JP5633501B2 - Control apparatus and control method - Google Patents

Description

  The present invention relates to a control device mounted on a service robot, transportation equipment, and the like for ensuring functional safety, and more particularly to a control device using a computer system.

  Service robots must ensure functional safety by constantly monitoring the safety state with external sensors and self-diagnosis devices and executing appropriate safety control logic when any danger is detected.

  In addition to the service robots described above, IEC 61508 has been established as an international standard for functional safety for systems that operate on electrical principles such as transportation equipment. In IEC 61508, a system provided for ensuring functional safety is called a safety-related system. IEC 61508 defines various techniques for constructing a safety-related system using hardware such as a microprocessor and a PLC (Programmable Logic Controller) and a computer program (software). By using the technique defined in IEC 61508, it is possible to construct a safety-related system using a computer system.

  On the other hand, in recent years, the processing capability of programmable electronic devices such as microprocessors has improved. For this reason, a multi-task OS (Operating System) is used, and various application programs are executed in parallel on one computer system, thereby integrating multiple-use computer systems installed in service robots and automobiles. can do.

  For example, Patent Literature 1 discloses a technique for causing an application program (hereinafter referred to as a safety-related application) related to ensuring functional safety to operate on one computer system together with other application programs (hereinafter referred to as a non-safety-related application). Has been.

  When the technique defined in IEC 61508 is applied to the entire software including safety-related applications and non-safety-related applications, it is necessary to apply even to non-safety-related applications. For this reason, there is a problem that the software development cost increases.

  Therefore, in the technique disclosed in Patent Document 1, safety-related applications (safety monitoring program and safety control program) are made independent from non-safety-related applications (normal control program) by time partitioning of the system program. For this reason, the normal control program can be excluded from the safety-related system, which can contribute to the cost reduction of the safety-related system configured using the computer system.

JP 2010-271759 A

  However, the safety control device exemplified in Patent Document 1 has the following problems. The problem will be described below with reference to FIGS.

  In the functional safety standard IEC61508, an ECU (Electronic Control Unit) such as a service robot is required to monitor whether processing can be executed correctly within the scheduled time by the sequence monitor function. Yes.

  For example, in the control of a service robot or the like, there is a process that needs to be repeatedly executed at a constant cycle as illustrated in FIG. As such processing, there are processing for controlling an actuator of a service robot, processing for acquiring information from a sensor of the service robot, and monitoring the state of the service robot by confirming the acquired information. Here, in FIG. 22 and FIG. 23, “Partition 1” and “Partition 2” indicate time partitions, and “Task” indicates a task executed in Partition 1. The task executes a process that needs to be repeatedly executed at a constant cycle. In FIG. 22, the task is executed at a constant cycle by executing the task in Partition 1 that is active at a constant cycle. By doing in this way, for example, since control of the controlled object according to the monitoring result can be performed periodically, it becomes possible to perform more stable control of the controlled object.

  However, in the case illustrated in FIG. 22, in order to execute the task at a constant cycle, it is necessary to finish the task execution at every constant cycle. For example, as shown in FIG. 23, if the task has not finished executing within the time of Partition 1, the task will be interrupted at the end of the previous Partition 1 time when Partition 1 becomes active next time. The execution will continue from where it was done. That is, in this case, the task cannot be re-executed from the next time Partition 1 becomes active, and the task cannot be executed at a constant cycle. Therefore, in order to ensure that the task can be executed at a constant cycle, it is necessary to be able to monitor whether or not the task can be completed within the time partition.

  The present invention has been made based on the above-described knowledge, and provides a control device and a control method capable of monitoring whether or not the task can be completed within the time partition time. The purpose is to do.

  The control device according to the first aspect of the present invention provides the control-related according to scheduling information indicating scheduling contents of a plurality of time partitions including a control-related time partition in which a control-related task for performing processing related to control of a control target is executed. Scheduling means for scheduling and executing a task, and a storage unit for storing execution end information indicating execution end or non-execution end of the control related task, and the system program relates to the control related time partition The execution end information is updated to non-execution at the time partition switching, and the execution end information is updated to execution end at the end of execution of the control-related task, and the system program relates to the control-related time partition. And it detects the case where the execution end information indicates the execution unfinished before updating the execution end information at the time of switching the im partitions run unfinished.

  The control method according to the second aspect of the present invention provides the control-related according to scheduling information indicating scheduling contents of a plurality of time partitions including a control-related time partition in which a control-related task that performs a process related to control of a control target is executed. A control method for scheduling and executing a task by a processor, wherein the processor executes execution end information indicating execution end or non-execution end of the control related task when switching the time partition related to the control related time partition Updating to non-finished, the processor updating the execution end information to end of execution at the end of execution of the control-related task, and the processor to the time partition related to the control-related time partition. The execution end information at the time of switching the emissions before updating to perform non-completion of the control-related tasks, in which a step of detecting if the execution end information indicates the execution unfinished.

  According to each aspect of the present invention described above, it is possible to provide a control device and a control method capable of monitoring whether or not the task can be completed within the time partition.

It is a block diagram which shows the structural example of the safety control apparatus concerning Embodiment 1 of invention. It is a figure for demonstrating the concept of the time partitioning in Embodiment 1 of invention. It is a conceptual diagram for demonstrating the concept of the resource partitioning in Embodiment 1 of invention. It is a figure which shows the relationship between the partition scheduler and task in Embodiment 1 of invention. It is a figure which shows the specific example of a scheduling pattern. It is a figure which shows the specific example of a scheduling pattern. It is a flowchart which shows the specific example of the process sequence of the partition scheduler concerning Embodiment 1 of invention. It is a flowchart which shows the specific example of the process sequence of API function wai_psw concerning Embodiment 1 of invention. In Embodiment 1 of this invention, it is a figure which shows the specific example of the execution condition of a task when execution of a task is completed within the time of TP. In Embodiment 1 of invention, it is a figure which shows the specific example of the execution condition of a task in case the execution of a task is not completed within the time of TP. It is a figure which shows the relationship between the partition scheduler and task in Embodiment 2 of invention. It is a flowchart which shows the specific example of the process sequence of the partition scheduler concerning Embodiment 2 of invention. It is a flowchart which shows the specific example of the process sequence of API function wai_psw concerning Embodiment 2 of invention. In Embodiment 2 of invention, it is a figure which shows the specific example of the execution condition of a task in case the execution of a task is completed within the time of TP. In Embodiment 2 of invention, it is a figure which shows the specific example of the execution condition of a task when a task does not complete | finish within the time of TP. It is a figure which shows the relationship between the partition scheduler and task in Embodiment 3 of invention. It is a flowchart which shows the specific example of the process sequence of the partition scheduler concerning Embodiment 3 of invention. It is a flowchart which shows the specific example of the process sequence of API function wai_psw concerning Embodiment 3 of invention. In Embodiment 3 of invention, it is a figure which shows the specific example of the execution condition of a task when execution of a task is completed within the time of TP. In Embodiment 3 of invention, it is a figure which shows the specific example of the execution condition of a task when execution of a task is completed within the time of TP. It is a figure which shows the relationship between the partition scheduler concerning other embodiment, and a task. It is a figure which shows the relationship between the partition scheduler concerning other embodiment, and a task. It is a figure for demonstrating a subject. It is a figure for demonstrating a subject.

  Hereinafter, specific embodiments to which the present invention is applied will be described in detail with reference to the drawings. In the drawings, the same elements are denoted by the same reference numerals, and redundant description is omitted as necessary for the sake of clarity.

<Embodiment 1 of the Invention>
The safety control device 1 according to the present embodiment is mounted on a service robot, a transportation device, or the like, and executes safety control for ensuring functional safety. The safety control device 1 is configured to execute a safety-related application and a non-safety-related application on the same computer system. FIG. 1 is a block diagram illustrating a configuration example of the safety control device 1 according to the present embodiment.

  The processor 10 performs calculation processing according to acquisition of a program (instruction stream), instruction decoding, and instruction decoding result. Although only one processor 10 is shown in FIG. 1, the safety control device 1 may have a multiprocessor configuration having a plurality of processors 10. The processor 10 may be a multi-core processor. The processor 10 provides a multiprogramming environment by executing an operating system (OS) 100 as a system program. A multi-programming environment is an environment in which multiple programs are executed in parallel by periodically switching and executing multiple programs, or by switching the programs to be executed in response to the occurrence of a certain event. means.

  Multiprogramming is sometimes called multiprocess, multithread, multitask, and the like. A process, a thread, and a task mean a program unit that is executed in parallel in a multiprogramming environment. The multi-programming environment included in the processor 10 of the present embodiment may be a multi-process environment or a multi-thread environment.

  The execution memory 11 is a memory used for program execution by the processor 10. The execution memory 11 stores programs (such as the OS 100 and applications 101 to 103) loaded from the nonvolatile memory 13, input / output data of the processor 10, and the like. The processor 10 may directly execute these programs from the nonvolatile memory 13 without loading the programs from the nonvolatile memory 13 to the execution memory 11.

  Specifically, the execution memory 11 may be a random accessible volatile memory such as SRAM (Static Random Access Memory) or DRAM (Dynamic Random Access Memory). The execution memory 11 in FIG. 1 represents a logical unit. That is, the execution memory 11 may be, for example, a combination of a plurality of SRAM devices, a combination of a plurality of DRAM devices, or a combination of an SRAM device and a DRAM device.

  The I / O port 12 is used for data transmission / reception with an external device. For example, when the safety control device 1 is mounted on a service robot, the external device is various sensors and actuators that operate the service robot. In this case, the various sensors include, for example, a visual sensor capable of measuring obstacles around the service robot, a posture sensor for detecting the posture of the service robot, and a rotation center for detecting the state of the actuator of the service robot. It includes a sensor that detects the internal and external status of the service robot.

