JP2014193690A - Vehicle controller - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technique for maintaining the stable state of a system if illegal memory access occurs between software having different safety standards.SOLUTION: A vehicle controller 1 in which fail-safe processing programs controlling a safe state of a system, where different software safety standards are allocated to memory regions and programs and data are allocated thereto for the respective safety standards, are arranged in a distributed manner to the respective safety standards, comprises: a safety standard base illegal access detection unit 10324 detecting an illegal memory access among the memory regions having the different safety standards, and identifying the safety standard of the program of the memory region that causes an error and that makes the illegal memory access; and an overall error countermeasure instruction unit 10325 instructing implementation of the fail-safe processing program arranged for the safety standard that causes the error and instructing implementation of the fail-safe processing program of the memory region influenced by this fail-safe processing.

Description

  The present invention relates to a technique for maintaining a stable operation of a vehicle control device.

  Many vehicle control systems in recent years are composed of an electronic control unit (ECU) that operates electronic vehicle control equipment and an in-vehicle LAN (Local Area Network) that enables communication between a plurality of ECUs. In addition, the ECU that controls the sensor and the actuator controls the vehicle by performing a cooperative operation via the in-vehicle LAN. This system is developed in accordance with ISO 26262, an international standard for functional safety.

  In ISO 26262, it is necessary to develop vehicle control system software with a development technique / process of a predetermined level based on ASIL (Automotive Safety Integrity Level) determined by a calculation formula established in this standard.

  ASIL is a safety level indicating the degree of safety to be protected. This is determined by the magnitude of damage when the assigned function does not operate normally. For example, ASIL is defined in five stages from QM (Quality Management), which is the lowest safety level, to ASIL D, which is the highest safety level. The greater the damage when a function does not operate correctly, the higher the safety for that function. A level is assigned to a function. The higher the safety level, that is, the higher the ASIL, the more safety functions are required to detect that the function is not operating correctly and to transition the system to a safe state. Things are required. Basically, higher ASIL software requires more man-hours for development, and therefore, it is required to develop each software with the optimum ASIL.

  One technique for mounting a plurality of ASIL software in one ECU is a memory protection technique. The memory protection technology is a technology for setting access permission or access prohibition between specific software, and detecting unauthorized memory access when the ECU is executed based on the setting information. A unit for detecting illegal memory access is called a partition. The microcomputer mounted on the ECU of the vehicle control system can realize the above by utilizing an MPU (Memory Protection Unit) or the like.

  In the technique described in Patent Document 1, grouping is performed in units of processing such as tasks, and illegal memory accesses between the groups are detected. When illegal memory access is detected, software for each group is interrupted or the entire system is shut down. As a result, it is possible to interrupt the software that caused the illegal memory access or to stop the entire system, thereby ensuring a certain level of safety.

JP 2010-113488 A

  Since the ECU software of the vehicle control system operates in a complex manner, cooperation between partitions is essential. For example, when partitions are set for the engine control software and the injector control software, respectively, and an illegal memory access caused by the engine control software occurs, the engine control software is initialized and the injector control is degenerated. Need to be done at the same time. The initialization and degeneration processing is a countermeasure processing when an illegal memory access occurs, and is called fail-safe processing.

  In the techniques described in Patent Document 1 and Non-Patent Document 1, since only one partition can be interrupted, there is a problem that the safety of the system cannot be ensured and the safety level cannot be satisfied. For example, even if only engine control software is interrupted, the injector control software cannot be interrupted and the system does not operate safely. Also, even when the entire system is shut down, it is often difficult to terminate the system safely. Even if it can be safely terminated, system availability is significantly reduced.

  The present invention has been made to solve the above-described problems, and performs processing while satisfying the safety level when an illegal memory access occurs between software having different required safety levels. The purpose is to provide the technology.

