JP2021082936A - Communication system - Google Patents

Abstract

To provide a technique for monitoring the operation of an electronic control device by communicating with a device outside the electronic control device.SOLUTION: A communication system 1 includes a first communication device 10 and a second communication device 20. The first communication device includes an information generation unit 52 configured to acquire at least one type of status information indicating the status of the first communication device, generate determination information including the acquired status information, and output the determination information to the second communication device. The second communication device includes a monitoring unit 63 configured to acquire determination information, compare predetermined normal information which is the state information when the first communication device is normal with state information included in the determination information, and determine an abnormality in the first communication device.SELECTED DRAWING: Figure 1

Description

The present disclosure relates to a communication system mounted on a vehicle in which a plurality of communication devices are connected to each other by a communication line.

For example, in Patent Document 1 below, an electronic control device (hereinafter referred to as a communication device) mounted on a vehicle and having a communication function includes a control microcomputer for controlling the vehicle and the control microcomputer for monitoring the operation of the control microcomputer. Has been proposed to be equipped with another monitoring microcomputer.

Japanese Patent No. 4005421

On the other hand, there was no idea of monitoring the operation of the electronic control device by communicating with a device outside the electronic control device. The present disclosure provides a technique for monitoring the operation of an electronic control device by communicating with a device outside the electronic control device.

One aspect of the present disclosure is a communication system (1) mounted on a vehicle. The communication system includes a plurality of communication devices (10, 20). A plurality of communication devices are connected to each other so as to be able to communicate with each other by a communication line. The plurality of communication devices include a first communication device (10) and a second communication device (20). The first communication device acquires at least one type of state information indicating the state of the first communication device, generates determination information including the acquired state information, and outputs the determination information to the second communication device. It is provided with an information generation unit (52) configured in. The second communication device acquires the determination information, compares the predetermined normal information which is the state information when the first communication device is normal with the state information included in the determination information, and first A monitoring unit (63) configured to determine an abnormality in the communication device of the above is provided.

According to one aspect of the present disclosure, the first communication device determines an abnormality of the first communication device by communicating with a second communication device which is an external device of the first communication device. The second communication device for determining whether or not the first communication device is abnormal is a communication device provided in advance in the communication system. Therefore, it is possible to monitor whether or not the first communication device is abnormal with a simple configuration without increasing the number of components in the communication system.

The block diagram which shows the structure of the vehicle control system. The block diagram which shows the function of each ECU in a vehicle control system. A flowchart illustrating an information generation process. A flowchart illustrating an IT acquisition process. Explanatory drawing explaining an example of correspondence information. A flowchart illustrating the monitoring process. A flowchart illustrating a communication success / failure determination process. A flowchart illustrating an individual determination process. A flowchart illustrating an abnormality determination process. A timing chart that explains the operation. FIG. 3 is a block diagram showing a configuration of each ECU in the vehicle-mounted control system of the first modification. The block diagram which shows the structure of each ECU in the vehicle-mounted control system of the modification 2. The block diagram which shows the structure of each ECU in the vehicle-mounted control system of the modification 3.

Hereinafter, exemplary embodiments of the present disclosure will be described with reference to the drawings. The term "match" as used herein is not limited to a match in a strict sense, and may not be a strict match as long as it has the same effect.

[Embodiment]
[1. Constitution]
<Overall configuration>
First, the configuration of the vehicle-mounted control system 1 according to the present embodiment will be described with reference to FIG. The vehicle-mounted control system 1 according to the present embodiment is a system mounted on a vehicle. The in-vehicle control system 1 includes a plurality of electronic control devices (hereinafter referred to as ECUs). ECU is an abbreviation for Electronic Control Unit. The plurality of ECUs are connected to each other so as to be able to communicate with each other by the communication line 90. In addition, in FIG. 1, three ECUs are illustrated. However, the number of ECUs included in the vehicle-mounted control system 1 is not limited to this, and may be two or more.

In the present embodiment, the communication line 90 is a communication line common to a plurality of ECUs, and these plurality of ECUs are communication devices that perform communication according to a communication protocol such as CAN. CAN is an abbreviation for Controller Area Network and is a registered trademark. The present disclosure is not limited to this. The communication protocol may be a communication protocol other than CAN. Further, the communication line 90 does not have to be a communication line common to a plurality of ECUs, and the communication protocol in this case may be, for example, Ethernet or other. Ethernet is a registered trademark.

A vehicle information unit and a controlled object are connected to each of a plurality of ECUs included in the in-vehicle control system 1 by a communication line. The vehicle information unit includes various sensors that detect the state of the vehicle. The control target is a target controlled by the ECU based on the detection result by the vehicle information unit.

In the present embodiment, the vehicle-mounted control system 1 includes an engine ECU 10, a door ECU 20, and a brake ECU 30 as a plurality of ECUs.
The engine ECU 10 controls the controlled object 12 based on the detection result by the vehicle information unit 11. The vehicle information unit 11 may include, for example, a crank angle sensor for detecting a crank angle, a temperature sensor, and the like. The controlled object 12 may include, for example, an actuator for operating the fuel injection valve and the like.

The door ECU 20 controls the control target 22 based on the detection result by the vehicle information unit 21. The vehicle information unit 21 may include, for example, a touch sensor that detects a person's contact with the door. The control target 12 may include, for example, an actuator for opening and closing a door (hereinafter referred to as a door actuator).

The brake ECU 30 controls the control target 32 based on the detection result of the vehicle information unit 31. The vehicle information unit 31 may include, for example, a brake pedal sensor that detects the opening degree of the brake pedal. The control target 32 may include, for example, an actuator for driving the brake (hereinafter referred to as a brake actuator).

The first communication device referred to below is a communication device including an information generation unit (for example, an information generation unit 52) described later. On the other hand, the second communication device is a communication device including a monitoring unit (for example, monitoring unit 63) described later. In this embodiment, the engine ECU 10 corresponds to the first communication device, and the door ECU 20 corresponds to the second communication device.

<Engine ECU 10>
The engine ECU 10 as the first communication device includes a microcomputer (hereinafter, microcomputer) 101 including a semiconductor memory (hereinafter, memory) 103 such as a CPU 102, a ROM, a RAM, and a flash memory. The engine ECU 10 realizes each function as shown in FIG. 2 by executing a program stored in the non-transition tangible recording medium by the CPU 102. In the present embodiment, the memory 103 corresponds to a non-transition tangible recording medium for storing a program. In addition, by executing this program, the method corresponding to the program is executed.

As shown in FIG. 2, the engine ECU 10 has the functions of the control unit 51 and the information generation unit 52. The control unit 51 performs various controls on the engine as the control target 12 based on the detection result of the vehicle information unit 11.

The information generation unit 52 acquires at least one type of state information by executing the information generation process described later, generates the determination information, and outputs the determination information to the second communication device. The determination information is information including at least one type of acquired state information. The state information is information indicating the state of the first communication device (that is, the engine ECU 10), and is used by the second communication device to determine an abnormality of the first communication device.

