JP2018020609A - Vehicular control system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a vehicular control system which can be restored to its normal operation possible state, even when abnormality has arisen in control of the vehicular control system after adding and/or changing a control function.SOLUTION: In the case where abnormality has arisen in control of a vehicular control system 100, control information in master domain control sections 11-14 is initialized by using initial control information saved in a B/U ECU 40. Then, the initialized control information is updated according to addition and change information that is related to control information of an added and/or changed control function and held in the master domain control sections 11-14. Accordingly, the vehicular control system 100 can be reliably restored to its normal operation possible state.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a vehicle control system that controls a plurality of in-vehicle devices mounted on a vehicle.

  For example, Patent Document 1 discloses a technique for safely updating a computer program in an in-vehicle computer system including a master unit that manages the entire in-vehicle device and a slave unit that is connected to the master unit and executes processing in charge. Is disclosed.

  Specifically, the master unit acquires an update program for updating each computer program through a connection means to a network outside the vehicle, and stores the update program in a nonvolatile storage means. Then, the master unit preferentially updates the computer program executed by the slave control unit in the lower layer in the hierarchical structure of the slave control unit with respect to the slave unit, and after the update, the slave control of the upper layer in the lower layer The computer program executed by the means is updated. After the computer program of the slave unit to be updated is updated, the master unit preferentially updates the computer program executed by the lower-level master control means in the hierarchical structure of the master control means. The computer program executed by the upper level master control means is updated.

JP 2010-195111 A

  In Patent Document 1 described above, the update program is temporarily stored in the non-volatile memory. For example, even when the program update is interrupted due to, for example, the power being cut off during the program update, the update is performed. It is possible to re-execute processing.

  However, the failure in the in-vehicle computer system is, for example, after the update of the computer program, for example, due to the malfunction of the updated program itself, or the execution of an existing program that is not the update target is inhibited by the updated program. There is no denying the possibility of this occurring when the program is executed.

  The present invention has been made in view of the above-described points, and even after a control function has been added and / or changed, even if an abnormality occurs in the control of the vehicle control system, the vehicle control system An object of the present invention is to provide a vehicle control system that can return the vehicle to a state in which it can operate normally.

In order to achieve the above-described object, a vehicle control system (100) for controlling a plurality of in-vehicle devices mounted on a vehicle according to the present invention includes:
A device control unit (16-19, 26-29, 36-39) for controlling the plurality of in-vehicle devices, and a domain control unit that supervises control by the device control unit based on the control information possessed ( 11-14, 21-24, 31-34),
In the vehicle control system in the initial state, the storage unit (41) that stores the initial control information necessary to control the control by the device control unit is replaced with the ECU (10) in which the device control unit and the domain control unit are constructed. , 20, 30) provided in a separate backup ECU (40),
In the vehicle control system, in order to enable the addition and / or change of the control function, the domain control unit acquires additional change information regarding the control function to be added and / or changed, and holds the change function based on the additional change information. Updating the control information
An initialization unit (S460, S470) is provided for initializing control information in the domain control unit using initial control information stored in the storage unit of the backup ECU when an abnormality occurs in control in the vehicle control system. .

  Since the vehicle control system according to the present invention has the above-described configuration, when any abnormality occurs in the control in the vehicle control system, the device control unit and the domain control unit are constructed by the initialization unit. The control information in the domain control unit can be initialized using the initial control information stored in the storage unit of a backup ECU different from the ECU. For this reason, the control information by a domain control part can be reliably returned to the control information corresponding to the vehicle control system in an initial state. Then, from this state, for example, it is possible to update the control information regarding the control functions other than the added and changed control functions that are likely to cause the abnormality. Therefore, according to the present invention, it is possible to reliably return the vehicle control system to a state where it can operate normally.

  The reference numerals in the parentheses merely show an example of a correspondence relationship with a specific configuration in an embodiment described later in order to facilitate understanding of the present invention, and are intended to limit the scope of the present invention. Not intended.

  Further, the technical features described in the claims of the claims other than the features described above will become apparent from the description of embodiments and the accompanying drawings described later.

It is the block diagram which showed an example of the whole structure of the control system for vehicles. It is a figure which shows the example which divided | segmented the vehicle into three areas, a front area, a middle area, and a rear area. It is a figure for demonstrating the example of arrangement | positioning to each area of an apparatus control part. It is a flowchart which shows an example of the control processing of the master domain control part in each domain. Regarding the control information of the monitoring domain, what information each B / UECU, master domain control unit, and local domain control unit possess, and what processing is executed when a control function is added or changed It is the figure which showed an example. After the control function is added and / or changed, the control is executed by the B / U ECU in order to return the vehicle control system to a state in which the vehicle control system can operate normally when an abnormality occurs in the control in the vehicle control system. It is a flowchart which shows a process. After the control function is added and / or changed, when an abnormality occurs in the control in the vehicle control system, a process executed in the master ECU is performed to return the vehicle control system to a state in which it can operate normally. It is a flowchart to show. It is a flowchart which shows processes, such as initialization of structure information performed in each domain control part of master ECU, and the combination with addition / change structure information. It is a flowchart which shows processes, such as a combination with initialization of state transition information, addition / change structure information, etc. which are performed in each domain control part of master ECU. It is the figure which showed notionally an example of the transition of the control state before and after a control state was added by the update of state transition information. It is a flowchart which shows the safety process when abnormality arises at the time of starting while starting master ECU, area ECU, and B / UECU. It is a flowchart which shows the detail of the process at the time of abnormality of the flowchart of FIG. It is a figure for demonstrating the delivery process of a part of control function performed between a master domain control part and a local domain control part.

  An embodiment of a vehicle control system according to the present invention will be described with reference to the drawings. In the embodiments described below, the vehicle control system according to the present invention is applied to various in-vehicle devices mounted on a hybrid vehicle having an engine and an electric motor (motor generator) as a vehicle driving source. An example will be described. However, the vehicle control system according to the present invention is not only applied to control of in-vehicle devices in a hybrid vehicle, but also for control of various in-vehicle devices of a normal vehicle having only an engine and an electric vehicle having only an electric motor. May be applied. In addition, although the domain division is described, since this domain division is closely related to the control structure of the control system, it is not always necessary to perform the same domain division as the example described below. Just do it.

  FIG. 1 is a block diagram showing an example of the overall configuration of a vehicle control system 100 for various in-vehicle devices in the hybrid vehicle described above. The vehicle control system 100 according to the present embodiment is divided into a plurality of domains as control logic structures according to functions (roles) of a plurality of in-vehicle devices to be controlled. In the plurality of domains, device control units 16 to 19, 26 to 29, and 36 to 39 for controlling in-vehicle devices, and domain control units 11 to 14, and 21 to 24 that control the device control units, respectively. , 31-34.

  In the vehicle control system 100 according to the present embodiment, as will be described in detail later, the domain control unit calculates a control target for the entire domain, and area control targets for each area for achieving the control target for the entire domain. The master domain control units 11 to 14 for calculating the control targets of the corresponding device control units 16 to 19, 26 to 29, and 36 to 39 so as to achieve the given area control targets The local domain control units 21 to 24 and 31 to 34 are arranged. These domain control units are connected so as to be able to communicate with each other. Furthermore, in the vehicle control system 100 according to the present embodiment, when a plurality of master domain control units 11 to 14 perform cooperative control, or when the control by each master domain control unit 11 to 14 competes, control that competes. Is also provided.

  As a specific example of domain division, in the example shown in FIG. 1, the vehicle control system 100 is divided into four domains: a chassis domain, a powertrain domain, a body domain, and a monitoring domain. Based on the domains defined in this way, a large number of in-vehicle devices mounted on a hybrid vehicle are grouped together in terms of functions.

