JP2014204315A - Relay device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To define a high-reliability device as an information storage destination while suppressing cost as further as possible in an on-vehicle system.SOLUTION: A relay device receiving a memory bank request from a memoryless control device in which write request data are generated, selects, as a write destination candidate, one control device with a storage function to which a safety request level equal to a request source level is allocated and which includes a storage section in which free capacity more than a data size of the write request data is present, from among control devices with storage functions (S220). A write request is outputted to the selected write destination candidate (S260). If a response from the write destination candidate acquiring the write request indicates that the write request data can be written (S270:YES), the write destination candidate is identified as a write destination device and the write request data are outputted (S280). Thus, the write request data are written and stored in the storage section of the write destination device.

Description

  The present invention relates to a relay device connected to an in-vehicle network.

  2. Description of the Related Art Conventionally, there is known an in-vehicle system that is mounted on an automobile and in which a plurality of electronic control devices are connected via an in-vehicle network and information communication is performed between the electronic control devices. Each of the electronic control devices controls various sensors and various devices connected to the electronic control device itself as a control target, and realizes a predefined function (hereinafter referred to as “realization request function”).

  The implementation request function normally needs to store information generated during the execution of the implementation request function in the nonvolatile storage device, but on the other hand, the implementation request function has a low need to store information in the nonvolatile storage device. Is also present. In an electronic control device that realizes a function that is less necessary to store information in the nonvolatile storage device, the nonvolatile storage device may be omitted. That is, in the in-vehicle system, both a memoryless control device that does not have a nonvolatile storage device and a device with a storage function that has a nonvolatile storage device are mixed as electronic control devices.

  By the way, when a failure occurs in the electronic control device itself or various sensors or devices that are controlled by the electronic control device, it is difficult to realize the realization request function defined in the electronic control device. Therefore, in order to elucidate the cause of the malfunction, the in-vehicle system is required to store log information regarding each electronic control device and the control target of the electronic control device.

  In an in-vehicle system that easily realizes storage of log information, information communication is performed with each electronic control device via an in-vehicle network as a device different from the electronic control device, and information acquired by the information communication It has been proposed to include an in-vehicle information collection device having a nonvolatile memory for storing (see Patent Document 1).

  In the in-vehicle information collecting apparatus in the in-vehicle system described in Patent Document 1, when a problem occurs in a specific realization request function, the electronic control apparatus itself is non-volatile with respect to the electronic control apparatus that detects the occurrence of the problem. Whether the log information can be stored in the sexual storage device. As a result of the inquiry, if the response from the electronic control device is unable to store the log information (for example, the memoryless control device itself), the in-vehicle information collecting device immediately acquires the log information from the electronic control device and installs the in-vehicle information. Store in the non-volatile memory of the information collection device. Further, if the response from the electronic control device can store the log information, the in-vehicle information collecting device holds the log information for a predetermined time in the electronic control device, and then acquires the log information to obtain the log information of the in-vehicle information collecting device. Store in non-volatile memory.

JP 2009-286295 A

  By the way, a safety requirement level representing the level of safety required for the realization of the realization requirement function is assigned to each realization requirement function. In contrast, the level of reliability required to ensure the safety requirement level is defined (for example, ASIL).

  The storage destination of log information is required to be a highly reliable device, and the safety requirement level that is equal to or higher than the safety requirement level assigned to the electronic control device that realizes the implementation requirement function in which a failure has occurred. It is required to have.

  In order to realize this in the in-vehicle system described in Patent Document 1, it is necessary to configure the in-vehicle information collection device itself so that the reliability is higher than the reliability of each electronic control device. Thus, in order to configure a highly reliable in-vehicle information collection device, it is necessary to configure using highly reliable components. Since this highly reliable component is expensive, there is a problem that the cost for constructing a highly reliable in-vehicle information collecting device becomes high.

That is, in the conventional technology, there is a problem that it is difficult for an in-vehicle system to store a highly reliable device as an information storage destination while suppressing cost as much as possible.
Therefore, an object of the present invention is to make a highly reliable device as a storage destination of information while suppressing the cost as much as possible.

  The present invention made to achieve the above object relates to a relay device that relays information communication between control devices in an in-vehicle network. The in-vehicle network includes at least one control device with a storage function, which is a control device having a non-volatile storage device, and a non-volatile storage as a plurality of control devices that realize a realization request function that is defined for each different function This is a mixture of at least one memoryless control device which is a control device having no device. Each control device is assigned a safety requirement level that represents the level of safety required for realizing the achievement requirement function. Note that the non-volatile storage device referred to here is a storage device that retains stored contents and can rewrite stored contents even when power supply is interrupted.

The relay apparatus of the present invention includes a request acquisition unit, a write destination specifying unit, and a data storage control unit.
Among these, the request acquisition unit acquires a memory bank request for requesting data writing to the nonvolatile storage device from the control device. Then, according to the storage destination management table that represents the safety requirement level assigned to each control device, the data requested to be written by the memory bank request is the write request data. Based on the acquired memory bank request, a controller with a storage function to which a safety requirement level higher than the safety requirement level assigned to the request source of the memory bank request (hereinafter referred to as “request source level”) is assigned. Identifies as a writing destination device. The data storage control means writes the write request data in the nonvolatile storage device of the specified writing destination device.

  According to such a relay device, a control device with a storage function assigned a safety request level higher than the request source level can be used as a write destination device, and the safety request level of the write destination device, The reliability of the nonvolatile storage device provided in the writing destination device can be ensured.

