JP6520683B2 - Control system - Google Patents

Description

  The present invention relates to a control system that controls a plurality of in-vehicle devices mounted in a vehicle.

  For example, Patent Document 1 describes a vehicle control device (intra-box) in which change of behavior control to a control target by the control means according to the vehicle mode is easy when the vehicle configuration is changed.

  The vehicle control device of Patent Document 1 stores, as mode information, behavior control that the functional domain ECU and the sub domain ECU execute on the control target for each vehicle mode, according to the vehicle configuration. And according to the vehicle mode set based on the vehicle environment in which a vehicle was placed, a vehicle control apparatus performs with respect to a control object by each functional domain ECU and each sub domain ECU based on the stored mode information Control the behavior control.

Unexamined-Japanese-Patent No. 2010-241298

  As described in Patent Document 1 described above, when a hierarchical structure including a vehicle control device, a functional domain ECU, a sub domain ECU, and the like is adopted as a vehicle control system, communication between respective configurations is It will be complicated. For example, in the case of the hierarchical structure described above, the functional domain ECU communicates with the vehicle control device, other functional domain ECUs, sub domain ECUs, facilities outside the vehicle, etc., and communicates with many partners for various purposes. It will be necessary to

  Here, it is possible to execute various processing on communication data according to each communication partner and the communication purpose with the communication partner, that is, according to what kind of data is to be communicated with the communication partner. . For example, when communicating with a vehicle control device, in order to prevent stealing of data by a third party, it is conceivable to perform a security check on whether the vehicle control device is a legitimate communication partner or not. . Further, for example, in communication with the sub ECU, it is conceivable to add a time stamp indicating the transmission time to data transmitted from the functional domain ECU.

  Various processing on such communication data can be individually performed by each application that creates data to be transmitted or uses received data. However, when the communication is complicated due to the hierarchical structure, applications for creating and using data to be transmitted and received increase. Therefore, it is necessary to individually create a program for processing to be executed on data to be transmitted / received for each application, and there is a problem that the load for creating the application increases accordingly.

  The present invention has been made in view of the above-described point, and in a control system having a hierarchical structure, control capable of performing necessary processing on communication data without increasing the load of creating an application. It aims to provide a system.

In order to achieve the above object, a control system according to the present invention is for controlling a plurality of in-vehicle devices (30 to 35) mounted on a vehicle,
The control system is divided into a plurality of domains in advance according to the functions of a plurality of in-vehicle devices, and further, in each of the plurality of domains, a device control unit ( 15, 16, 24, 25 for controlling the in-vehicle devices ) , 26 ) and the domain control unit ( 11, 21 ) that controls the device control unit,
The domain control unit communicates with domain control units belonging to other domains, and communicates with device control units belonging to the same domain. The communication data includes a transmission source, a reception destination, and data. Contains information indicating the type,
Communication data received from the communication partner by selecting the communication interface service according to the class of the communication partner provided at least for the domain control unit and understood from the transmission source or the reception destination and the data to be communicated A communication interface (41b , 51b, 61b ) for applying the selected communication interface service to communication data to be transmitted to the communication partner ;
The domain control unit includes at least one control unit (12, 13, 14, 22, 23),
As a hierarchy of communication partners, a domain control unit outside the own domain and another control unit or device control unit of the domain control unit in the own domain are divided into different hierarchies,
The communication interface service applied by the communication interface is changed according to the hierarchy of the communication partner .

  As described above, in the control system according to the present invention, each application that creates data to be transmitted or uses received data at least in the domain control unit individually has a program for processing communication data. Instead, the communication interface provided for the domain control unit is configured to centrally execute necessary communication interface services for communication data. Therefore, in the domain control unit, necessary processing can be performed on the communication data without increasing the creation load of the application.

  In the present invention, communication data exchanged between the domain control unit and the communication counterpart includes information indicating a transmission source, a reception destination, and a type of data. Therefore, the communication interface can grasp the hierarchy of the communication partner from the information indicating the transmission source or the reception destination. Therefore, based on the layer of the communication partner grasped from the information indicating the transmission source or the reception destination and the information indicating the type of communication data, the communication interface performs appropriate communication interface service to be executed on the communication data. It can be selected and applied.

  The reference numerals in the parentheses above merely show an example of the correspondence with specific configurations in the embodiments to be described later so as to facilitate understanding of the present invention, and it is intended to limit the scope of the present invention in any way. It is not intended.

  The technical features described in the claims of the claims other than the features described above will be apparent from the description of the embodiments to be described later and the accompanying drawings.

It is a block diagram showing composition of a control system concerning an embodiment. FIG. 7 is a diagram showing an example in which the PTC of the motion domain control unit is implemented as a PTC application in the electronic control device, and the communication control application is provided in the electronic control device. It is a flowchart which shows the specific processing content of a communication IF application. FIG. 6 is an explanatory diagram for describing a specific example of a communication IF service provided by the communication IF application. It is an explanatory view for explaining a modification of an embodiment.

  Hereinafter, a control system according to an embodiment of the present invention will be described with reference to the drawings. The control system 1 according to the present embodiment is applied to a hybrid vehicle having an engine 31 and an electric motor (motor generator) 33 as a traveling drive source, as shown in FIG. 1, for example, and mounted on the hybrid vehicle It is used to control various in-vehicle devices 30-35. However, the control system 1 according to the present embodiment is not limited to the control of the in-vehicle devices 30 to 35 in a hybrid vehicle, and may be a normal vehicle having only an engine or an electric vehicle having only an electric motor. The invention may be applied to control of in-vehicle devices.