The state information can be information that quantitatively represents the state of the first communication device. Quantitative expression means expression as a numerical value. Specifically, the state information may include TS, WDG output, IT, ID, interrupt occurrence count M, task omission count N, and the like, as will be described later. However, the state information is not limited to these. The state information may be various information representing the state of the first communication device. Further, the state information may be any information that represents the state of the first communication device, and may not be information that quantitatively represents the state of the first communication device.

<Door ECU 20>
The door ECU 20 as the second communication device includes a microcomputer (hereinafter, microcomputer) 201 including a semiconductor memory (hereinafter, memory) 203 such as a CPU 202, a ROM, a RAM, and a flash memory. The door ECU 20 realizes each function as shown in FIG. 2 by executing a program stored in the non-transition tangible recording medium by the CPU 202. In the present embodiment, the memory 203 corresponds to a non-transition tangible recording medium for storing a program. In addition, by executing this program, the method corresponding to the program is executed.

As shown in FIG. 2, the door ECU 20 has the functions of the control unit 61 and the monitoring unit 63. The control unit 61 performs various controls on the door actuator as the control target 22 based on the detection result of the vehicle information unit 21.

The monitoring unit 63 acquires determination information from the first communication device (that is, the engine ECU 10) by executing the monitoring process described later, and based on the above-mentioned state information included in the determination information, the first communication Judge an abnormality in the device.

<Brake ECU 30>
The brake ECU 30 includes a microcomputer (hereinafter, microcomputer) 301 including a semiconductor memory (hereinafter, memory) 303 such as a CPU 302, a ROM, a RAM, and a flash memory. The brake ECU 30 realizes each function as shown in FIG. 2 by executing a program stored in the non-transition tangible recording medium by the CPU 302. In the present embodiment, the memory 303 corresponds to a non-transition tangible recording medium for storing a program. In addition, by executing this program, the method corresponding to the program is executed.

As shown in FIG. 2, the brake ECU 30 has the function of the control unit 71. The control unit 71 performs various controls on the brake actuator as the control target 32 based on the detection result of the vehicle information unit 31.

[2. processing]
<Information generation processing>
Next, the information generation process executed by the first communication device (that is, the information generation unit 52 of the engine ECU 10) will be described with reference to the flowchart of FIG. The information generation process is repeatedly executed in a predetermined cycle by the microcomputer 101 (that is, the CPU 102) included in the first communication device. The CPU 102 acquires a plurality of types of state information in S110-S160, and generates determination information including the acquired state information in S170. The acquired state information and determination information are stored in the memory 103.

First, in S110, the CPU 102 acquires a time stamp (hereinafter, TS) as state information. The TS is information representing the time, and the TS acquired in this step represents the time when the determination information is generated. For example, the first communication device may be configured to acquire the absolute time by a process different from the information generation process, and the TS may be represented by the absolute time. However, the present disclosure is not limited to this. The TS may be any information representing time that is commonly used in the vehicle control system 1.

The CPU 102 executes the IT acquisition process in S120. The IT acquisition process is a process for determining the interval time (that is, IT). IT is an abbreviation for Interval Time. The IT is a cycle in which determination information is transmitted from the first communication device to the second communication device (that is, the door ECU 20) (that is, a transmission cycle of the determination information). In the present embodiment, the IT is a numerical value determined so that the larger the load (that is, the processing load) of the first communication device (that is, the CPU 102 of the engine ECU 10), the larger the value. The IT acquisition process will be described later.

The CPU 102 acquires an ID in S130. The ID referred to here is information for identifying the source of the determination information. The ID is represented by a predetermined number of bits. For example, in the present embodiment in which the first communication device is the engine ECU 10, the ID may be information representing the engine ECU 10 that is the source of the determination information. Further, for example, the ID may be information indicating that the first communication device to be monitored is the engine ECU 10 and the second communication device to be monitored is the door ECU 20. However, the ID is not limited to these modes, and may be set in various modes.

The CPU 102 generates a watchdog (hereinafter, WDG) output in S140. The microcomputer 101 has a WDG function, and a WDG circuit (not shown) monitors whether or not the control unit 51 of the first communication device (that is, the engine ECU 10) is operating normally based on the output of the WDG pulse. There is.

The output of the WDG pulse means whether the output is “H” or “L”, and the output pattern of the WDG pulse is predetermined. For example, in the present embodiment, a pattern in which "H" and "L" alternate, such as "H", "L", "H", and "L", is predetermined as an output pattern of the WDG pulse. There is. The output pattern of the WDG pulse is not limited to this, and can be set arbitrarily. The WDG output refers to the output of such a WDG pulse.

The WDG pulse is output every predetermined period (for example, 1 msec). For example, if the WDG output is different from the predetermined output pattern of the WDG pulse, the microcomputer 101 may be abnormal. In other words, the first communication device including the microcomputer 101 may be abnormal.

In S150, the CPU 102 acquires the number of interrupt occurrences M. The number of interrupt occurrences M means the number of times an interrupt has occurred within a predetermined time (for example, 1 msec). The interrupt means, for example, that a predetermined signal is input from a specific sensor connected to the microcomputer 101. The microcomputer 101 is configured to execute a predetermined process when this interrupt occurs.

In the present embodiment in which the engine ECU 10 is the first communication device, for example, the crank angle sensor corresponds to a specific sensor. Then, a crank angle signal indicating a predetermined crank angle corresponds to a predetermined signal. The number of interrupts that can be processed by the microcomputer 101 within a predetermined time (hereinafter, the number of interrupts at the maximum load M _max ) is predetermined. In other words, if the number of interrupts M _{exceeds the maximum} number of interrupts M max, the microcomputer 101 may be abnormal.

In S160, the CPU 102 acquires the task omission count N. The task omission number N means the number of times a task omission occurs within a predetermined time (for example, 1 msec). The number of task omissions that can be tolerated within a predetermined time in the microcomputer 101 (hereinafter, the number of task omissions at maximum load N _max ) is predetermined. In other words, if the number of task omissions N exceeds the maximum number of task omissions N _max at the time of maximum load, the microcomputer 101 may be abnormal.

The CPU 102 generates determination information in S170. The determination information includes at least one state information acquired in S110-S160. In the present embodiment, the determination information includes all the state information acquired in S110-S160.

In S180, the CPU 102 generates a communication frame including the determination information. For example, a communication frame that is a CAN communication frame and includes determination information in a data field is generated. Then, the CPU 102 outputs the generated communication frame to the communication line 90. With the above, the CPU 102 ends the information generation process.

<IT acquisition process>
Subsequently, the IT acquisition process executed by the CPU 102 in S120 of the information generation process will be described with reference to the flowchart shown in FIG.

