JP2013143093A - Information processing apparatus and information processing system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information processing apparatus that, even when an abnormality is detected in one of two or more applications, can continuously run the other application.SOLUTION: An information processing apparatus comprises plural applications, application monitoring means 60 that counts the number of notifications during operation by each application in a first count period, and application control means 32 for controlling the operation of the applications. When the application monitoring means detects a sign of application abnormality on the basis of the number of past notifications during operation by an application, the application control means stops the transmission of notifications during operation by an application with the lowest priority and allows an application with no sign of abnormality detected therein to send notifications during operation at a timing before detection of abnormality sign and at a timing of transmission of a notification during operation by the application with sign of abnormality detected therein or before or after that transmission.

Description

  The present invention relates to an information processing apparatus that detects an abnormality of a running application.

  Many in-vehicle devices controlled by a microcomputer are mounted on a vehicle, and it is common to mount a safety device together with the in-vehicle device in order to ensure the safety of the in-vehicle device. The safety device monitors whether the functions of the microcomputer and the in-vehicle device are operating according to the specification, and provides a fail-safe function such as stopping the function or notifying the outside when a failure or the like is detected. Such ensuring of safety and the obtained safety itself are called functional safety.

  The functional safety of vehicles is standardized in IEC61508 / ISO26262 and the like, and ASIL (Automotive Safety Integrity Level) is defined as an index for designating safety requirements and safety measures for automobiles. ASIL has a safety level of A to D and QM (D> C> B> A> QM), and the manufacturer determines which safety level each component should meet and the safety related to the component. Can be determined. For this reason, the ASIL of parts that have a significant impact on safety is high.

  For example, an ASIL can be determined for a processor in a microcomputer, and an ASIL can be determined for an application operating on the microcomputer. As a manufacturer, an ASIL having a high safety level can be designated to appeal that high functional safety is ensured, but monitoring corresponding to the safety level is required.

  For example, a plurality of applications 1 and 2 may operate on one microcomputer. In this case, the manufacturer can define the safety level of the application 1 that controls the in-vehicle device as ASIL A, and the safety level of the application 2 that is not directly related to the control of the in-vehicle device as QM.

  As a safety device, monitoring according to the safety level of ASIL is required. For example, when an abnormality is detected in a high-rank application, priority is given to processing for returning the application. However, if an anomaly is detected in a low-rank application, the safety device should not prioritize the return process for the low-rank application until it affects the behavior of the high-rank application.

  Here, WDT (Watch Dog Timer) is known as a mechanism for monitoring the operation of an application. However, since the WDT resets the microcomputer if the application does not reset the timer for a certain period of time, the microcomputer cannot be used during that time, and processing stops.

  As a method of continuing processing when an abnormality is detected in an application, there is a method of duplicating a processing system (see, for example, Patent Document 1). In Patent Document 1, the main processing unit and the auxiliary processing unit monitor the processing contents of each other, and when one processing unit performing data processing goes down during the processing, the switching unit connects the main processing to the line. A fault-tolerant calculator that switches between a unit and an auxiliary processing unit is disclosed.

  Further, a technique for detecting an abnormality by monitoring the presence / absence of a response to be monitored as in the case of WDT has been considered (for example, see Patent Document 2). Patent Document 2 discloses a diagnostic system that transmits a test signal to a communication device to be monitored and determines a communication abnormality based on whether or not a response is received within a predetermined time from when the test signal is transmitted.

JP 2001-290668 A JP 2011-040886 A

  However, as disclosed in Patent Document 1, the method of duplicating the system increases the cost. Therefore, even if the application can be monitored at a high safety level, it is difficult to adopt it for monitoring all the applications.

  Further, Patent Document 2 does not describe how to perform fail-safe control only by notifying a communication device related to an abnormality when it is determined as abnormal. That is, no consideration is given to continuing without stopping processing when an abnormality is detected.

  In view of the above problems, an object of the present invention is to provide an information processing apparatus that can continuously execute the other application even if an abnormality is detected in one of the two or more applications.

  The present invention provides a plurality of applications that periodically transmit an in-operation notification for notifying that it is in operation to the application monitoring unit, and an application monitoring unit that counts the number of in-operation notifications for each application in the first count period And an application control means for controlling the operation of the application, wherein the application monitoring means displays an abnormality sign of at least one application based on the number of in-operation notifications in the first count period in the past of each application. If detected, the application control means stops sending the operation notification of the application with the lowest priority, and the application in which no abnormal sign is detected is operating at the same timing as before the abnormal sign is detected. The timing at which an application whose notification transmission has been stopped transmits an operational notification or At a timing before and after, and transmits through the operation notification, characterized in that.

  Even if an abnormality is detected in one of two or more applications, an information processing apparatus capable of continuously executing the other application can be provided.

It is an example of the figure explaining the outline of the abnormality monitoring of the microcomputer by the monitoring microcomputer. An example of a schematic block diagram of a microcomputer system or a microcomputer is shown. It is an example of a functional block diagram of a microcomputer system or a microcomputer. It is an example of the figure which shows typically transmission of the response signal by a response transmission part, and monitoring of the response signal by a response monitoring part. It is an example of the figure explaining the transmission method of the response signal in a fail safe state. It is an example of the flowchart figure which shows the operation | movement procedure of a microcomputer or a microcomputer system. It is an example of the figure explaining the outline of a microcomputer or microcomputer system in case there are three applications. It is a figure which shows an example of the microcomputer system which monitors the application of a some microcomputer with one monitoring microcomputer. It is an example of the functional block diagram of a microcomputer or a microcomputer system (Example 2). (Example 2) which is an example of the figure explaining the transmission method of the response signal and operation state information in a fail safe state. It is an example of the figure explaining the transmission timing and the information transmitted. (Example 2) which is an example of the flowchart figure which shows the operation | movement procedure of a microcomputer or a microcomputer system.

  Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings.

  FIG. 1 is an example of a diagram for explaining an outline of microcomputer abnormality monitoring by a monitoring microcomputer. The abnormality monitoring of the present embodiment can be broadly described by being divided into a normal monitoring state and a fail-safe state.