  FIG. 1 is a functional block diagram showing an example of various functions of the control system 1 in order to control a plurality of on-vehicle devices 30 to 35 in the hybrid vehicle described above. However, FIG. 1 does not show all the functions of the control system 1. This is because FIG. 1 shows only an example of the configuration of the control system 1 according to the present embodiment for the convenience of description.

  In FIG. 1, the control system 1 has a function for controlling a cooling mechanism 30, an engine 31, a transmission (TM) 32, a motor generator (MG) 33, a brake device 34, and a steering device 35 as vehicle-mounted devices. . However, as described above, the control system 1 may further have a function for controlling other in-vehicle devices such as, for example, a suspension, a high voltage battery, and an air conditioner.

  As shown in FIG. 1, in the control system 1, functions for controlling various in-vehicle devices 30 to 35 are divided in advance into a plurality of logical blocks (functional blocks) 12 to 16 and 22 to 26, and the plurality of logics It is comprised by defining the connection relation between blocks 12-16 and 22-26. That is, the logical structure for controlling various in-vehicle devices 30 to 35 in the control system 1 is defined by the logical blocks 12 to 16 and 22 to 26 and the connection between the logical blocks 12 to 16 and 22 to 26. ing. The control system 1 controls the various on-vehicle devices 30 to 35 by operating the plurality of logic blocks 12 to 16 and 22 to 26 in cooperation in accordance with the defined connection relationship.

  Although not shown in FIG. 1, each of the logic blocks 12 to 16 and 22 to 26 has at least one, usually a large number of control blocks. The respective logic blocks 12 to 16 and 22 to 26 exert their respective functions (roles) by appropriately combining the arithmetic processing in the large number of control blocks.

  For example, the engine control unit 24 as a logic block has a control block that inputs sensor signals from various sensors and converts them into signals that can be handled in the logic block in order to detect the operating state of the engine 31. . Moreover, the control block which calculates the present generation torque from the driving | running state of the engine 31 grasped | ascertained from a sensor signal is provided. Furthermore, if there is a difference between the command torque instructed from the upper logic block (power train coordinator (PTC) 22) and the current generated torque, control to calculate the target engine operating state to eliminate the difference. Have a block. Further, a control block is provided to calculate the throttle valve opening degree, the fuel injection amount, the fuel injection timing, and the ignition timing for achieving the target engine operating condition. However, these are merely examples, and the engine control unit 24 may have a control block that performs other arithmetic processing necessary to exert its function. In addition, the control blocks in the engine control unit 24, including the illustrated control blocks, can be integrated or divided as appropriate.

  The control system 1 is actually embodied by distributing each of the logical blocks 12 to 16 and 22 to 26 as a control application such as a program or a database to a plurality of electronic control devices. In this case, the plurality of electronic control units are connected via separate communication lines, or each electronic control unit is connected to a common network so as to maintain the connection of the logic blocks 12-16 and 22-26. Desired electronic control devices according to the connection relationship may be configured to be communicable with each other. The logic blocks 12 to 16 and 22 to 26 do not necessarily have to be mounted on separate electronic control units, but several logic blocks may be mounted on a common electronic control unit.

  The control system 1 according to the present embodiment is divided into a plurality of domains in advance according to the functions of the plurality of in-vehicle devices 30 to 35. In other words, each of the logical blocks 12 to 16 and 22 to 26 is divided into a plurality of domains 10 and 20 in advance according to a group of functions to be performed.

  The plurality of in-vehicle devices 30 to 35 are allocated to any of the domains 10 and 20. Then, the domain control units 11 and 21 belonging to the allocated domains 10 and 20 calculate control target values of the in-vehicle devices 30 to 35 and directly output the calculated control target values to the in-vehicle devices 30 or control of the in-vehicle devices 31 to 35 Output to the in-vehicle device control unit 15, 16, 24 to 26 that controls the As shown in FIG. 1, each of the domain control units 11 and 21 includes at least one logical block.

  Specifically, in the example shown in FIG. 1, the control system 1 is divided into an exercise domain 10 and an energy domain 20. The exercise domain control unit 11 is provided in the exercise domain 10 to control the behavior of the vehicle in the front-rear direction and the lateral direction. Further, in the energy domain 20, an energy domain control unit 21 having a function of controlling the power of the vehicle is provided so as to accelerate or decelerate the vehicle or keep the speed constant.

  Further, in the control system 1 according to the present embodiment, as shown in FIG. 1, each vehicle is mounted under each domain control unit 11, 21 according to a command (control target value) from the corresponding domain control unit 11, 21. The on-vehicle equipment control units 15, 16, 24 to 26 that control the operation states of the equipment 31 to 35 are provided. The in-vehicle device control units 15, 16, 24 to 26 generate control signals for bringing the operating states of the in-vehicle devices 31 to 35 close to the control target values from the domain control units 11 and 21, respectively. Output to 35.

  Specifically, in the example shown in FIG. 1, a brake control unit 15 for controlling the brake device 34 and a steering control unit 16 for controlling the steering device 35 are provided under the motion domain control unit 11. Further, under the energy domain control unit 21, an engine control unit 24 for controlling the engine 31, a transmission (TM) control unit 25 for controlling the transmission 32, and an MG control unit 26 for controlling the motor generator 33 are provided. .

  The motor generator 33 generates regenerative energy at the time of deceleration of the vehicle or the like. A motor generator coordinator (MGC) 23, which is a high-order logic block of the MG control unit 26, also manages generation of its regenerative energy. This energy is DC converted by an inverter and stored in a high voltage battery (not shown).