  The non-volatile memory 13 is a memory device capable of maintaining stored contents more stably than the execution memory 11 without receiving power supply. For example, the nonvolatile memory 13 is a ROM (Read Only Memory), a flash memory, a hard disk drive or an optical disk drive, or a combination thereof. The nonvolatile memory 13 stores the OS 100 and the applications 101 to 103. Note that at least a part of the nonvolatile memory 13 may be configured to be removable from the safety control device 1. For example, the memory storing the applications 101 to 103 may be removable. Further, at least a part of the nonvolatile memory 13 may be disposed outside the safety control device 1.

  The OS 100 is executed by the processor 10 to use task resources including task scheduling, interrupt management, time management, resource management using hardware resources such as the processor 10, the execution memory 11, and the nonvolatile memory 13. Provides inter-task synchronization and inter-task communication mechanism.

  Further, in order to increase the independence of the safety monitoring application 101 and the safety control application 103 related to ensuring functional safety from the normal control application 102, the OS 100 has a function of protecting hardware resources temporally and spatially. . Here, the hardware resources include the processor 10, the execution memory 11, and the I / O port 12.

  Of these, temporal protection is performed by partitioning a temporal resource called the execution time of the processor 10. Specifically, temporal protection is performed by partitioning the execution time of the processor 10 and assigning a task (process or thread) to each partition (referred to as a time partition). The scheduling function (partition scheduler 21) of the OS 100 guarantees the use of resources including the execution time of the processor 10 for tasks assigned to each time partition (hereinafter sometimes referred to as TP).

  FIG. 2 is a conceptual diagram related to time partitioning. In the example of FIG. 2, an example in which a predetermined cycle time is divided into three TP1, TP2, and TP3 is shown. For example, when one cycle time is 100 Tick, the first 20 Tick is defined as TP1, the middle 30 Tick is defined as TP2, and the second 50 Tick is defined as TP3.

  In the example of FIG. 2, the first application (APL1) to the fourth application (APL4) are assigned to any one of TP1 to TP3. The scheduling function (partition scheduler 21) of the OS 100 selects / determines which of TP1 to TP3 is activated as time elapses. Then, the application assigned to the active TP is executed by the processor 10.

  On the other hand, spatial protection is performed by partitioning fixed resources including the execution memory 11 and the I / O port 12 and assigning tasks to each partition (referred to as a resource partition). The scheduling function (partition scheduler 21) of the OS 100 prohibits a task from accessing other resources beyond a pre-assigned resource partition (hereinafter sometimes referred to as RP).

  FIG. 3 is a conceptual diagram related to resource partitioning. In the example of FIG. 3, two RPs (RP1 and RP2) are shown. A part of the execution memory 11 and the nonvolatile memory 13 (A area) and a part of the I / O port 12 (port A) are allocated to RP1. Further, another part (B area) of the execution memory 11 and the nonvolatile memory 13 and another part (port B) of the I / O port 12 are allocated to RP2. Access from RP1 to the resource assigned to RP2 is prohibited, and access from RP2 to the resource assigned to RP1 is prohibited.

  Note that not all resources need to be exclusively assigned to any RP. That is, there may be a resource shared by a plurality of RPs. For example, when performing safety control of a service robot, the actuator needs to be accessible from both the normal control application 102 and the safety control application 103. Therefore, the I / O port for controlling the actuator may be shared by the RP to which the normal control application 102 belongs and the RP to which the safety control application 103 belongs.

  Returning to FIG. The applications 101 to 103 are executed in a multiprogramming environment provided by the OS 100 and the processor 10. Among these, the safety monitoring application 101 executes the processor 10 to monitor the execution status of the normal control application 102, monitor the execution status of the safety control application 103, and monitor input / output data to the I / O port 12. Instruction code to make it Further, the safety monitoring application 101 includes an instruction code for causing the processor 10 to execute a result notification to the partition scheduler 21. That is, the safety monitoring application 101 is a safety related application.

  Further, the normal control application 102 includes an instruction code for causing the processor 10 to execute a control procedure for causing a control target such as a service robot to perform a normal function / operation. Further, the normal control application 102 includes an instruction code for causing the processor 10 to execute a result notification to the partition scheduler 21. That is, the normal control application 102 is a non-safety related application.

  Further, the safety control application 103 includes an instruction code for causing the processor 10 to execute a control procedure determined to ensure functional safety in response to a case where some abnormality is detected. Further, the safety control application 103 includes an instruction code for causing the processor 10 to execute a result notification to the partition scheduler 21. That is, the safety control application 103 is a safety-related application.

  The reset circuit 14 resets the microcontroller 15 based on a signal from the OS 100. A transmission signal is periodically transmitted from the partition scheduler 21 to the reset circuit 14, and the reset circuit 14 resets the microcontroller 15 when the transmission signal from the partition scheduler 21 is interrupted. For example, as will be described later, the partition scheduler 21 transmits a transmission signal at a timing that operates every 1 tick. Further, when an abnormality is detected by the OS 100 or when a result notification indicating an abnormality is received from any of the applications 101 to 103, the partition scheduler 21 transmits a reset signal to the reset circuit 14 and responds accordingly. Thus, the reset circuit 14 may reset the microcontroller 15. In this way, when a failure occurs in the microcontroller 15, the microcontroller 15 can be reset and recovered.

  Subsequently, the relationship between the partition scheduler 21 and the tasks generated by the activation of the applications 101 to 103 will be described with reference to FIG. FIG. 4 is a diagram showing the relationship between the partition scheduler 21 and the tasks 24, 26, and 28 that are activated in the multiprogramming environment provided by the OS 100.

  The microcontroller 15 includes a processor 10, an execution memory 11, an I / O port 12, a nonvolatile memory 13, and the like. 4 illustrates a configuration in which the reset circuit 14 is provided outside the microcontroller 15, but a configuration in which the reset circuit 14 is included in the microcontroller 15 may be employed.

  The microcontroller 15 is supplied with a clock signal from an external clock source, and the processor 10 and the like operate at a predetermined timer period based on this clock signal. In the present embodiment, the predetermined timer cycle is described as 1 Tick. For this reason, when the processor 10 executes the OS 100, the partition scheduler 21 operates every 1 Tick, and at each TP, the task schedulers 23, 25, 27 and tasks (safety monitoring task 24, normal control task 26, safety The control task 28) operates every 1 Tick.

  The partition scheduler 21 operates every 1 tick and performs TP switching (partition scheduling). The partition scheduler 21 selects and determines which of TP1 to TP3 is activated during the next 1 Tick. Furthermore, the partition scheduler 21 starts the operation of the task scheduler related to the selected TP.

  More specifically, partition scheduling by the partition scheduler 21 refers to the scheduling table 22 and performs partition scheduling according to a scheduling pattern that defines TP settings.

  The scheduling table 22 holds a scheduling pattern that defines the TP switching order and timing. For example, the scheduling table 22 is stored in advance in the execution memory 11. The scheduling table 22 holds at least two different scheduling patterns. One is a scheduling pattern that is applied when abnormality detection by the safety monitoring task 24 is not performed (that is, during normal time). The other is a scheduling pattern applied when an abnormality is detected by the safety monitoring task 24. Hereinafter, the scheduling pattern applied in the normal time is referred to as “normal control scheduling pattern”. A scheduling pattern applied at the time of detecting an abnormality is called a “safe control scheduling pattern”.

  FIG. 5A shows a specific example of the normal control scheduling pattern. In FIG. 5A, TP2 to which the normal control task 26 belongs is assigned to the first half (T1) of one cycle time. In addition, TP1 to which the safety monitoring task 24 belongs is assigned to the second half (T2) of one cycle time. According to the scheduling pattern of FIG. 5A, the normal control task 26 and the safety monitoring task 24 are repeatedly scheduled.

  FIG. 5B shows a specific example of the safety control scheduling pattern. In FIG. 5B, TP3 to which the safety control task 28 belongs is assigned to the first half (T3) of one cycle time. In addition, TP1 to which the safety monitoring task 24 belongs is assigned to the second half (T4) of one cycle time. According to the scheduling pattern of FIG. 5B, the safety control task 28 and the safety monitoring task 24 are repeatedly scheduled.

  Returning to FIG. The task schedulers 23, 25, and 27 perform task scheduling in the TP to which each belongs. For scheduling tasks in each TP, general priority-based scheduling may be applied. In FIG. 4, each TP is illustrated as including only one task, but one or more tasks may be included. For example, the normal control task A and the normal control task B may be included in the normal control TP2.

  The safety monitoring task 24 is a task generated when the safety monitoring application 101 is activated. In the example of FIG. 4, the safety monitoring task 24 is assigned to TP1 and RP1. The safety monitoring task 24 monitors the execution status of the normal control task 26 that is a non-safety related application, monitors the execution status of the safety control task 28 that is a safety related application, and monitors input / output data of the I / O port 12. To do. Furthermore, the safety monitoring task 24 notifies the partition scheduler 21 of the task execution status.

  The normal control task 26 is a task generated when the normal control application 102 is activated. In the example of FIG. 4, the normal control task 26 is assigned to TP2 and RP2. The normal control task 26 performs control for causing a control target such as a service robot to perform a normal function / operation. Further, the normal control task 26 notifies the partition scheduler 21 of the task execution status.

  The safety control task 28 is a task generated when the safety control application 103 is activated. In the example of FIG. 4, the safety control task 28 is assigned to TP3 and RP3. The safety control task 28 performs control determined to ensure functional safety in response to any abnormality being detected. Further, the safety control task 28 notifies the partition scheduler 21 of the task execution status.