Normal monitoring state (Fig. 1 (a))
The normal monitoring state is a state of the microcomputer 50 in which no abnormality sign is detected in the operation of an application (hereinafter simply referred to as an application), and is used in contrast to the fail-safe state. The microcomputer 50 and the monitoring microcomputer 60 are communicably connected. In the microcomputer 50, the application 1 and the application 2 are operating, and the response transmission unit is requested to transmit the response signals 1 and 2 almost regularly. The transmission timing 1 in the figure is the transmission timing of the response signal 1 of the application 1, and the transmission timing 2 is the transmission timing of the response signal 2 of the application 2. The response transmission unit transmits the response signals 1 and 2 to the monitoring microcomputer 60 in the same manner as when the conventional application resets WDT (Watch Dog Timer).

The response monitoring unit of the monitoring microcomputer 60 monitors the response signal 1 and the response signal 2 separately, and calculates the number of receptions for each statistical interval. The response monitoring unit stores the number of receptions in time series, and detects an abnormal sign based on the fluctuation before the apps 1 and 2 are stopped. For example, as shown in the figure, when the number of receptions of the application 1 is stable while the number of receptions of the application 2 tends to decrease, the response monitoring unit detects an abnormality sign of the application 2. Thus, one of the features of the present embodiment is that it is possible to detect that the application is unstable before the application is completely stopped. The unstable state means a state where it is predicted that it will eventually stop or stop responding. In this embodiment, the unstable state is referred to as an “abnormal sign”. • Fail-safe state (FIG. 1B)
When the monitoring microcomputer 60 detects an abnormality sign of the application 2, the microcomputer 50 enters a fail safe state. In the fail-safe state, the application 2 with low priority is stopped, for example, and the application 1 continues to operate. Here, in this embodiment, it demonstrates on the assumption that the application 2 with a low priority tends to produce an abnormality sign. The priority is determined by, for example, ASIL.

  The application 1 continuously requests the response transmission unit to transmit the response signal 1. Since the application 2 is stopped, the response transmission unit does not need to transmit the response signal 2 of the application 2 to the monitoring microcomputer 60. For this reason, the transmission process of the response signal 2 becomes unnecessary. Therefore, the application 1 transmits the response signal 1 of the application 1 to the monitoring microcomputer 60 using the transmission timing 2 of the response signal 2. That is, the application 1 transmits the response signal 1 to the monitoring microcomputer 60 at both the transmission timing 1 and the transmission timing 2.

  Since the transmission frequency of the response signal 1 is doubled, the response monitoring unit of the monitoring microcomputer 60 can strengthen the monitoring of the microcomputer 50. That is, the response monitoring unit monitors the number of receptions of the response signal 1 transmitted with high frequency and determines whether or not the number of receptions is stable, so that the tendency of the number of receptions can be easily grasped with high accuracy. This makes it easier to detect abnormal signs of the app 1.

  As described above, the monitoring microcomputer 60 does not reset immediately even if a part of the functions of the microcomputer 50 becomes unstable, so that the microcomputer 50 can continue processing. In addition, after abnormal signs are detected in some apps, monitoring of other apps can be strengthened, so even if abnormalities occur in unstable apps or in unstable apps due to their stoppage, they can be detected early and handled it can.

  It supplements about the high priority application 1 and the low priority application 2. FIG. The high-priority application 1 and the low-priority application 2 are systems that operate independently, and the low-priority application 2 tends to be more unstable than the high-priority application 1. Even if the high-priority app 1 appears to be unstable, there is a high possibility that it is caused by the low-priority app 2. For this reason, the monitoring microcomputer 60 of the present embodiment stops the low priority application 2 regardless of the unstable application. Finally, when the high-priority application 1 becomes unstable, the fail-safe process is performed on the high-priority application 1 as before.

[Microcomputer configuration example]
FIG. 2 shows an example of a schematic configuration diagram of the microcomputer system 100 or the microcomputer 50 of the present embodiment. The abnormality monitoring method of this embodiment can be applied to either the aspect in which the monitoring microcomputer 60 in FIG. 2A monitors the microcomputer 50 or the aspect in which one microcomputer 50 in FIG. 2B monitors itself. First, FIG. 2A will be described.

  The microcomputer 50 includes a CPU 11, a RAM 12, a flash memory 13 and a WDT 14 connected to the system bus 9, and a CAN controller 16, an ADC (A / D controller) 17 and an I / O channel 18 connected to the peripheral bus 10. The system bus 9 and the peripheral bus 10 are connected by a bridge 15.

  The CPU 11 executes a program stored in the flash memory 13 using the RAM 12 as a working memory. The CPU 11 may be a multi-core or a single core. The programs stored in the flash memory 13 include programs 1 and 2 that are used for abnormality monitoring, OS (Operating System), middleware, device drivers, and the like in addition to the apps 1 and 2 that the microcomputer 50 controls the in-vehicle device.

  The WDT 14 has a timer for periodically resetting the apps 1 and 2 executed by the CPU 11 as in the prior art, and detects the runaway of the app 1 or the app 2 because the timer is not reset. In this embodiment, since the same function as that of the WDT 14 is obtained by the monitoring microcomputer 60, the WDT 14 is not necessary. On the other hand, it is also effective to install the WDT 14 in the case where an abnormality occurs in the monitoring microcomputer 60. In this case, the WDT 14 detects an abnormality when there is no response from either of the applications 1 and 2 for a longer time than when the monitoring microcomputer 60 detects the abnormality of both the applications 1 and 2.

  The bridge 15 absorbs a difference in frequency and voltage between the system bus 9 and the peripheral bus 10 and connects a circuit connected to the system bus 9 and a circuit connected to the peripheral bus 10 so that they can communicate with each other. The CAN controller 16 is a communication circuit for communicating with other ECUs when the microcomputer 50 and the monitoring microcomputer 60 are mounted on an ECU (Electronic Control Unit). The ADC 17 converts an analog signal of a sensor connected to the microcomputer 50 into a digital signal. In addition to the ADC 17, there may be a DAC (D / A controller). Other microcomputers, actuators, sensors, switches, and the like are connected to the I / O channel 18.