  Here, various functions possessed by the control system 1 illustrated as logic blocks 12 to 16 and 22 to 26 in FIG. 1 will be described in detail.

  The control system 1 receives various information necessary for the logic blocks 12 to 16 and 22 to 26 to perform their given functions. For example, various sensors (not shown) detect the operation of various operation parts (accelerator pedal, brake pedal, shift lever, steering wheel, etc.) operated by the driver for driving the hybrid vehicle, and the operation detection signal thereof Is input to the control system 1. In addition, the running state of the vehicle (for example, speed, acceleration, yaw rate, etc.) and the operating state of various on-vehicle devices 30 to 35 (for example, engine temperature, engine speed, transmission gear ratio, inverter temperature, motor speed, brake An operation detection signal from a sensor that detects oil pressure, steering angle, etc.) is also input to the control system 1.

  The various signals described above are given to the domain control units 11 and 21 and the on-vehicle device control units 15, 16 and 24 to 26 of the control system 1.

  For example, the motion domain control unit 11 receives an operation detection signal indicating the operation of the various operation units by the driver and an operation detection signal from a sensor that detects the traveling state of the vehicle. Then, in principle, the motion domain control unit 11 calculates control target values of the brake device 34 and the steering device 35 so that the vehicle behaves according to the operation of the operation unit by the driver. Specifically, in order to control the behavior of the vehicle so as to respond to the driver's operation while the vehicle behavior control unit 12 stabilizes the behavior of the vehicle, the target acceleration in the front-rear direction with respect to the longitudinal behavior control unit 13 While giving (the target deceleration), the target acceleration in the lateral direction is given to the lateral behavior control unit 14. The longitudinal behavior control unit 13 applies a target drive torque (acceleration torque or braking torque) to the power train coordinator (PTC) 22 of the energy domain control unit 21 to achieve the given target acceleration (target deceleration) in the front-rear direction. While outputting a target braking torque which is a control target value of the brake device 34 to the brake control unit 15. Further, the left-right behavior control unit 14 outputs a target assist torque, which is a control target value of the steering device 35, to the steering control unit 16 in order to realize the given target acceleration in the left-right direction.

  Note that, for example, the motion domain control unit 11 may be provided with information on the external environment of the vehicle, such as recognition information of a white line dividing the traveling lane of the vehicle, information on a preceding vehicle and an obstacle. Thereby, in the motion domain control unit 11, for example, the control target value can be calculated so as to adjust the assist force of the steering device 35 (lane keeping assist) so as not to deviate from the traveling lane divided by the white line. It becomes. Further, in the motion domain control unit 11, for example, it is possible to calculate control target values of the brake device 34 and the steering device 35 so as to avoid a collision with a preceding vehicle or an obstacle.

  Further, the energy domain control unit 21 receives, for example, a sensor signal for detecting the voltage or current of a high voltage battery (not shown), a sensor signal indicating the traveling state of the vehicle, or the like. The MGC 23 of the energy domain control unit 21 calculates the storage amount of the high voltage battery based on the sensor signals. Furthermore, the MGC 23 mainly calculates the maximum MG torque that can be generated by the motor generator 33 based on the storage amount of the high voltage battery, and gives it to the PTC 22. The PTC 22 takes into consideration the maximum MG torque that can be generated by the motor generator 33 and the traveling state of the vehicle based on the sensor signal in order to most efficiently realize the target driving torque (acceleration torque) given from the motion domain control unit 11. Then, the target engine torque to be generated by the engine 31, the target gear ratio to be realized by the transmission 32, and the target MG torque to be generated by the motor generator 33 are calculated. The calculated target engine torque, target gear ratio, and target MG torque are respectively given to the engine control unit 24, the TM control unit 25 and the MGC 23 as control target values. In addition, the TM control unit 25 may also be provided with a control target value related to the operation of the clutch (such as the clutch connection start timing, the time until completion of the clutch connection, etc.).

  Furthermore, the MGC 23 of the energy domain control unit 21 calculates the amount of regenerated power that can be generated by the motor generator 33 mainly based on the storage amount of the high voltage battery at the time of deceleration of the vehicle or the like. The information on the regenerative braking torque corresponding to the regenerative electric energy is given from the MGC 23 to the front-rear behavior control unit 13 of the motion domain control unit 11 via the PTC 22.

  When the target deceleration is given from the vehicle behavior control unit 12, the front-rear behavior control unit 13 calculates a target braking torque for achieving the target deceleration. When the motor generator 33 can generate regenerative braking torque, a target braking torque by the brake device 34 and a target regenerative braking torque by the regenerative brake are determined so as to utilize the regenerative braking torque as much as possible. The target regenerative braking torque is given to the MGC 23 of the energy domain control unit 21 via the PTC 22 as a control target value.

  In addition to inter-domain cooperation control coordinated with the longitudinal behavior control unit 13 in the motion domain 10 described above, and the in-domain cooperation control coordinated with the MGC 23, the engine control unit 24 and the TM control unit 25, the PTC 22 Temperature adjustment control using the cooling mechanism 30, which is independent control independent of the logic block (electronic control unit), is executed.

  Cooling mechanism 30 is configured such that in the hybrid vehicle, the cooling system of engine 31 and the cooling system of the inverter of MG 33 are shared, and the same cooling water circulates between the engine 31 and the inverter of MG 33. . The cooling mechanism 30 includes a radiator for cooling the heated cooling water by heat exchange with air, a pump for circulating the cooling water, a water temperature sensor for detecting the temperature of the cooling water, and a circulation path of the cooling water. It is equipped with a channel switching valve such as a three-way valve to be switched.