In S210, the CPU 102 acquires the load information of the first communication device. The load information is information that quantitatively represents the magnitude of the load of the first communication device. In the present embodiment in which the first communication device is the engine ECU 10 (that is, the CPU 102), the CPU 102 acquires the engine speed as load information. The engine speed is calculated based on the detection value of the crank angle sensor provided in the vehicle information unit 11. The CPU 102 may be configured to calculate the engine speed by a process separate from the information generation process, or may be configured to acquire the engine speed from another ECU via the communication line 90. Good.

The CPU 102 acquires the correspondence information in S220. The correspondence information is information indicating the correspondence between the load information and the IT (that is, the transmission cycle of the determination information), and is stored in the memory 103 in advance. In the correspondence information, the load information and the IT are associated with each other so that the IT becomes longer as the load increases. For example, in the corresponding information of the present embodiment shown in FIG. 5, the engine speed and the IT are associated with each other so that the IT becomes longer as the engine speed increases. In the correspondence information, each of the associated ITs may be set to match the cycle obtained by multiplying the output cycle of the WDG signal.

In S230, the CPU 102 determines the IT based on the corresponding information and ends the IT acquisition process. Thereby, the IT is determined so that the load on the first communication device becomes larger.

For example, the information generation process may be started for each IT according to the load information. Then, the communication frame including the determination information is transmitted to the second communication device for each IT by the information generation process.

<Monitoring process>
The monitoring process executed by the microcomputer 201 (that is, the CPU 202) included in the door ECU 20 as the second communication device will be described with reference to the flowchart shown in FIG. The monitoring process is started when the second communication device acquires the determination information addressed to the second communication device via the communication line 90.

The CPU 202 acquires the determination information in S310.
In S320-340, the CPU 202 compares the normal information with the state information included in the determination information for each type of state information included in the determination information. The state information referred to here is information that is quantitatively expressed, and normal information is also information that is quantitatively expressed. The normal information is state information when the first communication device is normal, and a predetermined value is set for each type of state information. The normal information is stored in advance in the memory 203 of the second communication device (that is, the door ECU 20).

First, in S320, the CPU 202 executes a communication success / failure determination process described later. The state information to be compared is the TS, specifically, the time interval between the TS included in the latest determination information and the TS included in the latest past determination information.

In S330, the CPU 202 executes the individual determination process described later. The state information to be compared is WDG output, the number of interrupt occurrences M, and the number of task omissions N.
In S340, the CPU 202 executes an abnormality determination process described later. In S340, the CPU 202 determines the abnormality of the first communication device based on the result of comparison between the four types of state information and the normal information by S320-S330. In S340, a communication frame including a determination result regarding an abnormality of the first communication device is generated.

In S350, the CPU 202 transmits the communication frame generated in S340 via the communication line 90. The communication frame may include a recovery instruction described later. Further, the communication frame may include a determination result regarding an abnormality of the first communication device. Then, the CPU 202 ends the main monitoring process. The monitoring information referred to below refers to a communication frame including a recovery instruction and a determination result.

<Communication success / failure judgment processing>
Next, the communication success / failure determination process executed by the CPU 202 in the monitoring process S320 will be described with reference to the flowchart shown in FIG. 7.

In S410, the CPU 202 acquires TS and IT included in the determination information.
In S420, the CPU 202 calculates the determination information output interval P. The determination information output interval P means the time interval at which the determination information is output from the first communication device. Specifically, the determination information output interval P is calculated as the difference between the TS included in the determination information received this time and the past TS (hereinafter, PTS) included in the determination information received last time. The PTS is stored in the memory 203 as described later.

By calculating the judgment information output interval P based on the TS acquired by the first communication device in this way, the transmission cycle of the judgment information in the first communication device (regardless of the delay due to the communication line 90, etc.) That is, IT) is estimated.

In S430, the CPU 202 determines whether or not the determination information output interval P matches within a predetermined range of IT. For example, the CPU 202 determines whether or not the determination information output interval P is IT-α≤P≤IT + α. α can be set to any value to the extent that IT and P are considered to match. As described above, IT is a transmission cycle of determination information preset in the first communication device.

That is, when the determination information output interval P is within the predetermined range of IT, the CPU 202 transmits the determination information from the first communication device at the transmission cycle as set, and the first communication device transmits the determination information. It is determined that the transmission cycle of the determination information is normal. The CPU 202 shifts the process to S450 when the determination information output interval P matches within the predetermined range of IT, and shifts the process to S440 when the determination information output interval P does not match within the predetermined range of IT.

In S440, the CPU 202 counts up the first evaluation value JIC by one and shifts the processing to S440. The first evaluation value JIC is a numerical value for evaluating an abnormality of the first communication device. The first evaluation value JIC is a new first evaluation value JIC in which a predetermined additional value is added each time the state information included in the judgment information is determined to be abnormal (that is, abnormal). Is calculated as. That is, the added value is the first evaluation value JIC that has already been calculated in order to generate a new first evaluation value JIC each time the state information included in the judgment information is determined to be abnormal. It is a value to be added, for example, 1 in the present embodiment. However, the added value can be set arbitrarily.

In S450, the CPU 202 stores the TS acquired in S410 in S450 as PTS in the memory 203. The CPU 202 completes the communication success / failure determination process.
As described above, in the communication success / failure judgment process, the judgment information output interval P calculated based on the TS included in the judgment information is used as the state information, and the judgment information output interval P is compared with the IT which is the normal information. The evaluation value JIC of 1 is calculated. In other words, in the communication success / failure determination process, TS is used as state information, and the value obtained by adding IT to PTS is used as normal information. By comparing these, TS, which is state information, is normal when they match. It can be said that it is judged.

<Individual judgment processing>
Next, the individual determination process executed by the CPU 202 in the monitoring process S330 will be described with reference to the flowchart shown in FIG.

In S510, the CPU 202 acquires the WDG output, which is the state information included in the determination information.
In S520, the CPU 202 determines whether or not the WDG output is normal. The output pattern of the WDG pulse in the first communication device is stored in advance in the memory 203 of the second communication device as normal information. Further, in the memory 203, the past WDG output when the determination information is received is continuously stored every time the determination information is received.

Based on the past WDG output, the CPU 202 has an output (that is, "H" or "L") in which the newly received WDG output (that is, "H" or "L") is inferred from the pattern as normal information. ), It is determined that the WDG output is normal. The CPU 202 stores the determination result in the memory 203. In this step, a new determination result is stored in the memory 203 together with the past determination result.

The CPU 202 shifts the process to S530 when it is determined that the WDG output is not normal, and shifts the process to S540 when it is determined that the WDG output is normal.
In S530, the CPU 202 counts up the first evaluation value JIC by one and shifts the processing to S570.

In S540-560, the CPU 202 detects the normal continuous number of times for each state information. The normal continuous number of times is the number of times that the same type of state information is continuously determined to be normal. Then, when the normal continuous number of times is equal to or greater than a predetermined number of times threshold value, the CPU 202 subtracts a predetermined subtraction value from the first evaluation value JIC to calculate a new first evaluation value JIC.

