JP6555184B2 - In-vehicle control device - Google Patents

Description

  The present disclosure relates to an in-vehicle control device.

  There is ISO26262 as a functional safety standard for automobiles. In ISO 26262, ASIL is defined as an index of the safety level for designating safety requirements and safety measures for automobiles. ASIL is an abbreviation for “Automotive Safety Integrity Level”.

  According to ISO 26262, if there is no interference between applications and there is no possibility of mutual failure propagation, that is, if the applications are partitioned, different safety levels may be provided. Therefore, there is a need for a technique for preventing failure propagation between a plurality of software assigned on the same control device.

  For example, Patent Document 1 describes a technique for partitioning ASIL software and QM software in a vehicle control apparatus having ASIL software with a high safety level and QM software with a low safety level. Has been. QM is an abbreviation for “Quality Management” and means normal quality management that does not require functional safety to be applied. Specifically, in Patent Document 1, an ASIL storage area for transferring data between ASIL software allocated to a plurality of core processors, and data calculated by the ASIL software are stored for QM software access. And a shared storage area. The ASIL storage area is not accessed by the QM software. In the technique of Patent Document 1, all data shared by ASIL software is written in the ASIL storage area. Further, data written to the ASIL storage area is copied to the shared storage area. For this reason, the QM software acquires the data calculated by the ASIL software from the shared storage area.

JP2015-99517A

  In the technique of Patent Document 1, all data shared by ASIL software allocated to a plurality of core processors is written to both the ASIL storage area and the shared storage area. For this reason, a large memory capacity is required.

  Therefore, the present disclosure provides an in-vehicle control device that can reduce a necessary memory capacity.

  One aspect of the present disclosure is an in-vehicle control device. The in-vehicle control device is executed by a first processing unit (21) and a second processing unit (22) that execute software, a first software (31) executed by the first processing unit, and a second processing unit. Second software (32) and a transfer area (25).

  The exchange area is a storage area that is not accessed by the third software (33, 34). The third software is software different from the first software and the second software. The first software and the second software are software set with a higher safety level than the third software. The second software is configured to perform calculation processing using calculation result data that is data calculated by the first software.

  The second processing unit includes a request unit (41) and a reading unit (42). The first processing unit includes a writing unit (43). The request unit of the second processing unit is a part of all operation result data provided from the first software to the second software at each predetermined timing, and the second software A part of necessary calculation result data is requested to the first processing unit. The writing unit of the first processing unit writes the calculation result data requested by the request unit to the transfer area, and notifies the second processing unit that the writing of the requested calculation result data to the transfer area has been completed. . And the reading part of a 2nd process part will read calculation result data from a transfer area | region, if the notification by a writing part is received.

  In this in-vehicle control device, calculation result data is provided from the first software executed in the first processing unit to the second software executed in the second processing unit via the transfer area. The transfer area is not accessed by the third software. For this reason, the 1st software, the 2nd software, and the 3rd software are partitioned, and the security set as the 1st software and the 2nd software is secured.

  The transfer area does not always store all the calculation result data provided from the first software to the second software, but requires the second software at every predetermined timing among all the calculation result data. Only a part of the operation result data is written. For this reason, a required memory capacity can be reduced.

  Note that the reference numerals in parentheses described in this column and in the claims indicate the correspondence with the specific means described in the embodiment described later as one aspect, and the technical scope of the present disclosure It is not limited.

It is a block diagram which shows the structure of ECU of embodiment. It is a memory map of RAM. It is a flowchart showing a 1st data writing process. It is a flowchart showing a 2nd data writing process. It is a flowchart showing a data reading process. It is a flowchart showing a data request process. It is explanatory drawing explaining a request data table. It is a flowchart showing a table switching process. It is explanatory drawing explaining the data for electric throttle control, a data label, a data request notification, a data storage notification, and an operation example.

Hereinafter, embodiments for carrying out the present disclosure will be described with reference to the drawings.
[Constitution]
The ECU 11 of this embodiment shown in FIG. 1 is a control device mounted on a vehicle, that is, an in-vehicle control device. For example, the ECU 11 controls the electronic throttle 13. The electronic throttle 13 is a device that adjusts the intake air amount to the engine by controlling the actuator 14 provided in the electronic throttle 13. Note that ECU is an abbreviation for “Electronic Control Unit”.