  For example, the coolant temperature, the engine temperature and the inverter temperature are input to the PTC 22. Then, the PTC 22 calculates control target values of the pump of the cooling mechanism 30 and the flow path switching valve based on the coolant temperature, the engine temperature, and the inverter temperature, and the pump operates so that each operation state approaches the control target value. And control the flow path switching valve. Specifically, according to the necessity of temperature control (cooling etc.) of the inverter of the engine 31 and the MG 33, the PTC 22 does not circulate any cooling water, it circulates only the engine 31, cooling water Switches between the state in which only the inverter of MG 33 circulates, and the state in which the cooling water circulates through both the engine 31 and the inverter. Further, the PTC 22 controls the flow rate of the cooling water by the number of revolutions of the pump based on the cooling water temperature, the engine temperature and the inverter temperature. As a result, the PTC 22 can properly adjust the heat generation temperature of the engine 31 and / or the inverter.

  The brake control unit 15 controls the brake device 34 in accordance with a target braking torque which is a control target value of the brake device 34 given from the front and rear behavior control unit 13. More specifically, the brake control unit 15 outputs a control signal for controlling the brake fluid pressure so that the brake device 34 generates the target braking torque. The steering control unit 16 also controls the assist torque in the steering device 35 by outputting a control signal so that the steering device 35 generates the target assist torque provided from the left and right behavior control unit 14.

  The engine control unit 24 outputs a control signal for realizing the target engine torque given from the PTC 22 to the engine 31. More specifically, the engine control unit 24 receives sensor signals from various sensors (rotation speed, temperature, air flow rate, and the like) that detect the operating state of the engine 31. Then, the current generated torque is calculated from the operating state of the engine which is grasped from the sensor signal. The engine control unit 24 calculates an engine operating state for bringing the current generated torque close to the target engine torque, and obtains a fuel injection amount, a fuel injection timing, and an ignition timing for achieving the calculated engine operating state. An injection control signal and an ignition control signal corresponding to these are output to the engine 31.

  The TM control unit 25 also receives the target gear ratio from the PTC 22 and outputs a control signal for realizing the given target gear ratio to the transmission 32. Further, when changing the transmission gear ratio in the transmission 32, the TM control unit 25 also outputs a control signal for controlling the operation of the clutch in accordance with the control target value regarding the operation of the clutch.

  When the target MG torque is given from the MGC 23, the MG control unit 26 outputs a control signal to the inverter of the motor generator 33 so as to generate the target MG torque. On the other hand, when a target regenerative braking torque is applied from MGC 23, MG control unit 26 causes motor generator 33 to apply a braking force corresponding to the target regenerative braking torque to the axle of motor generator 33. Output control signal to inverter.

  Here, in the control system 1 described above, for example, the PTC 22 communicates with the longitudinal behavior control unit 13 of the domain control unit 11 belonging to the exercise domain 10 different from the energy domain 20 to which it belongs, It is necessary to communicate with the MGC 23 of the domain control unit 21. Further, the PTC 22 needs to communicate with the engine control unit 24 and the TM control unit 25 which are device control units, and also with the cooling mechanism 30 which is an on-vehicle device. Furthermore, although not shown in FIG. 1, the PTC 22 is also required to receive data from a sensor device that detects the coolant temperature, the engine temperature and the inverter temperature in order to grasp the control state of the cooling mechanism 30. Become.

  As described above, when the control system 1 includes a plurality of logical blocks and further adopts a structure in which those logical blocks are hierarchized, in particular, in each of the domains 10 and 20, each device control unit 15, 16, 24 to The communication in the logic blocks that make up the domain control units 11 and 21 that controls 26 tends to be complicated. With respect to such a complicated communication, each application that creates and uses data to be transmitted and received in the communication is configured to execute additional processing involved in the communication as described above. If this is done, there will be a problem that the load of creating the application will increase.

  Therefore, in the control system 1 according to the present embodiment, each application that creates data to be transmitted or uses received data in the domain control unit (for example, PTC 22) is individually used for communication data processing. The communication interface provided for the domain control unit is configured to collectively execute necessary processing for communication data, instead of having the program of Therefore, in the domain control unit, necessary processing can be performed on the communication data without increasing the creation load of the application.

  Hereinafter, with reference to FIGS. 2 to 4, an example of the configuration in the case of providing the communication interface in the control system 1 will be described, and the processing content in the communication interface and the specific example of the processing performed by the communication interface will be described. .

  FIG. 2 shows a configuration in which the PTC 22 of the motion domain control unit 20 is mounted on the electronic control device 40 as the PTC application 41 a and the electronic control device 40 is provided with the communication interface 41 b as one of the applications. In FIG. 2, applications 51 a, 61 a, 71 a, which function as logic blocks for logic blocks (front-rear behavior control unit 13, MGC 23, engine control unit 24, TM control unit 25) communicating with the PTC 22 are targeted. It also shows the configuration of the electronic control units 50, 60, 70, 80 on which 81a is mounted. Further, since the electronic control device 40 mounted with the PTC application 41a communicates with the sensor device 90 and the actuator 100 of the cooling mechanism, FIG. 2 also includes the sensor device 90 and the actuator 100 of the cooling mechanism. The configuration of in-vehicle devices and the like is omitted.

  Each of the electronic control units 40 to 80 has a memory, and software of the structure shown in FIG. 2 is stored in each memory. Each of the electronic control units 40 to 80 has a software structure conforming to the so-called AUTOSAR (AUtomotive Open System Architecture), as shown in FIG. Therefore, the software structure of each of the electronic control devices 40 to 80 will be described by taking the electronic control device 40 mounted with the PTC application 41a as a representative example. The description of the software structure of the other electronic control units 50 to 80 is omitted.