  Various methods can be adopted as a specific configuration for notifying the result from each task to the partition scheduler 21. For example, a task can call a system call (service call) of the OS 100 and notify the partition scheduler 21 of the result via the OS 100. Specifically, for example, a system call for performing communication between tasks is called. Also, for example, assuming that a flag related to the task execution status is stored in the execution memory 11, the task sets a flag value according to the execution status, and the partition scheduler 21 executes the task according to the flag set value. The situation can also be judged.

  Here, the OS 100 provides an API (Application Program Interface) function that causes each task 24, 26, and 28 to end execution and sleep until the time partition to which the task belongs next becomes active. Therefore, a task belonging to a TP that becomes active at a constant cycle can be made to execute at a constant cycle by calling this API function to sleep. Hereinafter, this API function is referred to as “wai_psw”.

  A plurality of wai_psw flags 29 are prepared so as to correspond to the tasks 24, 26, and 28, respectively. The wai_psw flag 29 is stored in the execution memory 11, for example. The wai_psw flag 29 is a variable that takes a value indicating either “OK” or “NG”. If the wai_psw flag 29 is OK, it means that the task corresponding to the wai_psw flag 29 has been executed. On the other hand, if the wai_psw flag 29 is NG, it means that the task corresponding to the wai_psw flag 29 has not finished executing.

  The initial value of the wai_psw flag 29 is a value indicating OK. When the TP becomes active, the partition scheduler 21 updates the wai_psw flag 29 corresponding to the task belonging to the TP to NG. Each of the tasks 24, 26, and 28 sleeps and updates the wai_psw flag 29 to OK by calling wai_psw when the processing to be executed in the TP is finished. That is, wai_psw includes processing for updating the wai_psw flag 29 corresponding to the caller task to OK. According to these processes, if the wai_psw flag 29 is OK when the TP becomes active next, it means that the task has been executed within the time of the previous TP, and the TP becomes active next. If the wai_psw flag 29 is NG at this time, it is understood that the task has not been completed within the time of the previous TP.

  Here, for example, the wai_psw flag 29 may have a value indicating OK as 0, a value indicating NG as 1, a value indicating OK as 1, and a value indicating NG as 0. The wai_psw flag 29 is not limited to binarized information as long as it is information indicating OK or NG.

  A plurality of wake-up flags 30 are prepared so as to correspond to the tasks 24, 26, and 28, respectively. The wakeup flag 30 is stored in the execution memory 11, for example. The wake-up flag 30 is a variable that takes a value indicating either “E_OK” or “E_TMOUT”. When the wakeup flag 30 is E_OK, it means that the task corresponding to the wakeup flag 30 has been completed within the time of the TP to which the task belongs. When the wakeup flag 30 is E_TMOUT, it means that the task corresponding to the wakeup flag 30 has not been completed within the time of the TP to which the task belongs.

  The initial value of the wake-up flag 30 is a value indicating E_OK. If the wai_psw flag 29 corresponding to the task belonging to the TP is NG when the TP becomes active, the partition scheduler 21 updates the wake-up flag 30 corresponding to the task to E_TMOUT. As a result, when the wakeup flag 30 is updated to E_TMOUT, it can be seen that the task corresponding to the wakeup flag 30 has not been completed within the TP time.

  When the wakeup flag 30 corresponding to the caller task is E_OK, wai_psw returns a value indicating E_OK to the caller task as a return value. On the other hand, when the wakeup flag 30 corresponding to the caller task is E_TMOUT, wai_psw returns a value indicating E_TMOUT to the caller task as a return value. This return value is returned to a task that has been sleeping by calling wai_psw and wakes up and returns from wai_psw. As a result, when the return value from wai_psw is E_OK, the calling task can recognize that it has finished executing within the time of TP. Conversely, when the return value from wai_psw is E_TMOUT, the caller task can recognize that it has not completed execution within the TP time.

  Then, the caller task executes processing according to the return value from wai_psw. For example, when the return value from wai_psw is E_OK, the calling task executes normal processing. On the other hand, when the return value from wai_psw is E_TMOUT, the calling task executes an abnormality treatment. Here, the abnormality treatment may be any treatment as long as it is a treatment for moving the controlled object in a safe direction. For example, when operating according to the normal control scheduling pattern shown in FIG. 5A, the calling task notifies the partition scheduler 21 that the task execution status is abnormal. Then, the partition scheduler 21 may switch the scheduling pattern to the safety control scheduling pattern shown in FIG. 5B according to the notification. Further, the partition scheduler 21 may forcibly switch TP to TP3 at the next operation timing according to the notification. Then, after switching to TP3, for example, the control target is stopped by the safety control task 28. Further, the partition scheduler 21 may control the partition scheduler 21 to stop the control target when notified from the safety control task 28 that the task execution status is abnormal.

  Here, for each of the wake-up flag 30 and the return value, for example, the value indicating E_OK may be 0, the value indicating E_TMOUT may be 1, the value indicating E_OK may be 1, and the value indicating E_TMOUT may be 0. . Further, each of the wakeup flag 30 and the return value is not limited to the binarized information as long as it is information indicating E_OK or E_TMOUT. Further, the value indicating E_OK and the value indicating E_TMOUT may be defined as different values for the wakeup flag 30 and the return value.

  As described above, the partition scheduler 21 operates every 1 Tick, and selects and determines which of TP1 to TP3 is activated. Further, the partition scheduler 21 starts the operation of the task scheduler related to the selected TP. Then, task scheduling is performed by the task schedulers 23, 25, and 27 starting operations, and the processor 10 executes the tasks in the TP according to the order scheduled by the task schedulers 23, 25, and 27. Go. As a result, the application assigned to the active TP is executed by the processor 10.

  Subsequently, partition scheduling processing and flag control processing by the partition scheduler 21 will be described below with reference to FIG. FIG. 6 is a flowchart showing a specific example of the processing procedure of the partition scheduler 21 according to the first embodiment of the invention.

  Note that FIG. 6 illustrates an example in which scheduling is performed according to a normal control scheduling pattern (for example, FIG. 5A) or a safety control scheduling pattern (for example, FIG. 5B). That is, when the next TP following TP2 or TP3 is TP1, and when an abnormality in TP2 is detected in TP1, the next TP selected and determined based on the result from TP1 is TP3 Will be described as an example.

  The OS 100 starts the partition scheduler 21 every time one tick elapses (S11) (S12). The partition scheduler 21 refers to the scheduling pattern and determines whether or not it is TP switching timing (S13).

  When it is determined that it is not the TP switching timing (No in S13), the partition scheduler 21 continues the operation for the same TPX and proceeds to S19. For this reason, the processes of S11 to S13, S19, and S20 are repeated until the TP switching timing is reached. Here, the variable X indicates the number of TP, and X is any one of 1 to 3. That is, when partition scheduling is performed according to the normal control scheduling pattern, either TP2 or TP1 except for TP3 for safety control is operated.

  On the other hand, when it is determined that it is TP switching timing (Yes in S13), the partition scheduler 21 executes TP switching (S14). Thus, when the partition scheduler 21 changes the TP to be activated next (Yes in S13), the task execution status is normal according to the notification result from the task belonging to the TP before switching. It is determined whether or not. If the task execution status is abnormal as a result of the determination, the partition scheduler 21 selects and determines a TP to be activated during the next 1 Tick according to the safety control scheduling pattern. Then, the partition scheduler 21 determines whether or not the wai_psw flag 29 corresponding to the task belonging to the switching destination TP is OK (S15).

  When the wai_psw flag 29 corresponding to the task belonging to the switching destination TP is OK (Yes in S15), when the switching destination TP was last active, the wai_psw flag 29 is supported within the time of the TP. This means that the task to be executed has ended. Therefore, the partition scheduler 21 updates the wakeup flag 30 corresponding to the task to E_OK (S16). Then, the partition scheduler 21 proceeds to S18.

  On the other hand, if the wai_psw flag 29 corresponding to the task belonging to the switching destination TP is not OK (No in S15), when the switching destination TP was previously active, the wai_psw flag 29 is set within the time of the TP. This means that the corresponding task has not finished executing. Therefore, the partition scheduler 21 updates the wakeup flag 30 corresponding to the task to E_TMOUT (S17). That is, when the wai_psw flag 29 corresponding to the task belonging to the switching destination TP is NG, S17 is executed. Then, the partition scheduler 21 proceeds to S18.

  In S18, the partition scheduler 21 updates the wai_psw flag 29 corresponding to the task belonging to the switching destination TP to NG (S18). According to this, when the wai_psw is called and the wai_psw flag 29 is not updated to OK because the task finishes executing at the switching destination TP, the wai_psw flag 29 remains NG. That is, it is possible to determine from the value of the wai_psw flag 29 when the switching destination TP becomes active next time that the task has not finished executing within the time of the switching destination TP (S15). . Then, the partition scheduler 21 proceeds to S19. Note that when a plurality of tasks belong to the TP, the processes of S15 to S18 are performed for each of the wai_psw flag 29 and the wake-up flag 30 corresponding to the plurality of tasks.

  In S19, the partition scheduler 21 operates the task scheduler of the currently active TPX (S19). The task scheduler of TPX that started the operation in S19 executes the task in TPX according to the priority (S20).

  Specifically, the task scheduler of TPX wakes up the tasks in TPX that have been sleeping in the order corresponding to the priority. The task that wakes up returns from wai_psw. At this time, the task that wakes up executes processing according to the return value of wai_psw as described above. That is, when the return value from wai_psw is E_OK, the wake-up task has been completed within the time of TP, so normal processing is executed. Conversely, if the return value from wai_psw is E_TMOUT, it means that the task that woke up has not finished executing within the time of TP, so the partition scheduler 21 is notified that the task execution status is abnormal. Execute the process. When the processing to be executed in these TPs is completed, the task calls wai_psw and sleeps again. Note that the processing procedure of the flag control processing in wai_psw will be described later with reference to FIG.