Moreover, in the present invention, the safety requirement level used for selection of the write destination device is assigned in advance for each control device that realizes the achievement request function.
Therefore, in the present invention, for the purpose of ensuring the reliability of the writing destination device, a new configuration is added to the relay device or the control device (that is, the in-vehicle network), or the conventional parts are changed. There is no need. For this reason, in this invention, it can suppress that a cost increases as much as possible.

For these reasons, according to the present invention, it is possible to make the storage destination of information (write request data) a highly reliable device while suppressing the cost as much as possible.
Furthermore, the write destination specifying means in the present invention may comprise a selection means, a request output means, an availability confirmation means, and a reselection means.

  In this case, according to the storage destination management table, the selection means sequentially selects the storage function from the control device with storage function to which the safety requirement level (hereinafter referred to as “safety requirement same level”) that is the same level as the request source level is assigned. The attached control device is selected as a writing destination candidate. The request output means outputs a write request for inquiring whether or not the write request data can be written to the selected write destination candidate. If the response to the write request from the write destination candidate that is the output destination of the write request is writable in the write request data, the availability checking unit writes the write request that is the transmission destination of the write request. The destination candidate is specified as the writing destination device. In addition, if the response to the write request from the write destination candidate to which the write request is output cannot be written to the write request data, the reselection means selects a new write destination candidate as the selection means. Let

  According to the relay device of the present invention, selection of a write destination device can be repeatedly executed until an appropriate write destination device is identified. Thus, according to the present invention, an appropriate control device with a storage function can be specified as a write destination device, and write request data can be more reliably stored in the nonvolatile storage device of the write destination device. Can do.

By the way, in a general vehicle-mounted system, higher safety (reliability) is required for write request data from a control device that realizes a function requiring realization having a high safety requirement level.
For this reason, the reselection means according to the present invention writes one of the unselected control devices with a storage function if there is a control device with a storage function that is assigned the same level of safety requirement and is not selected. The selection means may be selected as the previous candidate. Furthermore, if there is no controller with storage function to which the same level of safety requirement is assigned, the reselection means writes from among the controllers with storage function to which a higher safety requirement level is assigned than the safety requirement level. The destination candidate may be selected by the selection means.

  According to the present invention as described above, the write request data requiring higher safety can be stored in the nonvolatile storage device of the control device with a storage function that realizes the realization request function having a higher safety request level. That is, according to the present invention, it is possible to determine a write destination suitable for the safety (reliability) required for the write request data, and to effectively use resources without waste.

It is a block diagram which shows schematic structure of a vehicle-mounted communication system. It is explanatory drawing which shows a memory | storage destination management table. It is a flowchart which shows the process sequence of the function implementation | achievement process which an electronic controller performs. It is a flowchart which shows the process sequence of the memory bank process which a relay apparatus performs. It is a flowchart which shows the process sequence of the write process which a write-destination apparatus performs. It is explanatory drawing explaining the operation | movement which writes write-request data in a write-destination apparatus.

Embodiments of the present invention will be described below with reference to the drawings.
<overall structure>
An in-vehicle communication system 1 shown in FIG. 1 is an in-vehicle system mounted in an automobile, and is a system that communicates necessary information between electronic control units (ECUs) 20 and 30.

The vehicle communication system 1 includes a plurality of sub-networks 10 _1, 10 _2, and ... 10 _n, the communication terminal 14, a connector (CNT) 16, a plurality of electronic control units 20 _1, 20 _2, and ... 20 _N, A plurality of electronic control devices 30 ₁ , 30 ₂ ,..., 30 _M and a relay device 40 are provided. In the present embodiment, one in-vehicle network 5 is configured by the plurality of sub-networks 10 and the relay device 40, and different protocols are used for each sub-network 10. In the present embodiment, the symbols “n”, “N”, and “M” represent natural numbers.

  Examples of protocols used in each sub-network 10 include CAN ("Controller Area Network" proposed by Robert Bosch), FlexRay, Lin (Local Interconnect Network), etc., which are generally used in in-vehicle LANs. Conceivable.

  The communication terminal 14 performs information communication with a device (hereinafter also referred to as “external device”) arranged outside the in-vehicle communication system 1. The external devices on which the communication terminal 14 performs information communication include an external server 80 including a storage 82 composed of a nonvolatile storage device.

  The connector 16 is a connector for connecting the external tool 84. The external tool 84 transmits an input receiving unit (not shown) that receives input of various types of information and various types of information received by the input receiving unit to the in-vehicle communication system 1 and acquires information from the in-vehicle communication system 1. A communication unit (not shown) and at least a notification unit (not shown) for notifying information acquired by the communication unit are provided.

Each of the sub-networks 10 ₁ , 10 ₂ ,... 10 _n has a bus-shaped transmission path.
The electronic control devices 20 and 30 are arranged at various locations on the vehicle and are connected to the sub-network 10. Each of the electronic control devices 20 and 30 realizes a function assigned in advance (hereinafter referred to as “realization request function”).

Among these, the electronic control unit 20 includes a communication unit 22, a control unit 24, and a storage unit 26, respectively.
The communication unit 22 includes a transceiver (not shown) and a controller (not shown). The transceiver of the communication unit 22 transmits data to the subnetwork 10 to which the transceiver 22 is connected and takes in data from the subnetwork 10 to which the transceiver is connected. Further, the controller of the communication unit 22 controls communication according to the protocol used in the subnetwork 10.

The control unit 24 is configured around a known microcomputer including at least a ROM, a RAM, and a CPU.
The storage unit 26 is a non-volatile storage device that retains stored contents and can rewrite stored contents even when power supply is interrupted (that is, when the power is turned off).