  For example, in the chassis domain, in order to operate the hydraulic brakes provided on each wheel, the brake actuator that drives the components of the hydraulic brake device such as a hydraulic pump and an electromagnetic valve, the damping force provided on each wheel can be adjusted. A damper, an air pressure sensor that is provided on the tires of each wheel and wirelessly communicates air pressure detection signals, an electric power steering, a transmission that transmits the rotation of the engine and the electric motor at an appropriate speed ratio to the drive shaft, and a brake by the driver In-vehicle devices such as a negative pressure pump that generates a negative pressure for amplifying the pedal effort and transmitting it to the master cylinder belong.

  The chassis domain is provided with chassis device control units 16, 26, and 36 for controlling the above-described in-vehicle devices. For example, the chassis domain controller 16, 26, 36 includes a brake actuator controller, damper controller, air pressure detection controller, electric power steering controller, transmission controller, negative pressure pump controller, etc. It is done. The hydraulic brake device is configured so that the hydraulic pressure can be adjusted independently on the front wheel side and the rear wheel side, and the brake actuator is a front wheel side brake that can individually adjust the brake hydraulic pressure of the left and right front wheels. It is divided into an actuator and a rear-wheel brake actuator that can individually adjust the brake hydraulic pressure of the left and right rear wheels. For this reason, the front wheel side brake actuator control unit and the rear wheel side brake actuator control unit are also provided as the brake actuator control unit.

  In principle, these chassis device control units 16, 26, and 36 are individually provided corresponding to the in-vehicle devices belonging to the chassis domain. However, a common chassis device control unit can be provided for a plurality of in-vehicle devices. It is. Furthermore, the chassis equipment control units 16, 26, and 36 are each configured by an electronic control unit (ECU). At this time, the respective chassis device control units 16, 26, 36 may be configured by individual ECUs, or the plurality of chassis device control units 16, 26, 36 may be configured by a common ECU. Further, the ECU constituting the device control unit may be shared with the device control unit of another domain.

  Then, the chassis device control units 16, 26, and 36 control the corresponding in-vehicle devices in accordance with the control targets given from the corresponding chassis domain control units 11, 21, and 31.

  The chassis domain control units 11, 21, and 31 are composed of a master chassis domain control unit 11 as a master domain control unit and local chassis domain control units 21 and 31 as local domain control units. As will be described later, the master chassis domain control unit 11 and the local chassis domain control units 21 and 31 are distributed in three areas when the vehicle is partitioned into three areas. The master chassis domain control unit 11 has a function as a master domain control unit and a function as a local domain control unit.

  As the master domain control unit, the master chassis domain control unit 11 determines a control target for the entire chassis domain according to the state of the vehicle and the operation state of the driver, and further, each area is realized based on the control target for the entire domain. Define area control objectives to be achieved. The area control target determined by the master chassis domain control unit 11 is given to the local chassis domain control units 21 and 31. The local chassis domain control units 21 and 31 calculate a control target for controlling the chassis device control units 26 and 36 based on the given area control target, and output the control target to the chassis device control units 26 and 36. At this time, the master chassis domain control unit 11 also calculates, as the local domain control unit, a control target for controlling the chassis device control unit 16 based on the area control target in the area to which the master chassis domain control unit 11 belongs. Output.

  In the power train domain, for example, an engine and a motor generator (MG), an engine and / or an MG that play a role of accelerating or decelerating the vehicle or applying power for keeping the speed constant to the vehicle are generated. Driving force distribution mechanism responsible for allocating the torque (driving force) to each wheel of the four wheels, high voltage battery responsible for supplying driving power to MG and storing power generated by MG, low voltage battery In-vehicle devices such as a DCDC converter that steps down a high voltage generated by a high-voltage battery for charging the battery and supplies the low-voltage battery to the low-voltage battery, and a charger interface (IF) for charging the high-voltage battery by an external charging facility belong. Furthermore, in the power train domain, in-vehicle devices such as a low voltage battery and a junction box (JB) for switching on / off of power supply from the low voltage battery to various in-vehicle devices may belong.

  The low voltage battery includes a plurality of batteries such as a main low voltage battery installed in the engine room of the vehicle and a sub low voltage battery installed under the floor of the luggage space (or trunk room) of the vehicle. In addition, the junction box includes a front junction box (JB) for switching on / off of power feeding to an in-vehicle device mounted in and near the engine rule, and an in-vehicle device mounted mainly in and near the vehicle interior. Including a center JB for switching on / off of the power supply and a rear JB for switching on / off of power supply to the in-vehicle device mounted in or near the luggage space. Each of these junction boxes is configured such that either a main low voltage battery or a sub low voltage battery can be selected as a power source for supplying power to each on-vehicle device.

  In the power train domain, power train device control units 17, 27, and 37 for controlling the above-described in-vehicle devices are provided. For example, in the power train domain, as the power train device control units 17, 27, 37, an engine control unit, an MG control unit, a driving force distribution mechanism control unit, a high voltage battery control unit, a DCDC converter control unit, a charger IF control unit A main low voltage battery control unit, a sub low voltage battery control unit, a front JB control unit, a center JB control unit, a rear JB control unit, and the like are provided. And the power train apparatus control part 17,27,37 controls a corresponding vehicle equipment according to the control target given from the corresponding power train domain control part 12,22,32.

  The power train domain control units 12, 22, and 32 include a master power train domain control unit 12 as a master domain control unit and local power train domain control units 22 and 32 as local domain control units. When the vehicle is divided into three areas, the master power train domain control unit 12 and the local power train domain control units 22 and 32 are distributed and arranged in the three areas. The master powertrain domain control unit 12 has a function as a master domain control unit and a function as a local domain control unit. As a master domain control unit, the master power train domain control unit 22 determines a control target for the entire power train domain, and further determines an area control target to be realized by each area based on the control target for the entire domain. The area control target determined by the master powertrain domain control unit 12 is given to each local powertrain domain control unit 22, 32.

  In the body domain, for example, front lights such as headlights and position lamps, external airbags provided in the hood to protect pedestrians, shutters that open and close the outside air introduction holes to the engine room, door locks, Motor for switching unlock, motor for opening / closing the window, motor for adjusting the seat position, air conditioner for air conditioning in the passenger compartment, passenger airbag for protecting passengers in the vehicle, motor for automatically opening and closing the rear gate, brake lamp In-vehicle devices such as rear lights belong. Therefore, in this body domain, as the body equipment control units 18, 28, 38, the front lighting control unit, the external airbag control unit, the shutter control unit, the door control unit, the seat control unit, the air conditioner control unit, the occupant airbag control A rear gate control unit, a rear lighting control unit, and the like. Then, the body device control units 18, 28, and 38 control the corresponding in-vehicle devices according to the control target given from the corresponding body domain control units 13, 23, and 33.

  The body domain control units 13, 23, 33 are composed of a master body domain control unit 13 as a master domain control unit and local body domain control units 23, 33 as local domain control units. When the vehicle is divided into three areas, the master body domain control unit 13 and the local body domain control units 23 and 33 are arranged in three areas. The master body domain control unit 13 has a function as a master domain control unit and a function as a local domain control unit. As the master domain control unit, the master body domain control unit 13 determines a control target for the entire body domain, and further determines an area control target to be realized by each area based on the control target for the entire domain. The area control target determined by the master body domain control unit 13 is given to the local body domain control units 23 and 33.

  In the monitoring domain, for example, a laser radar and a millimeter wave radar installed on a front grill or a front bumper to detect an obstacle in front of the vehicle, an outside air temperature sensor for detecting an outside air temperature, and an image behind the vehicle The rear camera installed inside the rear glass, the millimeter-wave radar installed in the rear bumper to detect obstacles behind the vehicle, and whether the portable key held by the occupant is genuine Therefore, in-vehicle equipment such as a communication device that communicates with the portable key belongs. Therefore, in the monitoring domain, the monitoring equipment control units 19, 29, 39 include a laser radar control unit, a front millimeter wave radar control unit, a temperature sensor control unit, a rear camera control unit, a rear millimeter wave radar control unit, a communication device control unit ( An authentication device). Then, the monitoring device control units 19, 29, and 39 control the corresponding in-vehicle devices according to the control target given from the corresponding monitoring domain control units 14, 24, and 34.