The ECU 11 includes a microcomputer (hereinafter referred to as a microcomputer) 17 as a control unit that controls the operation of the ECU 11.
The microcomputer 17 is a multi-core microcomputer provided with a plurality of core processors (hereinafter referred to as cores). In the present embodiment, the microcomputer 17 includes a first core 21 and a second core 22. Furthermore, the microcomputer 17 includes a ROM 23, a RAM 24, a rewritable flash memory, and the like.

  The ROM 23 stores software executed by the cores 21 and 22 (hereinafter, software). Note that the software to be executed is a program. In addition, the RAM 24 stores data of calculation results by the cores 21 and 22.

  Various functions of the ECU 11 are realized when the cores 21 and 22 execute software stored in a non-transitional tangible recording medium. In this example, the ROM 23 corresponds to a non-transitional tangible recording medium that stores software. Moreover, a method corresponding to the software is executed by executing the software. The number of microcomputers constituting the ECU 11 may be one or plural.

  The software executed by the first core 21 includes at least the first software 31. The software executed by the second core 22 includes at least the second software 32. The first software 31 and the second software 32 are software for controlling the electronic throttle 13. The second software 32 is configured to perform a calculation process for controlling the electronic throttle 13 using the data calculated by the first software 31.

  For example, the first core 21 executes the first software 31 to obtain data of various parameters used for control of the electronic throttle 13 (hereinafter referred to as electric throttle control) from the sensor 15 or another ECU. I do. That is, the data calculated by the first software 31 is data necessary for the electric throttling control (hereinafter, electric throttling control data). In FIG. 1, only one sensor 15 for obtaining the electric throttling control data is shown, but there are actually a plurality of sensors 15.

  Further, as the electrical slot control data, for example, there are 10 data whose names are listed at the left end portion in FIG. The ten data are throttle opening, accelerator opening, intake air amount, engine rotation angle, engine rotation speed, O2 sensor value 1, O2 sensor value 2, intake air temperature, other data 1, and other data 2. . “O2” means oxygen. In this embodiment, it is assumed that the electric throttling control data is the ten pieces of data. However, the type and number of electric throttling control data are not limited to the ten pieces of data.

  Then, the second core 22 executes the second software 32 to acquire the electric slot control data from the first core 21 via the RAM 24, and uses the acquired electric slot control data to obtain the electronic slot control data. Performs arithmetic processing for control. This calculation processing includes processing for calculating the control amount of the actuator 14, processing for outputting an operation command to the actuator 14, and the like.

Further, software executed by the second core 22 includes abnormality detection software 33 and market monitor software 34 as third software.
The abnormality detection software 33 monitors all or part of the electric throttling control data calculated by the first software 31 at a constant period, and detects data having an abnormal value as freeze frame data at that time. Software for performing processing stored in a flash memory or the like. Examples of vehicle data stored as freeze frame data include vehicle speed and engine speed.

  The market monitor software 34 is software for performing processing for storing data for analyzing how the vehicle is used in the market in a flash memory or the like. The data to be stored by the market monitor software 34 includes, for example, the accelerator opening of the electric throttling control data calculated by the first software 31 and other data such as the air conditioner usage frequency. The data stored by the market monitor software 34 is read out by a dedicated tool at a car dealer, for example, and used for development related to the next vehicle.

The first software 31 and the second software 32 are software in which a higher degree of safety than the abnormality detection software 33 and the market monitor software 34 is set.
The function of the electric throttle control is a functional safety target. For this reason, the safety degree set for the first software 31 and the second software 32 is any one of ASILA to ASILD, which are four kinds of ASILs defined by ISO 26262, for example. On the other hand, the functions of the abnormality detection software 33 and the market monitor software 34 are not functional safety targets, and are normal quality management (ie, QM) functions. For this reason, the safety level set in the abnormality detection software 33 and the market monitor software 34 is lower than the safety level set in the first software 31 and the second software 32.

  Therefore, in order to ensure the high safety level set in the first software 31 and the second software 32, the functions of the first software 31 and the second software 32 are the abnormality detection software 33 and the market monitor software with low safety level. 34 need not be interfered by.