  The control unit 24 of the electronic control device 20 performs a function realization process for realizing the realization request function assigned to the electronic control device 20 itself, a communication process for executing communication with the other electronic control devices 20 and 30, The write processing for storing the write request data from the electronic control devices 20 and 30 in the storage unit 26 is executed.

  For this reason, the ROM of the control unit 24 is an electrically rewritable storage area, and is provided with a rewritable area in which various processing programs are stored. In this rewritable area, each processing program for the control unit 24 to execute the function realizing process, the communication process, and the writing process is stored.

  In other words, in the present embodiment, as one of the electronic control devices 20, an engine ECU to which a function for controlling an internal combustion engine is assigned as an achievement request function and a function for controlling a powertrain mechanism are realized according to detection results of various sensors. Includes a powertrain ECU assigned as a required function. Furthermore, in the present embodiment, the electronic control device 20 includes a navigation ECU, etc., in which each part constituting a known navigation device is a control target, and a function for guiding a route to a destination is assigned as a realization request function.

Hereinafter, the electronic control device 20 is also referred to as a control device with a storage function 20.
On the other hand, each electronic control unit 30 includes a communication unit 32 and a control unit 34.
The communication unit 32 includes a transceiver (not shown) and a controller (not shown). The transceiver of the communication unit 32 transmits data to the subnetwork 10 to which the transceiver 32 is connected and takes in data from the subnetwork 10 to which the transceiver 32 is connected. The controller of the communication unit 32 controls communication according to a protocol used in the subnetwork 10.

  The control unit 34 is configured around a known microcomputer including at least a ROM, a RAM, and a CPU. This control unit 34 performs function realization processing for realizing the realization request function assigned to the electronic control device 30 itself, communication processing for executing communication with other electronic control devices 20 and 30, and writing generated by various processing. Write request processing for outputting a memory bank request for requesting writing of requested data is executed.

  For this reason, the ROM of the control unit 34 is an electrically rewritable storage area, and is provided with a rewritable area in which various processing programs are stored. In this rewritable area, each processing program for the control unit 34 to execute the function realizing process, the communication process, and the write request process is stored.

In other words, the electronic control device 30 is an electronic control device in which the storage unit 26 is omitted from the components constituting the control device with storage function 20.
As one of such electronic control devices 30, an anti-lock brake system that controls the brake mechanism according to the detection results of various sensors, an ABS electronic control device assigned as a function that requires realization, and a lock provided on the door The door ECU to which the function of locking / unlocking as the control target is assigned as the realization request function is included. Further, as one of the memoryless control devices 30, a window ECU in which a function for controlling a power window as a control target is assigned as a realization request function, and a function for controlling an electric mirror as a control target is assigned as a realization request function. The mirror ECU includes a wiper ECU to which a function for controlling the wiper mechanism as a control target is assigned as a realization request function. Furthermore, as one of the electronic control devices 30, an air conditioner ECU to which a function for controlling an air conditioner mounted on the own vehicle as a control target is assigned as a realization request function, or a seat (seat) is controlled as a control target A seat ECU to which the function is assigned as the realization request function may be included.

Hereinafter, the electronic control device 30 is also referred to as a memoryless control device 30.
Each control device with storage function 20 and each memoryless control device 30 in the present embodiment has identification information for identifying each electronic control device together with the name of the electronic control device itself (hereinafter referred to as “ECU name”). (Hereinafter referred to as “ECUID”) is defined in advance.

Further, in the present embodiment, a storage function control device 20 and a memoryless control device 30 that realize an implementation request function classified into the same type of category are connected to one subnetwork 10. That is, each sub-network 10 is prepared for each category such as a powertrain system, a chassis (safety) system, a body system, and a multimedia system, which are well-known in automobiles. Less control device 30 is mixed.
<Safety requirement level>
In an automobile, a safety requirement level that represents a level of safety required for each realization requirement function is defined. This safety requirement level is also defined for the electronic control devices 20 and 30 that realize each of the achievement requirement functions.

  Specifically, the safety requirement level in the present embodiment is an ASIL (Automatic Safety Integrity Level) class that is an index defined by ISO26262.

  This ASIL class is a required level of safety measures according to the risk of each expected failure. The ASIL class is a controllability (S) that indicates the magnitude of damage caused by a failure, the frequency of encountering the failure (E), and the ease of action that avoids the danger when a failure occurs ( Determined in combination with C).

  Specifically, the risk (S) and controllability (C) are evaluated in three stages, and the frequency (E) is evaluated in four stages. Then, the ASIL class is determined according to a matrix represented by the risk (S), controllability (C), and frequency (E). The ASIL class is expressed as QM (Quality Management: A system is in a safe state), A, B, C, and D in order from the lowest level of required safety.

Furthermore, each part constituting each electronic control device 20, 30, a processing program executed by the electronic control device 20, 30 and each control target controlled by the electronic control device 20, 30 are part of the ASIL class. The reliability level required to secure the ASIL class is set. This reliability level includes the probability of occurrence of a malfunction in each part constituting each electronic control unit 20, 30, a processing program executed by electronic control unit 20, 30 and a control target controlled by electronic control unit 20, 30. Is included.
<Relay device>
The relay device 40 is a device having a gateway function for relaying information communication between the electronic control devices 20 and 30 connected to the sub-networks 10 ₁ , 10 ₂ ,... 10 _n , that is, a central gateway device.