This is because even if the first evaluation value JIC has been added in the past, if it is continuously determined to be normal after that, the addition of the first evaluation value JIC in the past is affected by noise and the like. This is because it is considered to be temporary and not an abnormality of the first communication device. In this embodiment, the number of times threshold is 3 and the subtraction value is 1. However, the number threshold value and the subtraction value can be set arbitrarily. The normal number of consecutive times is reset when it is determined that the state information is abnormal.

First, in S540, the CPU 202 continuously determines that the WDG output, which is the state information, is normal based on the new determination result and the past determination result stored in the memory 203 (that is, normal). It is determined whether or not (the number of consecutive times) is equal to or greater than the number threshold value. The CPU 202 counts the number of normal continuous times of WDG output. The CPU 202 shifts the process to S550 when the number of normal consecutive times is equal to or greater than the number threshold value, and shifts the process to S570 when the number of normal consecutive times is less than the number of times threshold value.

In S550, the CPU 202 determines whether or not the first evaluation value JIC is 1 or more. This step is a process for preventing the first evaluation value JIC from becoming a negative value. The CPU 202 shifts the process to S560 when the first evaluation value JIC is 1 or more, and shifts the process to S570 when the first evaluation value JIC is less than 1 (that is, 0).

In S560, the CPU 202 counts down the first evaluation value JIC by one and shifts the processing to S570.
In S570-S620, the CPU 202 makes the same determination as above for the interrupt occurrence number M which is the state information, and in S630-S680, makes the same determination as above for the task omission number N which is the state information.

That is, in S570, the CPU 202 acquires the interrupt occurrence number M, which is the state information included in the determination information.
In S580, the CPU 202 determines whether or not the interrupt occurrence number M is normal. The CPU 202 compares the number of interrupt occurrences M, which is the state information, with the maximum load interrupt count M _max , which is normal information (that is, the upper limit of the normal information), and the interrupt occurrence count M is the maximum load interrupt count M. _When it is max or less, it is determined that the interrupt occurrence count M is normal. The CPU 202 stores the determination result in the memory 203. The CPU 202 shifts the process to S590 when the number of interrupt occurrences M is not normal, and shifts the process to S600 when the number of interrupt occurrences M is normal.

In S590, the CPU 202 counts up the first evaluation value JIC by one and shifts the processing to S630.
In S600, the CPU 202 determines whether or not the normal continuous number of times is equal to or greater than the number of times threshold value based on the determination result stored in the memory 203. The normal continuous number of times referred to here is the number of times that the interrupt occurrence number M, which is the state information, is continuously determined to be normal. The CPU 202 counts the normal continuous number of interrupt occurrence times M. The CPU 202 shifts the process to S610 when the normal continuous number of interrupt occurrence times M is equal to or greater than the number threshold value, and shifts the process to S630 when the normal continuous number of times is less than the number of times threshold value.

In S610, the CPU 202 determines whether or not the first evaluation value JIC is 1 or more. The CPU 202 shifts the process to S620 when the first evaluation value JIC is 1 or more, and shifts the process to S630 when the first evaluation value JIC is less than 1.

In S620, the CPU 202 counts down the first evaluation value JIC by one and shifts the processing to S630.
In S630, the CPU 202 acquires the task omission count N, which is the state information included in the determination information.

In S640, the CPU 202 determines whether or not the task omission count N is normal. The CPU 202 compares the _{number of task omissions N, which is state information, with the number of task omissions N max} , which is normal information (that is, the upper limit of normal information) at the time of maximum load. _{When the task omission count N is equal to or less than the task omission count N max} at the maximum load, the CPU 202 determines that the task omission count N is normal. The CPU 202 stores the determination result in the memory 203. The CPU 202 shifts the process to S650 when the task omission count N is not normal, and shifts the process to S660 when the task omission count N is normal.

In S650, the CPU 202 counts up the first evaluation value JIC by one, and ends this process.
In S660, the CPU 202 determines whether or not the normal continuous number of times of task omissions N, which is the state information, is equal to or greater than the number threshold value, based on the determination result stored in the memory 203. The normal continuous number of times referred to here is the number of times that the task omission count N, which is the state information, is continuously determined to be normal. The CPU 202 counts the normal continuous number of times of task omission N. The CPU 202 shifts the process to S670 when the normal continuous number of times of task omission N is equal to or greater than the number threshold, and ends this process when the normal continuous number is less than the number threshold.

In S670, the CPU 202 determines whether or not the first evaluation value JIC is 1 or more. The CPU 202 shifts the process to S680 when the first evaluation value JIC is 1 or more, and ends this process when the first evaluation value JIC is less than 1.

In S680, the CPU 202 counts down the first evaluation value JIC by one. The CPU 202 completes this process.
<Abnormality judgment processing>
Next, the abnormality determination process executed by the CPU 202 in S340 of the monitoring process will be described with reference to the flowchart shown in FIG. The CPU 202 determines the abnormality of the first communication device based on the size of the first evaluation value JIC generated in the monitoring process S320-S330 (that is, the above-mentioned communication success / failure process and individual determination process). ..

In this abnormality determination process, when the first evaluation value JIC is equal to or higher than the predetermined evaluation threshold value, the CPU 202 adds a predetermined predetermined value to the second evaluation value ACC to obtain a new second evaluation value. Generate an evaluation value ACC. Then, the CPU 202 determines the abnormality of the first communication device based on the magnitude of the second evaluation value ACC.

The evaluation threshold is a state in which it is presumed that some abnormality has occurred in the first communication device based on the first evaluation value JIC, and a temporary abnormality has occurred in the state information due to the influence of noise or the like. It is a threshold value for distinguishing from the state presumed to be. The second evaluation value ACC is a numerical value indicating how long the state in which the first evaluation value JIC is equal to or higher than the evaluation threshold value continues, and is an abnormality presumed to occur in the first communication device. It is a numerical value for expressing the magnitude (that is, the degree of abnormality) of. It is determined that the larger the second evaluation value ACC, that is, the longer the state in which the first evaluation value JIC is equal to or higher than the evaluation threshold value, the greater the degree of abnormality of the first communication device.

First, in S710, the CPU 202 acquires the generated first evaluation value JIC.
In S720, the CPU 202 determines whether or not the first evaluation value JIC is equal to or higher than a predetermined evaluation threshold value. The evaluation threshold value is, for example, 3 in the present embodiment and is stored in advance in the memory 203. However, the evaluation threshold value can be set arbitrarily.

The CPU 202 shifts the process to S730 when it is determined that the first evaluation value JIC is equal to or higher than the evaluation threshold, and performs the process when it is determined that the first evaluation value JIC is less than the evaluation threshold. Move to S740.

In S730, the CPU 202 counts up the second evaluation value ACC by one and shifts the processing to S740.
In S740, the CPU 202 determines whether or not the second evaluation value ACC is equal to or greater than the first abnormality threshold value. Here, when the second evaluation value ACC is less than the first abnormal threshold value, the CPU 202 determines that the first communication device is normal, and shifts the process to S750. On the other hand, when the second evaluation value ACC is equal to or higher than the first abnormality threshold value, the CPU 202 determines that some abnormality has occurred in the first communication device, and shifts the process to S770.