For this reason, in the ECU 11, an ASIL area 25 and a QM area 26 are provided as storage areas of the RAM 24.
The ASIL area 25 is a storage area that can be accessed by the first software 31 and the second software 32 but is not accessed by the abnormality detection software 33 and the market monitor software 34. In the present embodiment, access to the ASIL area 25 by the abnormality detection software 33 and the market monitor software 34 is prohibited. Access is both write access and read access. The provision of the electric throttling control data from the first software 31 to the second software 32 is performed via the ASIL area. That is, the ASIL area is a storage area dedicated to the first software 31 and the second software 32.

  The QM area 26 is a storage area that can be accessed by the abnormality detection software 33 and the market monitor software 34. Then, in the QM area 26, the electric throttling control data is written by the first software 31, and the data is read from the QM area 26 by the abnormality detection software 33 and the market monitor software 34. That is, the provision of data from the first software 31 to the abnormality detection software 33 and the market monitor software 34 is performed via the QM area 26. Further, data reading from the QM area 26 by the first software 31 and the second software 32 is not performed.

  The second core 22 includes a request unit 41 and a reading unit 42 in order to realize data exchange between the cores 21 and 22 via the ASIL region 25 and the QM region 26. The first core 21 includes a writing unit 43. Further, the first core 21 includes a regular writing unit 44.

  Each of the request unit 41 and the reading unit 42 is a function part realized by the second core 22 executing the second software 32. In other words, the second software 32 includes a program for causing the second core 22 to function as the request unit 41 and the reading unit 42, respectively. Each of the writing unit 43 and the regular writing unit 44 is a function part realized by the first core 21 executing the first software 31. In other words, the first software 31 includes a program for causing the first core 21 to function as each of the writing unit 43 and the regular writing unit 44. Note that the method of realizing each of the request unit 41, the reading unit 42, the writing unit 43, and the regular writing unit 44 is not limited to software, and a part or all of them may be a logic circuit, an analog circuit, or the like. You may implement | achieve using the hardware which combined.

[Details of ASIL area and QM area]
FIG. 2 shows a memory map of the ASIL area 25 and the QM area 26 in the memory map of the RAM 24. As shown in FIG. 2, in the QM area 26 of the RAM 24, all ten pieces of electric slot control data calculated by the first software 31 are written in a static arrangement. That is, the storage destination address of each power slot control data in the QM area 26 is fixed. In the present embodiment, the size of each power slot control data is 4 bytes. For this reason, the size (ie, storage capacity) of the QM area 26 is “4 × 10 = 40” bytes. In FIG. 2, the two-digit number following “0x” is a hexa display address. The address value is an example. It should be noted that only a part of the ten electric throttle control data may be written in the QM area 26.

On the other hand, the ASIL area 25 of the RAM 24 includes a data area 27 into which a part of the ten electric throttle control data is written, and a label area 28 as a management area.
In the present embodiment, the data area 27 includes four storage areas E1 to E4 each having 4 bytes. Then, the electric slot control data is written one by one in each of the storage areas E1 to E4. That is, the size (that is, the storage capacity) of the data area 27 is a capacity capable of storing four electric slot control data. The number of four is the maximum number of electric slot control data that needs to be synchronized in the arithmetic processing by the second software 32. “Need simultaneity” means “need to be the same value”.

  That is, the second software 32 does not always require all the electric throttling control data calculated by the first software 31. For example, as data for electric throttle control, there is data that requires fine time resolution such as engine rotation angle, and there is data that does not change easily in minute time such as intake air temperature and is sufficient with rough time resolution. . For this reason, when the second software 32 performs the calculation process for the electric throttling control, not all the data for the electric throttling control by the first software 31 is always necessary. Only control data is required. In the present embodiment, the maximum number of part of the electrical slot control data that needs to be synchronized at the time of processing is four. The number of four is an example.

  The label area 28 is a 4-byte area. An area of one byte when viewed from the most significant bit in the label area 28 is referred to as a first position P1, a second position P2, a third position P3, and a fourth position P4. Each of the first position P1 to the fourth position P4 is associated with each of the storage areas E1 to E4. That is, when n is any one of 1 to 4, the nth position Pn and the storage area En are associated with each other. In each of the first position P1 to the fourth position P4, the identifier of the electric throttling control data written in the storage areas E1 to E4 corresponding to the position is written. The identifier of the electric throttle control data is called “data label” or simply “label”.