The relay device 40 includes a storage unit 42, a communication unit 44, and a control unit 46.
The storage unit 42 is a non-volatile memory that retains stored contents and can rewrite the stored contents even when the power is turned off. In the storage unit 42, a routing information storage area for storing the routing information RI and a management table storage area for storing the storage destination management table MI are secured.

  The routing information RI referred to here is information representing a data frame communication path between a plurality of electronic control devices 20 and 30 connected to different sub-networks 10. The storage destination management table MI will be described later in detail.

  The communication unit 44 relays information communication between the electronic control devices 20 and 30 connected to the subnetwork 10. Specifically, the communication unit 44 in the present embodiment transmits / receives data frames between the plurality of electronic control devices 20 and 30 connected to different sub-networks 10 and stores routing information stored in the storage unit 42. Execute based on RI.

  That is, the communication unit 44 outputs the data frame from the electronic control device to the subnetwork 10 to which the reception destination of the data frame is connected based on the routing information RI. If the protocol is different between the subnetwork 10 to which the transmission source of the data frame is connected and the subnetwork 10 to which the reception destination of the data frame is connected, the protocol is converted to the subnetwork 10 to which the reception destination is connected. Is output. Thereby, the relay apparatus 40 functions as a well-known gateway apparatus.

The control unit 46 is configured around a known microcomputer having at least a ROM, a RAM, and a CPU. In the ROM of the control unit 46, a processing program for executing memory bank processing for storing write request data corresponding to a memory bank request from the memoryless control device 30 in the control device with storage function 20 satisfying a specific condition Is stored. In the ROM, an area in which a processing program for executing memory bank processing is stored is an electrically rewritable nonvolatile storage area.
<Storage destination management table>
Next, the storage destination management table MI stored in the storage unit 42 of the relay device 40 includes ECU information and stored data information as shown in FIG.

Among these, the ECU information is information related to the electronic control devices 20 and 30 constituting the in-vehicle communication system 1.
The ECU information includes the ECU name of each of the electronic control devices 20 and 30, the ECU ID, and the safety requirement level (ASIL class) assigned to each of the electronic control devices 20 and 30. Further, the ECU information includes a storable size (that is, a free capacity) of the storage unit 26 included in the control device with storage function 20.

  In the present embodiment, the external server 80 and the relay device 40 are defined as one of the storage function control devices 20. Therefore, the names, identification information, safety requirement level (ASIL class) of the external server 80 and the relay device 40, and the free capacity of the nonvolatile storage device (storage 82, storage unit 42) included in the external server 80 and the relay device 40 are displayed. The included information is created as ECU information regarding the external server 80 and the relay device 40. Note that the ASIL class (B) is assigned to the relay device 40 of the present embodiment. Further, a safety requirement level (that is, ASIL class (QM)) representing the lowest safety level is assigned to the external server 80 of the present embodiment.

The ECU information related to the external server 80 and the relay device 40 is included in the storage destination management table MI.
On the other hand, the storage data information is information on write request data stored in the storage unit 26 of the control device with storage function 20 that satisfies the specific condition by executing the memory bank process. Specifically, the stored data information of each write request data includes the name of the requesting ECU that has requested writing of the write request data (requesting ECU in FIG. 2), and data that identifies the write request data. ID and the data size of the write request data are included. Further, the stored data information of each write request data includes an encryption flag indicating whether or not the write request data needs to be encrypted, and a key ID for identifying a key used for encryption.
<Write request processing>
Next, the write request process executed by the control unit 34 of each memoryless control device 30 will be described.

The write request process is started when a start command is input. The activation command is, for example, an ignition signal generated when an ignition switch is turned on.
When this write request process is executed, as shown in FIG. 3, it is first determined whether or not write request data has been generated as a result of executing various processes including the function execution process (S120).

The write request data is data that is generated by executing various processes in the memoryless control device 30 and needs to be stored in the nonvolatile storage device.
The data generated as the write request data includes a well-known diagnosis result and failure information generated as a result of a well-known failure diagnosis process for the control target. For example, if the memoryless control device 30 is an ABS electronic control device, failure information indicating failure of parts constituting the ABS electronic control device or failure of the brake mechanism is generated and generated as write request data. The data generated as the write request data may be various histories, backup data, and various settings in the realization request function realized by the memoryless control device 30 executing the function realization process.

  If the result of determination in S120 is that write request data has not occurred (S120: NO), the process waits until write request data is generated. When the write request data is generated (S120: YES), the generated write request data is stored in a main storage device (RAM) provided in the control unit 24 (S130).

  Subsequently, the memory bank request is output to the relay device 40 (S140). The memory bank request is a request signal for requesting writing of write request data to the storage unit 26 included in the control device with storage function 20. In addition to the write request data itself, the memory bank request includes an ECU ID (hereinafter also referred to as “transmission source ID”) assigned to the output source of the memory bank request (the memoryless control device 30), The security request level assigned to the output source of the memory bank request and the encryption flag are included.

  Further, in the write request process, it is determined whether or not a completion notification from the relay device 40 has been received (S150). The completion notification referred to here is a signal indicating that writing of the write request data included in the memory bank request output in S140 is completed.

  If the completion notification is not received (S150: NO), the process waits until the completion notification is received. When the completion notification is received (S150: YES), the write request data stored in the main storage device (RAM) of the control unit 34 is deleted in the previous S130 (S160).

Thereafter, the process returns to S120.
That is, in the write request process executed by the memoryless control device 30, when write request data is generated, the write request data is stored in the main storage device in the control unit 24 of the memoryless control device 30 and relayed. A memory bank request is output to the device 40.
<Memory bank processing>
Next, the memory bank process executed by the control unit 46 of the relay device 40 will be described.