  In the vehicle control device according to the present invention, different software safety levels are assigned to memory areas, programs and data are assigned to each safety level, and fail-safe processing programs for controlling to a safe state are distributed to each safety level. A safety level-based unauthorized access detection unit that detects unauthorized memory access between memory areas of different safety levels and identifies the safety level of the error source program that performed unauthorized memory access, and an error Provided with an overall error countermeasure instruction unit that instructs execution of a fail-safe processing program arranged at the original safety level and instructs execution of a fail-safe processing program affected by the fail-safe processing. The overall error countermeasure instruction unit is responsible for illegal memory access between memory areas of different safety levels. There occurrence, executes the fail-safe processing programs arranged in the area of the different security levels simultaneously.

  The vehicle control apparatus according to the present invention selects the fail-safe process of the software affected by the fail-safe process according to the content of the fail-safe process to the error source that caused the illegal memory access. It is possible to ensure the safety of a system composed of software that has been partitioned.

It is a lineblock diagram of engine ECU concerning an embodiment. It is a block diagram of a vehicle control system. It is a memory map of the memory of engine ECU. It is a figure which shows the example of a safety level management table. It is a figure which shows the example of an error origin countermeasure table. It is a figure which shows the example of an error influence destination countermeasure table. It is a figure which shows the example of an error frequency holding table. It is a figure which shows the example of an error log buffer. It is a figure which shows the processing flow of an engine control part. It is a figure which shows the processing flow of an engine initialization process part. It is a figure which shows the processing flow of an engine degeneration control part. It is a figure which shows the processing flow of a crank angle sensor control part. It is a figure which shows the processing flow of an injector control part. It is a figure which shows the processing flow of an injector degeneration control part. It is a figure which shows the processing flow of a safe level base unauthorized memory access detection part. It is a figure which shows the processing flow of a whole error countermeasure instruction | indication part. It is a figure which shows the processing flow of a communication control part.

  FIG. 2 shows an overall configuration diagram of a vehicle control system 1000 according to the embodiment of the present invention. The vehicle control system 1000 includes an engine control ECU 1 connected to a CAN (Controller Area Network) 2 of an in-vehicle network and other ECUs.

  The engine control ECU 1 grasps the state of the crank angle with the crank angle sensor 11 and controls the engine by injecting fuel with the injector 12.

  FIG. 1 is a configuration diagram of the engine control ECU 1. The engine control ECU 1 includes an arithmetic device 101, a memory 102, an input / output circuit 105, and a memory protection unit (MPU) 106.

  The arithmetic device 101 is a processor (CPU: Central Processing Unit) that executes each program stored in the memory 102. Functions equivalent to those of the arithmetic unit 101 can also be configured using hardware such as a circuit device.

  The memory 102 is provided with a program area 103 and a data storage area 104. The program area 103 represents a state in which the MPU 106 is used to divide a partition 1031 having a safety level of QM and a partition 1032 having a safety level of ASIL D. The QM partition 1031 includes an engine control unit 10311, an engine initialization processing unit 10312, and an engine degeneration control unit 10313. The ASIL D partition 1032 includes a crank angle sensor control unit 10321, an injector control unit 10322, and an injector degeneration control unit 10323. , A safety level-based illegal memory access detection unit 10324, an overall error countermeasure instruction unit 10325, and a communication control unit 10326. The data storage area 104 is divided into a partition 1041 having a security level of QM and an ASIL D partition 1042 by using the MPU 106. The QM partition 1041 includes a crank angle sensor value buffer 10411 and a fuel injection amount buffer 10412. The ASIL D partition 1042 includes a fuel injection amount previous value buffer 10421, a safety level management table 10422, an error source countermeasure table 10423, An error influence destination countermeasure table 10424, an error count holding table 10425, and an error log buffer 10426 are provided.

  The crank angle sensor value buffer 10411 is a buffer that stores a crank angle sensor value. The fuel injection amount buffer 10412 is a buffer that stores the fuel injection amount. The fuel injection amount previous value buffer 10421 is a buffer for storing the previous value of the fuel injection amount.

