JP5822783B2 - Failure detection device - Google Patents

Description

  The present invention groups a plurality of nodes capable of realizing the same function, and dynamically detects a failure in a distributed system in which nodes within the group exchange input / output data with each other and perform comparison for comparison. It is related with the failure detection apparatus which performs.

  In current automobiles, various functions are realized by exchanging data between a plurality of nodes. Therefore, in order to realize finer control when a failure occurs, it is important to make the recognition about the failed node coincide between normal nodes in the system.

  The conventional failure detection and failure information sharing technology performs monitoring on an arbitrary number of nodes (hereinafter referred to as monitoring nodes) with respect to data of nodes to be monitored (hereinafter referred to as monitoring target nodes). Detect failure. Each monitoring node exchanges failure information, which is each monitoring result, with other monitoring nodes for each cycle, and shares failure information by a predetermined method such as majority decision based on the collected results. (For example, see Patent Document 1).

JP 2009-37575 A

  However, in the conventional method, since the control information for confirming the failure and the failure information for information sharing are transmitted separately, when monitoring a certain node with multiple nodes, the reliability of failure detection However, there is a problem that the influence on the bus load becomes large. On the other hand, when the number of monitoring nodes is small, the influence on the bus load is small, but there is a possibility that the target cannot be monitored due to a failure of the monitoring node. Although it is possible to detect a failure of the monitoring node and switch the monitoring node, it is necessary to consider complicated settings such as a response when the switching destination is out of order.

  As described above, the conventional failure information sharing method has a large influence on the bus load in order to increase the resistance against the failure of the monitoring node, and reduces the number of monitoring nodes to reduce the influence on the bus load. There was a risk that it could not be monitored.

  In addition, when the number of failed nodes is increased by the data selection means at the time of information sharing, it is possible to make an erroneous determination conventionally. For example, in the case of identifying a failure node by majority vote, there is a possibility that an erroneous result is output when a majority of the failure occurs.

  The present invention has been made to solve the above-described problems. While suppressing an increase in network load for sharing fault information, function redundancy, addition of a dynamic fault detection function, and between normal nodes are performed. It is an object of the present invention to obtain a failure detection apparatus that can realize the coincidence of recognition for a failure node and can perform failure detection with high reliability.

  The failure detection device according to the present invention is a failure detection device that detects a failure of a node in a distributed system in which a plurality of nodes connected to a network are grouped and input / output data is periodically exchanged between the groups. Each node performs an operation on input data, and outputs an operation result to the other node in the group, and an operation unit that outputs the operation result and an input / output set that is a combination of the output data and the input data as the operation result. In addition, when the input / output group is received from another node, the transfer unit that extracts the input data is compared with the output data in the input / output group and the operation result, and the operation result matches one of the output data in the input / output group. If this happens, the value is output, and if any output data matches and does not match, the output data node that does not match fails. On the other hand, if the calculation result does not match all the output data of the input / output group, a comparison unit that adds the calculation result to all the output data of the input / output group and creates a new input / output group, and a comparison unit And a failure detection unit for notifying other nodes in the group of the failure of the node determined by each node. When each node receives a failure notification for the same node from a plurality of nodes in one cycle, After the period, the failure notification from the node that has received the failure notification is ignored.

  The failure detection apparatus according to the present invention determines that the node of the output data is faulty when it includes output data that does not match, and notifies other nodes of the failure, and also notifies failure to the same node from a plurality of nodes in one cycle. Since the failure notification from the node that received the failure notification is ignored after the next cycle, the function redundancy and dynamics are suppressed while suppressing an increase in the network load for failure information sharing. Thus, it is possible to realize a failure detection function and a recognition of failure nodes among normal nodes. Further, it is possible to perform failure detection with high reliability.