The first abnormality threshold is a state in which the first communication device is presumed to be normal based on the second evaluation value ACC, and it is presumed that some abnormality has occurred in the first communication device. It is a threshold value for distinguishing between a state and a state. For example, in the present embodiment, the first abnormality threshold value is 1, which is stored in the memory 203 in advance. However, the first abnormality threshold value can be set arbitrarily.

The CPU 202 sets a recovery instruction in S750 in which the first communication device is determined to be normal and the transition is made. The recovery instruction is an instruction for recovering an abnormality of the first communication device, and is an instruction transmitted from the second communication device to the first communication device. In this step, since it is determined that the first communication device is normal, the CPU 202 sets the recovery instruction to "no instruction". Setting "no instruction" is equivalent to not giving a recovery instruction.

In S760, the CPU 202 generates a communication frame whose transmission destination is the first communication device. The communication frame includes the recovery instruction set in S750 and the determination result that the first communication device is determined to be normal. Then, the CPU 202 ends the present abnormality determination process.

In S770-S830, which shifts when the second evaluation value ACC is equal to or greater than the first abnormality threshold value, the CPU 202 determines the degree of abnormality of the first communication device according to the magnitude of the second evaluation value ACC. Judgment is made, and a recovery instruction for recovering the abnormality of the first communication device is determined.

First, in S770, the CPU 202 determines whether or not the second evaluation value ACC is equal to or greater than the first abnormal threshold value and less than or equal to the second abnormal threshold value. Here, when the second evaluation value ACC is the first abnormal threshold value abnormality and less than the second abnormal threshold value, the CPU 202 determines that the first communication device is a minor abnormality, and performs the process S780. Move to. On the other hand, when the second evaluation value ACC is equal to or higher than the second abnormality threshold value, the CPU 202 determines that a serious abnormality has occurred in the first communication device, and shifts the process to S800. ..

The second abnormality threshold is for distinguishing between a state in which a minor abnormality has occurred and a state in which a severe abnormality has occurred in the first communication device based on the second evaluation value ACC. It is a threshold. That is, the second abnormality threshold value is a numerical value for estimating the degree of abnormality of the first communication device. For example, in the present embodiment, the second abnormality threshold value is 3, which is stored in the memory 203 in advance. However, the second abnormality threshold value can be set arbitrarily.

The CPU 202 sets a recovery instruction in S770 in which the first communication device is determined to have a slight abnormality and shifts. In this step, the refresh instruction is set as the recovery instruction. The refresh instruction is an instruction for refreshing the microcomputer 101 of the first communication device (that is, the engine ECU 10).

In S790, the CPU 202 generates a communication frame whose transmission destination is the first communication device. The communication frame includes the recovery instruction set in S780. Further, the communication frame includes a determination result in which the first communication device is determined to have a slight abnormality. Then, the CPU 202 ends the present abnormality determination process.

The CPU 202 sets a recovery instruction in S800 in which the first communication device is determined to be a serious abnormality and shifts. In this step, the reset instruction is set as the recovery instruction. The reset instruction is an instruction for resetting the microcomputer 101 of the first communication device (that is, the engine ECU 10).

In S810, the CPU 202 generates a communication frame whose transmission destination is the first communication device. The communication frame includes a recovery instruction set in S800. In addition, the communication frame includes a determination result in which the first communication device is determined to be a serious abnormality.

The CPU 202 initializes the second evaluation value ACC in S820. That is, the second evaluation value ACC is set to 0.
In S830, the CPU 202 initializes the first evaluation value JIC. That is, the first evaluation value JIC is set to 0. Then, the CPU 202 ends the present abnormality determination process.

<Operation>
The operation of the vehicle-mounted control system 1 configured as described above will be described with reference to FIG. In FIG. 10, it is assumed that IT is set to 1 msec. Further, FIG. 10 shows an example in which the determination information is received in the second communication device at a normal cycle (that is, coincides with IT).

At time t ₀ , the first evaluation value JIC and the second evaluation value ACC are 0.
At time t ₁ , the WDG output as state information is "H", which is normal. _{The number of interrupt occurrences M is less than the maximum} number of interrupts M max at the time of maximum load, which is the upper limit of the normal value, and is normal. _{The number of task omissions N exceeds the maximum} number of task omissions N max at the time of maximum load, which is the upper limit of the normal value, and the number of task omissions N is determined to be abnormal. 1) Add to 1 to get 1. The second evaluation value ACC is 0.

At time t ₂ , the WDG output as state information is “L”, which is normal. Since the number of interrupt occurrences M _{exceeds M max} and the number of interrupt occurrences M is determined to be abnormal, the first evaluation value JIC is incremented by 1 to become 2. The number of task omissions N is _{less than N max,} which is normal. The second evaluation value ACC is 0.

At time t _3, WDG output as the state information is normal in "H". The number of interrupt occurrences M is _{less than M max} and is normal. The number of task omissions N is _{less than N max,} which is normal. Here, since it is determined that the WDG output is continuously normal for the number of times threshold value or more, the first evaluation value JIC is subtracted by a subtraction value (that is, 1) to become 1. The second evaluation value ACC is 0.

At time t ₄ , the WDG output as the state information is "H", which is abnormal, and the first evaluation value JIC is added by 1 to become 2. The number of interrupt occurrences M is _{less than M max} and is normal. Since the number of task omissions N _{exceeds N max} and is determined to be abnormal, the first evaluation value JIC is incremented by 1 to become 3. Then, since the first evaluation value JIC is equal to or higher than the evaluation threshold value (that is, 3), the second evaluation value ACC is added by a predetermined value (that is, 1) to become 1. The second evaluation value ACC is 1 or more, which is the first abnormal threshold value, and less than 3, which is the second abnormal threshold value.

As a result, the second communication device (that is, the door ECU 20) determines that the first communication device (that is, the engine ECU 10) is in a state in which a slight abnormality has occurred. The second communication device uses the refresh instruction as a recovery instruction, and transmits a communication frame including the recovery instruction and the determination result to the first communication device. As a result, the first communication device is refreshed.

At time t ₅ , the WDG output as state information is abnormal at “L”, and the first evaluation value JIC is incremented by 1 to become 4. The number of interrupt occurrences M is _{less than M max,} which is normal. Here, since the number of interrupt occurrences M is continuously determined to be normal for the number of times threshold value (that is, 3) or more, the first evaluation value JIC is subtracted by 1 to become 3. The number of task omissions N is _{less than N max,} which is normal. Then, since the first evaluation value JIC is equal to or higher than the evaluation threshold value (that is, 3), the second evaluation value ACC is added by 1 to become 2. The second evaluation value ACC is 1 or more, which is the first abnormal threshold value, and less than 3, which is the second abnormal threshold value.

