JP2011008702A - Fault processor - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a fault processor that performs proper fault handling operation when a fault occurs.SOLUTION: A CPU 110 includes: three first registers 13, 23, 33 storing in advance first fault level information for defining a process when first software 11, 21, 31 disposed on first VCPUs 12, 22, 32 and operating thereon detect a fault; a fault level setting section 451 which, if any of the first softwares 11, 21, 31 detects a fault, reads from the first registers 13, 23, 33 the first fault level information corresponding to the first software that has detected the fault and sets the information as a fault level for defining the fault handling operation; and a process execution section 453 which executes the fault handling corresponding to the set fault level.

Description

  In the present invention, for example, in the case where two or more first virtual processors mounted on one physical processor detect a failure in any of the first number of first software operating respectively. Furthermore, the present invention relates to a failure processing apparatus mounted on the one physical processor, which performs processing corresponding to the first virtual processor in which the first software in which the failure has occurred operates. In particular, the present invention relates to a failure processing apparatus mounted on a vehicle. More specifically, the present invention relates to a failure processing apparatus that is provided when integrating an ECU (Electronic Control Unit) mounted on a vehicle.

  Conventionally, various devices mounted on a vehicle are controlled by an ECU. In recent years, the number of ECUs mounted on vehicles has increased along with the sophistication and complexity of control in various devices mounted on vehicles, and it is possible to reduce the number of ECUs by integrating their functions. It has been proposed (see, for example, Patent Document 1).

  Patent Document 1 describes an integrated electronic control device that integrates a plurality of electronic control units (corresponding to ECUs) that respectively control a plurality of devices mounted on an automobile. The integrated electronic control device is described below. It has the composition of. That is, the integrated electronic control device includes a substrate provided with integrated processing units of a plurality of electronic control units, an input / output unit provided with integrated input / output units and drive circuits of the plurality of electronic control units, The substrate processing unit, the input / output unit of the input / output unit, and the drive circuit include shift storage means provided on either the substrate or the input / output unit, and a dedicated circuit connected to the shift storage means The substrate and the input / output unit are connected via a wire constituting a dedicated line.

  According to the integrated electronic control device, the board having the arithmetic processing unit and the input / output unit are not connected by multiplex communication to transmit / receive signals, but transmit / receive signals via the shift storage means and the dedicated circuit. Therefore, it is not necessary to provide components for multiplex communication on the board and the input / output unit provided with the arithmetic processing unit, and the board and the input / output unit can be downsized.

JP 2008-296871 A

  However, it is difficult for the integrated electronic control device described in Patent Document 1 to operate while maintaining a failure level set in advance in each of a plurality of ECUs before function integration. That is, a failure level is set for each ECU, and a design corresponding to the set failure level is performed. Accordingly, when functions of a plurality of ECUs are integrated into one ECU, it is not appropriate to operate at the failure level of one integrated ECU when a failure occurs.

  For example, an ECU that controls a brake or the like that is required to be strong against a failure is designed as an ECU that can perform a minimum operation even when a failure occurs. On the other hand, in an ECU that controls a power seat or the like whose demand for strength against failure is relatively low, when a failure occurs, an alarm is displayed on an instrument panel or the like to stop the operation. The

  The present invention has been made in view of the above circumstances, and an object thereof is to provide a failure processing apparatus capable of performing an appropriate failure processing operation when a failure occurs.

  In order to achieve the above object, the present invention has the following features. According to a first aspect of the present invention, in the first number of first virtual processors of two or more mounted on one physical processor, when any one of the first number of first software operating respectively detects a failure And a failure processing apparatus mounted on the one physical processor for performing processing corresponding to the first virtual processor on which the first software in which the failure has occurred operates, wherein the failure processing apparatus is mounted on the first number of virtual processors. A first number of first storage means for preliminarily storing first failure level information that defines the processing when the first software that is respectively disposed and operates on the first number of virtual processors detects a failure; When the first software detects a failure, first failure level information corresponding to the first software that has detected the failure is read from the first storage means, and the failure is detected. It includes a failure level setting means for setting as a failure level for defining the management operation, and process execution means for executing a fault handling operation corresponding to the failure level set by the failure level setting means.

  According to a second invention, in the first invention, the function of the first number of physical processors, in which the first number of first virtual processors are respectively function-integrated on the one physical processor, is simulated. Processor.

  In a third aspect based on the second aspect, the one physical processor and the first number of physical processors are each an ECU (Electronic Control Unit) mounted in a vehicle.

  In a fourth aspect based on the first aspect, the failure level setting means and the processing execution means are configured as a part of a second virtual processor mounted on the one physical processor. .

  In a fifth aspect based on the first aspect, the first storage means comprises a register.

  In a sixth aspect based on the fourth aspect, the second virtual processor preliminarily stores second failure level information defining a process when the second software operating on the second virtual processor detects a failure. A second storage means for storing, and the failure level setting means defines a failure processing operation based on the second failure level stored in the second storage means when the second software detects a failure. The failure execution level corresponding to the failure level set by the failure level setting unit is executed by the process execution unit.

  In a seventh aspect based on the sixth aspect, the failure level setting means is configured such that the first failure level read from the first storage means is a second failure level stored in the second storage means. Comparing circuit for determining whether or not they match, and when the processing execution means determines that the second failure level matches with the comparing circuit, executes the failure processing operation defined in the second software .

  In an eighth aspect based on the sixth aspect, the second storage means is constituted by a register.

  In a ninth aspect based on the first aspect, the failure level information indicates the first software in which a failure has occurred, the first virtual processor in which no failure has occurred among the first number of first virtual processors. The first specific failure level information corresponding to the first failure processing operation which is the failure processing operation operated above is included.

  In a tenth aspect based on the ninth aspect, when the failure level set by the failure level setting means is the first specific failure level, the first number of first virtual processors are selected. Selection means for selecting an alternative virtual processor which is one first virtual processor in which no failure has occurred to execute the first failure processing operation, and the processing execution means is the alternative selected by the selection means The first software in which the failure has occurred is operated on the virtual processor.