  In the left end portion in FIG. 9, each of “a to j” described in parentheses () on the right side of the name of each electric slot control data is a data label. For example, as shown at time t3 in FIG. 9, when the throttle opening is written in the storage area E1 in the data area 27, the throttle opening at the first position P1 in the label area 28 corresponding to the storage area E1. The data label “a” is written. Further, when the engine speed is written in the storage area E2 in the data area 27, the data label “e” that is the engine speed data label is written in the second position P2 of the label area 28 corresponding to the storage area E2. It is. On the other hand, when the data labels at the first position P1 to the fourth position P4 in the label area 28 are erased, the data values at the first position P1 to the fourth position P4 are values indicating no data. The value indicating no data is, for example, FF in hex display.

  That is, the same type of electric throttling control data is not always written in the data area 27, and different types of electric throttling control data are written each time. For this reason, by referring to the data labels at the first position P1 to the fourth position P4 in the label area 28, it is possible to know which electric throttling control data is written at which position in the data area 27. “To which position in the data area 27” means “to which of the storage areas E1 to E4” in the present embodiment. The data label written in the label area 28 corresponds to management information.

[Outline of data exchange between cores]
As shown in FIG. 1, the request unit 41 of the second core 22 issues a data request notification to the first core 21 when the calculation process of the electric throttling control is necessary. The data request notification is a notification for requesting the electric throttling control data required by the second software 32. In the present embodiment, as shown in FIG. 9, the data request notification is a 1-bit flag prepared for each of the ten electric slot control data. For example, when requesting the throttle opening, the request unit 41 turns on the data request notification about the throttle opening, and turns on the data request notification about the engine speed when requesting the engine speed. To do. In other words, issuing a data request notification means turning on the data request notification. As the data request notification state, ON is, for example, “1”, and OFF is, for example, “0”.

  For this reason, if at least one of the ten data request notifications is on, the writing unit 43 of the first core 21 needs to perform arithmetic processing of the electric throttling control. Therefore, it can be determined that it is necessary to provide correct electric throttling control data.

  The writing unit 43 writes the electric throttling control data requested by the requesting unit and corresponding to the data requesting notification issued by the requesting unit 41 in the data area 27 of the ASIL area 25. Specifically, the requested data slot control data is written in any of the storage areas E1 to E4 in the data area 27.

  The writing unit 43 then issues a data storage notification to the second core 22 after completing the writing of the electric throttling control data to the ASIL region 25. The data storage notification is a notification indicating that the requested storage control data has been stored (ie, written) in the ASIL area. As shown in FIG. 9, the data storage notification is also a 1-bit flag prepared for each of the ten electric slot control data, similarly to the data request notification. For example, when the throttle opening is written in the ASIL area 25, the writing unit 43 turns on data storage notification about the throttle opening, and when the engine speed is written in the ASIL area 25, the engine rotation Turn on data storage notification for numbers. In other words, issuing a data storage notification means turning on the data storage notification. In the data storage notification state, ON is, for example, “1”, and OFF is, for example, “0”.

  The reading unit 42 of the second core 22 can know from the data storage notification that the writing of the electrical slot control data requested by the request unit 41 to the ASIL region 25 has been completed. Then, the reading unit 42 acquires the electric throttling control data corresponding to the turned-on data storage notification from the ASIL area 25, and turns off the data storage notification and the data request notification corresponding to the acquired electric throttling control data. Switch to.

That is, the second software 32 requests the first software 31 for necessary data each time, and acquires the requested data via the ASIL area 25.
On the other hand, the regular writing unit 44 of the first core 21 writes all ten electric slot control data to the QM area 26 periodically (for example, every 50 ms). That is, data writing from the first software 31 to the QM area 26 is performed periodically.

[Specific processing for sending and receiving data between cores]
<First data writing process>
The first core 21 executes the first data writing process shown in FIG. 3 at regular intervals (for example, every 1 ms) by executing a part of the programs constituting the first software 31. This first data writing process corresponds to the process performed by the writing unit 43.