  Although the monitoring microcomputer 60 has the same configuration as the microcomputer 50, it is not necessarily the same. The monitoring microcomputer 60 includes a CPU 21, a RAM 22, a flash memory 23, and an I / O channel 24. In addition, the monitoring microcomputer 60 includes a general circuit. The program stored in the flash memory 13 of the monitoring microcomputer 60 is a program for monitoring the microcomputer 50, but may include an OS, middleware, and a device driver, and the monitoring microcomputer 60 controls the control device. An app to do so may be included.

  The microcomputer 50 and the monitoring microcomputer 60 are connected via the I / O channels 18 and 24 of each other. The I / O channels 18 and 24 communicate with each other in accordance with serial communication standards such as I2C (Inter-Integrated Circuit) and USART (Universal Synchronous Asynchronous Receiver Transmitter).

  As shown in FIG. 2B, when the abnormality monitoring circuit 19 is arranged in the microcomputer, the monitoring microcomputer 60 is not necessary. The abnormality monitoring circuit 19 is a circuit that provides a function of the monitoring microcomputer 60 described later. In this case, the CPU 11 and the abnormality monitoring circuit 19 are the same as in FIG. 2A except that the CPU 11 and the abnormality monitoring circuit 19 communicate via the bridge 15.

  In the following, it is not particularly limited whether the microcomputer 50 performs abnormality monitoring of the microcomputer 50 or the microcomputer 50. However, in the mode of FIG. 2A, the monitoring microcomputer 60 can detect and reset not only the application 1 and the application 2 but also the entire microcomputer as well as an abnormality, and the reliability is improved. More improved. In the mode of FIG. 2B, the abnormality monitoring circuit 19 is included in one chip, which is advantageous in terms of cost and mounting space.

  Note that it is assumed that the microcomputer 50 or the microcomputer system 100 of this embodiment is mainly mounted on the ECU of the vehicle. In-vehicle ECUs include an engine ECU, a brake ECU, a body ECU, a navigation ECU (AV / information processing ECU), a gateway ECU, and the like depending on the main functions. The microcomputer 50 or the microcomputer system 100 of the present embodiment can be mounted without being affected by the difference in the functions of the ECU.

  FIG. 3 is an example of a functional block diagram of the microcomputer system 100 or the microcomputer 50. The microcomputer 50 or the microcomputer system 100 includes an application 1, an application 2, a response transmission unit 31, a response monitoring unit 33, and a mode switching unit 32.

<About ASIL>
First, ASIL will be described. Application 1 is designated with an ASIL A safety level, and application 2 is designated with an ASIL QM safety level. ASIL is the level of safety that must be achieved to avoid hazards. In determining the ASIL, for example, the magnitude of damage caused by the hazard, the frequency of occurrence of the hazard, and the control difficulty level when the hazard occurs are examined for each hazard. Accordingly, safety is affected, and the more frequently used apps tend to have higher ASIL. For example, an application for controlling a brake, an application for controlling a power steering, etc. have a high ASIL, and an ASIL for a navigation or AV-type application that does not directly affect the traveling control is low. From such a viewpoint, each application is given a safety level of QM and A to D, and is designed according to the safety level.

  In the present embodiment, it is assumed that if the ASIL of the application 2 in which an abnormality sign is detected is QM, there is no major problem even if the operation of only the application 1 is continued without attempting to return the application 2. In general, when a plurality of applications having different ASIL are executed, it is an application having a low ASIL that tends to be relatively unstable.

  Therefore, the ASIL of the application 1 may be any of A to D. Further, the ASIL of the application 2 may not be QM, and may be lower than the ASIL of the application 1. In this case, whether or not only the operation of the application 1 should be continued in a state where the abnormality sign is detected and stopped in the application 2 is a design policy determined for each application. That is, only the app 1 continues to operate in a state where the abnormal sign of the app 2 is detected and stopped, or the return of the app 2 may be attempted when the abnormal sign of the app 2 is detected. As a return method for each application, for example, there are methods such as assigning an application to a new core, resetting by a core, or resetting the microcomputer itself.

  An application having a low ASIL is likely to become unstable, but the ASIL of the application 1 and the application 2 may be the same. In this case, whether or not only the operation of the application 1 should be continued while the abnormality sign is detected in the application 2 is a design policy determined for each application.

  If ASIL of app 1> ASIL of app 2, it is considered that abnormal signs are not detected in app 1. In this case, in the present embodiment, it is determined that the abnormality sign is detected in the app 1 due to the app 2, and the app 2 is stopped. As a result, if the abnormality sign is still detected in the application 1, the application 1 is often attempted to return by detecting the abnormality sign of the application 1.

  Further, when an abnormality sign of the application 1 is detected, the operation of only the application 2 may be continued. Such a situation occurs, for example, in a situation where the ASIL of the app 1 is not so high and the app 1 is not used.

<About each function>
The CPU 11 executes the applications 1 and 2. When the CPU 11 is multi-core, a certain core continuously executes the app 1 and another core continuously executes the app 2 (or may be periodically executed by using a timer interrupt or the like). When the CPU 11 is a single core, one core executes the applications 1 and 2 in a time division manner. In any case, the applications 1 and 2 periodically send response signals 1 and 2 to the response transmission unit 31 in addition to specific processing such as controlling the actuator, acquiring a signal from the sensor, and turning on / off the switch. Processing to request transmission of.

  The response transmission unit 31, the response monitoring unit 33, and the mode switching unit 32 are functions provided by, for example, an OS or middleware, or functions provided by an application different from the applications 1 and 2.

  When the response transmission unit 32 acquires the transmission request for the response signal 1 from the application 1, the response transmission unit 32 transmits the response signal 1 to the response monitoring unit 33. When the response transmission unit 32 acquires the transmission request for the response signal 2 from the application 2, the response transmission unit 32 responds to the response monitoring unit 33. Signal 2 is transmitted. The response monitoring unit 33 detects an abnormality sign of the app 1 or the app 2 based on the monitoring result of the response signals 1 and 2.