  The monitoring domain controllers 14, 24, and 34 are composed of a master monitoring domain controller 14 as a master domain controller and local monitoring domain controllers 24 and 34 as local domain controllers. When the vehicle is divided into three areas, the master monitoring domain control unit 14 and the local monitoring domain control units 24 and 34 are distributed in the three areas. The master monitoring domain control unit 14 has both a function as a master domain control unit and a function as a local domain control unit. As the master domain control unit, the master monitoring domain control unit 14 determines a control target for the entire monitoring domain, and further determines an area control target that each area should realize based on the control target for the entire domain. The area control target determined by the master monitoring domain control unit 14 is given to each local monitoring domain control unit 24, 34.

  Next, the arrangement | positioning to the vehicle of the vehicle equipment mentioned above, the apparatus control parts 16-19, 26-29, 36-39, and the domain control parts 11-14, 21-24, 31-34 is demonstrated.

  The various vehicle-mounted devices described above are arranged in each part such as a front portion, a central portion, and a rear portion of the vehicle because of the role required for each vehicle-mounted device and the space on the mounting. For this reason, when the domain controllers 11 to 14, 21 to 24, and 31 to 34 are intensively arranged at predetermined locations of the vehicle, the length of the communication wiring to each in-vehicle device becomes longer as a whole. There is a concern that the internal handling becomes complicated.

  Therefore, in the vehicle control system 100 according to the present embodiment, the vehicle is divided into at least two areas. For example, FIG. 2 shows an example in which the vehicle is divided into three areas: a front area 50, a middle area 60, and a rear area 70. However, the number of divisions is not limited to three as in the example of FIG. For example, the vehicle may be divided into two areas such as a front area and a rear area. Further, it may be divided into four areas such as a front right area, a front left area, a rear right area, and a rear left area. In the case of division into four areas, the front area may be further divided into two areas on the left and right in the division example shown in FIG. Further, it may be divided into five areas or six areas according to the size of the vehicle.

  In this manner, by dividing the vehicle into at least two areas, the plurality of in-vehicle devices are distributed to any of the divided areas according to the arrangement location. According to the distribution of the in-vehicle devices, the device control units 16 to 19, 26 to 29, and 36 to 39 that control the corresponding in-vehicle devices are also distributed and arranged so as to belong to the same area. Furthermore, the master domain control units 11 to 14 and the local domain control units 21 to 24 and 31 to 34, which are constituent elements of the domain control units 11 to 14, 21 to 24, and 31 to 34, also output control targets. The device control units 16 to 19, 26 to 29, and 36 to 39 corresponding to power should be distributed and arranged so as to belong to the same area.

  As a result, related local domain control units (including a master domain control unit having a function of a local domain control unit) 11 to 14, 21 to 24, 31 to 34, and device control units 16 to 19, 26 to 29, and 36. To 39 and the in-vehicle device can be arranged in the same area. Therefore, it is possible to reduce the length of the communication wiring that connects the local domain control unit-device control unit-vehicle-mounted device having a large number of wires. As a result, the complexity of handling the communication wiring in the vehicle can be reduced.

  In the example shown in FIG. 1, the master domain controllers 11 to 14 of each domain are constructed in a common master ECU 10 arranged in the middle area 60 of the vehicle, and are configured to be able to communicate with each other. Further, an integrated control unit 15 is also built in the master ECU 10 and configured to be communicable with each master domain control unit 11-14.

  Moreover, the local domain control units 21 to 24 of each domain are constructed in a common front area ECU 20 arranged in the front area 50 of the vehicle, and are configured to be able to communicate with each other. Similarly, the local domain controllers 31 to 34 of each domain are constructed in a common rear area ECU 30 disposed in the rear area 70 of the vehicle, and are configured to be able to communicate with each other.

  In FIG. 3, the example of arrangement | positioning to each area 50, 60, 70 of the apparatus control parts 16-19, 26-29, 36-39 is shown.

  In the example shown in FIG. 3, in the chassis domain, in the front area 50, as the equipment control unit 26, the front wheel side brake actuator control unit, the front wheel damper control unit that controls the damping force of the left and right front wheel dampers, and the left and right front wheel air pressure detection A front wheel air pressure detection control unit, an electric power steering control unit, a transmission control unit, and the like are arranged.

  In the middle area 60 of the chassis domain, a negative pressure pump control unit is arranged as the device control unit 16. Further, in the rear area 70 of the chassis domain, a rear wheel side brake actuator control unit, a rear wheel damper control unit, and a rear wheel air pressure detection control unit are arranged as the device control unit 36.

  In the power train domain, an engine control unit, an MG control unit, a main low voltage battery control unit, and a front JB control unit are arranged as the device control unit 27 in the front area 50. In the middle area 60, as the device control unit 17, a driving force distribution mechanism control unit and a center JB control unit are arranged. In the rear area 70, as a device control unit 37, a high voltage battery control unit, a DCDC converter control unit, a charger IF control unit, a sub low voltage battery control unit, and a rear JB control unit are arranged.

  In the body domain, a front lighting control unit, a front external airbag control unit, and a shutter control unit are arranged as a device control unit 28 in the front area 50. In the middle area 60, as a device control unit 18, a door control unit, a seat control unit, an air conditioner control unit, and an occupant airbag control unit are arranged. In the rear area 70, as a device control unit 38, a rear gate control unit, a rear lighting control unit, and a rear external airbag control unit are arranged.

  In the monitoring domain, a laser radar control unit and a front millimeter wave radar control unit are arranged as a device control unit 29 in the front area 50. In the middle area 60, a temperature sensor control unit and a communication device control unit are arranged as the device control unit 19. In the rear area 70, as a device control unit 39, a rear camera control unit and a rear millimeter wave radar control unit are arranged.

  Next, an example of control processing of the master domain control units 11 to 14 in each domain will be described with reference to the flowchart of FIG. The process shown in the flowchart of FIG. 4 is repeatedly executed every predetermined time.

  In step S100 of the flowchart of FIG. 4, the master domain control unit detects the state of the vehicle and the operation state of various operation devices by the occupant (driver) based on signals from various sensors and operation switches. In subsequent step S110, a domain control target is calculated based on the detection result in step S100. In addition, the integrated control unit 15 provided above each master domain control unit calculates control targets for all domains, and further calculates control targets for each domain to achieve the control targets for all the domains. Then, it may be configured to be provided to each master domain control unit.

  In step S120, an area control target indicating control to be executed (shared) in each area is calculated based on the domain control target calculated in step S110. As a result, even when local domain controllers are distributed in each area, it is possible to achieve overall matching of control in each area of the same domain.

  At this time, the master domain control unit transmits the control target to other master domain control units as necessary. For example, when the driver of the vehicle operates the brake pedal, the master power train domain control unit 12 of the power train domain considers the chargeable amount of the high voltage battery in order to generate the braking torque according to the brake pedal operation. Meanwhile, the target brake torques of the hydraulic brake and the regenerative brake are calculated. Then, the master power train domain control unit 12 transmits the calculated target brake torque of the hydraulic brake to the master chassis domain control unit 11 of the chassis domain. Then, the master chassis domain control unit 11 calculates an area control target including a control instruction for generating the received target brake torque.

  In step S130, the amount of power that can be used in its own domain is calculated in accordance with the amount of charge (SOC) of the main low-voltage battery and sub-low-voltage battery that are on-vehicle power supplies. Specifically, for example, the amount of electric power that can be used in its own domain is calculated by multiplying the stored amount (SOC) of the in-vehicle power source by a predetermined ratio determined for each domain. The predetermined ratio may be changed according to the situation of the vehicle. At that time, the situation of the vehicle can be classified into, for example, stop, start, acceleration, constant travel, deceleration, and stop. This is because, in each situation, the control content in each domain changes, or the execution or stop of the control is switched. Also, instead of calculating the amount of power that can be used in each domain by each master domain control unit, it is calculated by the integrated control unit described above, and the calculation result is notified to the master domain control unit of each domain. Anyway.