  As shown in FIG. 3, when the first core 21 starts the first data writing process, the first core 21 initializes the number of checked data to 0 in S110. The number of data that has been checked is a parameter that alternatively points to any of the ten electric throttle control data. As the value of the number of checked data, each of 0 to 9 is associated with each of the ten electric slot control data as shown in the left end portion in FIG. For example, the number of checked data with the value “0” corresponds to the throttle opening, the number of checked data with the value “1” corresponds to the accelerator opening, and the number of checked data with the value “2”. Corresponds to the intake air amount.

In the next S120, the first core 21 determines whether or not the number of checked data is less than 10, and if it is less than 10, the process proceeds to S130.
In S130, the first core 21 determines whether or not the data request notification for the corresponding data is on, and if it is on, the process proceeds to S140. The corresponding data is data for controlling the electrical slot corresponding to the number of checked data.

In S140, the first core 21 determines whether or not there is a vacancy in the ASIL area 25. If there is a vacancy, the process proceeds to S150.
In S150, the first core 21 specifies one position where the label is not written among the first position P1 to the fourth position P4 in the label area 28, and puts the label of the corresponding data on the specified position. Write.

  Then, the first core 21 performs a process of writing the corresponding data in the ASIL area 25 in the next S160. Specifically, the first core 21 updates the latest storage calculated by the first software 31 in one storage area corresponding to the position of the label area 28 identified in S150 among the storage areas E1 to E4 in the data area 27. Write the corresponding data. Note that the label may be written to the label area 28 after the corresponding data is written to the data area 27.

In the next S170, the first core 21 turns on the data storage notification for the corresponding data, and then proceeds to S180.
The first core 21 determines that the data request notification for the corresponding data is not on (ie, off) in S130, or determines that the ASIL area 25 is not free in S140. , The process proceeds to S180 as it is.

In S180, the first core 21 increments the number of checked data, and then returns to S120.
If the first core 21 determines in S120 that the number of checked data is not less than 10 (that is, 10 or more), the first core 21 ends the first data writing process.

  That is, in the first data writing process, it is confirmed whether or not the data request notification is turned on for each of the ten electric throttling control data as the calculation result by the first software 31 and corresponds to the turned on data request notification. The electric slot control data is written in the data area 27 of the ASIL area 25. Then, by turning on the data storage notification for the written electrical slot control data, the second core 22 is informed that the storage of the electrical slot control data in the ASIL area 25 is completed. Further, a data label is written in the label area 28 of the ASIL area 25 in order to inform the second core 22 which data is written in which position in the data area 27.

<Second data writing process>
The first core 21 executes the second data writing process shown in FIG. 4 at regular time intervals (for example, every 50 ms) by executing a part of the programs constituting the first software 31. This second data writing process corresponds to the process performed by the regular writing unit 44.

As shown in FIG. 4, when starting the second data writing process, the first core 21 initializes the number of checked data to 0 in S210.
In the next S220, the first core 21 determines whether or not the number of checked data is less than 10, and if it is less than 10, the process proceeds to S230.

  In S230, the first core 21 performs a process of writing the corresponding data in the QM area 26. Specifically, the first core 21 writes the latest relevant data calculated by the first software 31 to an address that is statically determined as the storage location of the relevant data among the addresses in the QM area 26.

Then, in the next S240, the first core 21 increments the number of checked data, and then returns to S220.
If the first core 21 determines in S220 that the number of checked data is not less than 10 (that is, 10 or more), the first core 21 ends the second data writing process.

In other words, in the second data writing process, the 10 latest electric throttling control data calculated by the first software 31 are written in the QM area 26.
Then, the electrical slot control data written in the QM area 26 is read by the abnormality detection software 33 and the market monitor software 34 as necessary.

<Data read processing>
The second core 22 executes a part of the programs constituting the second software 32 to perform the data reading process shown in FIG. 5 at regular time intervals (for example, every 1 ms). The execution cycle of the data reading process is the same as the execution cycle of the first data writing process in the first core 21. This data reading process corresponds to the process performed by the reading unit 42.