It is a block diagram which shows the failure detection apparatus of Embodiment 1 of this invention. BRIEF DESCRIPTION OF THE DRAWINGS It is a block diagram of the system assumed as an application object of the failure detection apparatus of Embodiment 1 of this invention. It is explanatory drawing which shows operation | movement between two ECUs in the failure detection apparatus of Embodiment 1 of this invention. It is a block diagram of the system which consists of four ECUs in the failure detection apparatus of Embodiment 1 of this invention. It is explanatory drawing which shows the data flow between ECU of FIG. It is explanatory drawing which shows the operation | movement at the time of normal using ECU1 as a start node in the failure detection apparatus of Embodiment 1 of this invention. It is explanatory drawing which shows the operation | movement at the time of abnormality which made ECU1 the start node in the failure detection apparatus of Embodiment 1 of this invention. It is explanatory drawing which shows the system whole operation | movement at the time of normal at the time of 4ECU structure in the failure detection apparatus of Embodiment 1 of this invention. It is explanatory drawing which shows the whole system operation at the time of abnormality at the time of 4 ECU structure in the failure detection apparatus of Embodiment 1 of this invention. It is explanatory drawing which shows the failure notification of ECU2 by ECU3 in the failure detection apparatus of Embodiment 1 of this invention. It is explanatory drawing which shows the failure notification of ECU2 by ECU4 in the failure detection apparatus of Embodiment 1 of this invention. It is a flowchart which shows operation | movement of ECU which transmits the input / output group in the failure detection apparatus of Embodiment 1 of this invention. It is a flowchart which shows operation | movement of ECU which received the input / output group in the failure detection apparatus of Embodiment 1 of this invention. It is a flowchart which shows operation | movement of ECU which received the failure notification in the failure detection apparatus of Embodiment 1 of this invention. It is explanatory drawing which shows the erroneous failure notification with respect to normal ECU1 by failure ECU2 in the failure detection apparatus of Embodiment 1 of this invention. It is explanatory drawing which shows the erroneous failure notification with respect to normal ECU1 by failure ECU2 in the failure detection apparatus of Embodiment 1 of this invention. It is explanatory drawing which shows the erroneous failure notification with respect to normal ECU1 by failure ECU3 in the failure detection apparatus of Embodiment 1 of this invention. It is explanatory drawing which shows the operation | movement in the failure detection apparatus of Embodiment 2 of this invention. It is explanatory drawing which shows the operation | movement in the failure detection apparatus of Embodiment 3 of this invention. It is explanatory drawing which shows the operation | movement in the failure detection apparatus of Embodiment 4 of this invention. It is explanatory drawing which shows the operation | movement in the failure detection apparatus of Embodiment 5 of this invention.

Embodiment 1 FIG.
In the first embodiment, a case of an ECU (Electronic Control Unit) will be described as an example of a plurality of nodes connected to a network. In the first embodiment, a plurality of ECUs capable of realizing the same function are grouped, and in-group ECUs exchange input / output data with each other for comparison, thereby making the functions redundant and dynamic failure detection capability. Addition is realized and failure information is shared when a failure is detected.

  Here, being able to realize the same function means that the corresponding ECU has the same calculation function, and the same calculation result can be obtained for a certain input. The dynamic failure detection capability means that the ECU that detects a failure automatically switches according to the occurrence state of the failure.

  The present invention assumes that two ECUs do not fail simultaneously within one cycle. This assumption is only a problem when two nodes fail at the same time within one period and both make the same error at the same time, but is reasonable because the probability is considered to be sufficiently small.

  Each ECU acquires input data and performs an operation based on it to obtain output data. Thereafter, a pair of input data and output data (hereinafter referred to as an input / output group) is transmitted to the ECUs in the group. The ECU that has received the input / output set performs an operation based on the input data, obtains output data, and compares it with the received output data set. Here, since the ECU that has received the input / output set has the same function as the transmitted ECU, if it is normal, the same output data can be obtained for the same input data. If any of the calculated output data matches the received output data set, the value is output. On the other hand, if the calculated output data does not match any of the received output data sets, the calculation result is added to the end of the input / output set and transmitted to other ECUs in the group. Data transfer when the output data does not match is performed while satisfying a response time required for the application (hereinafter referred to as a deadline). Thus, if there are two normal ECUs in the system, a correct result is output. As a result, the function is made redundant. If no matching output is found until the deadline is violated, the response time can be satisfied by outputting the previous value or default value.