This memory bank process is activated by an interrupt when the communication unit 44 receives a memory bank request from the memoryless control device 30.
When this memory bank process is activated, as shown in FIG. 4, first, from the memory bank request that is the activation factor of the memory bank process, the safety requirement level (that is, the ASIL class) included in the memory bank request. (Hereinafter, also referred to as “request source level”) (S210).

  Subsequently, based on the request source level acquired in S210 and the storage destination management table MI stored in the storage unit 42, one of the control devices with storage function 20 is selected as a write destination candidate (S220). In S220, in the ECU information included in the storage destination management table MI, the control device with storage function 20 whose safety request level (ASIL class) is equal to or higher than the request source level is selected as a write destination candidate.

  Specifically, when the process first shifts to S220, first, the controller with storage function 20 to which the safety requirement level (hereinafter referred to as “safety requirement same level”) equal to the request source level is assigned. And the control device with storage function 20 having the storage unit 26 having a free space larger than the data size of the write request data is selected as a write destination candidate.

In the present embodiment, the storage function control device 20 to be selected as a write destination candidate in S220 includes the external server 80 and the relay device 40 itself.
Further, in the memory bank process, it is determined whether or not the write request data needs to be encrypted based on the memory bank request that is the activation factor of the memory bank process (S230). Specifically, in S230 of the present embodiment, if the encryption flag included in the memory bank request is set, it is determined that the write request data needs to be encrypted, and the encryption flag is cleared. If so, it is determined that the encryption for the write request data is unnecessary.

  As a result of the determination in S230, if the write request data needs to be encrypted (S230: YES), the write request data is encrypted (S240). The encryption in S240 may be performed by common key encryption using a key selected based on a predetermined condition.

Thereafter, the process proceeds to S250.
On the other hand, as a result of the determination in S230, if the write request data need not be encrypted (S230: NO), the process proceeds to S250 without executing S240.

  In S250, it is determined whether the write destination candidate selected in the previous S220 is the relay device 40 itself or an external device. The external device referred to here is the control device with storage function 20 or the external server 80.

  As a result of the determination in S250, if the write destination candidate selected in S220 is an external device, a write request for inquiring whether the write request data can be written is output to the write destination candidate ( S260). Subsequently, it is determined whether or not the response from the write destination candidate that has output the write request in S260 is a content indicating that the write request data can be written (S270).

  As a result of the determination in S270, if the response from the write destination candidate indicates that the write request data cannot be written (S270: NO), the process returns to S220. In S220, if there is a control device with storage function 20 that is assigned the same level as the safety request and is not selected, the data size of the write request data is selected from the control devices with storage function 20 that are not selected. One control device 20 with a storage function having the storage unit 26 having a larger free space is selected as a new write destination candidate. On the other hand, if there is no control device with storage function 20 to which the same level of safety requirement is assigned, write request data is selected from the control devices with storage function 20 to which a higher safety requirement level is assigned than the same level of safety requirement. One control device 20 with a storage function having a storage unit 26 having a free space larger than the data size is selected as a new write destination candidate. Thereafter, the process proceeds to S230.

That is, in S220, according to the storage destination management table MI, write destination candidates are selected in order from the control device with storage function 20 to which the same level of safety requirement is assigned.
On the other hand, as a result of the determination in S270, if the response from the write destination candidate indicates that the write request data can be written (S270: YES), the write destination candidate is set as the write destination device. And write request data is transmitted to the writing destination device (S280). The write destination device that has received the write request data stores the write request data in the storage unit 26 provided in the write destination device itself. Thereafter, the process proceeds to S300.

  By the way, as a result of the determination in S250, if the write destination candidate selected in S220 is the relay device 40 itself, the relay device 40 itself is specified as the write destination device, and the write request data is stored in the storage unit 42. Store (S290). Thereafter, the process proceeds to S300.

  In S300, it is determined whether or not the writing of the write request data to the nonvolatile storage device is finished. Specifically, if the write destination device is an external device, it is determined that writing of the write request data to the non-volatile storage device is completed when an end notification is received from the write destination device. . On the other hand, if the write destination device is the relay device 40 itself, it is determined that the writing of the write request data to the nonvolatile storage device is completed according to the end notification notified inside the relay device 40. Note that the end notification referred to here is a signal indicating that writing of the write request data has ended.

  As a result of the determination in S300, if writing of the write request data to the nonvolatile storage device is not completed (S300: NO), the process waits until writing of the write request data to the nonvolatile storage device is completed. . Then, when the writing of the write request data to the nonvolatile storage device is completed (S300: YES), the storage destination management table MI stored in the storage unit 42 is updated (S310).

  In the update of the storage destination management table MI in S310, the storable size of the storage unit 26 in the control device with storage function 20 storing the write request data is changed to the storable size after storing the write request data. And rewrite. That is, the storable size of the storage unit 26 in the storage destination management table MI is reduced by the data size of the write request data.

  Further, in the update of the storage destination management table MI in S310, the storage data information related to the write request data is stored in association with the control device with storage function 20 that stores the write request data. That is, storage data information is added to the storage destination management table MI.

Subsequently, a completion notification is output to the memoryless control device 30 that is the output source of the memory bank request (S320). Thereafter, the memory bank process is terminated.
That is, in the memory bank process executed by the relay device 40, the control device with storage function 20 whose safety requirement level (ASIL class) is equal to or higher than the request source level is selected as a write destination candidate, and the write destination candidate is selected. A write request is output for. If the response to the write request is that the write request data cannot be written, one of the control functions with storage function 20 having a safety request level equal to or higher than the request source level is provided. The controller 20 is selected as a new write destination candidate and a write request is output.

