム。     The verification system according to claim 1,
    The instruction generation unit is configured to repeatedly execute an execution timing setting operation for setting a new execution timing based on the execution result,
    A verification system that sets the new execution timing so that the difference from the first execution timing increases as the number of repetitions of the execution timing setting operation increases.
  3.  請求項1に記載の検証システムにおいて、
     前記所定のテスト条件には、予め基準として設定される基準実行タイミングが含まれ、
     前記指示生成部は、前記基準実行タイミングに基づいて異なる複数の実行タイミングを設定する検証システム。     The verification system according to claim 1,
    The predetermined test condition includes a reference execution timing set in advance as a reference,
    The instruction generation unit is a verification system that sets a plurality of different execution timings based on the reference execution timing.
  4.  請求項1に記載の検証システムにおいて、
     前記指示生成部は、前記新たなテスト指示を生成する際、前記実行結果をもたらした実行タイミングに基づいて新たな実行タイミングを設定する検証システム。     The verification system according to claim 1,
    The verification system that sets a new execution timing based on the execution timing that brought the execution result when the instruction generation unit generates the new test instruction.
  5.  請求項1に記載の検証システムを備え、
     前記制御プログラムが実装される車両制御装置と接続可能に構成される検証装置。     A verification system according to claim 1,
    A verification device configured to be connectable to a vehicle control device on which the control program is mounted.
  6.  請求項1に記載の検証システムと、前記制御プログラムとが実装され、
     前記所定のテスト条件を出力する検証装置と接続可能に構成される車両制御装置。     The verification system according to claim 1 and the control program are mounted,
    A vehicle control device configured to be connectable to a verification device that outputs the predetermined test condition.
PCT/JP2016/071474 2015-08-31 2016-07-22 Verification system, verification device, and vehicle control device WO2017038290A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2015169981A JP2017049627A (en) 2015-08-31 2015-08-31 Verification system, verification device, and vehicle controller
JP2015-169981 2015-08-31

Publications (1)

Publication Number Publication Date
WO2017038290A1 true WO2017038290A1 (en) 2017-03-09

Family

ID=58187196

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2016/071474 WO2017038290A1 (en) 2015-08-31 2016-07-22 Verification system, verification device, and vehicle control device

Country Status (2)

Country Link
JP (1) JP2017049627A (en)
WO (1) WO2017038290A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6626064B2 (en) 2017-10-31 2019-12-25 ファナック株式会社 Testing device and machine learning device
JP7134903B2 (en) * 2019-03-05 2022-09-12 株式会社日立製作所 Bug Reproduction Support System, Bug Reproduction Support Method
KR102202739B1 (en) * 2019-08-07 2021-01-12 주식회사 한화 Apparatus and method determining abnormal situation in connection with simulator for verifying guidance control system of object
JP7377456B2 (en) * 2020-01-10 2023-11-10 マツダ株式会社 Equipment verification device and verification method
KR102440254B1 (en) * 2020-09-23 2022-09-06 주식회사 다산네트웍스 System for testing electronic control unit
KR102586820B1 (en) * 2023-06-27 2023-10-11 주식회사 드림에이스 System for verifying virtual ecu and method for correcting error thereof

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005309800A (en) * 2004-04-22 2005-11-04 Matsushita Electric Ind Co Ltd Software verification method and method for forming verification data
JP2007246040A (en) * 2006-03-17 2007-09-27 Fujitsu Ten Ltd Electronic control device, simulation device, testing device, and testing method
WO2011118014A1 (en) * 2010-03-25 2011-09-29 富士通株式会社 Verification support program, control program, verification support device, multi-core processor system, verification support method, and control method

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005309800A (en) * 2004-04-22 2005-11-04 Matsushita Electric Ind Co Ltd Software verification method and method for forming verification data
JP2007246040A (en) * 2006-03-17 2007-09-27 Fujitsu Ten Ltd Electronic control device, simulation device, testing device, and testing method
WO2011118014A1 (en) * 2010-03-25 2011-09-29 富士通株式会社 Verification support program, control program, verification support device, multi-core processor system, verification support method, and control method

Also Published As

Publication number Publication date
JP2017049627A (en) 2017-03-09

Similar Documents

Publication Publication Date Title
WO2017038290A1 (en) Verification system, verification device, and vehicle control device
JP5897068B2 (en) Method and apparatus for upgrading and providing control redundancy in a process plant
US20030051235A1 (en) Method and apparatus for verifying and analyzing computer software installation
US10459435B2 (en) Test manager for industrial automation controllers
JP6404292B2 (en) System and method for protecting a technical system from cyber attacks
EP3151071B1 (en) System for updating a control program while actively controlling an industrial process
US20230244765A1 (en) Embedded processing system with multi-stage authentication
US20160026166A1 (en) Method and apparatus for controlling a physical unit in an automation system
JP2016081341A (en) Electronic control device
US9703672B2 (en) Method for verifying the processing of software
EP3196718A1 (en) Embedded emulation modules in industrial control devices
US20220308859A1 (en) Method for Real-Time Updating of Process Software
JP6434840B2 (en) Electronic control unit
JP2016024798A (en) Redundant controller system and standby system controller
JP2001195110A (en) Numerical controller
KR102002545B1 (en) Code test automatic proceeding method through virtualixation and appratus for the same
JP6874462B2 (en) Information processing equipment, memory control system, memory control method and memory control program
US20190302739A1 (en) Program verification system, control apparatus, and program verification method
KR102368559B1 (en) Method of testing an OHT software
WO2022176054A1 (en) Data comparison device, data comparison system, and data comparison method
JP5505990B2 (en) Network equipment
JP6609235B2 (en) Electronic control unit
JP2010244183A (en) Device inspection system, device inspection method, device inspection program
JPWO2021172429A5 (en) Verification control device, system, method and verification control program
JP2019152946A (en) Numerical control system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16841322

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16841322

Country of ref document: EP

Kind code of ref document: A1