  Further, when the output data is output in accordance with one of the output data sets, it can be determined that the ECU to which the output data that does not match is added is out of order. In the above procedure, two normal ECUs including a faulty ECU in the output path can determine the faulty ECU.

On the other hand, an ECU that does not include a faulty ECU in the output path cannot recognize the faulty ECU. Therefore, in order to make the recognition about the failure ECU coincide between the normal ECUs, the ECU that detects the failure ECU needs to notify all the ECUs in the group about the failure ECU. In the present invention, since two normal ECUs can recognize a faulty ECU, when each ECU receives two or more fault notifications, each ECU is marked as a faulty ECU, and in subsequent cycles Ignore the failure notification from the failure ECU. As a result, even if the failure ECU gives a failure notification to the normal ECU, it is ignored and it is possible to prevent the normal ECU from being determined as a failure.
Hereinafter, an embodiment of a failure detection apparatus in such a distributed system will be described.

FIG. 1 is a configuration diagram of an ECU provided with a failure detection apparatus according to Embodiment 1 of the present invention.
The ECU 1 shown in FIG. 1 includes an input unit 11, a calculation unit 12, a transfer unit 13, a comparison unit 14, an output unit 15, and a failure detection unit 16, and is connected to the in-vehicle LAN 100.
FIG. 2 is a configuration diagram of a distributed system assumed as an object of the present invention. A plurality of ECUs having the same configuration as the ECU 1 shown in FIG. 1 are connected to the same network. Here, a plurality of ECUs 1, ECUs 2,..., ECUn (n is an arbitrary integer) have the configuration of the ECU 1 in FIG. Below, the function of each ECU is demonstrated.

The input unit 11 is a functional unit that acquires data necessary for control using a sensor or the like. The calculation unit 12 is a functional unit that performs calculation according to the application based on input data acquired by the input unit 11 or the transfer unit 13. The transfer unit 13 is a functional unit that sends a message to the ECUs in the group by combining the input data and the calculated value obtained from the calculating unit 12 (hereinafter referred to as an input / output set). The input / output group has the following configuration.
{Input data: output data 1: output data 2: ...: output data n}
Here, n is an arbitrary integer, and the output data (calculated value) of the corresponding ECU is added every time transfer is performed. Therefore, in each embodiment, the operation value of the input / output group is referred to as an output data set. When the input / output group is received, the transfer unit 13 extracts the input data of the input / output group and performs calculation using the arithmetic unit 12.

The comparison unit 14 is a functional unit that compares the calculated value of the calculation unit 12 with respect to the input data of the received input / output set and the output data set of the received input / output set. If there is a match as a result of the comparison, this is passed to the output unit 15, and if there is no data matching the output data set, its calculation result (the calculation result of the calculation unit 12) is output to the output data set. To the transfer unit 13. If a mismatched output is included, the mismatched ECU is determined as a failure, and the determination result is output to the failure detection unit 16. The output unit 15 is a functional unit that outputs a calculation value determined by the comparison unit 14 to match.
The failure detection unit 16 is a functional unit that realizes sharing of failure information among the ECUs, and notifies all the ECUs in the group of information on the ECUs determined to be a failure by the comparison unit 14. Further, when failure notifications are received from a plurality of ECUs for the same ECU within one cycle, the ECU is marked as failed, and information from that ECU is ignored in subsequent cycles.
The in-vehicle LAN 100 is a network for connecting a plurality of ECUs 1, 2,..., N as shown in FIG.

  The ECUs 1, 2,..., N are each configured by a computer, and each process in the input unit 11 to the failure detection unit 16 includes software corresponding to each process and for executing these softwares. This is realized by hardware such as a CPU and a memory. Alternatively, any one of the functional units may be configured with dedicated hardware.