  In the electronic control unit 40, as shown in FIG. 2, software is installed to the microcontroller 47 which is hardware, and the software is largely composed of basic software 43 to 46, runtime environment (RTE) 42 and application software included in the application layer. Among them, the PTC application 41 a is mounted in the application layer, and the electronic control device 40 exhibits the function as the PTC 22 by executing the PTC application 41 a. The PTC application 41 a is actually divided into a plurality of sub applications for each of various functions as the PTC 22. A communication interface application (hereinafter, communication IF application) 41b is also implemented in the application layer as one application software.

  The basic software 43 to 46 are hierarchized into the microcontroller abstraction layer 43, the ECU abstraction layer 44, and the service layer 45, and the higher the hierarchy, the stronger the degree of abstraction and the independence from various hardware. It has become. The basic software 43 to 46 also includes a composite driver 46.

  The microcontroller abstraction layer 43 is located at the lowest layer of the basic software 43 to 46, and includes a microcontroller driver, a memory driver, a communication driver, an I / O driver, and the like. The microcontroller abstraction layer 43 is a portion depending on the hardware configuration of the microcontroller 47. However, since the microcontroller abstraction layer 43 abstracts the microcontroller 47 and its peripheral devices, layers higher than this are independent of the microcontroller 47 and the peripheral devices. The microcontroller abstraction layer 43 has a plurality of communication drivers (for example, CAN (registered trademark) driver, LIN driver, FlexRay (registered trademark) driver, and the like) as communication drivers. Then, the electronic control unit 40 performs communication using different communication drivers, that is, different communication networks, depending on, for example, whether the electronic control unit of the communication partner is in a domain, out of a domain, or the sensor unit 90. Alternatively, in the case of the sensor device 90, communication may be performed using a composite driver 46 described later.

  The ECU abstraction layer 44 is located above the microcontroller abstraction layer 43. The ECU abstraction layer 44 makes the upper software layer independent of the hardware of the electronic control device 40 by abstracting the basic components of the electronic control device 40. The ECU abstraction layer 44 includes on-board device abstraction, memory hardware abstraction, communication hardware abstraction, I / O hardware abstraction and the like.

  The service layer 45 is partially located above the ECU abstraction layer 44 to provide basic services for the application. Specifically, the service layer 45 provides services such as an OS, communication and management of a vehicle network, a memory service, a diagnostic service, and ECU state management. This service layer 45 is largely independent of hardware.

  The composite driver 46 is used when a complex function which is not available in other layers is needed to meet special functions and timing requirements for operating complex sensors and actuators. The composite driver 47 is used, for example, in the case of driving and controlling an injector that injects a fuel.

  The RTE 42 is located above the basic software 43 to 46 including the above-described layers, and is for making the various applications 41 a and 41 b included in the application layer not depend on the electronic control device 40. . Therefore, the RTE 42 provides communication between the applications 41a and 41b and communication between the applications 41a and 41b and the basic software 43 to 46.

  As described above, by adopting the software structure compliant with AUTOSAR, the applications 41a and 41b do not depend on the hardware of the microcontroller 47 and the electronic control device 40, so that the reusability of the applications 41a and 41b is achieved. Can be enhanced.

  Next, the communication IF application 41b will be described in detail. In the example shown in FIG. 2, the communication IF application 41b is embodied as one of application software. The communication IF application 41b is communicated via the communication when each sub application of the PTC application 41b communicates with the other electronic control units 50-80, the sensor unit 90, or the actuator 100 of the cooling mechanism. The communication interface service (hereinafter referred to as communication IF service) is applied to the data to perform additional processing on the communication data. Hereinafter, specific processing contents of the communication IF application 41 b and various communication IF services will be described with reference to the flowchart of FIG. 3 and the chart of FIG. 4.

  First, in step S100 of the flowchart of FIG. 3, the communication IF application 41b communicates each sub application of the PTC application 41a with the external electronic control device 50-80, the sensor device 90, or the actuator 100 of the cooling mechanism. Accept communication data when doing The communication data includes transmission data transmitted to the outside from the PTC application 41 a and reception data transmitted to the PTC application 41 a from the outside. The transmission data and the reception data both include information indicating the transmission source, the reception destination, and the type of data, in addition to the data body.

  In the subsequent step S110, the communication partner layer is specified from the information indicating the transmission source or the reception destination in the received communication data. For example, the hierarchy is divided into a domain control unit outside its own domain, a domain control unit or device control unit in the same domain, an in-vehicle device, and a sensor device, and it is specified to which hierarchy the communication partner belongs.

  Next, in step S120, the type of communication data is grasped based on the information indicating the type of data included in the communication data. For example, even if it is the same communication partner, the communication IF application 41b applies according to whether it is data of the type transmitted from the sub application of the PTC application 41a or data of the type received by the sub application. The communication IF service to be performed (that is, additional processing to be performed on communication data) is different. Further, even if the data is transmitted from the same communication counterpart, the communication IF service to be applied may be different depending on the type of the data. For example, the communication IF service to be implemented is different between the case where the device control unit receives an acknowledgment for the transmission of the control target value and the case where the device control unit receives sensor data indicating the operating state of the on-vehicle device.

  Thus, the type of communication data is utilized as one piece of information for determining the communication IF service to be applied in the communication IF application 41b. In other words, as long as the communication IF application 41b can determine the communication IF service to be applied, it is used as information equivalent to the information indicating the type of communication data, not the information indicating the type of communication data itself. Can.