  When 1 Tick elapses (S11), the partition scheduler 21 starts TP scheduling again (S12). That is, the partition scheduler 21 selects and determines which TP is to be activated during the next 1 Tick according to the scheduling pattern.

  Subsequently, the flag control process in the task will be described with reference to FIG. FIG. 7 is a flowchart showing a specific example of the processing procedure of the API function wai_psw according to the first embodiment of the invention.

  The task executed by the task scheduler calls wai_psw when it sleeps to the next TP after completing the processing to be executed in the TP (S21). The called wai_psw updates the wai_psw flag 29 corresponding to the caller task to OK (S22). Then, wai_psw determines whether or not the wakeup flag 30 corresponding to the caller task is E_TMOUT (S23).

  If the wakeup flag 30 corresponding to the caller task is not E_TMOUT (No in S23), wai_psw sets E_OK as the return value of wai_psw (S24), and proceeds to S26. That is, when the wakeup flag 30 corresponding to the caller task is E_OK, S24 is executed. On the other hand, when the wakeup flag is E_TMOUT, wai_psw sets E_TMOUT as the return value of wai_psw (S25), and proceeds to S26.

  The wai_psw causes the task scheduler to execute a sleep process that causes the calling task to sleep (S26). In other words, the task scheduler finishes executing the caller task, and transitions to the sleep state. As a result, the execution time of the processor 10 assigned to the caller task is released. Note that, as described above, a task that sleeps due to wai_psw continues to sleep until the TP to which the task belongs becomes active next. Then, when the TP becomes active next and the execution time of the processor 10 is allocated by the task scheduler, the task receives the return value set at the time of sleep from wai_psw and returns from wai_psw. That is, the task wakes up and the task execution is started. Then, when the return value from wai_psw is E_OK, the task executes normal processing, and when the return value from wai_psw is E_TMOUT, the task executes an abnormality treatment.

  Here, the method of putting a task to sleep until the TP to which the task belongs becomes active next may be realized by, for example, the method described below. It is not limited. Specifically, a wakeup suppression flag corresponding to each task is prepared on the execution memory 11, and when the task sleeps, the wakeup suppression flag corresponding to the task is updated to a valid value. For example, it is updated by wai_psw. When the wakeup suppression flag indicates a valid value, it is only necessary to prevent the task corresponding to the wakeup suppression flag from waking up again in the same TP. In this case, if the wakeup suppression flag is updated to an invalid value by the OS 100 or the partition scheduler 21 or the like after the TP time has expired and before the next TP becomes active. Good.

  A specific example of partition scheduling will be described with respect to the processing shown in FIGS. First, according to the normal control scheduling pattern illustrated in FIG. 5A, the case where scheduling is started from the active state of TP2 in S19 will be described. In this case, TPX = TP2 is started in S19, and TPX = TP2 remains even in subsequent S20 and S11 to S13. And as long as No continues in S13, the state of TPX = TP2 is maintained. If S13 is Yes and TP2 is changed to TP1 in S14, TP1 remains in S15 to S20 and S11 to S13. As long as No continues in S13, the state of TPX = TP1 is maintained. When TP1 is active, it is determined in S20 that the execution status (data input / output, etc.) related to TP2 is normal, and the task execution status related to TP1 is normal (return value is E_OK) If so, in the next S14, TPX = TP2 (that is, the normal control scheduling pattern starting from TP2 is continued). On the other hand, when the execution status (data input / output, etc.) related to TP2 is determined to be abnormal in S20, or the task execution status related to TP1 is determined to be abnormal (return value is E_TMOUT) In this case, TPX = TP3 in the next S14 (that is, the safety control scheduling pattern starts from TP3).

  Further, a case will be described in which scheduling is started from the active state of TP3 in S19 according to the safety control scheduling pattern illustrated in FIG. 5B. In this case, TPX = TP3 is started in S19, and TPX = TP3 remains even in subsequent S20 and S11 to S13. And as long as No continues in S13, the state of TPX = TP3 is maintained. If it is Yes in S13 and changed from TP3 to TP1 in S14, it remains TP1 over the subsequent S15 to S20 and S11 to S13. As long as No continues in S13, the state of TPX = TP1 is maintained. When TP1 is active, it is determined in S20 that the execution status (data input / output, etc.) related to TP3 is normal, and the task execution status related to TP1 is normal (return value is E_OK) If it has been done, TPX = TP2 may be set in the next S14 (that is, switching to the normal control scheduling pattern starting from TP2). However, depending on the state of the control target, the scheduling pattern may not be switched, and the abnormal process may be continued to stop the control target. On the other hand, if it is determined in S20 that the execution status (data input / output, etc.) related to TP3 is abnormal, or the task execution status related to TP1 is determined to be abnormal (return value is E_TMOUT) In this case, TPX = TP3 in the next S14 (that is, the safety control scheduling pattern starting from TP3 is continued).

  Next, a specific example of task execution status monitoring by the flag control process described with reference to FIGS. 6 and 7 will be described with reference to FIGS. FIG. 8 is a diagram showing a specific example of the task execution status when the task is completed within the time of TP, and FIG. 9 is the task execution when the task is not completed within the time of TP. It is a figure which shows the specific example of a condition. 8 and 9, “Partition 1” and “Partition 2” indicate time partitions, and “Task” indicates a task belonging to Partition 1. For example, when operating according to the normal control scheduling pattern shown in FIG. 5A, “Partition 1” and “Partition 2” correspond to TP1 and TP2.

  First, with reference to FIG. 8, the case where the task has been executed within the time of TP will be described. Here, it is assumed that the wai_psw flag 29 is OK and the wake-up flag 30 is E_OK. FIG. 8 is illustrated from the time when the partition scheduler 21 activated after 1 tick has activated Partition 1 (S11 to S14).

  In this case, since the wai_psw flag 29 corresponding to the task belonging to Partition 1 is OK (Yes in S15), the partition scheduler 21 updates the wake-up flag 30 corresponding to the task belonging to Partition 1 to E_OK (S16). ). Further, the partition scheduler 21 updates the wai_psw flag 29 corresponding to the task belonging to Partition 1 to NG (S18). The task scheduler of Partition 1 starts its operation (S19) and executes the tasks in Partition 1 (S20). When the task finishes executing normal processing, the task calls wai_psw (S21). The wai_psw updates the wai_psw flag corresponding to the caller task to OK (S22). Since the wake-up flag 30 is E_OK in S16 (No in S23), wai_psw sets E_OK as the return value (S24). Then, wai_psw causes the calling task to sleep (S26).

  When the partition scheduler 21 next activates Partition 1 (S11 to S14), since the wai_psw flag 29 corresponding to the task belonging to Partition 1 is OK (Yes in S15), the partition scheduler 21 changes to Partition 1. The wakeup flag 30 corresponding to the task to which it belongs is updated to E_OK (S16). That is, the wake-up flag 30 remains E_OK. Further, the partition scheduler 21 updates the wai_psw flag 29 corresponding to the task belonging to Partition 1 to NG (S18). The task scheduler of Partition 1 starts its operation (S19) and executes the tasks in Partition 1 (S20). At this time, the task receives E_OK set during sleep from wai_psw as a return value and returns from wai_psw. When the task finishes executing normal processing, the task calls wai_psw (S21). The wai_psw updates the wai_psw flag 29 corresponding to the caller task to OK (S22). Further, since the wakeup flag 30 is E_OK in S16, wai_psw sets E_OK as the return value (S24). Then, wai_psw causes the calling task to sleep (S26).

  Next, when Partition 1 becomes active, E_OK is set in the wai_psw flag 29 and E_OK is set in the return value of wai_psw, so the same processing is repeated. In this way, when the task is finished executing within the time of Partition 1, it recognizes that the task may execute normal processing based on the return value of wai_psw being E_OK. Is possible.

  Next, with reference to FIG. 9, a case where the task has not finished executing within the time of TP will be described. Here, it is assumed that the wai_psw flag 29 is OK and the wake-up flag 30 is E_OK. FIG. 9 is shown from the time when the partition scheduler 21 activated after 1 Tick has activated Partition 1 (S11 to S14).

  In this case, since the wai_psw flag 29 corresponding to the task belonging to Partition 1 is OK (Yes in S15), the partition scheduler 21 updates the wake-up flag 30 corresponding to the task belonging to Partition 1 to E_OK (S16). Further, the partition scheduler 21 updates the wai_psw flag 29 corresponding to the task belonging to Partition 1 to NG (S18). The task scheduler of Partition 1 starts its operation (S19) and executes the tasks in Partition 1 (S20).

  FIG. 9 illustrates a case where the task does not finish executing within the time of Partition 1 at this time. In this case, when the time of Partition 1 expires, task execution is interrupted by the task scheduler, and TP is switched to Partition 2 by the partition scheduler 21 (S11 to S14). In this case, since wai_psw has not been called by the task, the wai_psw flag 29 remains NG.

  When the partition scheduler 21 next activates Partition 1 (S11 to S14), since the wai_psw flag 29 corresponding to the task belonging to Partition 1 is NG (No in S15), the partition scheduler 21 changes to Partition 1. The wakeup flag 30 corresponding to the task to which it belongs is updated to E_TMOUT (S17). Further, the partition scheduler 21 updates the wai_psw flag 29 corresponding to the task belonging to Partition 1 to NG (S18). The task scheduler of Partition 1 starts its operation (S19) and executes the tasks in Partition 1 (S20). At this time, the task is resumed from where it was interrupted. When the task finishes executing normal processing, the task calls wai_psw (S21). The wai_psw updates the wai_psw flag 29 corresponding to the caller task to OK (S22). Further, since the wakeup flag 30 is E_TMOUT in S17, wai_psw sets E_TMOUT as a return value (S25). Then, wai_psw causes the calling task to sleep (S26).