FIG. 3 is an explanatory diagram showing an operation extracted from the comparison process between the ECU 1 and the ECU 2 in FIG.
The ECU 1 obtains input data using the input unit 11 and obtains a computation value as output data using the computation unit 12. Then, the transfer unit 13 is used to set the input data and the calculated value as a set (hereinafter referred to as an input / output set) and transmit the set to the in-group ECU (ECU 2 in this case). When the ECU 2 receives the input / output set, the ECU 2 extracts the input data from the input / output set and provides it to the arithmetic unit 12. The comparison unit 14 compares the data output from the calculation unit 12 with the output data set included in the received input / output set. When the calculated value obtained from the calculation unit 12 matches any of the output data sets, the calculated calculation value is output using the output unit 15. In FIG. 3, the flow when the output data matches is indicated by a bold line. 3 does not include a mismatch result because the two ECUs 1 and 2 match, but if a result that does not match the output data set is included, the ECU that outputs the result is regarded as a failure and a failure is detected. Notification to the unit 16.

  In the system configured by four ECUs (ECU1, ECU2, ECU3, ECU4) shown in FIG. 4, the operation focusing on the ECU1 as a start node is illustrated for all the ECUs being normal and when the ECU2 has failed. 6 and FIG. FIG. 5 shows a data flow between the ECUs in FIG.

  In FIG. 6, the ECU 1 obtains input data (5) using the input unit 11 and performs computation using the computation unit 12 to obtain output data (10). Here, values in parentheses represent data, and a normal ECU can obtain a result obtained by doubling input data. Then, the transfer unit 13 is used to transmit the input / output set {5:10}. The ECU 2 receives the input / output set {5:10}, calculates the input data (5) using the calculation unit 12, and obtains a calculation result (10). The comparison unit 14 compares the output data (10) of the calculation unit 12 with the received output data set {10} and outputs (10) using the output unit 15 because the values match at (10).

  In FIG. 7, the ECU 1 obtains input data (5) using the input unit 11 and performs computation using the computation unit 12 to obtain output data (10). Then, the transfer unit 13 is used to transmit the input / output set {5:10}. The ECU 2 receives the input / output set {5:10}, calculates the input data (5) using the calculation unit 12, and obtains a calculation result (11). Since the ECU 2 is out of order, a correct result cannot be obtained and the output data is (11). Therefore, it does not match the received output data set, and the comparison unit 14 outputs a result of mismatch. At this time, since there are only two pieces of data, it cannot be determined which data is correct, and therefore, the failure ECU cannot be specified. Since the comparison result does not match, the transfer unit 13 adds the value (11) output by the calculation unit 12 to the end of the input / output set, and transfers the input / output set {5:10:11} to the in-group ECU 3. . The ECU 3 receives the input / output set {5:10:11}, performs an operation on the input data (5) using the operation unit 12, and obtains an operation result (10). The comparison unit 14 compares the value (10) output from the calculation unit 12 with the received output data set {10:11}, and outputs (10) using the output unit 15 because the outputs (10) match. To do. The comparison unit 14 can determine that the ECU 2 to which the erroneous output data (11) is added at the time when the comparison is completed, and gives a failure notification to all the ECUs in the group using the failure detection unit 16. FIG. 10 is a failure notification from the ECU 3 to the ECU 2.

  FIG. 8 shows the operation of the entire system when all the ECUs are normal. All the ECUs agree with each other in the comparison of the two ECUs as in the operation of the ECU 1 described with reference to FIG.

FIG. 9 shows the operation of the entire system when the ECU 2 is out of order. The operation of the comparison process started from the ECU 1 is as described in FIG.
The operation of the comparison process started from the ECU 2 is as follows. The ECU 2 obtains input data (1) using the input unit 11 and performs computation using the computation unit 12 to obtain output data (3). Since the ECU 2 is out of order, the correct result (2) is not obtained. Then, the transfer unit 13 is used to transmit the input / output set {1: 3}. The ECU 3 receives the input / output set {1: 3}, calculates the input data (1) using the calculation unit 12, and obtains a calculation result (2). Since the ECU 2 is out of order, the value {3} of the output data set does not match the output data (2) of the ECU 3, and the comparison unit 14 outputs a result of mismatch. Since the comparison result does not match, the transfer unit 13 adds the value (2) output from the calculation unit 12 to the end of the input / output set, and transfers the input / output set {1: 3: 2} to the in-group ECU 4. . The ECU 4 receives the input / output set {1: 3: 2}, calculates the input data (1) using the calculation unit 12, and obtains a calculation result (2). The comparison unit 14 compares the value (2) output from the calculation unit 12 with the received output data set {3: 2}, and outputs (2) using the output unit 15 because the output (2) matches. To do. The ECU 4 can determine that the ECU 2 that has output inconsistent by the comparison unit 14 at this time is a failure, and sends a failure notification to all the ECUs in the group using the failure detection unit 16. FIG. 11 is a failure notification from the ECU 4 to the ECU 2.