  In an eleventh aspect based on the tenth aspect, the selecting means selects the alternative virtual processor from the first number of first virtual processors based on a load factor of each first virtual processor. .

  In a twelfth aspect based on the tenth aspect, the selecting means sets the first failure level stored in the first storage means of each first virtual processor from the first number of first virtual processors. Based on this, the alternative virtual processor is selected.

  In a thirteenth aspect based on the tenth aspect, the process execution means includes a part of preset functions of the first software in which a failure has occurred on the alternative virtual processor selected by the selection means. To work.

  In a fourteenth aspect based on the tenth aspect, the processing execution unit operates a minimum necessary function in the first software in which the failure has occurred on the alternative virtual processor selected by the selection unit. .

  In a fifteenth aspect based on the first aspect, the failure level information repeatedly executes a reset of the first virtual processor corresponding to the first software in which the failure has occurred up to a predetermined number of times. If not solved, the second specific failure level information corresponding to the second failure processing operation that is the failure processing operation for stopping the execution of the first software is included.

  In a sixteenth aspect based on the first aspect, third failure level information corresponding to any one of the first number of first failure level information respectively stored in the first number of first storage means, Third storage means for storing in advance, and when the failure level setting means detects a failure in the first software, first failure level information corresponding to the first software that has detected the failure is stored in the first storage means. And the third failure level information is read from the third storage means, and a failure level that defines the failure processing operation is set based on the read first failure level information and third failure level information.

  In a seventeenth aspect based on the sixteenth aspect, the failure level setting means performs a failure processing operation on a failure level having a higher required level of the first failure level information and the third failure level information. Set as the specified failure level.

  In an eighteenth aspect based on the sixteenth aspect, the third storage means comprises a register.

  According to the first aspect of the present invention, the first and second virtual processors each disposed on two or more first virtual processors mounted on one physical processor and operating on the first virtual processors respectively. First failure level information that defines processing when software detects a failure is stored in advance in the first number of first storage means. Further, when the first software detects a failure, the failure level setting means reads out the first failure level information corresponding to the first software that has detected the failure from the first storage means, and performs the failure processing operation. It is set as the specified failure level. Then, a failure processing operation corresponding to the set failure level is executed by the processing execution means. Therefore, when a failure occurs, an appropriate failure processing operation can be performed.

  That is, the first failure level information corresponding to the first software that has detected the failure is read from the first storage means, set as the failure level that defines the failure processing operation, and the failure processing corresponding to the set failure level Since the operation is executed, an appropriate failure processing operation can be performed by storing appropriate failure level information in the first number of first storage means.

  According to the second aspect, each of the first number of first virtual processors is a processor simulating the function of the first number of physical processors, each function integrated on the one physical processor. . Therefore, when the first number of physical processors are functionally integrated on the one physical processor, an appropriate failure processing operation can be performed.

  That is, for example, by storing the failure level information set in the first number of physical processors in the first number of first storage means, it is possible to perform an appropriate failure processing operation. is there.

  According to the third aspect, each of the one physical processor and the first number of physical processors is an ECU mounted on a vehicle. Therefore, when the first number of ECUs are function-integrated on the one ECU, an appropriate failure handling operation can be performed.

  That is, for example, by storing the failure level information set in the first number of ECUs in the first number of first storage means, an appropriate failure processing operation can be performed. .

  According to the fourth aspect, the failure level setting means and the process execution means are configured as a part of the second virtual processor mounted on the one physical processor. Therefore, an appropriate failure handling operation can be performed with a simple configuration.

  According to the fifth aspect, the first storage means is constituted by a register. Therefore, the failure processing operation can be performed quickly with a simple configuration.

  According to the sixth aspect of the present invention, the second failure level information defining the processing when the second software operating on the second virtual processor detects a failure is stored in the second storage means of the second virtual processor. Stored in advance. Then, when the second software detects a failure, a failure level that defines a failure processing operation is set based on the second failure level stored in the second storage means. Further, a failure processing operation corresponding to the set failure level is executed. Therefore, even when the second software detects a failure, an appropriate failure processing operation can be performed.

  That is, when the second software detects a failure, a failure processing operation is executed based on the second failure level stored in the second storage means. Therefore, an appropriate failure level is set as the second failure level. By setting, even when the second software detects a failure, an appropriate failure processing operation can be performed.

  According to the seventh aspect, in the comparison circuit, it is determined whether or not the first failure level read from the first storage means matches the second failure level stored in the second storage means. Is done. When the comparison circuit determines that the second failure level matches, the failure processing operation defined in the second software is executed. Therefore, when a failure occurs, an appropriate failure processing operation can be performed quickly.

  According to the eighth aspect, the second storage means is constituted by a register. Therefore, the failure processing operation can be performed quickly with a simple configuration.

  According to the ninth aspect, the failure level information causes the first software in which a failure has occurred to operate on a first virtual processor in which no failure has occurred among the first number of first virtual processors. The first specific failure level information corresponding to the first failure processing operation which is the failure processing operation is included. Therefore, when the first virtual processor is required to be strong against a failure, an appropriate failure processing operation can be performed.

  That is, when a failure is detected in the first virtual processor that is required to be strong against a failure and the first specific failure level is set, the first software in which the failure has occurred Since it is operated on the first virtual processor that has not occurred, an appropriate failure processing operation can be performed.

  According to the tenth aspect, when the failure level set by the failure level setting means is the first specific failure level, the first number of the first virtual processors are selected from the first number of first virtual processors. An alternative virtual processor that is one first virtual processor in which no failure has occurred for executing the failure processing operation is selected. Then, the first software in which the failure has occurred is operated on the selected alternative virtual processor. Therefore, when the first virtual processor is required to be strong against a failure, a more appropriate failure processing operation can be performed.

  That is, when a failure is detected in the first virtual processor that is required to be strong against a failure and the first specific failure level is set, one first that has not failed. Since an alternative virtual processor that is a virtual processor is selected and the first software in which the failure has occurred is operated on the selected alternative virtual processor, more appropriate failure processing can be performed by appropriately selecting the alternative virtual processor. It can do the action.