Further, in the memory bank processing, if the response to the write request is that the write request data can be written, the write destination candidate is specified as the write destination device, and the write destination device is written. Send request data. The write destination device that has received the write request data stores the write request data in the nonvolatile storage device of the write destination device itself.
<Write processing>
Next, the writing process executed by the control device with storage function 20 will be described.

This writing process is started by interruption when the communication unit 22 receives a write request from the relay device 40.
When this write process is started, as shown in FIG. 5, first, write request data corresponding to the write request that caused the write process to be started can be written to the storage unit 26. It is determined whether or not (S410). In S410, for example, when the data size of the write request data is smaller than the free capacity of the storage unit 26, and the control device with storage function 20 is not in a situation in which a process other than the write process should not be executed, the write request data is written. It may be determined that the write request data can be written to the storage unit 26.

  If the result of determination in S410 is that writing request data cannot be written to the storage unit 26 (S410: NO), a response indicating that is returned to the relay device 40 (S420). Then, the writing process is terminated.

  On the other hand, if the result of determination in S410 is that the write request data can be written to the storage unit 26 (S410: YES), a response indicating that the write request data can be written to the storage unit 26 is relayed. A response is made to the device 40 (S430). Subsequently, it is determined whether write request data has been received from the relay device 40 (S440).

  If the write request data has not been received as a result of the determination in S440 (S440: NO), the process waits until it is received. When the write request data is received (S440), the received write request data is written and stored in its own storage unit 26 (S450). Further, when the storage of the write request data in the storage unit 26 in S450 is completed, an end notification is output to the relay device 40 (S460). Thereafter, the writing process is terminated.

In other words, in the writing process executed by the control device with storage function 20, if write request data based on the write request cannot be written to the storage unit 26, a response indicating that the write request data cannot be written is possible. If so, it responds that it is possible. In the writing process, when the write request data is received, the write request data is written and stored in the nonvolatile storage device (storage unit 26) included in the control device with storage function 20.
<Operation example>
Here, an operation example of the in-vehicle communication system 1 will be described.

  As shown in FIG. 6, when write request data is generated in the memoryless control device 30, the memoryless control device 30 outputs a memory bank request to the relay device 40 in the write request processing.

  The relay device 40 that has received the memory bank request activates memory bank processing. The control device with storage function 20 is assigned the safety request level that is the same level as the request source level, and has one storage unit 26 that has a free space larger than the data size of the write request data. The control device with storage function 20 is selected as a write destination candidate (hereinafter referred to as “first write destination candidate”). Further, a write request is output for the selected first write destination candidate.

  If the first write destination candidate that has acquired the write request can write the write request data to the storage unit 26, the first write destination candidate responds to the relay device 40 with a response indicating that the write request data can be written. To do. The relay device 40 that has received the response identifies the first write destination candidate as the write destination device, and outputs write request data to the write destination device. Then, the write destination device (first write destination candidate) that has received the write request data writes the write request data in the storage unit 26 and stores it, and outputs an end notification to the relay device 40.

The relay device 40 that has acquired the completion notification outputs a completion notification to the memoryless control device 30 that has output the memory bank request.
If the first write destination candidate cannot write the write request data to the storage unit 26, a response indicating that the write request data cannot be written is returned to the relay device 40. The relay device 40 that has received the response is assigned the same level as the safety requirement and if there is an unselected control device 20 with storage function, the relay device 40 can write a write request from the unselected control device 20 with storage function. One control device with storage function 20 having a storage unit 26 having a free space larger than the data size of the request data is selected as a new write destination candidate. On the other hand, if there is no control device with storage function 20 to which the same level of safety requirement is assigned, write request data is selected from the control devices with storage function 20 to which a higher safety requirement level is assigned than the same level of safety requirement. One control device 20 with a storage function having a storage unit 26 having a free space larger than the data size is selected as a new write destination candidate. Hereinafter, the new write destination candidate selected in this way is referred to as a second write destination candidate.

  The relay device 40 outputs a write request to the second write destination candidate. If the second write destination candidate that has acquired the write request can write the write request data to the storage unit 26, the second write destination candidate returns a response indicating that the write request data can be written to the relay device 40. To do. The relay device 40 that has received the response identifies the second write destination candidate as the write destination device, and outputs write request data to the write destination device. Then, the write destination device (second write destination candidate) that has received the write request data writes the write request data in the storage unit 26 and stores it, and outputs an end notification to the relay device 40.

The relay device 40 that has acquired the completion notification outputs a completion notification to the memoryless control device 30 that has output the memory bank request.
[Effect of the embodiment]
As described above, the relay device 40 repeatedly selects a write destination device until an appropriate write destination device is specified as the write destination of the write request data based on the memory bank request. The selection of the write destination device is the control device with storage function 20 to which the same safety requirement level as the request source level is assigned until the control device with storage function 20 suitable as the write destination is specified, and This is implemented by selecting as a write destination candidate in order from one control device with storage function 20 having a storage unit 26 having a free space larger than the data size of the write request data.

  Therefore, according to the relay device 40, it is possible to specify the control device 20 with a storage function in which the safety requirement level of the write destination device, and thus the reliability of the nonvolatile storage device, is ensured as the write destination device.