  The operation of the comparison process started from the ECU 3 is as follows. The ECU 3 obtains input data (3) using the input unit 11, performs computation using the computation unit 12, and obtains output data (6). Then, the transfer unit 13 is used to transmit the input / output set {3: 6}. The ECU 4 receives the input / output set {3: 6}, calculates the input data (3) using the calculation unit 12, and obtains a calculation result (6). The comparison unit 14 compares the output data (6) of the calculation unit 12 with the received output data set {6}, and outputs (6) using the output unit 15 because the values match in (6). Since the comparison process started from the ECU 3 is normal for both the ECU 3 and the ECU 4, data is matched and output in the comparison process of the second ECU 4, and no extra calculation or message transfer is performed. Further, since the fault ECU is not included in the path to the output, the fault ECU is not detected.

  The operation of the comparison process started from the ECU 4 is as follows. The ECU 4 obtains input data (4) using the input unit 11 and performs computation using the computation unit 12 to obtain output data (8). Then, the transfer unit 13 is used to transmit the input / output set {4: 8}. The ECU 1 receives the input / output set {4: 8}, performs an operation on the input data (4) using the operation unit 12, and obtains an operation result (8). The comparison unit 14 compares the output data (8) of the calculation unit 12 with the received output data set {8}, and outputs (8) using the output unit 15 because the values match in (8). Since the comparison process started from the ECU 4 is normal for both the ECU 4 and the ECU 1, the data is matched and output in the comparison process of the second ECU 1, and no extra calculation or message transfer is performed. Further, since the fault ECU is not included in the path to the output, the fault ECU is not detected.

  Therefore, at this point in time, the recognition regarding the faulty ECU does not match between normal ECUs in the system. That is, while the ECUs 3 and 4 recognize that the ECU 2 has failed, the ECU 1 cannot recognize the failure of the ECU 2. Therefore, in order to make the recognition about the failure ECU in the system coincide, a failure notification is required.

  In the procedure of the present invention, since two normal ECUs can always identify a faulty ECU as in this example, faulty ECU information can be shared by only two fault notifications. The ECU that has identified the failure gives a failure notification, and the ECU that has received two failure notifications for the same ECU within one cycle marks the corresponding ECU as a failure. Thereafter, the failure notification from the ECU is ignored.

  FIG. 12 is a flowchart showing the operation of the ECU that acquires input data from the input device and starts transferring the input / output set. Here, the ECU is represented as a start node. The start node obtains input data from the input unit 11 for each cycle (step ST100), calculates the input data using the calculation unit 12, and obtains output data (step ST101). The transfer unit 13 is used to transfer the input / output data combination input / output set) to the ECUs in the group (steps ST102 and ST103).

  FIG. 13 is a flowchart showing the operation of the ECU that has received the input / output set from the in-group ECU. The ECU that has received the input / output set (step ST120) extracts input data using the transfer unit 13, performs calculations using the calculation unit 12, and obtains output data (step ST121). Then, the comparison unit 14 is used to compare whether the obtained output data matches the output data set of the input / output group (steps ST122 and ST123). If there is matching data, the output unit 15 outputs the data (step ST124). Further, if there is an ECU that outputs data other than the matched data, it is determined that the ECU has failed (steps ST125 and ST126). Information regarding the faulty ECU is notified to all ECUs in the group using the fault detection unit 16 (step ST127). If the calculated output data does not match any data in the output data set, the output data calculated by itself is added to the end of the input / output group using the transfer unit 13 (step ST128). The data is transferred to the next ECU in the group (step ST129).