  In the subsequent step S130, the communication IF application 41b selects a communication IF service to be applied based on the layer of the communication partner identified in step S110 and the type of communication data grasped in step S120. That is, the communication IF application 41b is provided with all communication IF services required when the PTC application 41a communicates various data with the communication counterpart of each layer, and the communication counterpart layer and communication data are prepared. The necessary communication IF service is selected based on the type of A plurality of communication IF services may be selected for the same communication data. In the subsequent step S140, the selected communication IF service is applied to communication data, and additional processing necessary for communication is performed on the communication data.

  Hereinafter, a specific example of the communication IF service provided by the communication IF application 41b will be described with reference to FIG.

  First, the communication IF application 41b provides a security service as one of communication IF services. This security service is mainly for determining whether or not the communication partner is a legitimate communication partner, and for permitting communication when it is decided that it is a legitimate communication partner. The security service also detects an error in communication data and notifies the application of the transmission source.

  As this security service, the communication IF application 41b changes the service content according to the hierarchy of the communication partner. For example, when the hierarchy is a domain control unit outside of its own domain, that is, when the other party of communication is the electronic control unit 50 mounting the back and forth behavior application 51a, communication data is received via the communication network connected to the electronic control unit 50 Then, based on the information indicating the transmission source included in the received communication data, it is determined whether the communication partner is a legitimate communication partner.

  If it is determined by this determination that the communication partner is not a legitimate communication partner, as shown in FIG. 4, the communication IF application 41b functions as a firewall to transmit to the PTC application 41a the communication data transmitted from the non-legitimate communication partner. Shut off without delivery. Thereby, for example, a malicious third party intrudes into the communication network between the domains, communicates with the domain control unit (for example, the electronic control device 40), and puts the domain control unit under control. Even if such, occurrence of such a situation can be reliably prevented.

  On the other hand, when it is determined that the communication partner is a legitimate communication partner, as shown in FIG. 4, the communication IF application 41b decrypts the data received from the domain control unit (the electronic control device 50) outside its own domain. To the PTC application 41a. Conversely, the communication IF application 41b encrypts the data to be transmitted to the domain control unit (the electronic control device 50) outside its own domain and then transmits it.

  As shown in FIG. 2, the electronic control unit 50 is also provided with a communication IF application 51 b. The communication IF application 51b and the communication IF application 41b cooperate to encrypt the communication data sent to the inter-domain communication network, and to decode the communication data received from the inter-domain communication network Processing is to be performed. This can reduce the possibility of intercepting communication data from a communication network connecting between domains. Such encryption and decryption processing may not be performed on all types of data, but may be performed only on types of data with high confidentiality requirements.

  A data communication apparatus outside the vehicle, such as an external data center or a program rewriting tool, may be connected to the inter-domain communication network to communicate with each domain control unit or the like. Also in such a case, the communication IF application 41 b can provide the same security service as the security service for the electronic control device 50.

  Further, the communication IF application 41b is an electronic control in which the domain control unit or the device control unit in the domain where the communication partner is in the same hierarchy, ie, the communication partner implements the MGC application 61a, the TM control application 71a, and the engine control application 81a. In the case of the devices 60 to 80, as shown in FIG. 4, the unauthorized circuit detection is performed as a security service. In this illegal circuit detection, for example, it is detected whether or not any electronic control device is replaced with an illegal circuit, or an illegal circuit is additionally inserted, etc., and communication is discontinued when an illegal circuit is detected. . Thereby, the suppression effect such as unauthorized modification of the control system 1 can be obtained.

  Various methods can be considered to detect an incorrect circuit. For example, when data is exchanged, an incorrect circuit may be detected based on the occurrence of a mismatch between the data. In addition, it may be detected that the illegal circuit is installed, when it takes longer than the predetermined reference time to send back the control data after transmitting the control data. Furthermore, when the data is received, if the information indicating the transmission source is different from the information registered in advance, it may be detected that the unauthorized circuit is installed.

  As shown in FIG. 4, the communication IF application 41b is a control command to be output to the actuator 100 of the cooling mechanism as a security service, as shown in FIG. Perform an error check (eg, parity check) on the data of If there is an error in the data, the communication IF application 41b feeds back the occurrence of the error to the PTC application 41a without transmitting the data toward the actuator 100 of the cooling mechanism. When the PTC application 41a transmits data to the sensor device 90 for checking the operation of the sensor device 90, etc., as shown in parentheses in FIG. Similarly, an error check may be performed.

  The communication IF application 41b provides a dispatch service such as a time stamp or a scheduler when transmitting data from the PTC application 41a to the communication counterpart as one of the communication IF services, in addition to the above-described security service. Also regarding this dispatch service, the communication IF application 41b changes the service content according to the hierarchy of the communication partner.

  For example, when the hierarchy is a domain control unit outside of its own domain (that is, the communication counterpart is the electronic control unit 50), the communication IF application 41b, as shown in FIG. Add a transmission time based on the global time shared by (time stamp of global time). Thus, the domain control unit (the electronic control device 50) that has received the data can correctly recognize the time when the data is generated or acquired. This global time stamp may not be performed on all types of data, but may be performed only on types of data whose generation and acquisition times are important.

  Further, as shown in FIG. 4, the communication IF application 41b provides a scheduler service as a dispatch service for transmission data to a domain control unit (electronic control unit 50) outside its own domain. This scheduler service ranks the importance from the type of data when the plurality of data scheduled to be transmitted to the electronic control device 50 are generated by the subapplications of the PTC application 41a at substantially the same time, and is important. The transmission schedule of each data is determined so that the data is transmitted in order from the highest data.