When the mode switching unit 32 receives a notification from the application 2 that an abnormality sign has been detected, the mode switching unit 32 switches the microcomputer 50 in the normal monitoring state to the fail-safe state. For this switching, the mode switching unit 32 performs the following processing.
-Referring to the application ASIL information 36, it is confirmed that the priority (ASIL) of the application 2 is lower than that of the other applications 1. That is, it is confirmed that the application has the lowest priority. Or, even if the priority is not lowest, it is confirmed that the priority is equal to or lower than a predetermined priority.
Even if any abnormal sign of the application 1 or the application 2 is detected, the application 2 is stopped or the application 2 is excluded from the monitoring target (the application 2 stops transmission of the response signal 2 or the application 2 The response signal 2 is not transmitted even if the response signal 2 transmission request is received from
Informing the application 1 and the monitoring microcomputer 60 that the fail-safe state has been established In this embodiment, the application 1 in the fail-safe state transmits the response signal 1 also using the transmission timing of the application 2. For example, when the applications 1 and 2 transmit response signals with the same cycle, the transmission cycle of the response signal 1 of the app 1 is ½ compared to the normal execution state. Since the transmission cycle is shortened in this way, the number of response signals 1 per statistical period increases, and the monitoring accuracy of the application 1 by the response monitoring unit 33 is improved. Further, since the transmission frequency of the response transmission unit 31 does not change, the load on the microcomputer 50 or the microcomputer system 100 can be hardly changed.

[Detection of abnormal signs by response monitoring unit]
FIG. 4 is an example of a diagram schematically illustrating transmission of response signals 1 and 2 by the response transmission unit 31 and monitoring of the response signals 1 and 2 by the response monitoring unit 33. FIG. 4A shows a case where both apps 1 and 2 are normal. The application 1 requests the response transmission unit 31 to transmit the response signal 1 every cycle of the application 1. The application 2 requests the response transmission unit 31 to transmit the response signal 2 every cycle of the application 2. The response signals 1 and 2 are signals indicating that the application 1 and the application 2 are operating, and may be any signals as long as they include information that can distinguish them.

  The response transmission unit 31 transmits the response signals 1 and 2 to the response monitoring unit 33 at the timing requested by the applications 1 and 2. Since the applications 1 and 2 request transmission at a fixed cycle (for example, 100 milliseconds), the timing does not collide, but if there is a collision, the response transmission unit 31 gives priority to the application 1 with a high ASIL. Adjust with.

  The response monitoring unit 33 identifies the response signals 1 and 2 and individually counts them. For example, the number of times the response signal 1 is received per second and the number of times the response signal 2 is received are counted and recorded as the statistical period. In this way, the number of times received per second can be monitored in time series. If the period is 100 milliseconds, the response signals 1 and 2 are received 10 times per second. For this reason, in FIG. 4A, the number of receptions of the apps 1 and 2 is approximately 10.

  On the other hand, FIG. 4B shows a case where an abnormal sign is seen in the application 2. When the application 2 becomes unstable, the application 2 may not periodically output a transmission request for the response signal 2 (the response signal 2 surrounded by a dotted line in the figure indicates the response signal 2 that is not transmitted). Since the response monitoring unit 33 counts the number of times the response signals 1 and 2 are received per second, the number of times the response signal 2 is received gradually decreases or greatly fluctuates. The response monitoring unit 33 calculates the inclination of several count values in the past, for example, and determines that an abnormal sign of the application 2 is detected when the inclination exceeds a threshold value. This threshold can be, for example, a slope at which the number of receptions becomes zero within a few seconds.

  In addition, the response monitoring unit 33 determines whether or not the application 2 is unstable by calculating the variance of several past count values and comparing it with a threshold value. Although there is no certain tendency in the number of receptions, the variance increases when the increase / decrease is severe, so that it is determined that an abnormal sign of the application 2 has been detected.

  Further, the response monitoring unit 33 may detect that the application 2 is unstable based on, for example, the amount of deviation from the ideal number of receptions. Since the ideal number of receptions is determined for each application (for example, 10 times per second), if the average number of receptions in the past is extremely small (for example, 5 times or less), the application 2 is abnormal. Can detect signs.

[Operation of fail-safe microcomputer]
FIG. 5 is an example of a diagram illustrating a method of transmitting the response signal 1 in the fail safe state.

The mode switching unit 32 causes the application 2 to operate as follows.
-When the application 2 is stopped or when the application 2 stops the transmission of the response signal 2 Since the CPU 11 does not execute the application 2, the application 2 does not request the transmission of the response transmission 2.
When the transmission request for the response signal 2 is received from the application 2 but the response signal 2 is not transmitted The response transmission unit 31 ignores the transmission request for the response transmission 2 by the application 2.

  In any case, the response transmission unit 31 does not transmit the response signal 2 to the response monitoring unit 33 in the fail-safe state.

  When the application 1 enters the fail safe state, the application 1 uses the transmission timing 2 of the application 2 in addition to the transmission timing 1 of the application 1 so far, and requests the response transmission unit 31 to transmit the response signal 1. The transmission timing in the fail-safe state is set in advance in the application 1, and the transmission cycle can be switched only by obtaining a notification that the fail-safe state has been entered. Since the response signal 2 is simply switched to the response signal 1, the load on the response transmission unit 31 and the response monitoring unit 33 is almost unchanged.

  The transmission timing 2 replaced from the response signal 2 to the response signal 1 does not have to be the same as the transmission timing 2 in the normal execution state, and is replaced from the transmission frequency of the response signal 2 in the normal execution state and the response signal 2. It is only necessary that the transmission frequency of the response signal 1 is the same. That is, it is sufficient that the transmission frequency of the response transmitter 31 is not substantially changed between the normal execution state and the fail safe state.

  The response monitoring unit 33 counts the response signal 1 as in the normal execution state. When the transmission frequency of the response signal 1 and the response signal 2 is the same, the transmission frequency of the response signal 1 is doubled in the fail-safe state. Therefore, if the transmission frequency of the response signal 1 in the normal execution state is 10 times per second, the transmission frequency of the response signal 1 in the fail-safe state is 20 times per second. In FIG. 5, two reception times are illustrated, but the left-side response signal 1 is received approximately 20 times.