  According to the eleventh aspect, the alternative virtual processor is selected from the first number of first virtual processors based on the load factor of each first virtual processor. Therefore, the alternative virtual processor can be appropriately selected.

  That is, for example, by selecting the first virtual processor with the lowest load factor as the alternative virtual processor, the first software in which a failure has occurred can be smoothly operated on the alternative virtual processor.

  According to the twelfth aspect, the alternative virtual processor is selected from the first number of first virtual processors based on the first failure level stored in the first storage means of each first virtual processor. Is done. Therefore, the alternative virtual processor can be appropriately selected.

  That is, for example, by selecting a first virtual processor that has the same (or similar) first failure level as the first software in which a failure has occurred as the alternative virtual processor, One software can be properly operated on the alternative virtual processor.

  According to the thirteenth aspect, some preset functions of the first software in which the failure has occurred operate on the selected alternative virtual processor. Therefore, when the first virtual processor is required to be strong against a failure, a more appropriate failure processing operation can be performed.

  That is, when a failure is detected in the first virtual processor that is required to be strong against a failure and the first failure level is set, a failure has occurred on the selected alternative virtual processor Since some functions set in advance operate in the first software, it is possible to suppress an increase in the load on the alternative virtual processor associated with executing the process corresponding to the first software in which the failure has occurred. is there.

  According to the fourteenth aspect, the minimum necessary functions of the first software in which a failure has occurred operate on the selected alternative virtual processor. Therefore, when the first virtual processor is required to be strong against a failure, a more appropriate failure processing operation can be performed.

  That is, when a failure is detected in the first virtual processor that is required to be strong against a failure and the first failure level is set, a failure has occurred on the selected alternative virtual processor Since the minimum necessary functions of the first software operate, it is possible to further suppress an increase in the load on the alternative virtual processor associated with executing the process corresponding to the first software in which the failure has occurred.

  According to the fifteenth aspect of the present invention, when the failure level information indicates that the first virtual processor corresponding to the first software in which the failure has occurred is repeatedly reset a predetermined number of times and the failure is not resolved. Includes second specific failure level information corresponding to a second failure processing operation that is a failure processing operation that stops execution of the first software. Therefore, an appropriate failure processing operation can be performed when the demand for strength against failure is relatively moderate for the first virtual processor.

  That is, when a failure is detected in the first virtual processor in which the demand for strength with respect to the failure is relatively moderate and the second specific failure level is set, it corresponds to the software in which the failure has occurred. If the reset of the first virtual processor is repeatedly executed up to a preset predetermined number of times and the failure is not resolved, the execution of the software is stopped, so that an appropriate failure processing operation can be performed.

  For example, when the predetermined number of times is 3, the reset of the first virtual processor is repeatedly executed up to 3 times, and when the failure is solved during that time, execution of the software in which the failure has occurred is executed. Resumed. On the other hand, if the failure is not resolved even after the first virtual processor is reset three times, the execution of the software in which the failure has occurred is stopped. Therefore, an appropriate failure handling operation can be performed when the strength demand for failure is relatively moderate.

  According to the sixteenth aspect of the present invention, the third failure level information corresponding to any one of the first number of first failure level information respectively stored in the first number of first storage means is the third storage means. Stored in advance. When the first software detects a failure, the first failure level information corresponding to the first software detecting the failure is read from the first storage unit, and the third failure level information is stored in the third storage unit. The failure level that defines the failure processing operation is set based on the read first failure level information and third failure level information. Accordingly, it is possible to simplify the processing of the processing execution means by appropriately setting the third failure level.

  According to the seventeenth aspect, the higher failure level of the first failure level information and the third failure level information is set as the failure level that defines the failure processing operation. Therefore, the processing execution means can be simplified by appropriately setting the third failure level.

  According to the eighteenth aspect, the third storage means is constituted by a register. Therefore, the failure processing operation can be performed quickly with a simple configuration.

The block diagram which shows an example of a structure of the failure processing apparatus which concerns on 1st Embodiment of this invention. Chart showing examples of failure levels The flowchart which shows an example of operation | movement of the failure processing apparatus which concerns on 1st Embodiment. Detailed flowchart showing an example of the first failure processing executed in step S109 of the flowchart shown in FIG. Detailed flowchart showing an example of the second failure process executed in step S113 of the flowchart shown in FIG. Detailed flowchart showing an example of the third failure process executed in step S115 of the flowchart shown in FIG. The block diagram which shows an example of a structure of the failure processing apparatus which concerns on 2nd Embodiment of this invention. The flowchart which shows an example of operation | movement of the failure processing apparatus which concerns on 2nd Embodiment (the first half part) The flowchart which shows an example of operation | movement of the failure processing apparatus which concerns on 2nd Embodiment (second half part) Block diagram showing an example of the state before function integration

  Embodiments of a failure processing apparatus according to the present invention will be described below with reference to the drawings. In the following embodiments (first embodiment, second embodiment), a case will be described in which the failure processing apparatus according to the present invention is mounted on a vehicle. In addition, the failure processing apparatus according to the present invention integrates a first number (here, three) ECU (Electronic Control Unit) (corresponding to a physical processor) mounted on a vehicle on one ECU. The case will be described.

  In other words, before the function integration, the first number of first software programs each operate on the first number of ECUs. FIG. 10 is a block diagram illustrating an example of a state before function integration. As shown in FIG. 10, the first software 101 is executed on the CPU 102 mounted on the ECU 10 before function integration. The first software 201 is executed on the CPU 202 mounted on the ECU 20. Further, the first software 301 is executed on the CPU 302 mounted on the ECU 30.

  After function integration, for example, as shown in FIG. 1, in one ECU 100, the first number (here, three) of the first software 11, 21, 31 is the first number, respectively. It is executed on the first number of first VCPUs (virtual CPUs: Virtual Central Processing Units) respectively corresponding to (here, three) CPUs (CPUs 102, 202, and 302 shown in FIG. 10). For example, as shown in FIG. 1, the failure processing apparatus according to the present invention is any one of the first number of first software 11, 21, and 31 operating in the first number of first VCPUs 12, 22, and 32. When a failure is detected, failure processing corresponding to the first VCPUs 12, 22, and 32 in which the first software 11, 21, and 31 in which the failure has occurred operates is performed.