  FIG. 14 is a flowchart when the failure detection unit 16 receives a failure notification. If the failure notification is from the ECU identified as a failure, it is ignored (step ST200). When a failure notification from another ECU is first received (step ST201), the number of failure notifications regarding the notified ECU is set to 1, and at this time, the notified ECU is not marked as a failure (step ST203). Accordingly, when the failure ECU gives a failure notification to the normal ECU, it is possible to prevent the normal ECU from being erroneously determined as a failure. When the number of failure notifications to the corresponding ECU becomes two or more in step ST201, the corresponding ECU is marked as a failure ECU (step ST202), and the information from the failure ECU is ignored thereafter. The number of failure notifications is cleared for each cycle.

  FIG. 15 is an example when the failure ECU 2 notifies a normal ECU 1 as a failure. In this case, since other normal ECUs do not send a failure notification to the normal ECU 1, there are no two or more failure notifications to the ECU 1, and the normal ECU 1 is not erroneously determined to be a failure.

  On the other hand, FIGS. 16 and 17 show the case where two failure ECUs (ECU2, ECU3) give a failure notification to the normal ECU1 in a certain cycle. In the present invention, since it is assumed that two ECUs do not fail at the same time in one cycle, one of them is already marked as a failed ECU, and the failure notification from that ECU is ignored. Therefore, there is only one failure notification to the ECU 1, and a normal ECU 1 is not erroneously determined to be a failure.

  Regarding the suppression of network load improvement in the first embodiment, for example, when monitoring a certain node with four nodes in the conventional method, the failure node is determined by deciding a large number of four monitoring results for each period. Therefore, in the conventional method, four messages for monitoring each cycle are sent, and the bus load increases. On the other hand, in the present embodiment, even in the case of four nodes, if the ECU that sent the message (input / output group) has not failed, the outputs will match, no failure notification will be made, and the bus load will not be affected. However, each ECU needs to perform an operation on its own input and an operation on the input of another node, and the CPU load is doubled. Therefore, the ECU can be applied only to a system with a CPU load of half or less. In this embodiment, since the monitoring node is dynamically switched with respect to an arbitrary failure node, there is resistance to failure. Further, since the failed node is marked as failed, even if the majority of the failed nodes are detected, the correct nodes are not erroneously determined to be failed, and the recognition between the normal nodes is consistent.

  As described above, according to the failure detection apparatus of the first embodiment, in a distributed system in which a plurality of nodes connected to a network are grouped and input / output data is periodically exchanged within the group, the failure of the node A failure detection device that performs detection, each node performs an operation on input data, outputs an operation result, and an input / output set that is a combination of the output data and the input data as the operation result Transfers to other nodes and compares the output data in the input / output set with the transfer result to retrieve the input data when the input / output set is received from the other node. If the output data matches any of the output data, the value is output, and if it matches any output data and includes output data that does not match, it does not match If the node of the force data is determined to be faulty and the operation result does not match all the output data of the input / output group, the operation result is added to all the output data of the input / output group and a new input / output group is created. And a failure detection unit for notifying other nodes in the group of the failure of the node determined by the comparison unit, each node notifying a failure from the plurality of nodes to the same node in one cycle Since the failure notification from the node that received the failure notification is ignored after the next cycle, the function redundancy and dynamics are suppressed while suppressing an increase in the network load for failure information sharing. New failure detection function, recognition of failure nodes among normal nodes can be realized, and normal nodes are not mistakenly determined as failure, and reliable failure detection is performed. Can Kill.

Embodiment 2. FIG.
The second embodiment relates to a failure detection apparatus applied to a system where further reliability is required for data. In the following embodiments, the configuration on the drawing is the same as that of the first embodiment, and therefore, description will be made using the configuration of FIG. 1 and FIG.