  In the fail-safe state, it is preferable that the statistical period of the response monitoring unit 33 is not set to 1 second, but is shorter than the normal execution state. For example, if the transmission frequency is doubled, the same number of receptions can be obtained even if the statistical period is halved. Since the same number of receptions can be acquired at shorter time intervals, it becomes easier to detect minute fluctuations. The app 1 is considered to be easily affected by the instability of the app 2, but the abnormal signs of the app 1 can be accurately detected by strengthening the monitoring in this way.

  The response monitoring unit 33 in the fail-safe state notifies the mode switching unit 32 when detecting an abnormal sign of the application 1 based on the monitoring result of the response signal 1 transmitted frequently. Therefore, since an abnormal sign is detected before the operation of the app 1 stops, the mode switching unit 32 restores the app 1 before the app 1 stops (for example, when the app 1 is newly started, Appropriate response such as stopping the stable application 1) becomes possible. That is, it is possible to appropriately cope with the ASIL safety level of the application 1.

[Operation procedure]
FIG. 6 is an example of a flowchart illustrating an operation procedure of the microcomputer 50 or the microcomputer system 100. This procedure is repeatedly executed while the microcomputer 50 or the microcomputer system 100 is activated.

  The application 1 requests the response transmission unit 31 to transmit the response signal 1 at a determined cycle, and the application 2 requests the response transmission unit 31 to transmit the response signal 2 at a determined cycle (S1, S2).

  The response transmission unit 31 transmits the response signal 1 to the response monitoring unit 33 in response to the transmission request of the application 1, and transmits the response signal 2 to the response monitoring unit 33 in response to the transmission request of the application 2 (S3, S4).

  The response monitoring unit 33 separately counts the number of times the response signal 1 and the response signal 2 are received per statistical period (S5 and S6).

  The response monitoring unit 33 determines whether or not an abnormality sign is detected based on the number of receptions of the response signal 1 and the number of receptions of the response signal 2 (S7). If no abnormality sign is detected in either reception count (No in S7), the response monitoring unit 33 does nothing and the process returns to Step S1 ("A" in the figure).

  When an abnormal sign is detected in either reception count (Yes in S7), the response monitoring unit 33 notifies the mode switching unit 32 that the abnormal sign is detected together with the identification information of the response signal (S8).

  The mode switching unit 32 switches from the normal execution state to the fail safe state when an abnormality sign is detected in the application 1 or the pre 2 (S9). It is confirmed that the priority (ASIL) of the application 2 is the lowest among the applications to be monitored or is equal to or lower than a predetermined priority. By confirming the priority (ASIL) of the application 2, it is possible to prevent the application having a high priority from being stopped. Note that, when an abnormality sign of the application 1 is detected, the mode switching unit 32 performs a predetermined process on the abnormality sign of the application 1 according to the ASIL of the application 1.

  Further, the mode switching unit 32 stops the application 2 having the lowest priority or the priority equal to or lower than a predetermined value (S9-1). As described above, there is no direct relationship between an application in which an abnormal sign is detected and an application to be stopped. Further, the application 1 and the response monitoring unit 33 are notified of switching to the fail-safe state (S9-2, S9-3).

  By switching to the fail-safe state, the application 1 requests the response transmission unit 31 to transmit the response signal 1 at the transmission timing 2 of the application 2 in addition to the transmission timing 1 of the application 1 so far (S10, S11).

  The response transmission unit 31 transmits the response signal 1 to the response monitoring unit 33 in response to the transmission request of the application 1 (S12, S13).

  The response monitoring unit 33 counts the number of times the response signal 1 is received per statistical period (S14, 15). By switching to the fail-safe state, the statistical period of S14 and S15 is shorter than S5 and 6.

  The response monitoring unit 33 determines whether an abnormality sign is detected from the number of times the response signal 1 is received (S16). Since the transmission frequency is higher than that in the normal execution state and the statistical period is also shortened, the presence / absence of an abnormality sign can be determined with high accuracy.

  If no abnormality sign is detected in the number of receptions of the response signal 1 (No in S16), the response monitoring unit 33 does nothing and the process returns to Step S10 ("B" in the figure).

  When an abnormal sign is detected in the number of receptions of the response signal 1 (Yes in S16), the response monitoring unit 33 notifies the mode switching unit 32 that the abnormal sign is detected together with the identification information of the response signal (S17). The mode switching unit 32 performs a predetermined process in response to the ASIL such as attempting to return the application 1 for the abnormality sign of the application 1 (S18).

  As described above, the microcomputer 50 or the microcomputer system 100 according to the present embodiment detects the abnormal sign before one or more of the plurality of applications are stopped, so that the microcomputer 50 is not reset. Can run the app. On the other hand, if even one application becomes unstable, there is a high possibility that the entire microcomputer becomes unstable. Therefore, in the fail-safe state, monitoring is strengthened to detect abnormal signs of the remaining applications with high accuracy. In either case, the app is not completely stopped, so it is possible to take appropriate action while the app is running even though it is unstable. Further, even if the monitoring is strengthened in the fail-safe state, the transmission frequency of the microcomputer 50 and the entire microcomputer system is not substantially changed, so that an increase in the load on the microcomputer 50 and the entire microcomputer system can be suppressed.

[Modification]
FIG. 7 is an example of a diagram for explaining the outline of the microcomputer 50 or the microcomputer system 100 when there are three applications.

  FIG. 7A schematically shows the response signals 1 to 3 in the normal execution state. The three applications 1 to 3 transmit response signals 1 to 3 to the monitoring microcomputer 60 at their respective periods. For example, when an abnormality sign is detected in the application 3 with the lowest priority (ASIL), the microcomputer 50 enters a fail-safe state, and the application 3 is stopped or excluded from monitoring. Even when abnormal signs are detected in the apps 1 and 2, the app 3 with the lowest priority is stopped or excluded from monitoring. Since the application 3 does not transmit the response signal 3, the applications 1 and 2 transmit the response signals 1 and 2 using the transmission timing 3 of the application 3.