As shown in FIG. 5, when the second core 22 starts the data reading process, the second core 22 initializes the number of checked data to 0 in S310.
In the next S320, the second core 22 determines whether or not the number of checked data is less than 10, and if it is less than 10, the process proceeds to S330.

In S330, the second core 22 determines whether or not the data storage notification for the corresponding data is on. If it is on, the process proceeds to S340.
In S340, the second core 22 performs a process of acquiring the corresponding data from the ASIL area 25. Specifically, the second core 22 specifies the position where the label of the corresponding data is written in the first position P1 to the fourth position P4 in the label area 28. Then, the second core 22 reads data from a storage area corresponding to the specified position among the storage areas E1 to E4 in the data area 27 to a predetermined calculation memory area. The data to be read is the latest relevant data. The calculation memory area is a memory area that is used by the second software 32 to perform electric throttling calculation processing and is not accessed by the abnormality detection software 33 and the market monitor software 34. . That is, the calculation memory area is a dedicated memory area for the second software 32.

  The second core 22 erases the label of the corresponding data from the label area 28 in the next S350. That is, the second core 22 erases the label stored at the position specified in S340 out of the first position P1 to the fourth position P4 in the label area 28.

  In the next S360, the second core 22 turns off the data request notification and the data storage notification for the corresponding data. Then, the second core 22 increments the number of checked data in the next S370, and then returns to S320.

On the other hand, if the second core 22 determines in S320 that the number of checked data is not less than 10 (that is, 10 or more), the process proceeds to S380.
In S380, the second core 22 performs an electric slot control calculation process using the electric slot control data read into the calculation memory area, and then ends the data reading process.

  That is, in the data reading process, for each of the ten electric throttling control data, it is confirmed whether or not the data storage notification is on, and the electric throttling control data corresponding to the turned on data storage notification is stored in the ASIL area 25. The data is read from the data area 27 and used for the calculation process of the electric throttle control. Further, the storage position in the data area 27 of the electrical slot control data corresponding to the turned-on data storage notification is specified from the label written in the label area 28 and the label writing position. In the data reading process, the data request notification, the data storage notification, and the label for the electrical slot control data read from the data area 27 are deleted. Note that data request notification and data storage notification erasure are to turn them off.

<Data request processing>
The second core 22 starts the data request process shown in FIG. 6 after completing the data read process of FIG. Therefore, the data request process is performed at the same time interval as the data read process. This data request process is also a process performed by executing a part of the programs constituting the second software 32. The data request process corresponds to the process performed by the request unit 41.

  As illustrated in FIG. 6, when the second core 22 starts the data request process, the second core 22 performs a process of acquiring the requested data type in S410. The requested data type is the type of power slot control data requested from the second core 22 to the first core 21.

  Specifically, first, the ROM 23 stores two request data tables 51 and 52 as shown in FIG. Each of the request data tables 51 and 52 is a table in which an elapsed time counter value and a request data type are recorded in association with each other.

  The elapsed time counter is a counter incremented in S440 described later in the data request process. For this reason, the elapsed time counter is incremented every 1 ms, which is the execution cycle of the data request process. In this example, since there are 8 combinations of request data types recorded in the request data tables 51 and 52, when the value of the elapsed time counter increases by 1 from 0 to 7, the next increment is performed. It is supposed to return to zero. That is, the time lapse counter wraps around between 0-7.

  In S410, the second core 22 is recorded corresponding to the value of the current elapsed time counter from the one selected from the two request data tables 51 and 52 in the table switching process described later. Read and obtain the requested data type.

For example, the request data table 51 shown in FIG. 7 is created based on the fact that the elapsed time counter is incremented every 1 ms and the following (1) to (3).
(1) The electric throttle control data requested every 1 ms is the throttle opening.

(2) The electric throttle control data requested every 2 ms is the accelerator opening, the intake air amount, the engine rotation angle, the engine rotation speed, and the O2 sensor value 1.
(3) Electric throttle control data requested every 8 ms is O2 sensor value 2, intake air temperature, other data 1, and other data 2.

Of the request data tables 51 and 52, the request data table 51 is normally used in S410, for example.
The second core 22 acquires the request data type in S410, and then proceeds to S420. Then, in S420, the second core 22 determines whether or not there is request data that is the electric throttling control data of the request data type acquired in S410. If the request data exists, the process proceeds to S430. .