  In the second embodiment, data reliability is improved by transferring data until any n pieces of data match according to the degree of safety required for the system. FIG. 18 shows an operation example of the second embodiment. The second embodiment is an example in which output is performed when three pieces of data coincide with each other. The data is identical between the ECU 1 and the ECU 2, but the input / output set is transferred to the ECU 3 by the transfer unit 13, and the ECU 3 outputs the three data Are matched and output is performed from the output unit 15. In the output with three output data coincidence, the failure ECU notification is made from the three ECUs. Also in this case, the operation of the second embodiment does not need to be changed from the first embodiment, and the failure detection unit 16 of the ECU that detects the failure issues a failure notification, and each ECU notifies the failure notification from two or more ECUs. To mark the notified ECU as a failure.

Embodiment 3 FIG.
The third embodiment is an example in which the transfer when the data does not match is defined not by the deadline but by the number of transfers. An example of the operation is shown in FIG. In FIG. 19, the maximum number of transfers is 5. In this example, since the output data up to the ECU 6 do not all match, the transfer unit 13 transfers the data to the ECU 6. In FIG. 19, output from the output unit 15 is performed because the output data of the ECU 6 matches one of the output data sets. However, the output data of the ECU 6 that has reached the maximum number of transfers matches any of the output data sets. If not, the previous value or default value is output. Also in the third embodiment, the ECU that outputs the result that did not match can be determined as a failure, and the failure detection unit 16 of the ECU that detected the failure notifies the failure. Each ECU marks the notified ECU as a failure by a failure notification from two or more ECUs.

Embodiment 4 FIG.
In the fourth embodiment, data is transferred a predetermined number of times regardless of data coincidence / non-coincidence. After the predetermined number of transfers, the comparison result is compared with the obtained result, and the data with the largest number of matches is output from the output unit 15. An example of the operation is shown in FIG. In FIG. 20, the number of transfers is 5, and {10: 11: 10: 9: 10} is obtained as an output data set at the time of the ECU 5, and {10} having the largest number is output. Also in the fourth embodiment, an ECU that outputs a result that does not match the ECUs that perform output can be determined as a failure, and the failure detection unit 16 of the ECU that detects the failure notifies the failure. Each ECU marks the notified ECU as a failure by a failure notification from two or more ECUs.

Embodiment 5
In the fifth embodiment, transfer is repeated up to the deadline regardless of data coincidence / mismatch. A majority decision is made by the comparison unit 14 on the obtained result, and the result is output from the output unit 15. An example of the operation is shown in FIG. In FIG. 21, an output data set {10: 9: 10: 10} is obtained immediately before the deadline, and {10} that is the result of the majority decision is output. Here again, the ECU that performs the output can determine that the ECU that has output a mismatched result is a failure, and the failure detection unit 16 of the ECU that has detected the failure notifies the failure. Each ECU marks the notified ECU as a failure by a failure notification from two or more ECUs.

  In the present invention, within the scope of the invention, any combination of the embodiments, or any modification of any component in each embodiment, or omission of any component in each embodiment is possible. .

  1, 2, 3, 4,..., N ECU, 11 input unit, 12 calculation unit, 13 transfer unit, 14 comparison unit, 15 output unit, 16 failure detection unit.

Claims (1)

In a distributed system that groups a plurality of nodes connected to a network and periodically exchanges input / output data with each other in the group, a failure detection device that detects a failure of the node,
Each of the nodes
An arithmetic unit that performs an operation on input data and outputs an operation result;
When the input / output set which is a set of the output data and the input data which is the calculation result is transferred to another node in the group, and the input / output set is received from the other node, the input data A transfer unit for taking out
The output data in the input / output group is compared with the calculation result, and when the calculation result matches any output data in the input / output group, the value is output, and the output data is identical to the output data. If the output data does not match, the node of the output data that does not match is determined to be faulty. On the other hand, if the calculation result does not match all the output data of the input / output set, A comparison unit that adds the calculation result to all the output data to form a new input / output set;
A failure detection unit for notifying other nodes in the group of the failure of the node determined by the comparison unit;
When each node receives a failure notification for the same node from a plurality of nodes in one cycle, the failure detection from the node receiving the failure notification is ignored after the next cycle. apparatus.

Images