  Furthermore, the communication IF application 41b may provide a semantic conversion service as a dispatch service. This semantic conversion service is a case where information having the same name but different name is used inside and outside the domain, and when transmitting the information, the information used by the communication IF application 41b in the receiving destination domain Convert to the name of and send. Specifically, the communication IF application 41 b has a semantic conversion list in which pieces of information different in name but different in name are used, which are used in each domain. Then, when the communication IF application 41 b receives the information included in the semantic conversion list, the communication IF application 41 b converts the name of the information and then transmits the converted information to the domain control unit or the like of the receiving destination.

  In addition, when the above-mentioned relationship (they are synonymous information but the names are different) exists between the domain control unit and the device control unit, this meaning conversion service includes the domain control unit, the device control unit, and the like. You may apply, when transmitting information to the control part in the same domain.

  On the other hand, the communication IF application 41b is an electronic device in which the domain control unit or the device control unit in the domain in the same hierarchy of the communication partner, ie, the communication partner implements the MGC application 61a, the TM control application 71a, and the engine control application 81a. Also in the case of the control devices 60 to 80, as shown in FIG. 4, the above-described time stamp and scheduler service are provided as a dispatch service. Thereby, the same effect as described above can be obtained. However, regarding the time stamp, transmission time based on local time shared within the same domain, not global time, is added to transmission data.

  Furthermore, as shown in FIG. 4, when the communication IF application 41 b is a domain control unit or a device control unit (that is, the electronic control devices 60 to 80) in the same domain, the communication partner application 41 b serves as a dispatch service. When the transmission data from the PTC application 41a indicates a plurality of reception destinations, the data is transmitted to the plurality of instructed communication partners. This transmission service to a plurality of communication partners can also be targeted for domain control units outside their own domains.

  Furthermore, the communication IF application 41b provides an auditor service for information such as sensor data indicating the operating state of the on-vehicle device as one of the communication interface services in addition to the security service and the dispatch service described above.

  For example, when the electronic control unit 50 receives sensor data directly from the sensor unit 90, the communication IF application 41b is transmitted from the sensor unit 90 as one of the auditor services, as shown in FIG. Provide a monitoring service to monitor data anomalies. As this monitoring service, for example, the sensor device 90 is configured to transmit sensor data to the electronic control device 50 at a constant interval, and an elapsed time from the previous reception of the sensor data is a time of the constant interval. An abnormality may be determined when the next sensor data is not received despite the excess. Alternatively, the abnormality may be determined when a predetermined time does not change while the value of the sensor data does not change.

  Further, as shown in FIG. 4, the communication IF application 41 b is a case of receiving data detected by the sensor device 90 as one of the auditor services, and the data includes data indicating a transfer instruction. If yes, the data transmitted from the sensor device 90 is also transferred to another communication destination. Thereby, sensor data can be transmitted reliably to the control part which needs sensor data.

  The signals from the sensors for detecting the operation states of various in-vehicle devices are taken into the electronic control devices 70 and 80 constituting the device control unit, and the electronic control device 40 constituting the PTC control unit is the device control unit 70. , 80 may receive sensor data from the device control unit. Also in such a case, as shown in FIG. 4, the communication IF application 41b can also transfer to another domain control unit (electronic control unit 50) as an auditor service.

  Furthermore, when the electronic control unit 40 constituting the PTC control unit receives, as an auditor service, information on the behavior of the vehicle, etc., from the electronic control unit 50 constituting the back and forth behavior control unit, the above-described semantic conversion service is May be provided.

  Although the preferred embodiments of the present invention have been described above, the present invention can be variously modified and practiced without departing from the spirit of the present invention without being limited to the above-described embodiments. .

  For example, in the above-described embodiment, the communication IF application provided in the electronic control device of the transmission source and the communication IF application provided in the electronic control device of the reception destination cooperate to encrypt and decrypt the security service. The working example has been described. Furthermore, in order to enhance the function of the communication service, for example, as shown in FIG. 5, the communication IF application of the reception destination or the electronic control device of the reception destination is a communication IF application provided in the electronic control device of the transmission source. The service may be checked, and when the necessary service is not provided, for example, the electronic control unit of the transmission source may be instructed to retransmit the data without permitting the data reception process.

  As shown in FIG. 5, when the transmission source electronic control device requests the communication IF application to transmit data, a notification may also be sent to the reception destination electronic control device at the same time. As a result, the electronic control unit at the reception destination can perform the confirmation processing of the communication IF service and the preparation in advance of the data reception processing, and can suppress the delay related to the data reception processing.

  Further, in the embodiment described above, the communication IF application 41 b is provided as one of the applications in the electronic control device 40 in which the PTC application 41 a as the PTC 22 is mounted. However, the communication IF circuit having the above-described function may be provided separately from the electronic control unit 40.