  When the partition scheduler 21 next activates Partition 1 (S11 to S14), after the processing in the case of Yes in S15 is executed as described above, the task scheduler of Partition 1 starts its operation ( S19), the task in Partition 1 is executed (S20). At this time, the task receives E_TMOUT set during sleep from wai_psw as a return value, and returns from wai_psw. In this way, based on the return value of wai_psw being E_TMOUT, the task can recognize that it has not completed execution within the time of Partition 1 and that it needs to perform an abnormal action. It becomes possible.

  As described above, in the first embodiment, the wai_psw flag 29 corresponding to the task belonging to the switching destination TP is updated to NG when the TP is switched, and the wai_psw flag 29 is set to OK when the execution of the task is completed. I try to update it. Then, before the wai_psw flag 29 corresponding to the task belonging to the switching destination TP is updated to NG when the TP is switched, it is detected that the wai_psw flag 29 is NG.

  According to this, it can be detected that the task has not finished executing within the time of TP by the wai_psw flag 29 being NG. That is, it is possible to monitor whether or not the task can be completed within the time of TP. In addition, it is possible to monitor with a simple process of only updating information (wai_psw flag 29) at a predetermined timing.

  Here, as a method for monitoring whether or not the execution of a task is completed at a constant cycle, a method for monitoring whether or not the execution of each task is completed at a predetermined cycle can be considered. . However, in such a case, there is a problem that the application program becomes complicated when a mechanism for independently monitoring each application program that generates a task is implemented.

  In contrast to this, in the first embodiment, the wai_psw flag 29 is updated to OK in the API function that is called when the task finishes executing the process and sleeps. Further, the partition scheduler 21 that schedules the TP updates the wai_psw flag 29 to NG at the time of TP switching, and detects whether the wai_psw flag 29 is NG before updating the wai_psw flag 29 at the time of TP switching. I have to.

  According to this, it is possible to implement a monitoring mechanism using the existing processing timing in the multitask system adopting time partitioning. That is, it becomes possible to monitor whether or not the task can be completed within the time of TP.

  In the above-described example, a case where only three TPs (safety monitoring TP1, normal control TP2 and safety control TP3) are combined as a scheduling pattern has been described as an example. There may be a plurality of control partitions and safety control partitions such as TP3. For example, there are two TP2 and TP4 for normal control, TP1 for safety monitoring, and two TP3 and TP5 for safety control, and these five TPs (TP1 to TP5) are combined to form a scheduling pattern. It may be configured. In this case, in S14, the partition scheduler 21 determines the type of the abnormal state of the execution status (data input / output, etc.) related to TPX, and selects either TP3 or TP5 for safety control according to the abnormal type. That's fine. In S14, either TP2 or TP4 for normal control may be selected.

  As described above, in this embodiment, the OS 100 includes the partition scheduler 21 that selects and determines the partition to be activated next in response to a notification from the TP1 for safety monitoring or a notification from each TP. ing. The partition scheduler 21 operates at a predetermined timer period independently of the tasks executed in each TP.

  With the configuration in which the partition scheduler 21 that operates independently receives the result notification from all TPs, the partition scheduler 21 can centrally grasp the situation regarding all TPs. Therefore, for example, when the partition scheduler 21 decides and selects the next partition in response to the result notification from the safety monitoring TP1, the partition scheduler 21 considers the situation of each TP. The next partition can be determined and selected only from the TP in the normal state. According to this, there is an effect that more accurate partition scheduling can be realized.

<Embodiment 2 of the Invention>
Then, the safety control apparatus concerning Embodiment 2 of this invention is demonstrated. Since the configuration of the safety control device according to the second embodiment is the same as the configuration of the safety control device according to the first embodiment described with reference to FIG. 1 except that the OS 200 is provided instead of the OS 100, The description is omitted. Below, the relationship between the partition scheduler 31 and the tasks generated by starting up the applications 101 to 103 will be described with reference to the drawings. FIG. 10 is a diagram showing the relationship between the partition scheduler 31 and the tasks 24, 26, and 28 that are activated in the multiprogramming environment provided by the OS 200.

  As shown in FIG. 10, the second embodiment has an OS 200 instead of the OS 100, a partition scheduler 31 instead of the partition scheduler 21, and a wake-up flag 30 as compared with the first embodiment. The point of having a wake-up counter 32 is different. Hereinafter, the same contents as those in the first embodiment will be omitted as appropriate.

  The partition scheduler 31 differs from the partition scheduler 21 according to the first embodiment in that instead of updating the wakeup flag 30, the wakeup counter 32 is updated.

  A plurality of wake-up counters 32 are prepared so as to correspond to the tasks 24, 26, and 28, respectively. The wake-up counter 32 is stored in the execution memory 11, for example. The wake-up counter 32 is a variable that takes a counter value. When the value of the wake-up counter 32 is 0, it means that the task corresponding to the wake-up counter 32 has been completed within the time of 1 TP of the TP to which the task belongs. When the wakeup counter 32 has a value of 1 or more, it means that the execution has not been completed within the time of 1TP of the TP to which the task belongs. In this case, the value of the wake-up counter 32 means how many TPs to which the task belongs are straddled from the start of execution of the task corresponding to the wake-up counter 32 to the end of execution.

  The wake-up counter 32 has an initial value of 0. When the wai_psw flag 29 corresponding to the task belonging to the TP is NG when the TP becomes active, the partition scheduler 31 counts up the wake-up counter 32 corresponding to the task. That is, if the task continues to be executed across several TPs without completing the execution, the value of the wake-up counter 32 corresponding to the task continues to be counted up. As a result, when the wake-up counter 32 is updated to a value of 1 or more, the task corresponding to the wake-up counter 32 has not been executed within the time of 1TP of TP, and the wake-up counter 32 It can be seen how many TPs the task belongs to before the corresponding task finishes executing.

  The OS 200 is partially different from the OS 100 according to the first embodiment in the processing content of the provided wai_psw. Compared with the OS 100 according to the first embodiment, the wai_psw provided by the OS 200 returns the value of the wake-up counter 32 to the calling task as a return value instead of the value corresponding to the wake-up flag 30, and the wake-up counter The difference is that the value of 32 is initialized. This return value is returned to a task that has been sleeping by calling wai_psw and wakes up and returns from wai_psw. As a result, when the return value from wai_psw is 0, the calling task can recognize that it has completed execution within the time of 1TP. On the other hand, if the return value from wai_psw is 1 or more, the caller task has not completed execution within the time of 1TP, and straddles several TPs until it completes execution. Can be recognized.

  Then, the caller task executes processing according to the return value from wai_psw. First, a case will be described in which the caller task is a task that needs to be completed within the time of 1TP. In this case, when the return value from wai_psw is 0, the calling task executes normal processing. On the other hand, when the return value from wai_psw is 1 or more, the calling task executes an abnormality treatment.

  Next, a case will be described in which the caller task is a task that only needs to be completed within a time of 2TP. In this case, when the return value from wai_psw is 0 or 1, the calling task executes normal processing. On the other hand, when the return value from wai_psw is 2 or more, the calling task executes an abnormality treatment. As described above, in the second embodiment, it is possible to perform appropriate monitoring according to a task that does not necessarily have to be completed within 1TP. That is, a threshold value for the return value suitable for each task is set, and when the return value is equal to or greater than the threshold value, the abnormality treatment may be executed.

  Here, even when the time required for task processing is variable, it is also possible to perform appropriate monitoring by dynamically changing the threshold value. For example, a threshold corresponding to each task is prepared on the execution memory 11, and the task or the partition scheduler 31 updates the threshold at an arbitrary timing.

  Subsequently, the partition scheduling process and the flag control process performed by the partition scheduler 31 will be described below with reference to FIG. FIG. 11 is a flowchart showing a specific example of the processing procedure of the partition scheduler 31 according to the first embodiment of the invention. In addition, about the process procedure similar to the process procedure concerning Embodiment 1 demonstrated with reference to FIG. 6, the same code | symbol is attached | subjected and description is abbreviate | omitted. In the processing procedure according to the second embodiment, compared to the processing procedure according to the first embodiment, when the answer is YES in S15, S18 is executed without executing S16, and S27 is executed instead of S17. The difference is that you are trying to do.

  In the second embodiment, when the wai_psw flag 29 corresponding to the task belonging to the switching destination TP is OK (Yes in S15), the partition scheduler 31 proceeds to S18. On the other hand, when the wai_psw flag 29 corresponding to the task belonging to the switching destination TP is NG (No in S15), the partition scheduler 31 counts up the wake-up counter 32 corresponding to the task (S27). Then, the partition scheduler 31 proceeds to S18.

  Subsequently, the flag control process in the task will be described with reference to FIG. FIG. 12 is a flowchart showing a specific example of the processing procedure of the API function wai_psw according to the second embodiment of the invention. In addition, about the process procedure similar to the process procedure concerning Embodiment 1 demonstrated with reference to FIG. 7, the same code | symbol is attached | subjected and description is abbreviate | omitted.

  In the second embodiment, after executing the process of S22, wai_psw sets the value of the wakeup counter 32 corresponding to the caller task as the return value of wai_psw (S28). Then, wai_psw initializes the value of the wake-up counter 32 with 0 (S29), and proceeds to S26.