  Moreover, in the in-vehicle communication system 1, the safety requirement level used for selecting the writing destination device is assigned in advance for each electronic control device that realizes the achievement request function. That is, in the in-vehicle communication system 1, in order to ensure the safety level (reliability) of the writing destination device, a new configuration is added to the in-vehicle communication system, or conventional parts are changed to highly reliable parts. There is no need to

In other words, in the in-vehicle communication system 1, the write request data is written to the nonvolatile storage device whose reliability is ensured, so that an increase in cost can be suppressed as much as possible.
From the above, according to the relay device 40, the information storage destination can be a highly reliable device while suppressing the cost as much as possible.

By the way, in a general in-vehicle communication system, higher security is required for write request data from an electronic control device that realizes a realization requirement function having a high safety requirement level.
Therefore, in the memory bank processing of the above embodiment, when selecting a write destination device, first, the control device with storage function 20 that is at the same level as the safety requirement is selected as a write destination candidate. Then, when there is no unselected control device with storage function 20 that is at the same level as the safety requirement, the write destination is selected from among the control devices with storage function 20 to which a higher safety requirement level than the safety requirement level is assigned. A candidate is selected.

  Therefore, according to the relay apparatus 40, the write destination apparatus according to the safety | security requested | required with respect to write request data can be determined. Thereby, the resources in the in-vehicle communication system 1 can be effectively used without waste.

  In the memory bank processing of the above embodiment, the control device with storage function 20 including the storage unit 26 having a free capacity larger than the data size of the write request data is specified as a write destination candidate. As a result, according to the relay device 40, the write request data can be stored in one write destination without being distributed to a plurality of write destinations.

  Further, in the memory bank process, if the encryption flag included in the memory bank request indicates that encryption is necessary, the write request data is encrypted and written to the write destination device.

  For this reason, according to the in-vehicle communication system 1, even if the data written in each writing destination device is illegally acquired, the content of the data can be prevented from being recognized by an illegally acquired person.

  In addition, since the necessity of encryption is determined based on the encryption flag included in the memory bank request, according to the in-vehicle communication system 1, it is possible to prevent the data that does not need to be encrypted from being encrypted. It is possible to prevent various processes from being executed.

  Further, in the memory bank processing, when the writing of the write request data to the nonvolatile storage device of the write destination device is completed, the storage data information regarding the write request data is stored as the write request as the storage destination management table MI. The data is stored in association with the control device with storage function 20 that stores the data.

  According to the relay device 40, the write request data written in the nonvolatile storage device of each write destination device can be read according to such a storage destination management table MI. For this reason, according to the relay apparatus 40, the processing amount at the time of reading the said data can be reduced.

In the memory bank process, the relay device 40 itself and the external server 80 can be specified as the write destination device. Since the storage unit 42 included in the relay device 40 and the storage 82 included in the external server 80 have a large storage area, the processing program executed in the electronic control device and various setting information in the processing program are the latest. Can be used as a save destination for old processing programs and setting information. And if the old processing program and setting information are saved by executing memory bank processing, even if the update to the new processing program and various setting information fails, the old processing program and setting information can be restored. Can do.
[Other Embodiments]
As mentioned above, although embodiment of this invention was described, this invention is not limited to the said embodiment, In the range which does not deviate from the summary of this invention, it is possible to implement in various aspects.

  For example, the relay device 40 may be configured to rewrite the storage destination management table MI stored in the storage unit 42 when a command is input via the external tool 84, or in the ROM of the control unit 46. The processing program stored in the rewritable area may be rewritten. That is, the relay device 40 may include at least one of the first rewriting means and the second rewriting means described in the claims.

  If it is the former, when the apparatus configuration of the in-vehicle communication system 1 is changed, it can be easily changed to a new storage destination management table MI. In the latter case, the processing program can be easily changed to the latest one.

  In the above embodiment, the memory bank request output source is the memoryless control device 30, but the memory bank request output source is not limited to the memoryless control device 30. For example, the output source of the memory bank request may be the control device with storage function 20 or another in-vehicle device. That is, the electronic control device that executes the write request process is not limited to the memoryless control device 30, and the control device with storage function 20 may execute the write request process.

  Furthermore, in the selection of the write destination candidate in the memory bank processing of the above embodiment, based on the safety request level included in the memory bank request, the control device with storage function 20 to which the safety request level or higher is assigned is written to Although selected as a candidate, the selection of the write destination candidate may be performed based on the transmission source ID included in the memory bank request. That is, the transmission destination ID may be collated with the storage destination management table MI, the safety requirement level of the memoryless control device 30 corresponding to the transmission source ID may be acquired from the storage destination management table MI, and the storage destination candidate may be selected. .

  In the above-described embodiment, the storage destination management table MI includes ECU information related to the memoryless control device 30, but the storage destination management table MI includes ECU information related to the memoryless control device 30. Not necessary.

  By the way, in the said embodiment, engine ECU, powertrain ECU, ABS ECU, door ECU, etc. were assumed as each electronic control apparatus 20 and 30, However, The control apparatus in this invention was assumed in the said embodiment. The present invention is not limited to an electronic control device that implements a request realization function.

  Further, the ASIL class (B) is assigned to the relay device 40 in the above embodiment, and the safety requirement level (that is, the ASIL class (QM)) indicating the lowest safety level is assigned to the external server 80. However, the safety requirement level assigned to the relay device 40 and the external server 80 is not limited to this. For example, the safety requirement level assigned to each of the relay device 40 and the external server 80 may be the safety requirement level (ASIL class (D)) representing the highest safety level, or the second highest safety requirement. May be a safety requirement level (ASIL class (C)) that represents the level of the above, or a safety requirement level that represents another safety level.