  Furthermore, in the embodiment described above, the example in which the communication IF application provides the security service has been described. At this time, the level of the security service may be changed according to each domain or the safety requirement level (ASIL (Automotive Safety Integrity Level)) of each device control unit. That is, for a communication partner that requires a higher security requirement level, for example, encryption is made more complex, and a plurality of methods for detecting illegal circuits are applied, so that stronger security can be secured. You may

Reference Signs List 1 control system, 11 motion domain control unit, 12 vehicle behavior control unit, 13 longitudinal behavior control unit, 14 left and right behavior control unit, 15 brake control unit, 16 steering control unit, 21 energy domain control unit, 22 power train coordinator, 23 Motor generator coordinator, 24 engine control unit, 25 TM control unit, 26 MG control unit, 30 cooling mechanism, 31 engine, 32 transmission, 33 motor generator, 34 brake device, 35 steering device, 40 electronic control device, 41 a PTC application, 41b Communication IF Application, 42 RTE, 43 Microcontroller Abstraction Layer, 44 ECU Abstraction Layer, 45 Service Layer, 46 Combined Driver, 47 Microcontroller, 90 Cent 100, actuator of cooling mechanism

Claims (14)

A control system (10) for controlling a plurality of in-vehicle devices (30 to 35) mounted on a vehicle,
The control system is divided into a plurality of domains in advance according to the functions of the plurality of in-vehicle devices, and further, a device control unit ( 15, 16, 24) for controlling the in-vehicle devices in each of the plurality of domains. , 25, 26 ) and the domain control unit ( 11, 21 ) that controls the device control unit,
The domain control unit communicates with domain control units belonging to other domains, and communicates with device control units belonging to the same domain, and the communication data includes a transmission source, a reception destination, and data. Contains information indicating the type of
Communication data to be received from the communication party by selecting the communication interface service according to the class of the communication party provided at least for the domain control unit and understood from the transmission source or the reception destination and the data to be communicated Or a communication interface (41b , 51b, 61b ) for applying the selected communication interface service to communication data to be transmitted to the communication partner ,
The domain control unit includes at least one control unit (12, 13, 14, 22, 23),
As a hierarchy of the communication partner, a domain control unit outside the own domain and another control unit or device control unit of the domain control unit in the own domain are divided into different hierarchies,
The control system to which the communication interface service which the said communication interface applies is changed according to the hierarchy of the said communicating party . The communication interface, as one of the communication interface services, determines whether or not the communication partner is a legitimate communication partner, and provides a security service that permits communication when it is determined to be a legitimate communication partner. And
The communication interface is a case in which the communication partner is a domain control unit belonging to another domain, and data is received from a domain control unit belonging to the other domain, and it is determined that the communication partner is not legitimate. The control system according to claim 1, wherein as the security service, data transmitted from the non-authentic communication partner is blocked.   When the domain control unit belonging to another domain determines that the communication interface is a legitimate communication partner, the communication interface decrypts data received from the domain control unit belonging to another domain as part of the security service. The control system according to claim 2, wherein the control system performs encryption processing on data to be sent to domain control units belonging to other domains. The domain control unit also communicates with a data communication device outside the vehicle,
The control system according to claim 2 or 3, wherein the communication interface applies the same security service as the security service for domain control units belonging to other domains when the communication partner is a data communication apparatus outside the vehicle. The communication interface, as one of the communication interface services, determines whether or not the communication partner is a legitimate communication partner, and provides a security service that permits communication when it is determined to be a legitimate communication partner. And
The communication interface is between another control unit or device control unit of a domain control unit whose communication partner belongs to the same domain, and between the other control unit or device control unit of the domain control unit belonging to the same domain. The control system according to any one of claims 1 to 4, wherein when it is determined that the communication partner is an unauthorized communication partner, communication with the unauthorized communication partner is discontinued as the security service. The communication interface, as one of the communication interface services, provides a dispatch service when transmitting data from the domain control unit to the communication partner,
The communication interface adds a transmission time based on a global time shared between domain control units to data to be transmitted as the dispatch service when the communication partner is a domain control unit belonging to another domain. The control system according to any one of 5. The communication interface, as one of the communication interface services, provides a dispatch service when transmitting data from the domain control unit to the communication partner,
The communication interface is based on the local time shared in the same domain for the data to be transmitted as the dispatch service when the other party of communication is the other control unit or the device control unit of the domain control unit belonging to the same domain The control system according to any one of claims 1 to 6, wherein a transmission time is added.   When the data from the domain control unit includes data instructing transmission to a plurality of communication partners, the communication interface transmits the data to the plurality of instructed communication partners as the dispatch service. The control system according to claim 6 or 7.   The communication interface determines, as the dispatch service, a transmission order of the plurality of data to be transmitted when the plurality of data to be transmitted to the same communication party is generated, and transmits the data according to the determined transmission order. Item 8. A control system according to item 6 or 7. The communication interface, as one of the communication interface services, provides a dispatch service when data is transmitted from the domain control unit to the communication partner, and between the domain control unit and the communication partner 10. The communication interface according to claim 1, wherein, when a different name is used for the synonymous information, the communication interface converts the name of the information used in the communication party as the dispatch service and transmits the data. Control system according to any one. The control system according to any one of claims 1 to 10, wherein an on-vehicle device and a sensor device are further divided into different layers as the communication partner layer. The domain control unit also communicates with a sensor device that detects an operation state of the in-vehicle device.
In the communication interface, when the domain control unit communicates with the sensor device and receives data detected by the sensor device, an abnormality in data transmitted from the sensor device as one of the communication interface services The control system according to claim 11 , which provides a monitoring service that monitors. The domain control unit receives sensor data detected by a sensor device that detects an operation state of the in-vehicle device.
The communication interface transfers data transmitted from the sensor device to another communication destination as one of the communication interface services when the received sensor data includes data indicating a transfer instruction. The control system according to claim 11 , which provides a service.   In the case where different names are used for synonymous information between the domain control unit and the communication party, and communication data including information having the same name but different names is received from the communication party. The control according to any one of claims 1 to 13, wherein the communication interface converts the name of the information used in the domain control unit as one of the communication interface services and provides the name to the domain control unit. system.

Images