As a result, the second communication device (that is, the door ECU 20) determines that the first communication device (that is, the engine ECU 10) is in a state in which a slight abnormality has occurred. The second communication device uses the refresh instruction as a recovery instruction, and transmits a communication frame including the recovery instruction and the determination result to the first communication device. As a result, the first communication device is refreshed.

At time t ₆ , the WDG output as state information is "L", which is normal. The number of interrupt occurrences M _{exceeds M max} and is determined to be abnormal, and the first evaluation value JIC is incremented by 1 to become 4. The number of task omissions N is _{less than N max,} which is normal. Then, since the first evaluation value JIC is equal to or higher than the evaluation threshold value (that is, 3), the second evaluation value ACC is added by 1 to become 3. The second evaluation value ACC is 3 or more, which is the second abnormal threshold value.

As a result, the second communication device (that is, the door ECU 20) determines that the first communication device (that is, the engine ECU 10) is in a state in which a serious abnormality has occurred. The second communication device uses the reset instruction as a recovery instruction, and transmits a communication frame including the recovery instruction and the determination result to the first communication device. As a result, the first communication device is reset. Then, the first evaluation value JIC and the second evaluation value ACC are initialized.

[3. effect]
According to the embodiment described in detail above, the following effects are obtained.
(1) The information generation unit 52 included in the engine ECU 10 as the first communication device acquires at least one type of state information, in S170, the determination information including the acquired state information is generated, and in S180, it is generated. The determination information is output to the second communication device. The monitoring unit 63 included in the door ECU 20 as the second communication device compares the state information included in the determination information with the normal information which is the state information when the first communication device is normal, and performs the first communication. Judge an abnormality in the device.

As a result, the first communication device determines the abnormality of the first communication device by communicating with the second communication device which is an external device of the first communication device. The second communication device for determining whether or not the first communication device is abnormal is not a newly provided control device, but an ECU provided in advance in the vehicle-mounted control system 1. That is, it is possible to monitor whether or not the first communication device is abnormal with a simple configuration without increasing the number of components in the in-vehicle control system 1.

(2) In S320-S330, the monitoring unit 63 compares the normal information and the state information for each type of state information included in the determination information, and in S340, determines an abnormality of the first communication device. In this embodiment, a plurality of types of state information are used. Therefore, the accuracy of determining the abnormality of the first communication device can be improved as compared with the case of using one state information.

Further, the state information is quantitatively represented, the normal information is quantitatively represented, and the monitoring unit 63 detects an abnormality in the first communication device by comparing the quantitatively represented status information with the normal information. You may judge. Since the determination is made based on the comparison between the state information as a numerical value and the normal information as a numerical value, the threshold value for determination is clarified, and the accuracy of determining the abnormality of the first communication device can be improved.

(3) In S440, S530, S590, and S650, the monitoring unit 63 adds a predetermined addition value to the first evaluation value JIC every time it is determined that the state information included in the determination information is abnormal. Then, a new first evaluation value JIC is generated. The monitoring unit 63 determines the abnormality of the first communication device based on the size of the first evaluation value JIC.

As a result, even if any one of the plurality of state information temporarily indicates an inaccurate state, the first state information is based on the first evaluation value JIC, which is the number of cases where the state information is determined to be abnormal. The abnormality of the communication device is determined. Therefore, the temporary influence of noise and the like can be suppressed, and the accuracy and reliability of determining the abnormality of the first communication device can be improved.

(4) In S440, S530, S590, and S650, the monitoring unit 63 newly determines that the same type of state information is normal when the number of consecutive normal times determined to be normal is equal to or greater than a predetermined number threshold value. First evaluation value JIC is generated. Here, a predetermined subtraction value is subtracted from the above-mentioned first evaluation value JIC, and a new first evaluation value JIC is generated. As a result, the temporary influence of noise and the like can be suppressed, and the accuracy and reliability of determining the abnormality of the first communication device can be improved.

(5) In S730, when the monitoring unit 63 determines in S720 that the first evaluation value JIC is equal to or higher than the evaluation threshold value, the monitoring unit 63 adds a predetermined value predetermined to the second evaluation value ACC. Generate a new second evaluation value ACC. In S740, the monitoring unit 63 determines that the first communication device is abnormal when the second evaluation value is equal to or higher than the first abnormality threshold value.

That is, the monitoring unit 63 states that some abnormality has occurred in the first communication device when the state in which the first evaluation value JIC is determined to be equal to or higher than the evaluation threshold value is continuous for at least the first abnormality threshold value. judge. Therefore, the temporary influence of noise and the like can be further suppressed, and the accuracy and reliability of determining the abnormality of the first communication device can be further improved.

(6) In S780 and S800, when the second evaluation value ACC is equal to or higher than the first abnormality threshold value, the monitoring unit 63 receives the first communication according to the magnitude of the second evaluation value ACC. Determine recovery instructions to recover from device anomalies. Thereby, the recovery instruction can be determined according to the degree of continuation of the abnormality. The recovery instruction may be a refresh instruction to the first communication device, or may be a reset instruction to the first communication device if the abnormality continues.

(7) The determination information generated by the information generation unit 52 includes time information (that is, TS). TS represents the time when the judgment information was generated. As a result, the second communication device, which is an external device of the first communication device, sets the determination information output interval P based on the TS acquired by the first communication device regardless of the delay due to the communication line 90 or the like. Can be calculated. That is, the second communication device can accurately estimate the transmission cycle (that is, IT) of the determination information in the first communication device regardless of the delay due to the communication line 90 or the like.

(8) The determination information generated by the information generation unit 52 includes the transmission cycle (that is, IT) of the determination information as the state information. Thereby, it is possible to compare the determination information output interval P based on the TS specified in the second communication device with the IT which is the transmission cycle preset in the first communication device.

(9) The monitoring unit 63 compares the judgment information output interval P calculated based on the TS included in the judgment information with the IT included in the judgment information, and determines an abnormality of the first communication device. As a result, for example, when the determination information output interval P and IT match, it is determined that the first communication device is normal, and when they do not match, it is determined that an abnormality has occurred in the first communication device. Is possible.

Further, even if the IT is changed in the first communication device, the second communication device can recognize the latest IT in the first communication device by the IT included in the received determination information. That is, in the second communication device, even if the judgment information output interval P does not match the IT before the change, if the judgment information output interval P matches the changed IT included in the newly received judgment information, , It can be determined that the determination information output interval P is normal.

That is, the second communication device can distinguish whether the change in the determination information output interval P is an intentional change by the first communication device or a change due to an abnormality in the first communication device. Therefore, it is possible to accurately determine the abnormality of the first communication device.

(10) In S320, the information generation unit 52 determines the transmission cycle (that is, IT) of the determination information based on the load information that quantitatively indicates the magnitude of the load of the first communication device. The information generation unit 52 determines that the transmission cycle of the determination information becomes longer as the load on the first communication device increases. The load information is, for example, the engine speed in the above-described embodiment in which the first communication device is the engine ECU 10.