  In step S140, the master domain control unit calculates the amount of distributed power to be distributed to each area based on the amount of power available in its own domain. For example, the distribution power amount can be calculated by multiplying the power amount usable in its own domain by a predetermined ratio determined for each area. The predetermined ratio may be changed according to the situation of the vehicle, the presence or absence of execution of control in each area, and the like.

  In step S150, the master domain control unit transmits the area control target calculated in step S120 and the distributed power amount of each area calculated in step S140 to the local domain control unit of each area.

  Here, the master domain control unit executes the control process described above based on the control information that it holds. The control information held by the master domain control unit includes configuration information including information related to control functions held by the domain control unit and device control unit belonging to its own domain, information related to in-vehicle devices, information related to equipment such as sensors, etc. It is. In addition, when performing master control with another domain, a master domain control part inquires of the master domain control part of another domain whether it is equipped with the structure which can perform joint control. At this time, the master control unit of the other domain confirms whether or not it has a configuration capable of performing cooperative control based on the control information held by itself, and replies with the confirmation result.

  As the control function possessed by the domain control unit, for example, a so-called auto-cruise function that causes the vehicle to travel at a constant speed, a so-called adaptive cruise function that causes the vehicle to travel following a preceding vehicle within a limited speed range, or For example, a cruise function with a full-speed tracking function that has a function to follow the preceding vehicle at vehicle speed. Moreover, as a control function which an apparatus control part has, the vehicle running function by a motor independent, the regeneration function by a generator, etc. are mentioned, for example. Information on the in-vehicle device includes information indicating the type and performance of the in-vehicle device. Information relating to equipment includes information indicating equipment such as sensors, switches, and cameras that can be used when the domain control unit or the device control unit executes a control function.

  In addition, the control information held by the master domain control unit includes state transition information corresponding to the configuration information described above, including information on a plurality of control states in the corresponding domain, and information on transitions between the plurality of control states. included. For example, the powertrain domain control units 12, 22, and 32 control the power in the vehicle, and the control states include start, acceleration, steady travel, deceleration (regeneration), and stop. Further, the information related to the transition between the plurality of control states includes a transitionable state from each state and a transition condition at that time. The meaning that the control state corresponds to the configuration information is because, for example, when the generator is not provided as the in-vehicle device, the state of deceleration (regeneration) cannot be taken.

  Furthermore, the control information held by the master domain control unit includes distribution information related to power distribution to the domain control unit, the device control unit, and the in-vehicle device in each of the plurality of control states described above. This is because, depending on the control state, the control unit and the in-vehicle device that require power change or the amount of power to be supplied also changes.

  The control information held by the master domain control unit also includes communication information related to communication data communicated between the domain control units and between the domain control unit and the device control unit. Specific examples of this communication information include, for example, definition information of communication packets used when performing communication between domain control units and between domain control units and device control units, that is, types of data included in communication packets, Definition information such as the length of data, information indicating a transmission / reception destination, and the like can be given.

  The control information held by the master domain control unit also includes determination information for determining whether the control is normal or abnormal when an in-vehicle device belonging to the domain is controlled. For example, when the powertrain domain control unit 12, 22, 32 controls the engine or the motor generator or requests the chassis domain control unit 11, 21, 31 to perform cooperative brake control, the control is normally performed. The upper and lower limits of the acceleration / deceleration of the vehicle that cannot be generated when it is broken can be used as the determination information.

  In addition to the master domain control unit, the local domain control unit arranged in each area also holds the control information described above. Therefore, the master domain control unit can accurately calculate the control target and the distributed power amount of each area based on the control information that it holds. Furthermore, the local domain control unit can appropriately control the corresponding in-vehicle device according to the control target of each area.

  An example of specific control will be described. For example, the power train domain control units 12, 22, and 32 select a vehicle-mounted device to be driven in each control state described above based on the control information that is held, and the vehicle-mounted Calculate the control target for the device. For example, when starting, a motor generator is selected as a vehicle-mounted device to be driven, and a motor torque is calculated in accordance with the accelerator depression amount by the driver. Further, during steady running, an engine is selected as an on-vehicle device to be driven, and an engine torque necessary for maintaining the vehicle speed is calculated.

  At that time, the master domain control unit 12 determines a control state and calculates a target of the entire domain in the control state (for example, generation of positive torque or negative torque). Further, the master domain control unit 12 calculates a control target (for example, engine generation torque, motor generation torque, power regeneration amount by a generator, etc.) for each area based on the overall domain target. The local domain controllers 22 and 32 calculate a control target to be given to each device controller in order to achieve the area target. In this manner, the master domain control unit 12 and the local domain control units 22 and 32 can perform appropriate control using the control information that is held.

  By the way, in recent years, when a vehicle is brought to the dealer for inspection etc. after being put on the market, the control function of the device control unit can be made more advanced by updating the software, or a new control function can be added. There are cases where equipment control units possessed and equipment necessary for realizing the control functions are added. When no device control unit or equipment needs to be added and only the control function of the existing device control unit is to be enhanced, for example, software is updated online.

  When changes to improve control functions or additions of new functions are made due to such software updates or addition of device control units, for example, due to defects in updated software or updates There is no denying the possibility that some abnormality will occur when the control is actually executed, for example, the execution of the existing software is obstructed by the software that has been executed.

  Therefore, in the vehicle control system 100 according to the present embodiment, when an abnormality occurs in the control in the vehicle control system 100 after the control function is added and / or changed, the vehicle control system 100 can operate normally. It is characterized in that it can be returned to the correct state. Hereinafter, a configuration for returning the vehicle control system 100 to a state in which the vehicle control system 100 can operate normally, a procedure thereof, and the like will be described in detail with reference to the drawings.

  As shown in FIG. 1, the vehicle control system 100 according to the present embodiment includes a backup (B / U) ECU 40. The B / U ECU 40 includes an ECU in which the device control units 16 to 19, 26 to 29, and 36 to 39 are constructed, and an ECU 10, 20, and 30 in which the domain control units 11 to 14, 21 to 24, and 31 to 34 are constructed. It is provided separately. However, for example, the power supply system and the communication IF may be separated and combined with the other ECUs 10, 20, and 30.

  The B / UECU 40 is connected to the master ECU 10, the front area ECU 20, and the rear area ECU 30 via a communication line, and can communicate with each other. Further, the B / UECU 40 has a non-volatile memory 41, and the control information of each domain is stored in the non-volatile memory 41. The control information held by the B / UECU 40 is not rewritten even if the control function is changed or added in each domain, and the control information corresponding to the initial state of the vehicle control system 100 (initial control information). ) Is maintained.

  On the other hand, when a control function is changed or added, the master domain control units 11 to 14 acquire additional change information that is control information related to the added and / or changed control function for each domain. And store it in its own non-volatile memory. This additional change information can be included as information in the added or replaced device control unit or updated software. In this case, the master domain control units 11 to 14 acquire the additional change information from the added or replaced device control unit, or acquire from the device control unit or domain control unit having the updated software. Can do. In addition, in order for the master domain control units 11 to 14 to acquire additional change information, an operator who has made additional changes connects the external device to the vehicle communication network and adds the external device to the master domain control unit. Change information may be sent.

  The additional change information includes control information related to the added and / or changed control function and built-in information for incorporating the control information into the control information held by the master domain control units 11 to 14. For example, the embedded information indicates whether a control function is newly added or has been changed from an existing control function. Information for specifying an existing control function is included. In addition, when a new control state is set as a control function is added or changed, the embedded information includes information indicating the relationship between the new control state and the existing control state.