  Next, a specific example of task execution status monitoring by the flag control process described with reference to FIGS. 11 and 12 will be described with reference to FIGS. 13 and 14. FIG. 13 is a diagram showing a specific example of the task execution status when the task is completed within the time of 1TP, and FIG. 14 is the task execution when the task is not completed within the time of 1TP. It is a figure which shows the specific example of a condition. 13 and 14, “Partition 1” and “Partition 2” indicate time partitions, and “Task” indicates a task belonging to Partition 1.

  First, with reference to FIG. 13, a case will be described in which execution of a task is completed within a time of 1TP. Here, it is assumed that the wai_psw flag 29 is OK and the wake-up counter 32 is “0”. FIG. 13 is shown from the time when the partition scheduler 31 started after 1 Tick has activated Partition 1 (S11 to S14).

  In this case, since the wai_psw flag corresponding to the task belonging to Partition 1 is OK (Yes in S15), the partition scheduler 31 does not count up the wake-up counter 32 corresponding to the task belonging to Partition 1. In addition, the partition scheduler 31 updates the wai_psw flag 29 corresponding to the task belonging to Partition 1 to NG (S18). The task scheduler of Partition 1 starts its operation (S19) and executes the tasks in Partition 1 (S20). The task calls wai_psw when normal processing is finished (S21). The wai_psw updates the wai_psw flag 29 corresponding to the caller task to OK (S22). Also, wai_psw sets the value “0” of the wake-up counter 32 corresponding to the caller task to the return value of wai_psw (S28). Furthermore, wai_psw initializes the value of the wake-up counter 32 corresponding to the caller task to “0” (S29). Then, wai_psw causes the calling task to sleep (S26).

  When the partition scheduler 31 next activates Partition 1 (S11 to S14), since the wai_psw flag 29 corresponding to the task belonging to Partition 1 is OK (Yes in S15), the partition scheduler 31 changes to Partition 1. The wakeup counter 32 corresponding to the task to which it belongs does not count up. That is, the value of the wake-up counter 32 remains “0”. In addition, the partition scheduler 31 updates the wai_psw flag 29 corresponding to the task belonging to Partition 1 to NG (S18). The task scheduler of Partition 1 starts its operation (S19) and executes the tasks in Partition 1 (S20). At this time, the task receives the value “0” set at the time of sleep from wai_psw as a return value, and returns from wai_psw. The task calls wai_psw when normal processing is finished (S21). The wai_psw updates the wai_psw flag 29 corresponding to the caller task to OK (S22). Also, wai_psw sets the value “0” of the wake-up counter 32 corresponding to the caller task to the return value of wai_psw (S28). Furthermore, wai_psw initializes the value of the wake-up counter 32 corresponding to the caller task to “0” (S29). Then, wai_psw causes the calling task to sleep (S26).

  Next, when Partition 1 becomes active, E_OK is set in the wai_psw flag 29 and “0” is set in the return value of wai_psw, so the same processing is repeated. As described above, when the task can be completed within the time of one partition 1, the task may execute normal processing based on the return value of wai_psw being “0”. It becomes possible to recognize that.

  Next, with reference to FIG. 14, a case where the task has not finished executing within the time of 1TP will be described. Here, it is assumed that the wai_psw flag 29 is OK and the wake-up counter 32 is “0”. FIG. 14 is shown from the time when the partition scheduler 31 started after 1 Tick has activated Partition 1 (S11 to S14).

  In this case, since the wai_psw flag 29 corresponding to the task belonging to Partition 1 is OK (Yes in S15), the partition scheduler 31 does not increment the wake-up counter 32 corresponding to the task belonging to Partition 1. In addition, the partition scheduler 31 updates the wai_psw flag 29 corresponding to the task belonging to Partition 1 to NG (S18). The task scheduler of Partition 1 starts its operation (S19) and executes the tasks in Partition 1 (S20).

  FIG. 14 illustrates a case where the task does not finish executing within the time of Partition 1 at this time. In this case, when the time of Partition 1 expires, task execution is interrupted by the task scheduler, and TP is switched to Partition 2 by the partition scheduler 31 (S11 to S14). In this case, since wai_psw has not been called by the task, the wai_psw flag 29 remains NG.

  When the partition scheduler 31 next activates Partition 1 (S11 to S14), since the wai_psw flag 29 corresponding to the task belonging to Partition 1 is NG (No in S15), the partition scheduler 31 changes to Partition 1. The wake-up counter 32 corresponding to the task to which it belongs is counted up (S27). That is, the value of the wake-up counter 32 is “1”. In addition, the partition scheduler 31 updates the wai_psw flag 29 corresponding to the task belonging to Partition 1 to NG (S18). The task scheduler of Partition 1 starts its operation (S19) and executes the tasks in Partition 1 (S20). At this time, the task is resumed from where it was interrupted. When the task finishes executing normal processing, the task calls wai_psw (S21). The wai_psw updates the wai_psw flag 29 corresponding to the caller task to OK (S22). Also, wai_psw sets the value “1” of the wake-up counter 32 corresponding to the caller task to the return value of wai_psw (S28). Furthermore, wai_psw initializes the value of the wake-up counter 32 corresponding to the caller task to “0” (S29). Then, wai_psw causes the calling task to sleep (S26).

  When the partition scheduler 31 next activates Partition 1 (S11 to S14), after the processing in the case of Yes in S15 is executed as described above, the task scheduler of Partition 1 starts its operation ( S19), the task in Partition 1 is executed (S20). At this time, the task receives “1” set at the time of sleep from wai_psw as a return value, and returns from wai_psw. In this way, when the return value of wai_psw is "1", the task has recognized that it has not been able to complete execution within the time of one partition 1 and that it is necessary to perform an error treatment. It becomes possible to do. Note that, as described above, when a task is allowed to cross the TP to which the task belongs only once, the task may execute normal processing without being determined to be abnormal. . In this case, when the return value of wai_psw is 2 or more, the task determines that there is an abnormality and executes the abnormality process.

  As described above, in the second embodiment, the wai_psw flag 29 corresponding to the task belonging to the switching destination TP is updated to NG when the TP is switched, and the wai_psw flag 29 is set to OK when the execution of the task is completed. I try to update it. When the wai_psw flag 29 is detected to be NG before the wai_psw flag 29 corresponding to the task belonging to the switching destination TP is updated to NG when the TP is switched, the counter value is updated. Yes.

  According to this, it is possible to recognize from the counter value how many TPs the task belongs to from the start to the end of execution. That is, it is possible to monitor whether or not the task can be completed within a predetermined number of TPs using the counter value. In addition, it is possible to monitor by a simple process of only updating the flag and the counter value at a predetermined timing.

<Third Embodiment of the Invention>
Then, the safety control apparatus concerning Embodiment 3 of this invention is demonstrated. Since the configuration of the safety control device according to the third embodiment is the same as the configuration of the safety control device according to the first embodiment described with reference to FIG. 1 except that the OS 300 is provided instead of the OS 100, The description is omitted. Hereinafter, the relationship between the partition scheduler 33 and the tasks generated by the activation of the applications 101 to 103 will be described with reference to the drawings. FIG. 15 is a diagram showing the relationship between the partition scheduler 31 and the tasks 24, 26, and 28 that are activated in the multiprogramming environment provided by the OS 300.

  As shown in FIG. 15, the third embodiment is different from the second embodiment in that an OS 300 is provided instead of the OS 200 and a partition scheduler 33 is provided instead of the partition scheduler 31. Hereinafter, the same contents as those in the second embodiment will be omitted as appropriate.

  The partition scheduler 33 is different from the partition scheduler 31 according to the second embodiment in that it does not count up the wake-up counter 32 but updates it by counting down. That is, the third embodiment is different from the second embodiment in how to handle the wake-up counter 32.

  Specifically, in the third embodiment, the initial value of the wakeup counter 32 is a number that allows the task corresponding to the wakeup counter 32 to cross the TP to which the task belongs. When the wai_psw flag 29 corresponding to the task belonging to the TP is NG when the TP becomes active, the partition scheduler 33 counts down the wake-up counter 32 corresponding to the task. That is, if the task continues to be executed across several TPs without completing the execution, the value of the wake-up counter 32 corresponding to the task continues to be counted down. As a result, when the wake-up counter 32 is updated to a value less than 0, it can be seen that the task corresponding to the wake-up counter 32 could not be completed within the time allowed for the number of TPs.

  The OS 300 is partially different from the OS 200 according to the second embodiment in the processing content of the provided wai_psw. The wai_psw provided by the OS 300 differs from the OS 200 according to the second embodiment in that the value of the wake-up counter 32 is initialized with the number of TPs that a task is allowed to cross. As a result, when the return value from wai_psw is 0 or more, the calling task can recognize that it has finished executing within the time corresponding to the number of allowed TPs. On the other hand, if the return value from wai_psw is less than 0, the caller task did not finish executing within the time of the allowable number of TPs, and the number of extra TPs by itself You can recognize whether you straddled. For example, when the return value is -1, one extra TP is straddled.

  Then, the caller task executes processing according to the return value from wai_psw. First, a case will be described in which the caller task is a task that needs to be completed within the time of 1TP. In this case, since it is not allowed to cross the TP, the initial value of the wake-up counter 32 is zero. If the return value from wai_psw is 0, the calling task executes normal processing. On the other hand, when the return value from wai_psw is less than 0, the caller task executes an abnormality treatment.