<First Embodiment>
FIG. 1 is a block diagram showing an example of the configuration of the failure processing apparatus according to the first embodiment of the present invention. As shown in FIG. 1, the ECU 100 includes a CPU 110. In addition, a CPU (Central Processing Unit) 110 (corresponding to a failure processing device) includes first VCPUs 12, 22, 32 and a second VCPU 42. Further, the first VCPUs 12, 22, and 32 include first registers 13, 23, and 33, respectively.

  The first VCPU 12 is a virtual CPU that is virtually mounted on the CPU 110 and executes the first software 11. In other words, the first software 11 and the first VCPU 12 are virtual ECUs 1 that virtually realize the functions of the ECU 10 shown in FIG. Here, the first failure level of the first software 11 is set to “5”, for example. The first register 13 (corresponding to the first storage means) indicates that the first failure level is “5” as the first failure level information that defines the processing when the first software 11 detects a failure. It is a register for storing information (see FIG. 2) in advance.

  The first VCPU 22 is a virtual CPU that is virtually mounted on the CPU 110 and executes the first software 21. In other words, the first software 21 and the first VCPU 22 are virtual ECUs 2 that virtually realize the functions of the ECU 20 shown in FIG. Here, the first failure level of the first software 21 is set to “3”, for example. The first register 23 (corresponding to the first storage means) indicates that the first failure level is “3” as the first failure level information that defines the processing when the first software 21 detects a failure. It is a register for storing information (see FIG. 2) in advance.

  The first VCPU 32 is a virtual CPU that is virtually mounted on the CPU 110 and executes the first software 31. In other words, the first software 31 and the first VCPU 32 are virtual ECUs 3 that virtually realize the functions of the ECU 30 shown in FIG. Here, the first failure level of the first software 31 is set to “1”, for example. The first register 33 (corresponding to the first storage means) indicates that the first failure level is “1” as the first failure level information that defines the processing when the first software 31 detects a failure. It is a register for storing information (see FIG. 2) in advance.

  FIG. 2 is a chart showing an example of the failure level. Here, a case where the failure level includes failure level 5, failure level 3, and failure level 1 will be described. The failure level 5, the failure level 3, and the failure level 1 are failure levels with a high demand for strength in this order. Here, as shown in FIG. 1, a case will be described in which the first software 11, 21, and 31 are set to failure level 5, failure level 3, and failure level 1, respectively.

  The failure level 5 (corresponding to the first specific failure level) is a failure level set in the ECU 10 (see FIG. 10) that controls a brake or the like that is required to be very strong against the failure. The minimum necessary functions of the first software 11 in which the occurrence of the error occurred on the first VCPU 22 (or the first VCPU 32) in which no failure has occurred among the first number (here, three) of the first VCPUs 12, 22, 32. The failure processing operation (hereinafter, referred to as the first failure processing operation) to be executed in step 1 is a specified failure level.

  The failure level 3 (corresponding to an example of the second specific failure level) is a failure level set in the ECU 20 (see FIG. 10) that is required to be moderately strong against the failure. The resetting of the first VCPU 22 corresponding to the first software 21 is repeatedly executed up to a predetermined number of times (here, three times), and if the failure is not resolved, the execution of the first software 21 is stopped. This is a failure level in which a failure handling operation (hereinafter referred to as a second failure handling operation) is specified.

  The failure level 1 (corresponding to an example of the second specific failure level) is a failure level set in the ECU 30 (see FIG. 10) that controls a power seat or the like that has a relatively low demand for failure. If the reset of the first VCPU 32 corresponding to the generated first software 31 is executed only once and the failure is not resolved, a failure processing operation for stopping the execution of the first software 31 (hereinafter referred to as a second failure) This is a specified failure level.

  Returning to FIG. 1 again, the configuration of the CPU 110 will be described. The second VCPU 42 is a virtual CPU that is virtually mounted on the CPU 110 and executes the second software 41. The second VCPU 42 includes a second register 43, a comparison circuit 44, and a failure control circuit 45. Here, the second failure level of the second software 41 is set to “3”, for example. The second register 43 (corresponding to the second storage means) indicates that the second failure level is “3” as the second failure level information that defines the processing when the second software 41 detects a failure. It is a register for storing information (see FIG. 2) in advance.

  The second software 41 (corresponding to a part of the failure level setting means and a part of the processing execution means) is used when the first software 11, 21, 31 or the second software 41 detects a failure. The processing corresponding to the failure is executed via the comparison circuit 44 and the failure control circuit 45.

  The comparison circuit 44 (corresponding to a part of the failure level setting means) receives the first failure from the corresponding first register 13, 23, 33 when any of the first software 11, 21, 31 detects a failure. This circuit reads out the level and reads out the second failure level from the second register 43. Then, the comparison circuit 44 determines whether or not the first failure level read from the first registers 13, 23 and 33 matches the second failure level stored in the second register 43.

  The failure control circuit 45 (corresponding to a part of the failure level setting means and a part of the processing execution means) sets and sets the failure level that defines the failure processing operation based on the determination result of the comparison circuit 44. This is a circuit for executing a fault processing operation corresponding to the fault level. The failure control circuit 45 includes a failure level setting unit 451, a selection unit 452, and a process execution unit 453.

  The failure level setting unit 451 (corresponding to a part of the failure level setting means) is a first failure level read from the first registers 13, 23, 33, and a second failure level read from the second register 43. Is a circuit for setting a failure level that defines a failure processing operation.

  Specifically, when the comparison circuit 44 determines that the first failure level read from the first registers 13, 23, and 33 matches the second failure level stored in the second register 43, The failure level setting unit 451 sets a second failure level (here, failure level 3) as a failure level that defines the failure processing operation. Here, since the first failure level stored in the first register 23 is the failure level 3, the comparison circuit 44 determines that the first failure level matches the second failure level, and the failure level that defines the failure processing operation is the failure level. Level 3 is set.