  Even if the applications 1 and 2 know the transmission timing 3 and period of the application 3, only one of the response signals 1 and 2 can be transmitted at one transmission timing 3 of the application 3. In this case, complicated processing such as communication between the applications 1 and 2 determining the transmission timing is required, which is not preferable. Therefore, instead of using the transmission timing 3 of the application 3 as it is, the applications 1 and 2 transmit at the transmission timing for the fail-safe state.

  FIG. 7B schematically shows the response signals 1 to 3 in the fail-safe state. On the upper side of the arrow in FIG. 7B, the transmission timings of the application 1 and the application 2 are changed between the normal execution state and the fail-safe state. However, when the apps 1 and 2 transmit at the transmission timing for the fail-safe state, the apps 1 and 2 can transmit the response signals 1 and 2 alternately. In addition, the transmission frequency of the application 1 and the application 2 does not need to be the same, For example, the transmission frequency of an application with high ASIL can be enlarged.

  Alternatively, the application 1 requests the response transmission unit 31 to transmit the response signal 1 at the transmission timing of the application 1 and the application 3, and the application 2 transmits the response signal 2 at the transmission timing of the application 2 and the application 3. 31 may be requested. The response transmission unit 31 acquires the transmission requests of the application 1 and the application 2, and discards some transmission requests so that the transmission frequency does not increase more than the normal execution state. As shown below the arrow in FIG. 7B, in this case, the transmission timing of the application 1 and the application 2 remains substantially the same in the normal execution state and the fail-safe state, and the response signal 1 or the response is transmitted at the transmission timing of the application 3. Signal 2 can be transmitted. Although the response signals 1 and 2 do not always alternate, the transmission frequencies of the response signals 1 and 2 are similar.

  The total transmission frequency of the response signals 1 and 2 in the fail-safe state is the same as the total transmission frequency of the response signals 1 to 3 in the normal execution state. Thereby, it can suppress that the load of the response transmission part 31 changes with a fail safe function and a normal execution state.

  As described above, the abnormality monitoring method of the present embodiment can be similarly applied to the microcomputer 50 or the microcomputer system 100 in which three or more applications operate.

  FIG. 8A is a diagram illustrating an example of a microcomputer system 100 that monitors an application of a plurality of microcomputers 50 with a single monitoring microcomputer 60. In the above description, a plurality of applications are operating on one microcomputer 50. However, even if there are a plurality of microcomputers 50 and each microcomputer 50 executes the applications 1 and 2, the abnormality monitoring method of this embodiment Can be suitably applied. In the illustrated form, the applications 1 and 2 only need to transmit the response signals 1 and 2 to the monitoring microcomputer 60, respectively, which is almost the same as when the applications 1 and 2 operate in one microcomputer.

  In this case, one microcomputer 1 or microcomputer 2 may execute a plurality of applications. Therefore, although the number of applications is three or more, the abnormality monitoring method is the same even when the number of applications is three or more as described in FIG.

  FIG. 8B is a diagram illustrating an example of a microcomputer system 100 that monitors the applications 1 and 2 executed by the plurality of ECUs 1 and 2 using a single monitoring microcomputer 60. The ECUs 1 to 3 are connected via an in-vehicle network such as CAN.

  As shown in the drawing, even when there are a plurality of ECUs 1 and 2 and the microcomputers 1 and 2 execute the applications 1 and 2, the abnormality monitoring method of this embodiment can be suitably applied. In the form shown in the figure, the applications 1 and 2 only need to transmit response signals 1 and 2 via the in-vehicle network to the ECU on which the monitoring microcomputer 60 is mounted, and the applications 1 and 2 operate within one microcomputer. It will be almost the same. In this case, the microcomputers of the ECUs 1 and 2 may execute a plurality of applications.

  As shown in FIGS. 8A and 8B, in the abnormality monitoring method according to the present embodiment, in a mode in which one monitoring microcomputer 60 monitors a plurality of applications, a plurality of applications are included in one microcomputer. Whether it is in a microcomputer (in one ECU) or in a plurality of ECUs.

  In the first embodiment, monitoring is strengthened by increasing the transmission frequency of the response signal 1 by the application 1 in the fail-safe state. In the present embodiment, a microcomputer 50 or a microcomputer system 100 that enhances monitoring by transmitting an operation state in addition to the response signal 1 of the application 1 will be described.

  FIG. 9 shows an example of a functional block diagram of the microcomputer 50 or the microcomputer system 100. 9, the same parts as those in FIG. 3 are denoted by the same reference numerals, and the description thereof is omitted. The microcomputer 50 or the microcomputer system 100 according to the present embodiment newly includes an operation state transmission unit 34 and an altitude monitoring unit 35. Note that the processing up to the fail-safe state is the same as in the first embodiment.

On the other hand, when the mode switching unit 32 of the present embodiment obtains the abnormality sign detection notification, it performs the following processing.
-Referring to the application ASIL information 36, it is confirmed that the priority (ASIL) of the application 2 is lower than that of the other applications 1. That is, it is confirmed that the application has the lowest priority. Or, even if the priority is not lowest, it is confirmed that the priority is equal to or lower than a predetermined priority.
-Stop the application 2 or exclude the application 2 from monitoring (the application 2 stops transmission of the response signal 2 or transmits the response signal 2 even if the application 2 receives a transmission request for the response signal 2 Not performed)
Notifying the application 1 and the monitoring microcomputer 60 that the fail safe state has been established. Activating the operation state transmitting unit 34 Activating the altitude monitoring unit 35 The operation state transmitting unit 34 provides the operation state information and the response transmitting unit 31. The altitude monitoring unit 35 monitors the application 1 operating in the fail-safe state based on the operation state information.

  The operating state information is, for example, CPU load, API usage frequency, specific API usage count, and the like. The CPU load is the ratio of the execution time of the app 1 to the total of the idle time in which an empty instruction such as NOP is repeatedly executed and the execution time of the app 1.