  Next, a case will be described in which the caller task is a task that only needs to be completed within a time of 2TP. In this case, since it is allowed to cross the TP only once, the initial value of the wake-up counter 32 is 1. If the return value from wai_psw is 0 or 1, the caller task executes normal processing. On the other hand, when the return value from wai_psw is less than 0, the caller task executes an abnormality treatment. As described above, in the third embodiment, similarly to the second embodiment, it is possible to perform appropriate monitoring corresponding to a task that does not necessarily have to be terminated within 1TP. . That is, an initial value of the wake-up counter 32 suitable for each task is set, and when the value of the wake-up counter 32 counted down is less than 0, the abnormality treatment may be executed.

  Here, as in the second embodiment, even when the time required for task processing is variable, it is possible to perform appropriate monitoring by dynamically changing the initial value. For example, an initial value of the wake-up counter 32 corresponding to each task may be prepared in the execution memory 11, and the task or partition scheduler 33 may update the initial value at an arbitrary timing. The wai_psw sets an initial value prepared in the execution memory 11 as an initial value of the wakeup counter 32.

  Subsequently, partition scheduling processing and flag control processing by the partition scheduler 33 will be described below with reference to FIG. FIG. 16 is a flowchart showing a specific example of a processing procedure of the partition scheduler 33 according to the first embodiment of the invention.

  The processing procedure according to the third embodiment is different from the processing procedure according to the second embodiment only in that S30 is executed instead of S27. That is, in the third embodiment, when the wai_psw flag 29 corresponding to the task belonging to the switching destination TP is NG (No in S15), the partition scheduler 33 counts down the wake-up counter 32 corresponding to the task. (S30), go to S18.

  Subsequently, the flag control process in the task will be described with reference to FIG. FIG. 17 is a flowchart showing a specific example of the processing procedure of the API function wai_psw according to the second embodiment of the invention.

  The processing procedure according to the third embodiment is different from the processing procedure according to the second embodiment only in that S31 is executed instead of S29. That is, in the third embodiment, after executing the process of S28, wai_psw initializes the value of the wake-up counter 32 with the initial value as described above (S31), and proceeds to S26.

  Next, a specific example of task execution status monitoring by flag control processing will be described. Here, when the task is not allowed to cross the TP, the initial value of the wake-up counter 32 is zero. Therefore, in the case shown in FIG. 13, the initial value of the wake-up counter 32, the point where the wake-up counter 32 is not updated (S30), the return value of wai_psw, and the task processing according to the return value of wai_psw are also described in the second embodiment. It will be the same. Further, in the case shown in FIG. 14, it is the same as in the second embodiment except that the return value of wai_psw is -1. Therefore, in this Embodiment 3, in order to explain the feature more clearly, a case where a task that is allowed to cross TP only once becomes the execution status shown in FIGS. 18 and 19 will be described. .

  First, with reference to FIG. 18, a case will be described in which the task has not finished executing within the time of 1TP. Here, it is assumed that the wai_psw flag 29 is OK and the wake-up counter 32 is the initial value “1”. FIG. 18 is shown from the time when the partition scheduler 33 started after 1 Tick has activated Partition 1 (S11 to S14).

  In this case, since the wai_psw flag 29 corresponding to the task belonging to Partition 1 is OK (Yes in S15), the partition scheduler 33 does not count down the wake-up counter 32 corresponding to the task belonging to Partition 1. Further, the partition scheduler 33 updates the wai_psw flag 29 corresponding to the task belonging to Partition 1 to NG (S18). The task scheduler of Partition 1 starts its operation (S19) and executes the tasks in Partition 1 (S20).

  FIG. 18 illustrates a case where the task does not finish executing within the time of Partition 1 at this time. In this case, when the time of Partition 1 expires, task execution is interrupted by the task scheduler, and TP is switched to Partition 2 by the partition scheduler 33 (S11 to S14). In this case, since wai_psw has not been called by the task, the wai_psw flag 29 remains NG.

  When the partition scheduler 33 next activates Partition 1 (S11 to S14), the wai_psw flag 29 corresponding to the task belonging to Partition 1 is NG (No in S15). The wake-up counter 32 corresponding to the task to which it belongs is counted down (S30). That is, the value of the wake-up counter 32 is “0”. Further, the partition scheduler 33 updates the wai_psw flag 29 corresponding to the task belonging to Partition 1 to NG (S18). The task scheduler of Partition 1 starts its operation (S19) and executes the tasks in Partition 1 (S20). At this time, the task is resumed from where it was interrupted. When the task finishes executing normal processing, the task calls wai_psw (S21). The wai_psw updates the wai_psw flag 29 corresponding to the caller task to OK (S22). Also, wai_psw sets the value “0” of the wake-up counter 32 corresponding to the caller task to the return value of wai_psw (S28). Furthermore, wai_psw initializes the value of the wake-up counter 32 corresponding to the caller task to “1” (S29). Then, wai_psw causes the calling task to sleep (S26).

  When the partition scheduler 33 next activates Partition 1 (S11 to S14), after the processing in the case of Yes in S15 is executed as described above, the task scheduler of Partition 1 starts its operation ( S19), the task in Partition 1 is executed (S20). At this time, the task receives from the wai_psw as a return value “0” set at the time of sleep, and returns from wai_psw. As described above, since the return value of wai_psw is “0”, the task has been completed within the time period of two partitions 1 that the task itself is allowed to execute, and therefore normal processing may be executed. It becomes possible to recognize that.

  First, with reference to FIG. 19, a case will be described in which the task has not finished executing within a total time of 2TP. Here, it is assumed that the wai_psw flag 29 is OK and the wake-up counter 32 is the initial value “1”. FIG. 19 is shown from the time when the partition scheduler 33 started after 1 Tick has activated Partition 1 (S11 to S14).

  In this case, since the wai_psw flag 29 corresponding to the task belonging to Partition 1 is OK (Yes in S15), the partition scheduler 33 does not count down the wake-up counter 32 corresponding to the task belonging to Partition 1. Further, the partition scheduler 33 updates the wai_psw flag 29 corresponding to the task belonging to Partition 1 to NG (S18). The task scheduler of Partition 1 starts its operation (S19) and executes the tasks in Partition 1 (S20).

  FIG. 19 shows a case where the task has not finished executing within the time of Partition 1 at this time. In this case, when the time of Partition 1 expires, task execution is interrupted by the task scheduler, and TP is switched to Partition 2 by the partition scheduler 33 (S11 to S14). In this case, since wai_psw has not been called by the task, the wai_psw flag 29 remains NG.

  When the partition scheduler 33 next activates Partition 1 (S11 to S14), the wai_psw flag 29 corresponding to the task belonging to Partition 1 is NG (No in S15). The wake-up counter 32 corresponding to the task to which it belongs is counted down (S30). That is, the value of the wake-up counter 32 is “0”. Further, the partition scheduler 33 updates the wai_psw flag 29 corresponding to the task belonging to Partition 1 to NG (S18). The task scheduler of Partition 1 starts its operation (S19) and executes the tasks in Partition 1 (S20). At this time, the task is resumed from where it was interrupted. FIG. 19 shows a case where the task has not finished executing again within the time of Partition 1 at this time. In this case, when the time of Partition 1 expires, task execution is interrupted by the task scheduler, and TP is switched to Partition 2 by the partition scheduler 33 (S11 to S14). In this case, since wai_psw has not been called by the task, the wai_psw flag 29 remains NG.

  When the partition scheduler 33 next activates Partition 1 (S11 to S14), the wai_psw flag 29 corresponding to the task belonging to Partition 1 is NG (No in S15). The wake-up counter 32 corresponding to the task to which it belongs is counted down (S30). That is, the value of the wake-up counter 32 is “−1”. Further, the partition scheduler 33 updates the wai_psw flag 29 corresponding to the task belonging to Partition 1 to NG (S18). The task scheduler of Partition 1 starts its operation (S19) and executes the tasks in Partition 1 (S20). At this time, the task is resumed from where it was interrupted. When the task finishes executing normal processing, the task calls wai_psw (S21). The wai_psw updates the wai_psw flag 29 corresponding to the caller task to OK (S22). Further, wai_psw sets the value “−1” of the wake-up counter 32 corresponding to the caller task as the return value of wai_psw (S28). Furthermore, wai_psw initializes the value of the wake-up counter 32 corresponding to the caller task to “1” (S29). Then, wai_psw causes the calling task to sleep (S26).

  When the partition scheduler 33 next activates Partition 1 (S11 to S14), after the Yes processing is executed in S15 as described above, the task scheduler of Partition 1 starts its operation (S19). Then, the task in Partition 1 is executed (S20). At this time, the task receives “−1” set at the time of sleep as a return value from wai_psw and returns from wai_psw. As described above, since the return value of wai_psw is “−1”, the task has not been finished within the time period of two allowed Partition 1s, so it is necessary to perform an abnormality treatment. It becomes possible to recognize something.

  As described above, the wai_psw flag 29 is NG before the wai_psw flag 29 corresponding to the task belonging to the switching destination TP is updated to NG at the time of TP switching as in the third embodiment. Monitoring is also possible by updating the counter value by counting down when it is detected.

Another embodiment of the invention.
In the present embodiment, the case where the tasks belonging to each of the TPs are the safety monitoring task 24, the normal control task 26, and the safety control task 28, respectively, is exemplified, but the type of task is not limited to this. The task is not limited to the safety monitoring task 24, the normal control task 26, and the safety control task 28, and may have a task for executing processing related to control of any other control target.

  For example, you may make it have the tasks 34-36 as shown in FIG. In this case, the safety control device needs to have applications corresponding to the tasks 34 to 36 instead of the applications 101 to 103. However, since this point is obvious, illustration and description are omitted.