  The input / output circuit 105 appropriately executes necessary processing such as digital conversion of the analog value of the crank angle sensor 11. Further, necessary processes such as controlling the injector 12 with current are appropriately executed. Further, necessary processes such as transmission to CAN2 and reception from CAN2 are appropriately executed. The MPU 106 monitors memory access between the set memory address ranges, detects memory access when memory access occurs between the memory address ranges, and performs prescribed processing such as execution of error interrupt processing. I do. In addition, even if it is between memory address ranges, a mechanism for permitting access is facilitated by following a predetermined procedure. For example, there is a method that prevents unauthorized memory access from being detected by temporarily turning off the memory protection function, or a method that performs unauthorized memory access by using privileged mode temporarily, that is, a method that performs unauthorized memory access. is there.

  FIG. 3 is a diagram illustrating an example of a memory map of the memory 102 provided in the engine control ECU 1. The QM partitions 1031 and 1041 and the ASIL D partitions 1032 and 1042 are completely separated and placed in the memory. In this example of the memory map, the QM partitions 1031 and 1041 are arranged between the address a and the address b, and the ASIL D partitions 1032 and 1042 are arranged between the address c and the address d.

  FIG. 4 is a diagram showing a configuration of a safety level management table 10422 provided in the engine control ECU 1. The safety level management table 10422 is a table for managing a memory address range in which a partition is set and its safety level, and has an index field 104221, a memory address start point 104222, a memory address end point 104223, and a safety level 104224.

  The index field 104221 holds a number that identifies each partition. The memory address start point 104222 holds the memory address at the start of the partition. The memory address end point 104223 holds the memory address at the end of the partition. The safety level 104224 is a column that holds the safety level of the partition.

  FIG. 5 is a diagram showing a configuration of the error source countermeasure table 10423 provided in the engine control ECU 1. The error source countermeasure table 10423 is a table used by a safe level partition (error source) that has caused an illegal memory access to execute fail-safe processing as an error countermeasure, and includes an index field 104231, an error source 104232, an error count threshold value. 104233, fail safe processing address 104234, and fail safe processing ID 104235.

  The index field 104231 holds a number for identifying a record provided corresponding to the fail safe process at each error source. The error source 104232 holds the safety level of the error source. The error count threshold value 104233 holds a threshold value of the error count that serves as the index selection criterion. The fail-safe processing address 104234 holds the address of a fail-safe processing unit that performs countermeasure processing against illegal memory access (in the example of FIG. 5, the address of a function that executes fail-safe processing). The fail safe process ID 10435 holds an identifier for distinguishing the fail safe process.

  FIG. 6 is a diagram showing a configuration of the error affected party countermeasure table 10424 provided in the engine control ECU 1. The error affected party countermeasure table 10424 is a table used to select and execute the affected failsafe process according to the failsafe process performed by the error source, and includes an index field 104241, an error source failsafe process ID 104242, It has an influence destination 104243 and an influence destination fail-safe processing address 104244.

  The index field 104241 holds a number for identifying a record provided corresponding to each affected fail-safe process corresponding to the fail-safe process performed by each error source. The error-source fail-safe process ID 104242 holds an identifier that can distinguish the fail-safe process executed by the error source. The affected party 104243 has information on a safe level partition that is affected by the fail safe process executed by the error source. The affected failsafe processing address 104244 holds the address of the failsafe processing unit executed by the affected party based on the failsafe processing executed by the error source.

  FIG. 7 is a diagram showing a configuration of the error count holding table 10425 provided in the engine control ECU 1. The error count holding table 10425 is a table used for holding the number of times illegal memory access has occurred for each safety level, and has an index field 104251, a safety level 104252, and an error count 104253. The index field 104251 holds a number that identifies each safety level. The safety level 104252 holds information indicating the safety level of the error source that caused the illegal memory access. The error count 104253 holds the number of times that an illegal memory access has occurred.