  When the master domain control unit 11-14 acquires such additional change information, the master domain control unit 11-14 incorporates the control information included in the additional change information into the control information held by the master domain control unit 11 using the embedded information. Combine information. For example, if the control information is newly added, the master domain control units 11 to 14 add the additional control information to the control information that is currently held, and the control information is a part of the existing control information. Is changed, a part of the existing control information is replaced by the change control information. Each time this additional change information is incorporated, the domain control units 11 to 14 store the update information of the control information as a history.

  As a result, even when a control function is added or changed, the master domain control units 11 to 14 can hold control information reflecting the addition or change of the control function. Based on the information, various functions including added and changed control functions can be executed.

  FIG. 5 shows what information the B / UC ECU 40, the master domain control unit 14, and the local domain control units 24 and 34 have about the control information of the monitoring domain, and also when the control function is added or changed. An example of whether such processing is executed is shown.

  As shown in FIG. 5, the B / UECU 40 holds monitoring domain configuration information in the vehicle control system 100 in the initial state as configuration information management. For example, in the example shown in FIG. 5, in the initial state, the master domain control unit 14 does not have a function of following the preceding vehicle, and does not have a camera that is a device for supplementing the preceding vehicle. . As state transition information management, the B / UECU 40 holds initial state transition information including a plurality of control states corresponding to the initial configuration and transition permission / non-permission conditions between the plurality of control states. For example, in the example shown in FIG. 5, key switch and vehicle speed information used as a transition permission / non-permission condition between control states is held as the initial state transition information.

  The B / USEC 40 holds distribution information for an initial configuration including distribution start conditions, distribution end conditions, distribution amount, and the like as distribution information management. As communication information management, the B / UECU 40 holds communication data used in the initial configuration and communication information of the transmission / reception destination of the communication data. And B / UECU40 is holding | maintaining the determination value for abnormal behavior estimation as safety information in an initial structure as safety information management. For example, in the example shown in FIG. 5, the B / UECU 40 holds the upper and lower limits of the acceleration / deceleration of the vehicle as the determination value.

  It should be noted that the B / UECU 40 uses the held determination information as a safety information management function to determine whether an abnormal behavior has occurred in the vehicle, that is, an abnormality has occurred in the control by the vehicle control system 100. And a proxy control function for giving control targets to the local domain controllers 21 to 24 and 31 to 34 of the front area ECU 20 and the rear area ECU 30 instead of the master ECU 10 when the master ECU 10 is abnormal. ing. However, in the proxy control function, a control target is given to each of the local domain controllers 21 to 24 and 31 to 34 based on the initial control information in the initial state. It is preferable that the speed and acceleration / deceleration are limited to such an extent that retreat travel in limp home mode is possible.

  As described above, the master domain control unit 14 includes control information related to the added and / or changed control function, and embedded information for incorporating the control information into the control information held by the master domain control units 11 to 14. Additional change information including and is held. Actually, as shown in FIG. 5, the additional change information is divided into configuration information, state transition information, power distribution information, communication information, and safety information, similar to the initial control information held in the B / UECU 40. And held in the master domain control unit 14. Hereinafter, it will be described in detail with reference to FIG.

  The master domain control unit 14 holds configuration information that has been added and / or changed as configuration information management. Furthermore, it also holds embedded information for incorporating the added and / or changed configuration information into the currently held configuration information. For example, in the example shown in FIG. 5, the master domain control unit 14 holds configuration information including a preceding vehicle following function as a control function and a camera for supplementing the preceding vehicle as equipment, and further, as embedded information, It holds information that these control functions and equipment have been newly added. Then, the master domain control unit 14 incorporates the added and / or changed configuration information as one function of the configuration information management into the held configuration information (initial configuration information) using the embedded information. It also has a function to combine both pieces of configuration information. Furthermore, as a function of configuration information management, the master domain control unit 14 reduces the amount of information from the initial configuration information in case the B / USECU 40 fails and the initial configuration information cannot be acquired from the B / USECU 40. It also holds minimum configuration information.

  As the state transition information management, the master domain control unit 14 indicates information indicating a new or changed control state when a new control state is set or a control state is changed with the addition or change of a control function. And differential state transition information including embedded information indicating the relationship between the control state and the existing control state. For example, FIG. 5 shows that the newly set control state is the “follow-up” state and the relationship between the new control state and the existing control state (transition permission conditions, transition destination, etc.) It is shown that information is held as difference state transition information. Then, the master domain control unit 14 incorporates the newly set control state or the changed control state into the held state transition information using the built-in information as one function of the state transition information management. Therefore, it also has a function of combining both state transition information. Furthermore, the master domain control unit 14 also holds minimum state transition information corresponding to the above-described minimum configuration information as a function of state transition information management.

  As the distribution information management, the master domain control unit 14 holds the distribution information for the added or changed configuration including the distribution start condition, the distribution end condition, the distribution amount, and the like. For example, in the example shown in FIG. 5, when the follow switch is turned on, the distribution start condition that power is supplied to the camera provided in the central area is held. As one function of distribution information management, the master domain control unit 14 incorporates distribution information for the added or changed configuration into the distribution information that is held, and combines both distribution information. If there are any restrictions or the like in this incorporation, the master domain control unit 14 holds the information as incorporation information of power distribution information. Furthermore, as a function of distribution information management, the master domain control unit 14 reviews the control contents of each control unit and in-vehicle device in the domain when the amount of power allocated to the domain is lower than the required power amount. In addition, due to a delay in the control start timing, etc., the power consumption interchange process is performed so as to be within the range of the allocated power amount.

  The master domain control unit 14 holds communication data used in the added or changed configuration and communication information of the transmission / reception destination of the communication data as communication information management. The master domain control unit 14 holds, as safety information, a determination value for estimating an abnormal behavior when an added or changed configuration is included as safety information management. For example, in the example shown in FIG. 5, the master domain control unit 14 holds the upper and lower limits of the acceleration / deceleration of the vehicle corrected according to the added or changed configuration as the determination value.

  Note that the master domain control unit 14 uses, as a function of safety information management, whether or not an abnormal behavior has occurred in the vehicle using the determination information that is held, that is, the control by the vehicle control system 100 is abnormal. It has a function to determine whether it has occurred. Further, the master domain control unit 14 is a part of the control function between the local domain control units 24 and 34 as one function of safety information management, for example, when the processing load increases due to the addition of the control function. The function of executing the delivery process is provided.

  Similarly to the master domain control unit 14, the local domain control units 24 and 34 also have control information related to their own areas. However, when the control information is changed, the local domain control units 24 and 34 do not update the control information independently, but the control information (updated in the master domain control unit 14 (see FIG. 5)). From the configuration information, state transition information, power distribution information, communication information, safety information), updated control information related to its own area is acquired. However, in each of the local domain control units 24 and 34, as with the master domain control unit 14 described above, the control information may be independently updated.

  Next, a processing procedure for returning the vehicle control system 100 to a state in which the vehicle control system 100 can operate normally when an abnormality occurs in the control in the vehicle control system 100 after the control function is added and / or changed. This will be described with reference to the flowcharts of FIGS. Note that the flowchart of FIG. 6 shows processing executed by the B / UECU 40, and the flowchart of FIG. 7 shows processing executed by the master ECU 10. Further, the flowchart of FIG. 8 illustrates processing such as initialization of configuration information and combination with addition / change configuration information, which is executed in each domain control unit 11 to 14 of the master ECU 10. The flowchart in FIG. 9 illustrates processing such as initialization of state transition information and combination with addition / change configuration information, which is executed in each domain control unit 11 to 14 of the master ECU 10.

  In addition, although mentioned later in detail, in this embodiment, the domain control parts 11-14 of each domain are constructed | assembled in common master ECU10, and when abnormality in control in the vehicle control system 100 arises, whichever Regardless of whether it is caused by the control by the domain, the control information of each of the master domain control units 11 to 14 is initialized using the initial control information held by the B / UC ECU 40.