  Further, when the comparison circuit 44 determines that the first failure level read from the first register 13, 23, 33 does not match the second failure level stored in the second register 43, the failure level The setting unit 451 sets the first failure level read from the first registers 13, 23, and 33 as the failure level that defines the failure processing operation. Here, since the first failure level stored in the first register 13 is the failure level 5, the comparison circuit 44 determines that the first failure level does not coincide with the second failure level. Failure level 5 is set. Further, since the first failure level stored in the first register 33 is the failure level 1, the comparison circuit 44 determines that the first failure level does not coincide with the second failure level, and the failure level that defines the failure processing operation is the failure level. Level 1 is set.

  When the failure level set by the failure level setting unit 451 is the first failure level (= failure level 5), the selection unit 452 (corresponding to a part of the processing execution means) Then, among the three first VCPUs 12, 22, and 32, there is one first VCPU in which no failure has occurred so as to execute the first failure processing operation (= the failure processing operation corresponding to the failure level 5). This circuit selects an alternative virtual processor.

  Specifically, here, the selection unit 452 selects the alternative virtual processor based on the load factor of the first VCPUs 22 and 23 in which no failure has occurred. For example, the selection unit 452 selects, as the alternative virtual processor, the one having the lowest load factor among the first VCPUs 22 and 23 in which no failure has occurred. Note that the load factor may be a load factor estimated in advance when the three ECUs 10, 20, and 30 shown in FIG. 10 are functionally integrated into one ECU 100 according to the present invention. It may be a load factor of a later record.

  The process execution unit 453 (corresponding to a part of the process execution means) is a circuit that executes a failure processing operation corresponding to the failure level set by the failure level setting unit 451. Specifically, when the failure level setting unit 451 sets the failure level 5, the process execution unit 453 causes a failure in the alternative virtual processor (for example, the first VCPU 22) selected by the selection unit 452. The minimum necessary functions of the first software 11 are executed.

  When the failure level setting unit 451 sets the failure level 3, the process execution unit 453 causes the first VCPU 22 (or the second software 41) corresponding to the first software 21 (or the second software 41) in which the failure has occurred. 2VCPU 42) is repeatedly executed up to a preset predetermined number of times (here, 3 times). If the failure is not resolved, the first VCPU 22 (or the second VCPU 42) is instructed to the first software 21 (or The execution of the second software 41) is stopped.

  Further, when the failure level setting unit 451 sets the failure level 1, the process execution unit 453 executes the reset of the first VCPU 32 corresponding to the first software 31 in which the failure has occurred only once, and the failure is detected. If not resolved, the first VCPU 22 is stopped from executing the first software 31.

  In this way, when a failure is detected in the first VCPU 12 that is required to be strong against failure and the failure level 5 is set, the first software 11 that has failed has failed. Since it is operated on the first VCPU 22 (or the first VCPU 32) that is not present, an appropriate failure processing operation can be performed.

  Further, when a failure is detected in the first VCPU 12 that is required to be strong against a failure and the failure level 5 is set, an alternative virtual processor (for example, one first VCPU in which no failure has occurred) The first VCPU 22) is selected, and the first software 11 in which the failure has occurred is operated on the selected alternative virtual processor. Therefore, by appropriately selecting the alternative virtual processor, a more appropriate failure processing operation can be performed. It can be carried out.

  In the first embodiment, when the failure level is set to the failure level 5 by the failure level setting unit 451, the processing execution unit 453 has the function of the first software 11 in which a failure has occurred in the alternative virtual processor selected by the selection unit 452. However, the processing execution unit 453 may execute a function of the first software 11 in which a failure occurs in a preset alternative virtual processor (for example, the first VCPU 22). In this case, the process is simplified.

  Further, by selecting the first VCPU (for example, the first VCPU 22) having the lowest load factor as the alternative virtual processor, the first software 11 in which the failure has occurred can be smoothly executed on the alternative virtual processor (here, the first VCPU 22). Can be operated.

  In the first embodiment, a case where the selection unit 452 selects the replacement virtual processor based on a load factor will be described. However, the selection unit 452 may select the replacement virtual processor by another method. For example, the selection unit 452 performs the replacement based on the first failure level (here, failure level 3 and failure level 1) stored in the first registers 23 and 33 of the first VCPUs 22 and 32 in which no failure is detected. It is also possible to select a virtual processor. Specifically, the selection unit 452 may select the first VCPU in which the first failure level that requires a high level for failure is set. In this case, the first software 11 in which the failure has occurred can be properly operated on the alternative virtual processor (here, the first VCPU 22).

  In addition, when a failure is detected in the first VCPU 12 that is required to be strong against the failure and the failure level 5 is set, the failure is performed on the selected alternative virtual processor (here, the first VCPU 22). Since the minimum necessary functions are operated in the first software 11 in which the failure has occurred, it is possible to suppress an increase in the load on the alternative virtual processor associated with executing the process corresponding to the first software 11 in which the failure has occurred. it can.

  In the first embodiment, when a failure is detected in the first VCPU 12 in which the failure level 5 is set, the process execution unit 453 causes the first virtual CPU (here, the first VCPU 22) to generate a failure. The case where the minimum necessary functions are executed in the software 11 will be described. The process execution unit 453 executes a part of the first software 11 in which a failure has occurred in the alternative virtual processor (here, the first VCPU 22). Any form can be used. For example, the processing execution unit 453 may set the range of the first software 11 to be executed on the alternative virtual processor according to the load factor of the alternative virtual processor. That is, as the load factor of the alternative virtual processor is lower, the range of the first software 11 executed on the alternative virtual processor may be expanded.

  In addition, when a failure is detected in the first VCPU 22 (or the second VCPU 42) in which the request for strength with respect to the failure is relatively moderate and the failure level 3 is set, the first software 21 ( Alternatively, if the reset of the first VCPU 22 (or the second VCPU 42) corresponding to the second software 41) is repeatedly executed up to a predetermined number of times (here, three times) and the failure is not resolved, the first VCPU 22 (or the second VCPU 42) Since the execution of the first software 21 (or the second software 41) is stopped, an appropriate failure processing operation can be performed.