  In the in-vehicle communication system 1 in the above embodiment, a different protocol is used for each sub-network 10, but in the in-vehicle communication system 1, a protocol common to the plurality of sub-networks 10 may be used. A common protocol may be used in all the sub-networks 10.

  Moreover, although the vehicle-mounted communication system 1 of the said embodiment was provided with the communication terminal 14 and the connector 16, in this invention, it is not necessary to provide these communication terminals 14 and the connector 16. FIG.

  In addition, the aspect which abbreviate | omitted a part of structure of the said embodiment as long as the subject could be solved is also embodiment of this invention. Further, an aspect configured by appropriately combining the above embodiment and the modification is also an embodiment of the present invention. Moreover, all the aspects which can be considered in the limit which does not deviate from the essence of the invention specified by the wording described in the claims are the embodiments of the present invention.

  The reference numerals used in the description of the above embodiments are also used in the claims as appropriate, but they are used for the purpose of facilitating the understanding of the invention according to each claim, and the technical aspects of the invention according to each claim. It is not intended to limit the scope.

  DESCRIPTION OF SYMBOLS 1 ... In-vehicle communication system 5 ... In-vehicle network 10 ... Sub network 14 ... Communication terminal 16 ... Connector 20, 30 ... Electronic control device (control device with memory function, memoryless control device) 22, 32 ... Communication unit, 24, 34 ... Control unit 26 ... Storage unit 40 ... Relay device 42 ... Storage unit 44 ... Communication unit 46 ... Control unit 80 ... External server 82 ... Storage 84 ... External tool

Claims (11)

As a plurality of control devices (20, 30, 40) that are defined in each and realize a realization request function that is a different function,
At least one control device with storage function (20), which is the control device having a nonvolatile storage device (26) that retains stored contents even when power supply is interrupted;
At least one memoryless control device (30) that is the control device not having the nonvolatile storage device is mixed,
Relaying information communication between the control devices in an in-vehicle network in which a safety requirement level indicating the level of safety required for the realization of the realization request function is assigned to each control device that realizes the realization request function Relay device (40)
Request acquisition means (44) for acquiring a memory bank request for requesting writing of data to the nonvolatile memory device from the control device;
The memory bank request acquired by the request acquisition unit according to a storage destination management table representing the safety request level assigned to each control device, with the data requested to be written by the memory bank request as write request data A write destination that identifies the control device with a storage function assigned a safety request level higher than the request source level that is a safety request level assigned to the request source of the memory bank request as a write destination device based on Specifying means (46, S210 to S270);
A relay apparatus comprising: data storage control means (46, S280, S290) for writing the write request data in a nonvolatile storage device included in the write destination device specified by the write destination specifying means. The writing destination specifying means includes
According to the storage destination management table, the control device with storage function is selected as a write destination candidate in order from the control device with storage function to which the same safety requirement level as the request source level is assigned. Selecting means (46, S220) to perform,
Request output means (46, S260) for outputting a write request for inquiring whether or not the write request data can be written to the write destination candidate selected by the selection means;
If the response to the write request from the write destination candidate to which the write request is output by the request output means can be written to the write request data, the write request transmission destination A possibility confirmation means (46, S270) for specifying a write destination candidate as the write destination device;
If the response to the write request from the write destination candidate to which the write request is output by the request output means is not writable to the write request data, a new write destination candidate is sent to the selection means. The relay device according to claim 1, further comprising: a reselecting unit (46, S270) for selecting The reselection means includes
If there is a control device with a storage function that is assigned the same level as the safety requirement and is not selected, one of the control devices with a storage function that is not selected is selected as the write destination candidate by the selection means. Let
If the control device with storage function to which the same level as safety requirement is assigned does not exist, the write destination candidate from among the control devices with storage function to which a higher safety requirement level than the safety requirement level is assigned The relay apparatus according to claim 2, wherein the selection unit selects the relay apparatus. The storage destination management table is:
The free capacity of the non-volatile storage device included in each control device with storage function is associated with each control device with storage function,
The selection means includes
The control apparatus with a storage function having the non-volatile storage device having a free space larger than the data size of the write request data is selected as the write destination candidate. 3. The relay device according to 3. The relay device itself
The nonvolatile memory device (42);
The writing destination specifying means includes
The relay device according to any one of claims 1 to 4, wherein the relay device itself is specified as one of the control devices with a storage function and the writing destination device is specified. The data storage control means includes
The relay apparatus according to any one of claims 1 to 5, wherein the write request data is encrypted and written to the write destination apparatus. The memory bank request includes
The necessity of encryption for the write request data is included,
The data storage control means includes
If the necessity of encryption included in the memory bank request indicates that the encryption is necessary, the write request data corresponding to the memory bank request is encrypted. The relay apparatus according to claim 6. A completion receiving means (46, S300) for receiving from the writing destination device a completion notification indicating that the writing of the write request data to the writing destination device by the data storage control means has been completed;
When the completion notification is received by the completion receiving means, a table updating means (46, 46) for adding information related to the write request data written to the write destination device by the data storage control means to the storage destination management table. The relay apparatus according to any one of claims 1 to 7, further comprising: S310). A data storage device (42) as the nonvolatile storage device;
The data storage device stores the storage destination management table,
The apparatus according to any one of claims 1 to 8, further comprising a first rewriting unit that rewrites the storage destination management table stored in the data storage device when an external command is input. Relay device. Each means is realized by the relay device executing a processing program,
The relay device according to any one of claims 1 to 9, further comprising second rewriting means for rewriting the processing program when an external command is input. The relay device according to any one of claims 1 to 10, wherein the output source of the memory bank request is the memoryless control device.