  The API usage frequency is a value obtained by quantifying the frequency at which the application 1 calls an API such as an OS. The application 1 uses a function such as an OS through the API. If there is no abnormality in the app 1, the API usage frequency will not change greatly, and if an abnormality occurs in the app 1, the API usage frequency used until then will decrease or it will not be used much until then. API usage frequency increases. For this reason, the API usage frequency correlates with the stability of the application 1.

  The specific API use count is the number of times that a function of the OS is called using a specific API within a predetermined time. When the CPU load is high or a predetermined situation occurs, the application 1 records status information at that time and records a log. It is known that such API is closely related to abnormality. Therefore, if some APIs that are likely to be abnormally connected are specified in advance, the specific API usage count that is the API usage count is an index for monitoring the stability of the application 1.

  The operation state transmission unit 34 transmits the CPU load, the API usage frequency of the application 1, and the specific API usage count to the response transmission unit 31. The response transmission unit 31 transmits the response signal 1 and the operation state information from the application 1 to the response monitoring unit 33. The response transmitter 31 transmits the response signal 1 at the same transmission timing 1 as in the normal execution state, and transmits the operation state information at the transmission timing 2.

  The altitude monitoring unit 35 monitors the operation state information and determines whether or not an abnormality sign is detected in the application 1. If the altitude monitoring unit 35 determines that the application 1 is unstable, the altitude monitoring unit 35 notifies the mode switching unit 32. As a result, the mode switching unit 32 can perform processing according to the ASIL of the application 1, such as attempting to return the application 1. As described above, the operation state transmission unit 34 detects the operation state of the application 1 and transmits it to the altitude monitoring unit 35, so that the altitude monitoring unit 35 grasps the state of the application 1 from other than the number of receptions of the response signal 1. Can be analyzed.

[Transmission of operation status information]
FIG. 10 is an example of a diagram illustrating transmission of a response signal and operation state information in the fail-safe state according to the present embodiment.
As in the first embodiment, in the fail-safe state, the application 2 is stopped or is not monitored by the response monitoring unit 33, so that the response transmission unit 31 transmits the response signal 2 to the response monitoring unit 33. Absent.
The application 1 requests the response transmission unit 31 to transmit the response signal 1 in the same cycle as that in the normal execution state even when the application 1 enters the fail-safe state.
For example, when a change is found in the operation state information, the operation state transmission unit 34 requests the response transmission unit 31 to transmit the operation state information.
The response transmission unit 31 transmits the operation state information to the response monitoring unit 33 using the transmission timing of the application 2. The square “d” in FIG. 10 indicates the operation state information. Since the total transmission frequency of the response signal 1 and the operation state information is the same as the transmission frequency of the response signals 1 and 2 in the normal execution state, the load on the microcomputer 50 and the microcomputer system 100 is hardly changed.

  The altitude monitoring unit 35 monitors the CPU load, the API usage frequency, and the specific API usage count in time series, and determines whether or not an abnormal sign is detected. For example, in the case of a CPU load, the CPU load inclination is calculated, and if the inclination is equal to or greater than a threshold, it is determined that there is an abnormal tendency. You may pay attention to the absolute value of CPU load.

  In addition, the altitude monitoring unit 35 determines whether the app 1 is unstable by calculating the variance of the past several API usage frequencies and comparing it with a threshold value. Further, the altitude monitoring unit 35 calculates the inclination of the specific API usage count, and determines that there is an abnormal tendency if the inclination is more than a threshold value. You may pay attention to the absolute value of the specific API usage count.

  By the way, although there are three pieces of operation state information in FIG. 5, if there are many types as described above, there is a possibility that not all operation state information can be transmitted (in time) at one transmission timing 2. In such a case, it is effective not to transmit the operation state information at one transmission timing 2 but to distribute it to a plurality of transmission timings 2.

  Fig.11 (a) is an example of the figure explaining the transmission timing and the operation state information transmitted. Similar to FIG. 10, the transmission timing of the response signal 1 is the same in the normal execution state and the fail-safe state. On the other hand, at the transmission timing 2 at which the operation state information is transmitted, the CPU load, the application usage frequency, and the specific API usage count are transmitted in order. Since the CPU load, the application usage frequency, and the number of specific API usages do not fluctuate rapidly in a short time, there is no significant inconvenience in monitoring abnormal signs even if transmission is not performed at all transmission timings 2.

  Therefore, the load of the microcomputer 50 or the microcomputer system 100 is not kept substantially the same by not increasing the transmission frequency of the fail-safe state with respect to the normal execution state.

  In addition, there may be a case where one type of operation state information exceeds the amount of data that can be transmitted at one transmission timing 2. FIG. 11B is another example of a diagram illustrating transmission timing and transmitted operation state information. In FIG. 11B, one API usage frequency is divided into two (API usage frequency 1 and API usage frequency 2). Thus, even if the data amount of one type of operation state information is large, it can be transmitted at a plurality of transmission timings 2, so that the operation state information can be transmitted without greatly changing the load on the microcomputer 50 or the microcomputer system 100.

[Operation procedure]
FIG. 12 is an example of a flowchart showing an operation procedure of the microcomputer 50 or the microcomputer system 100 of the present embodiment. In FIG. 12, the procedure up to step S9 in which the microcomputer 50 or the microcomputer system 100 is in the fail-safe state is the same as that in FIG.

  The mode switching unit 32 switches from the normal execution state to the fail-safe state when an abnormality sign is detected in the application 1 or the application 2 (S9). It is confirmed that the priority (ASIL) of the application 2 is the lowest among the applications to be monitored or is equal to or lower than a predetermined priority. In addition, the mode switching unit 32 stops the application 2 having the lowest priority or a predetermined priority or lower (S9-1). Further, the application 1 and the response monitoring unit 33 are notified of switching to the fail-safe state (S9-2, S9-3). In addition, the mode switching unit 32 activates the operation state transmission unit 34 (S9-4). Although the mode switching unit 32 also activates the altitude monitoring unit 35, the illustration is omitted.