  FIG. 8 is a diagram showing a configuration of the error log buffer 10426 provided in the engine control ECU 1. The error log buffer 10426 is a buffer used for recording the instructed safety level and error countermeasure processing log. The error source 104261, the error source execution fail-safe processing ID 104262, the influence destination 104263, and the influence destination execution fail-safe processing address 104264. Have

  The error source 104261 holds information that can identify the safety level of the instructed error source. The error source execution failsafe process ID 104262 holds information indicating the failsafe process ID of the failsafe process performed by the error source. The influence destination 104263 holds information that can identify the safety level of the specified influence destination. The affected execution failsafe process address 104264 holds information indicating the address of the failsafe processing unit performed by the affected party.

  In the above, each component of engine control ECU1 with which the vehicle control system 1000 is provided was demonstrated. In the following, when the engine control ECU 1 performs engine control using the crank angle sensor 11 and the injector 12, an example in which fail safe processing is performed in cooperation between partitions of different safety levels when an illegal memory access occurs. The processing flow will be described.

  FIG. 9 is a diagram showing a processing flow of the engine control unit 10311 provided in the engine control ECU 1. The engine control unit 10311 acquires the crank angle sensor value from the crank angle sensor value buffer 10411 (S103110). Then, the fuel injection amount is calculated from the acquired crank angle sensor value and other information (S103111), and the calculated fuel injection amount is written in the fuel injection amount buffer 10412 (S103112). Then, the engine control unit 10311 activates the injector control unit 10322 and ends a series of processing flows. The activation method of the injector control unit 10322 may be a function call, a task activation, a software interrupt, or another method. The same applies to the activation of other processing units.

  FIG. 10 is a diagram showing a processing flow of the engine initialization processing unit 10312 provided in the engine control ECU 1. The engine control unit 10311 initializes the crank angle sensor value buffer 10411, the fuel injection amount buffer 10412, and the like (S103120). This initialization may include not only the process of returning the software variables to the initial values as shown in the embodiment but also the initialization process of the microcomputer device.

  FIG. 11 is a diagram illustrating a processing flow of the engine degeneration control unit 10313 included in the engine control ECU 1. The engine control unit 10311 acquires the crank angle sensor value from the crank angle sensor value buffer 10411 (S103130). Next, a fuel injection amount for degeneration control is calculated from the acquired crank angle sensor value and other information (S103131). Then, the fuel injection amount is written in the fuel injection amount buffer 10412 (S103132). Thereafter, the injector control unit 10322 is activated (S103133), fuel injection is performed in the degeneration control, and this processing flow ends. As described above, the injector control unit 10322 may be activated by function call, task activation, software interruption, or other methods.

  FIG. 12 is a diagram illustrating a processing flow of the crank angle sensor control unit 10321 included in the engine control ECU 1. The engine control unit 10311 acquires a crank angle sensor value from the input / output circuit 105 (S103210). Then, it is determined whether or not the acquired crank angle sensor value is equal to the specified value (S103211). If they are equal, the process proceeds to step S103212. If they are not equal, the process flow ends.

  If the crank angle sensor value is equal to the specified value, the MPU 106 is controlled to obtain access permission to the crank angle sensor value buffer 10411 (S103212). When access permission is obtained from the MPU 106, the acquired crank angle sensor value is written in the crank angle sensor value buffer 10411 (S103213). When the writing of the crank angle sensor value is completed, the MPU 106 is controlled to end the access to the crank angle sensor value buffer 10411 (S103214). Thereafter, the engine control unit 10311 activates the engine control unit 10311 (S103215), and ends this processing flow.

  FIG. 13 is a diagram illustrating a processing flow of the injector control unit 10322 included in the engine control ECU 1. The engine control unit 10311 controls the MPU 106 to obtain access permission to the fuel injection amount buffer 10412 (S103220). When access permission is obtained, the fuel injection amount is acquired from the fuel injection amount buffer 10412 (S103221). Thereafter, the engine control unit 10311 controls the MPU 106 to end access to the fuel injection amount buffer 10412 (S103222). Then, the injector 12 is controlled based on the acquired fuel injection amount (S103223). Further, the acquired fuel injection amount is written into the fuel injection amount previous value buffer 10421 (S103224), and the processing flow is ended.