The information generation unit 52 may acquire the correspondence information corresponding to the engine speed and the IT, specify the IT corresponding to the engine speed based on the correspondence information, and transmit the determination information by the specified IT. .. Correspondence information is predetermined information that associates load information with IT according to the magnitude of load information, and is information that is associated so that the higher the load, the longer the IT.

As a result, in the engine ECU 10 which is the first communication device, IT is set to a large value when the load is large. Therefore, the engine ECU 10 can spend the processing capacity of the engine ECU 10 other than transmitting the determination information. That is, the processing capacity of the first communication device can be efficiently used.

In the above-described embodiment, the in-vehicle control system 1 corresponds to a communication system, the engine ECU 10 and the door ECU 20 correspond to a plurality of communication devices, the engine ECU 10 corresponds to the first communication device, and the door ECU 20 corresponds to the second communication device. Corresponds to the communication device of. Further, the monitoring unit 63 corresponds to a determination execution unit, a type-specific determination unit, and an addition unit. S340 corresponds to the processing as the determination execution unit, S430, S520, S580, and S640 correspond to the processing as the type-specific determination unit, and S440, S530, S590, and S650 correspond to the processing as the addition unit. The determination information output interval P corresponds to the determination information transmission interval, TS corresponds to the time information, and IT corresponds to the determination information transmission cycle determined by the first communication device.

[4. Modification example]
A modified example of the in-vehicle control system 1 is shown below.
<Modification example 1>
In the vehicle-mounted control system 1, the engine ECU 10 was the first communication device, and the door ECU 20 was the second communication device. On the other hand, in the vehicle-mounted control system 2 of the modification 1 shown in FIG. 11, the engine ECU 10 may be the first communication device, and both the engine ECU 10 and the brake ECU 30 may be the second communication device.

That is, the engine ECU 10 includes a control unit 51 and an information generation unit 52, as in the above-described embodiment. The information generation unit 52 executes the information generation process and transmits the determination information to both the door ECU 20 and the brake ECU 30 as the second communication device. The door ECU 20 as the second communication device includes a control unit 61 and a monitoring unit 63, as in the above-described embodiment. The brake ECU 30 as another second communication device includes a control unit 71 and a monitoring unit 73. The monitoring unit 73 is configured in the same manner as the monitoring unit 63.

Thereby, the presence or absence of abnormality of the engine ECU 10 as the first communication device can be monitored by the plurality of second communication devices (that is, the door ECU 20 and the brake ECU 30). That is, the in-vehicle control system 2 can be provided with a redundant configuration for obtaining an abnormality determination result and a recovery instruction (that is, monitoring information) for the engine ECU 10 as the first communication device.

Here, the door ECU 20 and the brake ECU 30 as the plurality of second communication devices may be configured to execute the monitoring process each time the determination information is received. The engine ECU 10 receives monitoring information from both the door ECU 20 and the brake ECU 30, and operates according to the recovery instruction assuming that the determination result is true only when the determination results included in both monitoring information match. It may be configured in. As a result, it is suppressed that the engine ECU 10 operates according to the recovery instruction accompanying the erroneous determination by the door ECU 20 or the brake ECU 30.

The door ECU 20 and the brake ECU 30 as the plurality of second communication devices may be configured to alternately execute the monitoring process at a predetermined cycle (for example, every 100 msec). Thereby, the processing load of the door ECU 20 and the brake ECU 30 can be reduced. Further, if one of the door ECU 20 and the brake ECU 30 fails, the determination of the abnormality of the engine ECU 10 can be continued.

<Modification 2>
In the vehicle-mounted control system 3 of the second modification shown in FIG. 12, the engine ECU 10 is the first communication device, and the door ECU 20 is the second communication device for the engine ECU 10. Further, the door ECU 20 is the first communication device, and the engine ECU 10 is the second communication device for the door ECU 20.

That is, the engine ECU 10 further includes a monitoring unit 53 in addition to the control unit 51 and the information generation unit 52. The monitoring unit 53 is configured in the same manner as the monitoring unit 63. However, the monitoring unit 53 executes the monitoring process and determines the abnormality of the door ECU 20 as the first communication device based on the determination information transmitted from the door ECU 20 as the first communication device.

Further, the door ECU 20 further includes an information generation unit 62 in addition to the control unit 61 and the monitoring unit 63. The information generation unit 62 is configured in the same manner as the information generation unit 52. However, the information generation unit 62 executes the information generation process and transmits the determination information to the engine ECU 10.

As a result, in the vehicle-mounted control system 3, in addition to determining the abnormality of the engine ECU 10 by the door ECU 20, the abnormality of the door ECU 20 can be determined by the engine ECU 10. That is, they can monitor each other.

Specifically, the engine ECU 10 or the door ECU 20 can compare the diagnosis result of the abnormality by the own device (for example, the diagnosis result based on the WDG pulse) with the determination result of the own device included in the monitoring information. Become. Here, for example, when the diagnosis result of the abnormality by the own device and the determination result of the own device included in the monitoring information are different, the own device and the second communication device when the own device is used as the first communication device. It is possible to detect that one of the microcomputers may have an abnormality.

<Modification example 3>
In the vehicle-mounted control system 4 of the third modification shown in FIG. 13, the engine ECU 10 is the first communication device, and the door ECU 20 is the second communication device. Further, the door ECU 20 is a first communication device, and the brake ECU 30 is a second communication device.

That is, the door ECU 20 further includes an information generation unit 62 in addition to the control unit 61 and the monitoring unit 63. The information generation unit 62 is configured in the same manner as the information generation unit 52. However, the information generation unit 62 executes the information generation process and transmits the determination information to the brake ECU 30.

Further, the brake ECU 30 further includes a monitoring unit 73 in addition to the control unit 71. The monitoring unit 73 is configured in the same manner as the monitoring unit 63. However, the monitoring unit 73 executes the monitoring process and determines the abnormality of the door ECU 20 as the first communication device based on the determination information transmitted from the door ECU 20 as the first communication device.

As a result, in the vehicle-mounted control system 4, in addition to determining the abnormality of the engine ECU 10 by the door ECU 20, the abnormality of the door ECU 20 can be determined by the brake ECU 30. Further, the in-vehicle control system 4 includes a brake ECU 30 for monitoring an abnormality of the door ECU 20 for monitoring an abnormality of the engine ECU 10. By this. When the door ECU 20 is determined to be normal by the brake ECU 30, it can be guaranteed that the abnormality determination result of the engine ECU 10 by the door ECU 20 is normal.

Further, it is also possible to have the brake ECU 30 monitored by another ECU (not shown).
[5. Other embodiments]
Although the embodiments of the present disclosure have been described above, the present disclosure is not limited to the above-described embodiments, and can be implemented in various modifications.