  However, when an abnormality occurs in the control, the domain control units 11 to 14 that have performed the abnormal control are specified using different types of determination values for the domain control units 11 to 14, and the specified domain control is performed. Only the units 11 to 14 may be targeted for initialization of the control information.

  In step S200 of the flowchart of FIG. 6, the actual acceleration / deceleration of the vehicle is detected. For example, the B / UECU 40 can acquire information indicating the actual acceleration / deceleration of the vehicle by communicating with the monitoring domain control unit 14. In subsequent step S210, the upper and lower limits of the vehicle acceleration / deceleration held as safety information are read. In step S220, the actual acceleration / deceleration is compared with the upper and lower limits of the acceleration / deceleration as a determination value to determine whether or not the actual acceleration / deceleration is within the upper and lower limits. The upper and lower limits of the acceleration / deceleration as the determination value are when the power train domain control units 12, 22, and 32 control the engine and the motor generator, or when the chassis domain control units 11, 21, and 31 control the brake. When the control is normally performed, a range in which the actual acceleration / deceleration is accommodated is defined. Therefore, when it is determined in step S220 that the actual lower limit speed is out of the upper and lower limits, it can be determined that some abnormality has occurred in the control of the vehicle control system 100.

  In addition, in order to determine control abnormality in the vehicle control system 100, based on parameters other than acceleration / deceleration, for example, control output from each domain control unit, the magnitude of the change, the output timing of the control output, etc. The control abnormality in the vehicle control system 100 may be determined.

  If it is determined in step S220 that the actual acceleration / deceleration is within the upper and lower limits as the determination value, the processing shown in the flowchart of FIG. On the other hand, if it is determined that the actual acceleration / deceleration is outside the upper and lower limits, the process proceeds to step S230. In step S230, the B / UECU 40 instructs the master ECU 10 to stop control. In step S240, the B / UECU 40 controls the local domain control units 21 to 24 and 31 to 34 of the front area ECU 20 and the rear area ECU 30 on behalf of the master ECU 10 based on the initial control information held by itself. Execute proxy control that gives

  At the start of this proxy control, the B / UECU 40 stores and holds information related to the control that was executed when an abnormality occurred and the vehicle operating status when the abnormality occurred in a nonvolatile failure information storage unit (not shown). May be. By storing and holding such information, it is possible to contribute to the investigation of the cause of what failure occurred in which domain control unit and the abnormality occurred in the control in the vehicle control system 100 later.

  In step S250, it is determined whether the vehicle has stopped. In this determination process, when it is determined that the vehicle has not yet stopped, the proxy control in step S240 is continued. On the other hand, if it determines with the vehicle having stopped, it will progress to the process of step S260. In step S260, the B / UECU 40 instructs the master ECU 10 to initialize the control information. In step S270, the initial control information held by itself is transmitted to master ECU 10.

  Next, the process shown in the flowchart of FIG. 7 will be described. The processing shown in the flowchart of FIG. 7 is executed by the master ECU 10, but may be performed by the monitoring domain control unit 14 as described above, or a safety control unit may be provided separately from the domain control units 11-14. It may be provided and performed by the safety control unit.

  In step S300, the actual acceleration / deceleration of the vehicle is detected. In subsequent step S310, the upper and lower limits of the acceleration / deceleration of the vehicle, which are held as determination values and corrected according to the added or changed configuration, are read. In step S320, the actual acceleration / deceleration is compared with the upper and lower limits of the acceleration / deceleration as a determination value, and it is determined whether or not the actual acceleration / deceleration is within the upper and lower limits.

  If it is determined in step S320 that the actual acceleration / deceleration is within the upper and lower limits as the determination value, the processing shown in the flowchart of FIG. 7 is terminated. On the other hand, if it is determined that the actual acceleration / deceleration is outside the upper and lower limits, the process proceeds to step S330. In step S330, the master ECU 10 requests the B / UECU 40 to execute proxy control. In step S340, the control of the master ECU 10 is stopped.

  In step S350, it is determined whether or not an instruction to initialize control information is received from B / UECU 40. If it is determined that the initialization instruction has been received, the process proceeds to step S360 to execute processing such as initialization of control information and combination with addition / change configuration information. This initialization and combination processing will be described based on the flowcharts of FIGS.

  The flowchart of FIG. 8 shows processing related to configuration information among control information initialization and combining processing, which is performed in each master domain control unit 11 to 14 of the master ECU 10. Thus, each master domain control part 11-14 performs initialization and a joint process for every composition information, state transition information, power distribution information, communication information, and safety information included in control information.

  In the flowchart of FIG. 8, first, in step S400, the added and / or changed configuration information is read. In the subsequent step S410, initial configuration information is acquired from the initial control information transmitted from the B / UECU 40. In step S420, it is determined whether or not the communication with the B / UECU 40 has been normally performed and the initial configuration information has been acquired. If it is determined that the initial configuration information has been acquired, the process proceeds to step S430. On the other hand, when the communication with the B / UECU 40 cannot be performed and the initial configuration information cannot be acquired, the determination result in step S420 is “NO”, and the process proceeds to step S440.

  In step S430, the configuration information read out in step S400 is added to the initial configuration information acquired from the B / UECU 40, and the configuration information is combined. On the other hand, in step S440, since the initial configuration information is not obtained, the configuration information added and / or changed is incorporated into the minimum configuration information held by the domain controllers 11 to 14 itself, and both configuration information is combined. Update control information. However, in this case, since the minimum configuration information with a smaller amount of information than the initial control information is used, only retreat travel in limp home mode is possible.

  In step S450, each master domain control unit 11-14 transmits configuration information related to each area based on the updated configuration information to the local domain control units 21-24, 31-34 of each area.

  The flowchart of FIG. 9 shows processing related to state transition information among control information initialization and combining processing, which is performed in each master domain control unit 11 to 14 of the master ECU 10. As shown in FIG. 9, since the state transition information is also updated in the same manner as the configuration information described above, detailed description thereof is omitted.

  FIG. 10 conceptually shows an example in which a control state is added by updating the state transition information. FIG. 10A shows an initial control state transition. The vehicle control system 100 in the initial state does not have a function of following the preceding vehicle. Therefore, the control state only changes depending on the vehicle speed or the driving operation of the driver. FIG. 10B shows the control state transition when the tracking function is added by adding the control function. Since the function of following the preceding vehicle can be started at any time regardless of the state of the vehicle, in FIG. 10 (b), the initial control state is set to the normal state, and when the follow is instructed, Transition from the state to the follow-up state is made.

  In the process of combining control information including the configuration information and state transition information described above, the control information of all the control functions that have been added and / or changed are not combined, but combined so that no abnormality occurs again after combining. The control information to be selected may be selected or the order of combination may be changed.

  Specifically, for example, when an abnormality occurs in the control in the vehicle control system 100 during execution of the added and / or changed control function, the master domain control units 11 to 14 cause the abnormality. Only the control information related to the control function, excluding the added and / or changed control function, may be combined. Thereby, it can be expected that the control information is updated so that the abnormality does not occur again.

  Alternatively, the master domain control units 11 to 14 store the update information of the control information as a history, and when the control information of the added and / or changed control function is combined with the initial control information and updated. Alternatively, the control information may be updated in ascending order of update amount based on the stored update information. This is because the smaller the update amount, the smaller the possibility that a problem occurs in the update process.

  Alternatively, when the master domain control unit 11-14 updates the initial control information by combining the control information of the added and / or changed control function, based on the history of the stored update information, The control information may be updated in an order different from the order in the history. This is because the occurrence of problems may be avoided by changing the update order.

  Alternatively, when the master domain control unit 11-14 updates the initial control information by combining the control information of the added and / or changed control function, based on the history of the stored update information, The control information may be updated by combining only the control information related to the control function, excluding the control function last updated in the history. This is because when control information related to a plurality of control functions is combined at different timings, the control information combined last is likely to cause an abnormality.