  In the first embodiment, a case where the predetermined number of times that is the maximum number of resets when the failure level 3 is set is three will be described. However, the predetermined number may be two or more times. . The greater the predetermined number of times, the higher the possibility that the failure will be resolved, so the strength against failure increases.

  Furthermore, when a failure is detected in the first VCPU 32 in which the demand for strength against the failure is moderate and failure level 1 is set, the reset of the first VCPU 32 corresponding to the first software 31 in which the failure has occurred is When the failure is not resolved only once, the execution of the first software 31 is stopped, so that an appropriate failure processing operation can be performed.

  FIG. 3 is a flowchart showing an example of the operation of the failure processing apparatus (mainly the CPU 110) according to the first embodiment. First, the comparison circuit 44 determines whether any of the first software 11, 21, 31 has detected a failure (S101). If it is determined that no failure has been detected (NO in S101), the process is set to a standby state. If it is determined that a failure has been detected (YES in S101), the comparison circuit 44 reads the first failure level L1 from the first registers 13, 23, 33 (S103). Then, the second failure level L2 is read from the second register 43 by the comparison circuit 44 (S105). Next, the comparison circuit 44 determines whether or not the first failure level L1 read in step S103 matches the second failure level L2 read in step S105 (S107).

  When it is determined that the first failure level L1 matches the second failure level L2 (YES in S107), the failure level that defines the failure processing operation is set to the failure level 3 by the failure level setting unit 451. The execution unit 453 executes the first failure process, which is the failure process corresponding to the failure level 3 (S109), and the process ends. When it is determined that the first failure level L1 does not match the second failure level L2 (NO in S107), the failure level setting unit 451 determines whether the first failure level L1 is the failure level 1 or not. Is performed (S111). When it is determined that the first failure level L1 is the failure level 1 (YES in S111), the failure level that defines the failure processing operation is set to the failure level 1, and the processing execution unit 453 corresponds to the failure level 1 The second failure process, which is the failure process to be performed, is executed (S113), and the process ends. If it is determined that the first failure level L1 is not the failure level 1 (= failure level 5) (NO in S111), the failure level that defines the failure processing operation is set to the failure level 5, and the process is executed. The fifth failure process that is the failure process corresponding to the failure level 5 is executed by the unit 453 or the like (S115), and the process is terminated.

  FIG. 4 is a detailed flowchart showing an example of the first failure process executed in step S109 of the flowchart shown in FIG. The following processes are all executed by the process execution unit 453. First, the first VCPU 22 is reset (S201). Then, it is determined whether or not the failure in the first software 21 has been recovered (S203). If it is determined that the failure has been recovered (YES in S203), the process ends. If it is determined that the failure has not been recovered (NO in S203), it is determined whether or not the number N of resets executed is 3 or more (S205). If it is determined that the number of resets N is less than 3 (NO in S205), the process returns to step S201, and the processes after step S201 are repeatedly executed. If it is determined that the reset count N is 3 or more (YES in S205), an alarm is output (S207), the operation of the first VCPU 22 is stopped (S209), and the process is terminated.

  FIG. 5 is a detailed flowchart showing an example of the second failure process executed in step S113 of the flowchart shown in FIG. The following processes are all executed by the process execution unit 453. First, the first VCPU 32 is reset (S301). Then, it is determined whether or not the failure in the first software 31 has been recovered (S303). If it is determined that the failure has been recovered (YES in S303), the process ends. If it is determined that the failure has not been recovered (NO in S303), an alarm is output (S305), the operation of the first VCPU 32 is stopped (S307), and the process is terminated.

  FIG. 6 is a detailed flowchart showing an example of the third failure process executed in step S115 of the flowchart shown in FIG. First, the selection unit 452 obtains the load factor of the first VCPUs 22 and 32 in which no failure has occurred (S401). Then, the first VCPU (for example, the first VCPU 22) having the lowest load factor obtained in step S401 is selected as an alternative virtual processor (herein referred to as an alternative VCPU for convenience) (S403). Next, the process execution unit 453 outputs instruction information indicating that the alternative VCPU selected in step S403 is prepared to execute the minimum necessary functions of the first software 11 in which the failure has occurred (S405). ). Next, the process execution unit 453 stops the operation of the first software 11 by the first VCPU 12 in which the failure has occurred (S407). Then, the process execution unit 453 outputs instruction information indicating that execution of the minimum necessary functions in the first software 11 in which the failure has occurred is started for the alternative VCPU selected in step S403 (S409). The process is terminated.

  In this way, the first failure level L1 corresponding to the first software 11, 21, 31 that has detected the failure is read from the first registers 13, 23, 33, and is set as the failure level that defines the failure processing operation. Since the failure processing operation corresponding to the set failure level is executed, appropriate failure level information is stored in the first number (here, 3) of the first registers 13, 23, 33, An appropriate failure handling operation can be performed.

Second Embodiment
FIG. 7 is a block diagram showing an example of the configuration of the failure processing apparatus according to the second embodiment of the present invention. As shown in FIG. 7, the ECU 100A includes a CPU 110A instead of the CPU 110 of the ECU 100 according to the first embodiment. In addition, a CPU (Central Processing Unit) 110A (corresponding to a failure processing device) includes first VCPUs 12A, 22A, and 32A instead of the first VCPUs 12, 22, and 32 according to the first embodiment, and is related to the first embodiment. Instead of the second VCPU 42, a second VCPU 42A is provided. Further, the first VCPUs 12A, 22A, and 32A include third registers 14, 24, and 34 in addition to the first registers 13, 23, and 33, respectively. The second VCPU 42A includes a comparison circuit 44A in place of the comparison circuit 44.

  That is, the CPU 110A according to the second embodiment is different from the CPU 110 according to the first embodiment in that it includes the third registers 14, 24, and 34 and includes a comparison circuit 44A instead of the comparison circuit 44. It is different. In the following description, differences from the CPU 110 according to the first embodiment will be described, and the same components as those of the CPU 110 according to the first embodiment will be denoted by the same reference numerals and description thereof will be omitted.