  The supervisory control task 34 controls the controlled object. Specifically, the supervisory control task 34 controls the actuator to be controlled based on command values from the normal control task 35 and the safety control task 36. The normal control task 35 performs control calculation for causing the control target to perform a normal function / operation. Specifically, the normal control task 35 performs a control calculation of the actuator in the normal control and calculates an actuator command value. The normal control task 35 outputs the calculated command value to the monitoring control task 34. The safety control task 36 performs a control calculation determined to ensure functional safety. Specifically, the safety control task 36 calculates the actuator command value by performing a control calculation of the actuator in the safety control. The safety control task 36 outputs the calculated command value to each of the monitoring control tasks 34. The supervisory control task 34 controls the actuator based on the command value output from the normal control task 41 or the safety control task 36.

  Furthermore, the monitoring control task 34 acquires a sensor value from the sensor to be controlled. The monitoring control task 34 outputs the acquired sensor value to the normal control task 35 and the safety control task 36. Each of the normal control task 35 and the safety control task 36 may perform actuator control calculation based on the sensor value output from the monitoring control task 34.

  In addition, for example, tasks 37 to 39 as shown in FIG. 21 may be included. In this case, the safety control device needs to have applications corresponding to the tasks 37 to 39 instead of the applications 101 to 103. However, since this point is obvious, illustration and description are omitted.

  The monitoring task 37 acquires a sensor value from the sensor to be controlled. This sensor includes a posture sensor for detecting the posture of the control target as described above. The example demonstrated here demonstrates the case where it applies to the traveling apparatus which a person can board as a control object. In this case, the monitoring task 37 can detect the movement of the center of gravity by the passenger using the posture sensor. The monitoring task 37 outputs the acquired sensor value to an HMI (Human Machine Interface) task 39.

  Based on the sensor value output from the monitoring task 37, the HMI task 39 performs control calculation of the actuator to be controlled, and calculates an actuator command value. The HMI task 39 outputs the calculated command value to the control task 38. The control task 38 controls the actuator based on the command value output from the HMI task 39.

  According to this, it is possible to realize an HMI in which a control target is controlled in accordance with a passenger's operation. For example, it is possible to perform control such that the control object moves back and forth when the passenger moves the center of gravity back and forth, and the control object turns left and right when the passenger moves the center of gravity left and right. The same can be said for the examples described with reference to the first to third embodiments and FIG. Specifically, the normal control task 26 and the safety control task 28 or the normal control task 35 and the safety control task 36 perform the same control according to the sensor value acquired by the safety monitoring task 24 or the monitoring control task 34. Thus, HMI can be realized. Moreover, according to this Embodiment, it becomes possible to perform control of the controlled object more stably. Therefore, as described above, it is possible to perform control of a controlled object with improved safety by applying a traveling device on which a person can board as a controlled object.

  In addition, as a traveling apparatus, it can also be set as the coaxial two-wheeled vehicle of standing up riding. In this case, the wheel rotates by controlling the actuator. Further, the safety control device itself may be mounted on the control target.

  Furthermore, the present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the gist of the present invention described above.

  In the present embodiment, the case where the OS has TP1 to TP3 is illustrated, but the type and number of TPs are not limited to this. The scheduling pattern is not limited to that exemplified in the present embodiment.

  Further, in the present embodiment, the case where the number of tasks is three is exemplified, but the number of tasks is not limited to this. For example, in the present embodiment, the case where there are three TPs TP1 to TP3 is illustrated, but the number of TPs is set to a number other than three, and each TP has one or more arbitrary numbers of tasks. You may do it.

  In this embodiment, when the TP is switched, the wai_psw flag 29 corresponding to the task belonging to the switching destination TP is updated to NG, and the wai_psw flag 29 corresponding to the task belonging to the switching destination TP is updated to NG ( Before S18, it is detected that the wai_psw flag 29 is NG (No in S15) and the wake-up flag 30 is updated to E_TMOUT (S17), but this is not restrictive. For example, when switching the TP, the wai_psw flag 29 corresponding to the task belonging to the TP before switching is updated to NG, and the wai_psw flag 29 corresponding to the task belonging to the TP before switching is updated to NG. It is also possible to detect that 29 is NG and update the wakeup flag 30 to E_TMOUT.

  In this embodiment, when the partition scheduler detects that the wai_psw flag 29 is NG (No in S15), it only updates the wakeup flag 30 (S17). Not limited. For example, when the partition scheduler detects that the wai_psw flag 29 is NG, the process corresponding to the abnormality treatment may be performed immediately. However, as in this embodiment, the task is configured to recognize an abnormality in the task by the wake-up flag 30 and notify the partition scheduler of the abnormality, so that the task notifies the partition scheduler of other abnormalities. It can be integrated into the mechanism and can be implemented more easily with a smaller amount of change.

  In the first embodiment, wai_psw sets the return value to E_TMOUT and causes the task to sleep when the wakeup flag 30 is E_TMOUT, but is not limited to this. For example, when the wake-up flag 30 is E_TMOUT, the task may be immediately returned using E_TMOUT as a return value without sleeping the task. By doing in this way, the responsiveness of the abnormal treatment by a task can be improved. However, as in the first embodiment, by unifying the processing between the normal system and the abnormal system, it is possible to more easily implement with a smaller change amount. The same can be said for the second and third embodiments. That is, in the second embodiment, wai_psw may return immediately without sleeping the task when the wake-up counter 32 is equal to or greater than the threshold value. In the third embodiment, wai_psw may be returned immediately without causing the task to sleep when the wake-up counter 32 is less than zero.

  In the second embodiment, the initial value of the wake-up counter 32 is set to 0, but is not limited to this. For example, the initial value of the wake-up counter 32 may be a value other than 0, and the threshold value may be set accordingly. The same can be said for the third embodiment. That is, in the third embodiment, it may be determined that there is an abnormality when the value is less than 0, and the initial value of the wake-up counter 32 may be set accordingly.

DESCRIPTION OF SYMBOLS 1 Safety control apparatus 10 Processor 11 Execution memory 12 I / O port 13 Non-volatile memory 14 Reset circuit 15 Microcontroller 21, 31, 33 Partition scheduler 22 Scheduling table 23, 25, 27 Task scheduler 24 Safety monitoring task 26, 35 Normal Control task 28, 36 Safety control task 29 wai_psw flag 30 Wake-up flag 32 Wake-up counter 34 Monitoring control task 37 Monitoring task 38 Control task 39 HMI task 100, 200, 300 Operating system 101 Safety monitoring application 102 Normal control application 103 Safety control application

Claims (12)

Scheduling means for scheduling and executing the control-related task according to scheduling information indicating scheduling contents of a plurality of time partitions including a control-related time partition in which a control-related task that performs processing related to control of a control target is executed;
A storage unit for storing execution end information indicating the end of execution of the control-related task or non-execution of execution, and
The scheduling means updates the execution end information to non-execution at the time of switching the time partition related to the control-related time partition, and updates the execution end information to execution at the end of execution of the control-related task,
The scheduling means detects a case where the execution end information indicates execution not completed before the execution end information is updated to non-execution at the time of switching the time partition related to the control-related time partition;
Control device. The scheduling means includes
A system program for scheduling and executing the control-related task according to the scheduling information;
A processor for executing the system program,
The control device according to claim 1. When the control-related task is called, the system program provides a function for ending execution of the control-related task and sleeping.
The function includes a process of updating the execution end information to the execution end of the control related task.
The control device according to claim 2. The system program includes a partition scheduler that schedules the plurality of time partitions according to the scheduling information,
The partition scheduler updates the execution end information to unexecuted when the time partition related to the control-related time partition is switched, and also executes the execution end information when the time partition related to the control-related time partition is switched. Detecting the case where the execution end information indicates non-execution before updating to
The control device according to claim 3.   The control device according to claim 4, wherein the function returns a return value corresponding to a detection state when the execution end information indicates that the execution has not ended to the control-related task. The storage unit further stores a detection result value in which a normal value indicating normal is set as an initial value,
The system program updates the detection result value to an abnormal value indicating that the detection result value is abnormal when detecting a case where the execution end information indicates non-execution,
The control device according to claim 5, wherein the function sets a value corresponding to the detection result value as the return value. The storage unit further stores a counter value,
The system program updates the counter value when it detects a case where the execution end information indicates non-execution,
The control device according to claim 5, wherein the function sets the counter value to the return value.   The control device according to claim 6, wherein when the return value of the function is a value corresponding to an abnormal value, the control-related task executes a process corresponding to an abnormality instead of a normal process. The system program counts up the counter value when it detects a case where the execution end information indicates non-execution,
The control device according to claim 7, wherein the control-related task executes a process corresponding to an abnormality instead of a normal process when a return value of the function is a predetermined threshold value or more. The scheduling information further indicates scheduling contents of a plurality of time partitions including an abnormality processing time partition in which an abnormality treatment task for performing processing corresponding to the abnormality is executed,
The process corresponding to the abnormality in the control related task includes a process of notifying the partition scheduler of the abnormality,
The partition scheduler starts scheduling of the abnormal treatment task according to the scheduling content of a plurality of time partitions including the abnormal processing time partition in response to a notification from the control-related task.
The control device according to claim 8 or 9.   The switching of the time partition related to the control-related time partition is either when switching from another time partition to the control-related time partition or when switching from the control-related time partition to another time partition. The control device according to claim 1. A control method in which a control-related task is scheduled and executed by a processor according to scheduling information indicating scheduling contents of a plurality of time-partitions including a control-related time partition in which a control-related task that performs processing related to control of a control target is executed. And
The processor updates execution end information indicating execution end or non-execution of the control-related task to non-execution when switching the time partition related to the control-related time partition;
The processor updating the execution end information to the end of execution at the end of execution of the control-related task;
Detected when the execution end information indicates that execution has not ended before the processor updates the execution end information to non-execution of the control-related task when switching the time partition related to the control-related time partition. And steps to
Control method with.

Images