  As described above, the vehicle control system 100 according to the present embodiment uses the initial control information stored in the B / UECU 40 to obtain the control information in the master domain control units 11 to 14 when any abnormality occurs in the control. It can be initialized. That is, it is possible to reliably return the control information by the master domain control units 11 to 14 to the control information corresponding to the vehicle control system 100 in the initial state. Then, from this state, for example, it is possible to update the control information related to the control function excluding the added and / or changed control function which is highly likely to cause an abnormality. Therefore, it is possible to reliably return the vehicle control system 100 to a state where it can operate normally.

  Next, with reference to the flowcharts of FIG. 11 and FIG. 12, what kind of safety processing is performed when abnormality occurs in the startup processing of the master ECU 10, the area ECU 20, 30 and the B / UECU 40. . When the key switch of the vehicle is turned on, the master ECU 10, the area ECUs 20, 30, and the B / UC ECU 40 are activated. If some abnormality occurs in this starting process and one abnormal ECU does not start normally, normal control cannot be performed. Even in such a case, the vehicle control system 100 according to the present embodiment executes the processes shown in the flowcharts of FIGS. 11 and 12 so that the control can be started as safely as possible. 11 and 12 is executed by a power supply ECU (not shown) that is activated first, except for the ECUs 10, 20, 30, and 40.

  First, in step S600 of the flowchart of FIG. 11, the activation process of the B / UECU 40 is executed. In the vehicle control system 100 according to the present embodiment, each of the ECUs 10, 20, 30, 40 can be appropriately dealt with when any of the ECUs 10, 20, 30, 40 does not start normally. Are activated simultaneously in the order of the B / UECU 40, the master ECU 10, and the area ECUs 20 and 30.

  In step S610, it is determined whether or not the first predetermined time has elapsed without starting the B / USECU 40 after the start processing of the B / UECU 40 has been started. When the activation process of the B / USEC 40 is normally performed, the B / USECU 40 completes the activation within the first predetermined time. In other words, if the activation of the B / USECU 40 is not completed even after the first predetermined time has elapsed, it can be considered that some abnormality has occurred in the activation processing of the B / USECU 40. Therefore, in the determination process of step S610, when it is determined that the first predetermined time has elapsed, the process proceeds to step S630, and abnormality of the B / UC ECU 40 is determined. Thereafter, the process proceeds to step S640.

  If it is determined in step S610 that the first predetermined time has not elapsed, the process proceeds to step S620. In step S620, it is determined whether or not the activation of the B / UECU 40 has been completed. If it is determined in this determination process that the activation has not yet been completed, the process returns to the process of step S600 and the activation process of the B / UECU 40 is continued. On the other hand, if it is determined that the activation of the B / UECU 40 is completed, the process proceeds to step S640.

  In step S640, a startup process of the master ECU 10 is executed. In the subsequent step S650, it is determined whether or not the second predetermined time has passed without starting the master ECU 10 after starting the starting process of the master ECU 10. When the activation process of the master ECU 10 is normally performed, the master ECU 10 completes the activation within the second predetermined time. Therefore, if the activation of the master ECU 10 is not completed even after the second predetermined time has elapsed, it can be considered that some abnormality has occurred in the activation process of the master ECU 10. Therefore, if it is determined in step S650 that the second predetermined time has elapsed, the process proceeds to step S670 to determine whether the master ECU 10 is abnormal. Thereafter, the process proceeds to step S680.

  If it is determined in step S650 that the second predetermined time has not elapsed, the process proceeds to step S660. In step S660, it is determined whether activation of master ECU 10 is completed. In this determination process, if it is determined that the activation has not been completed yet, the process returns to the process of step S640, and the activation process of the master ECU 10 is continued. On the other hand, if it determines with starting of master ECU10 having been completed, it will progress to the process of step S680.

  In step S680, activation processing of the area ECUs 20 and 30 is executed. In the subsequent step S690, it is determined whether or not the third predetermined time has passed without starting the area ECUs 20 and 30 after starting the start processing of the area ECUs 20 and 30. When the activation process of the area ECUs 20 and 30 is normally performed, the area ECUs 20 and 30 complete the activation within the third predetermined time. Therefore, if the activation of the area ECUs 20 and 30 is not completed even after the third predetermined time has elapsed, it can be considered that some abnormality has occurred in the activation processing of the area ECUs 20 and 30. Therefore, in the determination process of step S690, when it is determined that the third predetermined time has elapsed, the process proceeds to step S710, and abnormality of the area ECUs 20 and 30 that are not activated is determined. Thereafter, the process proceeds to step S720.

  If it is determined in step S690 that the third predetermined time has not elapsed, the process proceeds to step S700. In step S700, it is determined whether the activation of the area ECUs 20 and 30 has been completed. If it is determined in this determination process that the activation has not yet been completed, the process returns to step S680, and the activation process of the area ECUs 20 and 30 is continued. On the other hand, if it determines with starting of area ECU20 and 30 having been completed, it will progress to the process of step S720.

  In step S720, it is determined whether all the ECUs 10, 20, 30, and 40 have been normally activated. In this determination process, when it is determined that all the ECUs 10, 20, 30, 40 are normally activated, the process proceeds to step S730 to allow each ECU 10, 20, 30, 40 to execute normal control, and the master ECU 10 The master domain control units 11 to 14 and the local domain control units 21 to 24 and 31 to 34 of the area ECUs 20 and 30 permit part of the control function delivery process as necessary. On the other hand, if it is determined in step S720 that all the ECUs 10, 20, 30, and 40 have not started up normally, the process proceeds to step S740 to execute an abnormality process.

  The flowchart of FIG. 12 shows the details of the abnormal time processing in step S740. In this abnormal process, first, in step S800, it is determined whether there is one ECU or two or more ECUs in which an abnormality has occurred. If it is determined that there are two or more, the process proceeds to step S810. However, in this case, since it is difficult to perform control, it is determined that control is impossible, and control is not performed. On the other hand, when it is determined that one ECU has an abnormality, the process proceeds to step S820, and the type of ECU in which the abnormality has occurred is determined.

  In step S820, when it is determined that the ECU in which the abnormality has occurred is the area ECU 20, 30, the process proceeds to step S830, and the supplementary control using another area ECU is set to be executed. For example, when an abnormality occurs in the front area ECU 20, when a situation where a braking force should be generated on the front wheel by the front wheel brake actuator occurs, the braking force is also increased by the rear wheel side brake actuator in consideration of the amount of the front wheel braking force. Complement control is performed so that it is generated.

  When the ECU in which the abnormality has occurred is the master ECU 10, the process proceeds to step S840, and the B / U ECU 40 replaces the master ECU 10 with the local domain controllers 21 to 24, 31 to 34 of the front area ECU 20 and the rear area ECU 30. Set to perform proxy control to give control targets to If the ECU in which the abnormality has occurred is the B / UECU 40, the process proceeds to step S850, and if the abnormality occurs in the control of the vehicle control system 100 and processing such as initialization of control information becomes necessary, the master It is set to use the minimum configuration information held by each master domain control unit 11 to 14 of the ECU 10.

  Next, referring to FIG. 13, a part of the control function delivery process performed as necessary between the master domain control units 11 to 14 and the local domain control units 21 to 24 and 31 to 34. explain. For example, when a control function is added to the master domain control units 11 to 14 and the processing load increases, the master domain control units 11 to 14 transfer the control function to the local domain control units 21 to 24 and 31 to 34. Execute delivery process to deliver a part. Part of the control function may be transferred from the local domain control units 21 to 24 and 31 to 34 to the master domain control units 11 to 14.