  The third registers 14, 24, and 34 (corresponding to the third storage means) function as so-called mask registers (registers that perform masking processing), and are the first number (here, three) of the first registers. The third failure level L3 information corresponding to any of the three first failure levels (here, failure level 5, failure level 3, failure level 1) respectively stored in one register 13, 23, 33 is stored in advance. A register to store.

  Specifically, for example, the third registers 14, 24, and 34 store in advance the first failure level (= failure level 3) stored in the first register 23. In the third registers 14, 24, 34, the first failure level L1 stored in the first registers 13, 23, 33 is the first failure level L3 stored in the third registers 14, 24, 34. If it is lower, the first failure level L3 is output. On the other hand, in the third registers 14, 24, 34, the first failure level L1 stored in the first registers 13, 23, 33 is the first failure level L3 stored in the third registers 14, 24, 34. If it is higher, the first failure level L1 is output.

  When any of the first software 11, 21, 31 detects a failure, the comparison circuit 44A obtains the first failure level L1 (or the first failure level L3) from the corresponding third register 14, 24, 34. In addition to reading, the second failure level L2 is read from the second register 43. Then, the comparison circuit 44 determines that the first failure level L1 (or the first failure level L3) read from the third registers 14, 24, 34 is the second failure level L2 stored in the second register 43. It is determined whether or not they match.

Here, the case where the third registers 14, 24, and 34 store the failure level 3 will be described. When a failure is detected in the first software 11, the failure level 5 stored in the first register 13 is higher than the failure level 3 stored in the third register 14. The failure level 5 stored in is output.
If a failure is detected in the first software 21, the failure level 3 stored in the first register 23 is the same as the failure level 3 stored in the third register 24. The failure level 3 stored in the first register 23 is output. Further, when a failure is detected in the first software 31, since the failure level 1 stored in the first register 33 is lower than the failure level 3 stored in the third register 34, the third register 34 to the third register The failure level 3 stored in the register 24 is output.

  8 and 9 are flowcharts showing an example of the operation of the failure processing apparatus (CPU 110A) according to the second embodiment. In the flowcharts shown in FIGS. 8 and 9, a case where the first failure level stored in the third registers 14, 24, and 34 is the failure level L3 (L3 = 1, 3, 5) will be described for the sake of convenience. . First, as shown in FIG. 8, the comparison circuit 44A determines whether any of the first software 11, 21, and 31 has detected a failure (S501). If it is determined that a failure has not been detected (NO in S501), the process enters a standby state. If it is determined that a failure has been detected (YES in S501), the comparison circuit 44A reads the first failure level L1 from the first registers 13, 23, and 33 (S503). In the third registers 14, 24, 34, the first failure level L1 stored in the first registers 13, 23, 33 is equal to or higher than the first failure level L3 stored in the third registers 14, 24, 34. It is determined whether or not (S505).

  When it is determined that the first failure level L1 is less than the first failure level L3 (NO in S505), the determination failure level LD that is the failure level output from the third registers 14, 24, 34 is the third failure level LD. The failure level L3 is set (S507). On the other hand, when it is determined that the first failure level L1 is equal to or higher than the first failure level L3 (YES in S505), the determination failure level LD that is the failure level output from the third registers 14, 24, and 34 is set. The first failure level L1 is set (S509). When the process of step S507 is completed, or when the process of step S509 is completed, the second failure level L2 is read from the second register 43 by the comparison circuit 44A (S511). Next, as shown in FIG. 9, the comparison circuit 44A determines whether or not the determination failure level LD set in step S507 or step S509 matches the second failure level L2 read in step S511. Performed (S513).

  If it is determined that the determined failure level LD matches the second failure level L2 (YES in S513), the failure level setting unit 451 sets the failure level that defines the failure processing operation to the failure level 3, and executes the process. The first failure processing that is the failure processing corresponding to failure level 3 is executed by the unit 453 (S515), and the processing is terminated. If it is determined that the determined failure level LD does not match the second failure level L2 (NO in S513), the failure level setting unit 451 determines whether the determined failure level LD is the failure level 1. (S517). If it is determined that the determined failure level LD is failure level 1 (YES in S517), the failure level that defines the failure processing operation is set to failure level 1, and the processing execution unit 453 corresponds to failure level 1 A second failure process, which is a failure process, is executed (S519), and the process ends. When it is determined that the determined failure level LD is not the failure level 1 (= failure level 5) (NO in S517), the failure level that defines the failure processing operation is set to the failure level 5, and the process execution unit A fifth failure process that is a failure process corresponding to the failure level 5 is executed by 453 or the like (S115), and the process is terminated.

  In this way, since the failure level that defines the failure processing operation is set based on the first failure level L1 and the third failure level L3, the processing is executed by appropriately setting the third failure level L3. The processing of the unit 453 can be simplified. For example, when the third failure level L3 is set to the failure level 3, the processing execution unit 453 performs failure processing corresponding to the failure level 3 or the failure level 5, and therefore corresponds to the failure level 1. There is no need to perform fault handling.

Note that the failure processing apparatus according to the present invention is not limited to the CPU 110 according to the first embodiment and the CPU 110A according to the second embodiment, and may be the following form.
(A) In the first and second embodiments, a case has been described in which the first number (here, three) of ECUs mounted on the vehicle is functionally integrated on one ECU 100, 100A. Two or more first number of physical processors may be integrated into one physical processor. Further, the present invention is not limited to the case where two or more first number of physical processors are integrated into one physical processor, but one physical processor may have a form in which two or more first number of virtual processors are mounted. It ’s fine.

  (B) In the first and second embodiments, the CPUs 110 and 110A have been described as being mounted on the ECU. However, the CPUs 110 and 110A are mounted on other types of control units and the like. But it ’s okay. For example, the CPU 110 and 110A may be mounted on a personal computer or the like.

  (C) In the first embodiment and the second embodiment, the case where the first storage means, the second storage means, and the third storage means are each configured by a register has been described. However, the first storage means, The second storage means and the third storage means may be configured by other types of memory. For example, the first storage unit, the second storage unit, and the third storage unit may each be constituted by a ROM (Read Only Memory) or a RAM (Random Access Memory).