(1) In the above embodiment, the monitoring unit 63 determines whether or not the state information is normal for each of a plurality of types of state information, and if it is abnormal, the first evaluation value JIC is added, and further. Using the second evaluation value ACC based on the first evaluation value JIC, it was determined that the first communication device is abnormal. However, the present disclosure is not limited to this.

For example, the monitoring unit 63 may be configured to determine that the first communication device is abnormal when it is determined that at least one type of state information to be acquired is abnormal. .. Alternatively, the monitoring unit 63 may be configured to determine that the first communication device is abnormal when it is determined that all the state information among the plurality of acquired state information is abnormal.

(2) In the above-described embodiment, the monitoring unit 63 detects the number of normal consecutive times determined to be normal for the same type of state information, and when the number of normal continuous times is equal to or greater than the number threshold value, the first A new first evaluation value JIC was generated by subtracting the subtraction value from the evaluation value JIC of 1. However, the present disclosure is not limited to this. For example, when a predetermined number (for example, 3) or more of the state information among the plurality of state information is normal, the monitoring unit 63 subtracts the subtraction value from the first evaluation value JIC to perform a new first evaluation. It may be configured to generate a value JIC. For example, in FIG. 8, when all three state information such as WDG output, interrupt occurrence count M, and task omission count N are normal, after S650 and after S680, from the first evaluation value JIC. A process of subtracting the subtracted value may be added. As a result, the temporary influence of noise and the like can be further suppressed.

(3) The engine ECU 10, the door ECU 20, and the door ECU 20 described in the present disclosure are provided by configuring a processor and a memory programmed to execute one or a plurality of functions embodied by a computer program. It may be realized by a dedicated computer. Alternatively, the engine ECU 10, the door ECU 20, the door ECU 20, and the method thereof described in the present disclosure may be realized by a dedicated computer provided by configuring a processor with one or more dedicated hardware logic circuits. Alternatively, the engine ECU 10, the door ECU 20, the door ECU 20, and the method thereof described in the present disclosure are composed of a processor and a memory programmed to execute one or a plurality of functions and one or more hardware logic circuits. It may be realized by one or more dedicated computers configured in combination with a processor. The computer program may also be stored on a computer-readable non-transitional tangible recording medium as an instruction executed by the computer. The method of realizing the functions of each part included in the engine ECU 10, the door ECU 20, and the door ECU 20 does not necessarily include software, and all the functions are realized by using one or more hardware. You may.

(4) A plurality of functions possessed by one component in the above embodiment may be realized by a plurality of components, or one function possessed by one component may be realized by a plurality of components. .. Further, a plurality of functions possessed by the plurality of components may be realized by one component, or one function realized by the plurality of components may be realized by one component. Further, a part of the configuration of the above embodiment may be omitted. In addition, at least a part of the configuration of the above embodiment may be added or replaced with the configuration of the other above embodiment.

(5) In addition to the above-mentioned engine ECU 10, door ECU 20, door ECU 20, in-vehicle control system 1-4, microcomputer 101, 201, 301, CPU 102, 202, 302, the engine ECU 10, the door ECU 20, and the door ECU 20 for functioning. The present disclosure can also be realized in various forms such as a program, a non-transitional tangible recording medium such as a semiconductor memory in which this program is recorded, and a monitoring method.

1 In-vehicle control system, 10 engine ECU, 20 door ECU, 101 microcomputer, 201 microcomputer.

Claims (10)

A communication system (1) mounted on a vehicle.
The communication system includes a plurality of communication devices (10, 20) that are communicably connected to each other by a communication line, and the plurality of communication devices include a first communication device (10) and a second communication device (20). ) And
The first communication device is
It is configured to acquire at least one type of state information indicating the state of the first communication device, generate determination information including the acquired state information, and output the determination information to the second communication device. Information generation unit (52)
With
The second communication device is
The determination information is acquired, and the predetermined normal information when the first communication device is normal, which is the state information, is compared with the state information included in the determination information, and the first state information is compared. Monitoring unit (63) configured to determine an abnormality in a communication device
Communication system including. The communication system according to claim 1.
In the second communication device,
The monitoring unit is a communication system that determines an abnormality of the first communication device by comparing the normal information with the state information for each type of the state information included in the determination information. Claim The communication system according to claim 1 or 2.
The monitoring unit
Upon receiving the determination information, the normal information and the state information are compared for each type of the state information included in the determination information, and whether or not the state information included in the determination information is abnormal. (S430, S520, S580, S640) and a type-specific determination unit (S430, S520, S580, S640) configured to determine
Each time the type-specific determination unit determines that the state information included in the determination information is abnormal, the first evaluation value, which is a numerical value for evaluating the abnormality of the first communication device, is set in advance. An addition unit (S440, S530, S590, S650) configured to add a predetermined addition value to generate a new first evaluation value, and
A determination execution unit (S340) configured to determine an abnormality of the first communication device based on the magnitude of the first evaluation value generated by the addition unit.
Communication system including. The communication system according to claim 3.
The addition unit detects the number of normal consecutive times that the same type of state information is continuously determined to be normal by the type-specific determination unit, and the number of normal continuous times is equal to or greater than a predetermined number of times threshold value. A communication system that generates a new first evaluation value by subtracting a predetermined subtraction value from the first evaluation value. The communication system according to claim 3 or 4.
The determination execution unit acquires the first evaluation value generated by the addition unit, determines whether or not the first evaluation value is equal to or higher than a predetermined evaluation threshold value, and determines whether or not the first evaluation value is equal to or higher than a predetermined evaluation threshold value. When it is determined that the evaluation value is equal to or higher than the evaluation threshold value, a predetermined predetermined value is added to the second evaluation value, which is a numerical value for expressing the magnitude of the abnormality of the first communication device. A communication system that generates a new second evaluation value and determines that the first communication device is abnormal when the second evaluation value is equal to or higher than a predetermined first abnormality threshold value. The communication system according to claim 5.
When the second evaluation value is equal to or higher than the first abnormality threshold value, the determination execution unit recovers the abnormality of the first communication device according to the magnitude of the second evaluation value. A communication system that determines a recovery instruction and transmits the determined recovery instruction to the first communication device. The communication system according to any one of claims 1 to 6.
In the first communication device,
The information generation unit is a communication system that generates the determination information including the time information representing the time when the determination information is generated. The communication system according to claim 7.
In the first communication device,
The information generation unit is a communication system that outputs the determination information including the transmission cycle of the determination information as the state information in the transmission cycle. The communication system according to claim 8.
In the second communication device,
The monitoring unit
The transmission cycle included in the determination information is defined as the normal information, and the transmission interval of the determination information calculated based on the time information included in the two determination information continuously transmitted from the first communication device. Is the state information, the normal information is compared with the state information, and an abnormality of the first communication device is determined based on whether or not the normal information and the state information match. The communication system according to claim 8 or 9.
The information generation unit is a communication system that determines the transmission cycle of the determination information to be longer as the load is larger, based on the load information that quantitatively indicates the magnitude of the load of the first communication device.

Images