  FIG. 14 is a diagram illustrating a processing flow of the injector degeneration control unit 10323 included in the engine control ECU 1. In the injector degeneration control, an operation for maintaining the previous fuel injection charge is performed. Therefore, the engine control unit 10311 acquires the fuel injection amount from the fuel injection amount previous value buffer 10421 (S103230). Then, the injector 12 is controlled based on the acquired fuel injection amount (S103231).

  FIG. 15 is a diagram illustrating a processing flow of the safety level based illegal memory access detection unit 10324 included in the engine control ECU 1. The engine control unit 10311 identifies the memory address where the error has occurred using the MPU, and identifies the safety level of the error source from the safety level management table (S103240). Then, the entire error countermeasure instruction unit 10325 is called with the error source safety level as an argument (S103241).

  FIG. 16 shows a processing flow of the overall error countermeasure instruction unit 10325 provided in the engine control ECU 1. The engine control unit 10311 increments the error count 104253 of the error count holding table 10425 corresponding to the safety level of the error source of the argument (S103250). Then, using the error source safety level given by the argument and the error count 104253 generated at the corresponding safety level in the error count holding table 10425, the error count is calculated from the error source countermeasure table 10423. The fail-safe processing address 104234 of the fail-safe processing to be performed when it is within the error count threshold is specified and executed (S103251).

  For example, when the error source safety level of the argument is “QM” and the error count 104253 is “1”, in the example of the error source countermeasure table 10423 shown in FIG. 5, the error count 104253 is the error source safety level “QM”. The index 104231 corresponding to “0” is larger than 0 of the error count threshold 104233 in the record “0”, and the index 104231 is less than “3” of the error count threshold 104233 in the record “1”. The address of the processing unit is specified and executed.

  In the case of an illegal memory access due to a program defect, even if initialization is performed, the fundamental problem is not solved, and illegal memory access occurs many times. However, the occurrence of such illegal memory access can be prevented by preparing a mechanism for recording the number of errors and switching the fail-safe process based on the number of errors as in the present invention.

The engine control unit 10311 uses the fail-safe process ID 104235 of the index 104231 that is the same as the fail-safe process address 104234 of the fail-safe process executed in S103251, and the safety level of the affected party 104243 and the affected party's fail-safe from the error affected party countermeasure table 10424. The processing address 104244 is identified and executed (S103252). Then, the error source safety level of the argument, the fail safe process ID of the fail safe process executed by the error source, the affected safety level, and the affected fail safe process address are respectively stored in the error log buffer 10426. 104261, the error source execution fail-safe process ID 104262, the affected destination 104263, and the affected destination execution fail-safe process address 104264 are stored (S103253).
In addition, the communication control unit 10326 is called with the safety level of the error source, the face-safe process ID of the fail-safe process executed by the error source, the affected safety level, and the affected fail-safe process address as arguments. (S103254), this processing flow ends.

  FIG. 17 is a diagram illustrating a processing flow of the communication control unit 10326 included in the engine control ECU 1. The communication control unit 10326 transmits the data received as an argument to the CAN 2 (S103250).

  In the present embodiment, it is assumed that a memory protection unit (MPU) is used to implement a partition in the memory, but the present invention is not limited to this. For example, an MMU (Memory Management Unit) may be used, or other methods may be used. In the present embodiment, the case where the number of partitions is two is described, but the present invention is not limited to this. For example, the number of partitions may be three, four, or more.

  Furthermore, in the present embodiment, it is assumed that the safety level-based illegal memory access detection unit and the overall error countermeasure instruction unit are assigned to a partition whose safety level is ASIL D. However, the present invention is not limited to this. For example, it may be assigned to an ASIL C partition. However, it is basically desirable to be assigned to the partition with the highest safety level in the ECU.