  (D) In the first and second embodiments, the case where the second VCPUs 42 and 42A include the comparison circuits 44 and 44A and the failure control circuit 45 has been described. However, the second VCPUs 42 and 42A include the comparison circuits 44 and 44A. Alternatively, a configuration including a functional unit having the function of the failure control circuit 45 may be employed. That is, the ECU 100 (or the ECU 100A) causes the CPU 110 (or the CPU 110A) to execute a control program stored in advance in a ROM (Read Only Memory) or the like disposed at an appropriate position of the ECU 100 (or the ECU 100A). The CPU 110 (or the CPU 110A) may be functionally functioned as functional units having the functions of the comparison circuit 44 (or the comparison circuit 44A) and the failure control circuit 45, respectively.

  (E) In the first and second embodiments, the case where the first number is three has been described, but the first number may be two or more. The effect of the present invention becomes more obvious as the first number increases.

  In the present invention, for example, in the case where two or more first virtual processors mounted on one physical processor detect a failure in any of the first number of first software operating respectively. In addition, the present invention can be applied to a failure processing apparatus mounted on the one physical processor that performs processing corresponding to the first virtual processor in which the first software in which the failure has occurred operates.

100, 100A ECU
110, 110A CPU (fault processing device)
11, 21, 31 First software 12, 22, 32 First VCPU (first virtual processor)
12A, 22A, 32A First VCPU (first virtual processor)
13, 23, 33 First register (first storage means)
14, 24, 34 Third register (third storage means)
41 Second software (part of failure level setting means, part of processing execution means)
42, 42A Second VCPU (second virtual processor)
43 Second register (second storage means)
44, 44A comparison circuit (part of failure level setting means)
45 Failure control circuit 451 Failure level setting section (part of failure level setting means)
452 Selection part (part of selection means)
453 process execution unit (part of process execution means)

Claims (18)

A failure has occurred in any one of the first number of first virtual processors mounted on one physical processor when any one of the first number of first software operating respectively detects the failure. A failure processing apparatus mounted on the one physical processor that performs processing corresponding to the first virtual processor on which the first software operates;
The first failure level information that preliminarily stores the first failure level information that defines the processing when the first software that is disposed on each of the first number of virtual processors and that respectively operates on the first number of virtual processors detects a failure is stored in advance. A first number of first storage means;
When the first software detects a failure, failure level setting for reading out first failure level information corresponding to the first software that has detected the failure from the first storage means and setting the failure level as a failure level that defines the failure processing operation Means,
A failure processing apparatus comprising: a processing execution unit that executes a failure processing operation corresponding to the failure level set by the failure level setting unit.   2. The fault processing according to claim 1, wherein each of the first number of first virtual processors is a processor simulating the function of the first number of physical processors, each function integrated on the one physical processor. apparatus.   The failure processing apparatus according to claim 2, wherein each of the one physical processor and the first number of physical processors is an ECU (Electronic Control Unit) mounted on a vehicle.   The failure processing apparatus according to claim 1, wherein the failure level setting unit and the process execution unit are configured as a part of a second virtual processor mounted on the one physical processor.   The failure processing apparatus according to claim 1, wherein the first storage unit includes a register. The second virtual processor comprises second storage means for preliminarily storing second failure level information that defines processing when the second software operating on the second virtual processor detects a failure,
The failure level setting means sets a failure level that defines a failure processing operation based on a second failure level stored in the second storage means when the second software detects a failure,
The failure processing apparatus according to claim 4, wherein the processing execution unit executes a failure processing operation corresponding to the failure level set by the failure level setting unit. The failure level setting means includes a comparison circuit that determines whether or not the first failure level read from the first storage means matches the second failure level stored in the second storage means,
The fault processing apparatus according to claim 6, wherein the processing execution unit executes a fault processing operation defined in the second software when the comparison circuit determines that the second fault level matches the second fault level.   The failure processing apparatus according to claim 6, wherein the second storage unit includes a register.   The failure level information is a first failure process that is a failure processing operation that causes the first software in which a failure has occurred to operate on a first virtual processor in which no failure has occurred among the first number of first virtual processors. The failure processing apparatus according to claim 1, comprising first specific failure level information corresponding to an operation. When the failure level set by the failure level setting means is the first specific failure level, a failure that causes the first failure processing operation to occur from the first number of first virtual processors occurs. A selection means for selecting an alternative virtual processor that is not one first virtual processor;
The failure processing apparatus according to claim 9, wherein the process execution unit operates the first software in which a failure has occurred on the alternative virtual processor selected by the selection unit.   The failure processing apparatus according to claim 10, wherein the selection unit selects the alternative virtual processor from the first number of first virtual processors based on a load factor of each first virtual processor.   The selection means selects the alternative virtual processor from the first number of first virtual processors based on a first failure level stored in a first storage means of each first virtual processor. 10. The failure processing apparatus according to 10.   The failure processing apparatus according to claim 10, wherein the processing execution unit operates a part of preset functions of the first software in which a failure has occurred on the alternative virtual processor selected by the selection unit. .   The failure processing apparatus according to claim 10, wherein the process execution unit operates a minimum necessary function in the first software in which a failure has occurred on the alternative virtual processor selected by the selection unit.   The failure level information is obtained by repeatedly resetting the first virtual processor corresponding to the first software in which the failure has occurred until a predetermined number of times set in advance. The failure processing apparatus according to claim 1, comprising second specific failure level information corresponding to a second failure processing operation that is a failure processing operation to be stopped. Third storage means for storing in advance third failure level information corresponding to any of the first number of first failure level information respectively stored in the first number of first storage means;
When the first software detects a failure, the failure level setting means reads out the first failure level information corresponding to the first software that has detected the failure from the first storage means and outputs the third failure level information. The failure processing apparatus according to claim 1, wherein a failure level that defines a failure processing operation is set based on the first failure level information and the third failure level information read from the third storage unit.   The failure level setting means sets a failure level having a higher required level of the first failure level information and the third failure level information as a failure level that defines a failure processing operation. Failure handling equipment.   The failure processing apparatus according to claim 16, wherein the third storage unit includes a register.

Images