  When a part of the control function is handed over from the master domain control unit 11-14 to the local domain control unit 21-24, 31-34, as shown in FIG. 13, first, in step S900, master domain control of the master ECU 10 is performed. The units 11 to 14 notify the local domain control units 21 to 24, 31 to 34 and the B / UECU 40 of the corresponding area ECUs 20 and 30 of the start of a delivery process of a part of the control function. In response to this notification, the corresponding local domain control units 21 to 24, 31 to 34 prepare for receiving a part of the control function as shown in step S910, and prepare when the preparation is completed. Output completion notification. Using the preparation completion notification as a trigger, the master domain control units 11 to 14 start a release process of a part of the control function in step S920. In a part of the release process of the control function, information such as the type of the control process to be released, the content of the control process, the control start condition, and the control end condition is output to the local domain control units 21 to 24 and 31 to 34. Further, the master domain control units 11 to 14 set stop of execution of the released control processing.

  On the other hand, the local domain controllers 21 to 24 and 31 to 34 start receiving processing for a part of the control function in step S930. In this receive process, the information output from the master domain control units 11 to 14 is received, and the control process included in the information is set to be executed when the control start condition is satisfied.

  Note that control functions to be delivered are determined in advance between the master domain control units 11 to 14 and the local domain control units 21 to 24 and 31 to 34, and both have data for executing these control functions. If configured to be provided, the release process and the receive process can be performed simply by transmitting and receiving information indicating the control function to be delivered.

  Release processing in the master domain control units 11 to 14 and receive processing in the local domain control units 21 to 24 and 31 to 34 are monitored in the B / USECU 40 in step S940. In the monitoring of the release process and the receive process, if the B / USEC 40 determines that no abnormality has been found and the delivery has been normally performed, the master domain control units 11 to 14 and the local domain control units 21 to 24, 31 to 34, the delivery completion notification is output. Upon receiving this delivery completion notification, the master domain control units 11 to 14 confirm that delivery has been completed in step S960. Also, the local domain control units 21 to 24 and 31 to 34 make settings so that the delivered processing can be started in step S970.

  On the other hand, if any abnormality is detected in the delivery process of a part of the control function of the B / UECU 40, in step S980, initialization of the sharing of the control function is instructed. In response to the initialization instruction, the master domain control units 11 to 14 and the local domain control units 21 to 24 and 31 to 34 perform processing for initializing sharing of control functions (steps S990 and S1000). It should be noted that the initialization of the sharing of control functions can also be executed by referring to the initial control information held by the B / UECU 40.

  The preferred embodiments of the present invention have been described above. However, the present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the spirit of the present invention. It is.

  For example, in the above-described embodiment, the B / USEC 40 determines that an abnormality has occurred in the control by the vehicle control system 100 and instructs the master domain control units 11 to 14 to initialize the control information. Configured. That is, processing for initializing the control information held by each of the master domain control units 11 to 14 is performed by the B / UECU 40. However, the master ECU 10 and the area ECUs 20 and 30 determine the abnormality of the vehicle control system 100 and request the provision of initial control information when the abnormality is determined. Only a function of providing initial control information may be provided. By configuring in this way, it is possible to reduce the possibility that the initial control information held by the B / UECU 40 is unintentionally altered.

  Further, in the above-described embodiment, the example in which the domain control unit includes the master domain control units 11 to 14 and the local domain control units 21 to 24 and 31 to 34 has been described. However, the area control may not be performed as in the above-described embodiment, and each device control unit may be arranged in the domain control unit of each domain as a control logical structure.

  Furthermore, in the above-described embodiment, an example in which any local domain control unit has a function as a master domain control unit has been described. However, the master domain control unit may be provided separately from the local domain control unit provided in each area.

DESCRIPTION OF SYMBOLS 10 Master ECU, 11 Master chassis domain control part, 12 Master power train domain control part, 13 Master body domain control part, 14 Master monitoring domain control part, 20 Front area ECU, 21 Local chassis domain control part, 22 Local power train domain Control unit, 23 local body domain control unit, 24 local monitoring domain control unit, 30 riato area ECU, 31 local chassis domain control unit, 32 local powertrain domain control unit, 33 local body domain control unit, 34 local monitoring domain control unit, 40 Backup ECU

Claims (14)

A vehicle control system (100) for controlling a plurality of in-vehicle devices mounted on a vehicle,
The vehicle control system includes a device control unit (16-19, 26-29, 36-39) for controlling a plurality of the vehicle-mounted devices, and the device control unit based on the control information held. It is hierarchized into domain control units (11-14, 21-24, 31-34) that supervise control,
In the vehicle control system in the initial state, the device control unit and the domain control unit are constructed as a storage unit (41) that stores initial control information necessary to control the control by the device control unit. Provided in a backup ECU (40) separate from the ECU (10, 20, 30)
In the vehicle control system, in order to enable addition and / or change of a control function, the domain control unit acquires additional change information regarding the control function to be added and / or changed, and based on the additional change information , To update the control information we have,
An initialization unit (S460, which initializes control information in the domain control unit using the initial control information stored in the storage unit of the backup ECU when an abnormality occurs in the control in the vehicle control system S470) A vehicle control system.   The vehicle control system according to claim 1, wherein the initialization unit is provided in the backup ECU.   When an abnormality occurs in the control in the vehicle control system during the execution of the added and / or changed control function, the domain control unit adds the added and / or changed control function that caused the occurrence of the abnormality. The vehicle control system according to claim 1 or 2, wherein the initialized control information is updated based on the additional change information regarding the control function.   The domain control unit stores the update information every time the control information is updated based on the additional change information, and updates the initialized control information based on the stored update information. The vehicle control system according to claim 1, wherein control information is updated in ascending order of update amount.   The domain control unit saves the update information as a history each time the control information is updated based on the additional change information, and updates the initialized control information. The vehicle control system according to claim 1, wherein the control information is updated in an order different from the order in the history based on the history.   The domain control unit saves the update information as a history each time the control information is updated based on the additional change information, and updates the initialized control information. 3. The vehicle control system according to claim 1, wherein the control information is updated based on additional change information related to the control function, excluding the last updated control function in the history, based on the history.   The control information held by the domain control unit includes configuration information including information related to control functions in the device control unit and the domain control unit, information related to the in-vehicle device, and information related to equipment available for control, and the configuration The vehicle according to any one of claims 1 to 6, including state transition information including information on a plurality of control states in a corresponding domain and information on transitions between the plurality of control states corresponding to the information. Control system.   The control information held by the domain control unit further includes power distribution information related to power distribution to the domain control unit, the device control unit, and the in-vehicle device in each of the plurality of control states. 8. The vehicle control system according to 7. The vehicle control system is provided with a plurality of the domain controllers,
9. The control information held by the domain control unit further includes information on communication data communicated between the domain control units and between the domain control unit and the device control unit. Vehicle control system.   The control information held by the domain control unit includes determination information for determining whether the control is normal or abnormal when an in-vehicle device belonging to the corresponding domain is controlled. The vehicle control system according to any one of 7 to 9. The domain control unit holds emergency control information for when the backup ECU becomes abnormal,
If the initialization unit cannot execute initialization of control information using the initial control information stored in the storage unit of the backup ECU, the domain control unit uses the emergency control information held by the domain control unit. The vehicle control system according to claim 1, wherein control by the device control unit is executed to enable limp home traveling of the vehicle.   The said backup ECU makes the said apparatus control part perform control using the initial control information memorize | stored in the said memory | storage part, when the failure of the said domain control part generate | occur | produces. Vehicle control system.   2. The backup ECU includes a failure information storage unit that stores and holds information related to control that was executed when a failure occurred and a vehicle driving situation at the time of the failure when the domain control unit failed. The vehicle control system according to any one of 1 to 12. The vehicle control system is provided with a plurality of the domain control ECUs,
When one of the plurality of domain control ECUs updates the control information based on the additional change information, it decides to hand over a part of its control function to the other domain control unit. When a part of the control function delivery process is performed with the control unit, the backup ECU monitors whether the delivery process has been performed according to a predetermined procedure and determines an abnormality in the delivery process. The vehicle control system according to claim 1, wherein the sharing of control functions of each of the domain control units is initialized using the initial control information.

Images