  In the present embodiment, the processing is described for the case where it is assumed that the QM partition performs unauthorized memory access. However, the present invention is not limited to this. For example, it can be detected that an ASIL D partition makes an illegal memory access to a QM partition.

  In the present embodiment, it is assumed that CAN is used for the network, but the present invention is not limited to this. For example, FlexRay may be used or Ethernet may be used. Other networks may also be used.

  In the present embodiment, only one set of data is stored in the error log buffer, but the present invention is not limited to this. Similarly, only one set of data is transmitted over the network, but the present invention is not limited to this. For example, a plurality of data may be used.

  In this embodiment, information that can identify the safety level of the error source in the error log buffer, information that can identify the fail-safe process executed by the error source, information that can identify the safety level of the affected party, and the affected party The address of the fail-safe process executed by is stored, but is not limited to this. For example, time information at which an error has occurred may be stored at the same time. Similarly, the data to be transmitted is not limited to this embodiment.

  As described above, according to the present embodiment, when an unauthorized memory access occurs between different safety levels, the engine control ECU 1 responds to the number of times fraud is detected with respect to the error source based on the safety level. It is possible to instruct a fail-safe process, specify an affected destination affected by the execution of the fail-safe process, and select and instruct the affected fail-safe process according to the fail-safe process performed under an error. As a result, it is possible to perform fail-safe processing in cooperation between partitions while partitioning based on the safety level, so that the safety of the ECU can be ensured.

1: Engine control ECU
101: arithmetic unit 102: memory 105: input / output circuit 106: memory protection unit 11: crank angle sensor 12: injector 2: CAN

Claims (5)

A system in which programs and data that operate in each area are allocated to areas in memory to which two or more different software safety levels are assigned. In the vehicle control device distributed in the area,
Safety level management information in which addresses of memory areas allocated to the safety level are recorded;
Based on the address recorded in the safety level management information, the unauthorized memory access between the memory areas of different safety levels is detected, and the safety level of the error source program that made the unauthorized memory access is specified. A safety level based unauthorized access detection unit;
An overall error countermeasure instruction unit that instructs execution of a fail-safe processing program arranged at a safety level that is an error source, and that instructs execution of a fail-safe processing program that is affected by the fail-safe processing;
With
The overall error countermeasure instructing unit simultaneously executes a fail-safe processing program arranged in different safety level areas when an illegal memory access occurs between different safety level memory areas. Vehicle control device. The vehicle control device according to claim 1,
Error source countermeasure information that specifies a program that performs error processing according to the safety level of the error source program,
An area of the safety level affected by the execution of the program that performs the error processing, and error influence destination countermeasure information that stores the specification of the error processing program executed in the affected area,
The overall error countermeasure instruction unit instructs execution of a fail-safe processing program arranged at a safety level that is an error source based on the error countermeasure information and the error-affected-destination countermeasure information. A vehicle control device that instructs execution of a program of an affected fail-safe process that is affected. The vehicle control device according to claim 2,
It has an error count holding buffer that records the number of illegal memory accesses to memory areas of different safety levels,
When the overall error countermeasure instruction unit detects an illegal memory access between memory areas of different safety levels, the overall error countermeasure instruction unit updates the number of illegal memory accesses in the error count holding buffer, and based on this error count , And selecting an error source fail-safe process to be executed. The vehicle control apparatus according to claim 1, wherein the safety level based illegal memory access detection unit does not detect an illegal memory access between memory areas having the same safety level. A plurality of vehicle control devices according to claim 1,
Information that can identify the safety level of the error source program when the occurrence of an illegal memory access is detected, information that can identify fail-safe processing at the safety level of the executed error source, and the safety level of the affected party The vehicle control system is characterized by transmitting information capable of identifying the information and information capable of identifying the fail-safe processing performed at the safety level of the affected party to the network.