  The activated operation state transmission unit 34 starts monitoring the application 1 (S20). The monitoring target is the CPU load of the CPU 11 that executes the application 1, the API usage frequency, the specific API usage count, and the like.

  Even if the application 1 is switched to the fail safe state, the application 1 requests the response transmission unit 31 to transmit the response signal 1 at the same transmission timing 1 as in the normal execution state (S10).

  The response transmitter 31 transmits the response signal 1 to the response monitor 33 in response to the transmission request of the application 1 (S12).

  The response monitoring unit 33 counts the number of times the response signal 1 is received per statistical period (S14). Even when switching to the fail-safe state, the statistical period of S14 and the statistical period of S5 are the same.

  The operation state transmission unit 34 determines whether or not the operation state of the application 1 has changed (S21). By this determination, the operation state information can be transmitted only when the operation state of the application 1 is changed (S22). In addition, you may transmit operation state information, without performing determination of step S21.

  The response monitoring unit 33 determines whether or not an abnormality sign is detected in the number of times the response signal 1 is received (S16).

  If no abnormality sign is detected in the number of times the response signal 1 is received (No in S16), the altitude monitoring unit 35 determines whether or not an abnormal tendency is detected from the operation state information (S23).

  If no abnormal tendency is detected from the operating state information (No in S23), the altitude monitoring unit 35 does nothing and the process returns to step S10.

  When an abnormal sign is detected in the number of times the response signal 1 is received (Yes in S16), or when an abnormal tendency is detected from the operation state information (Yes in S23), the response monitoring unit 33 or the altitude monitoring unit 35 responds. Abnormal sign detection is notified to the mode switching unit 32 together with the signal identification information (S17). The mode switching unit 32 performs a predetermined process in response to the ASIL such as attempting to return the application 1 for the abnormality sign of the application 1 (S18).

  In the present embodiment, the transmission frequency of the response signal 1 in the fail-safe state is lower than that in the first embodiment. However, the altitude monitoring unit 35 detects an abnormal sign based on the operation state information of the app 1, and therefore, based on more diverse information. App 1 abnormal signs can be detected.

DESCRIPTION OF SYMBOLS 19 Abnormality monitoring circuit 31 Response transmission part 32 Mode switching part 33 Response monitoring part 34 Operation | movement state transmission part 35 Altitude monitoring part 50 Microcomputer 60 Monitoring microcomputer 100 Microcomputer system

Claims (9)

A plurality of applications that periodically send an in-operation notification to the app monitoring means to notify that it is in operation;
Application monitoring means for counting the number of notifications during operation for each application in the first count period;
Application control means for controlling the operation of the application,
When the application monitoring means detects an abnormal sign of at least one application based on the number of notifications during operation in the past first count period of each application,
The application control means stops sending an operational notification of the application with the lowest priority,
An application for which no abnormal sign is detected is in-service notification at the same timing as before the abnormal sign is detected, and at the timing at which the application for which the operation notification is stopped is transmitted or before or after the operation notification is transmitted. Send,
An information processing apparatus characterized by that. When the application monitoring means detects an abnormal sign of the application, the application monitoring means has an operating state detecting means for detecting an operating state of the application in which no abnormal sign is detected,
Applications that have not detected any abnormal signs will only send an operational notification at the same time as before the abnormal signs were detected,
The operation state detection unit transmits operation state information to the application monitoring unit at a timing at which an application in which an abnormal sign is detected is transmitted during operation or at a timing before and after the operation notification.
The information processing apparatus according to claim 1. The application monitoring means indicates that the application has an abnormal sign when the number of notifications during operation of the application in the first count period is decreasing or when the fluctuation amount of the number of notifications during operation is equal to or greater than a threshold value. Detect
The information processing apparatus according to claim 1. When the application monitoring unit detects an abnormal sign of the application, the application monitoring unit counts the number of notifications during operation of the application in which no abnormal sign is detected in the second count period shorter than the first count period,
Detecting an abnormal sign of an application in which no abnormal sign is detected based on the number of operating notifications in the second count period;
The information processing apparatus according to claim 1 or 3,   The operation state information is one or more of the CPU load of the CPU that executes the application, the usage frequency of the OS or middleware API called by the application, or the number of times of use of a specific API that is predetermined as an API that is called when an abnormality occurs. The information processing apparatus according to claim 1, wherein the information processing apparatus is an information processing apparatus. The application monitoring means detects abnormal signs of each application based on the past CPU load, API usage frequency, or specific API usage frequency.
The information processing apparatus according to claim 5. The operation state detection means transmits any one of the past CPU load, API usage frequency, or specific API usage count to the application monitoring means at two or more transmission timings.
The information processing apparatus according to claim 5 or 6. A plurality of applications that periodically send an in-operation notification to the app monitoring means to notify that it is in operation;
Application monitoring means for counting the number of notifications during operation for each application in the first count period;
Application control means for controlling the operation of the application,
When the application monitoring means detects an abnormal sign of at least one application based on the number of notifications during operation in the past first count period of each application,
The application control means confirms that the priority of the application in which the abnormal sign is detected is lower than that of the application in which the abnormal sign is not detected, and then stops sending the operational notification of the application in which the abnormal sign is detected. ,
An application in which no abnormal sign is detected transmits an operational notification at the same timing as before the abnormal sign is detected, and at the timing at which the application in which the abnormal sign is detected transmits an operational notification ,
An information processing apparatus characterized by that. A plurality of applications that periodically send an in-operation notification to the app monitoring means to notify that it is in operation;
A first information processing apparatus having application control means for controlling the operation of the application;
An information processing system comprising: an application monitoring unit that counts the number of notifications during operation for each application in the first count period;
When the application monitoring means detects an abnormal sign of at least one application based on the number of notifications during operation in the past first count period of each application,
The application control unit stops sending an operation notification of the application with the lowest priority,
An application for which no abnormal sign is detected is in-service notification at the same timing as before the abnormal sign is detected, and at the timing at which the application for which the operation notification is stopped is transmitted or before or after the operation notification is transmitted. Send,
An information processing system characterized by this.

Images