  In S430, the second core 22 turns on the data request notification for the request data type acquired in S410, and then proceeds to S440. If the second core 22 determines in S420 that the requested data does not exist, the second core 22 skips S430 and proceeds to S440.

In S440, the second core 22 increments the elapsed time counter, and then ends the data request process.
If the request data table 51 of FIG. 7 is used in S410 by such data request processing, the electric throttling control data of the request data type described in each row of the request data table 51 is obtained every 1 ms. This is required for the first core 21.

<Table switching process>
The second core 22 performs a table switching process shown in FIG. 8 as a process of switching the request data table used in S410 of FIG. The table switching process of FIG. 8 is performed in S410 of FIG. 6, for example. Further, the table switching process may be performed, for example, at a certain time interval different from the data request process of FIG. This table switching process also corresponds to the process performed by the request unit 41.

  As shown in FIG. 8, when starting the table switching process, the second core 22 determines whether or not a specific condition is satisfied in S510. If the specific condition is not satisfied, the process proceeds to S520. move on. In S520, the second core 22 selects the first table as the request data table used in S410 of FIG. 6, and then ends the table switching process. The first table is the request data table 51 that is normally used out of the request data tables 51 and 52.

  If the second core 22 determines in 510 that the specific condition is satisfied, the process proceeds to S530. Then, in S530, the second core 22 selects the second table as the request data table used in S410 of FIG. 6, and then ends the table switching process. The second table is the request data table 52.

Here, an example of the specific condition determined in S510 and the request data table 52 will be described.
As a specific condition, for example, a condition that a sensor for detecting the O2 sensor value 2 is broken can be considered. In this case, as the request data table 52, the O2 sensor value 2 can be deleted from the request data table 51 shown in FIG. In the case of this configuration, the O2 sensor value 2 is not required from the second core 22 to the first core 21 in a situation where the O2 sensor value 2 is not normal. Therefore, it is not necessary to perform processing for transferring the uncertain O2 sensor value 2 from the first core 21 to the second core 22. In addition, such a configuration is the same for the other sensors and data for electric throttle control.

  Further, the specific condition may be a condition that the electric throttling control is prohibited. In this case, as the request data table 52, the request data type may not be recorded. In the case of this configuration, in the situation where the electric throttling control is prohibited, all the electric throttling control data is not requested from the second core 22 to the first core 21. Therefore, it is not necessary to perform a process for transferring unnecessary power-slot control data from the first core 21 to the second core 22.

  Note that the number of request data tables is not limited to two, and may be one or three or more. When the number of request data tables is one, the table switching process of FIG. 8 is not necessary. Further, when the number of request data tables is three or more, a condition for selecting one of the three or more request data tables is set, and the request data tables are switched. Just do it.

[Example]
An example of the effect of performing the processes of FIGS. 3, 5, and 6 will be described with reference to FIG. FIG. 9 illustrates an example of state transition between the ASIL area 25, the data request notification, and the data storage notification. In the example shown in FIG. 9, the request data table 51 of FIG. 7 is used in S410 of FIG. In FIG. 9, “None” written in the label area 28 of the ASIL area 25 means that the label is erased.

  First, when the value of the elapsed time counter is 0, the second core 22 performs the data request process of FIG. 6, and then the first core 21 performs the first data write process of FIG. Assume that the two cores 22 perform the data reading process of FIG. In this case, the ASIL area 25, the data request notification, and the data storage notification are as shown at time t1 in FIG.

  That is, at time t1, the electric throttling control data of the four request data types recorded in the first row of the request data table 51 are stored in the storage areas E1 to E4 of the ASIL area 25. Reading of the slot control data by the second core 22 is completed. For this reason, all the labels in the label area 28 are erased, and the data request notification and the data storage notification are all turned off. The first row of the request data table 51 is a row corresponding to “elapsed time counter value = 0” in the request data table 51.

  Next, when the second core 22 performs the data request process of FIG. 6, this data request process is performed when the value of the elapsed time counter is 1. Therefore, the ASIL area 25, the data request notification, and the data storage notification are as shown at time t2 in FIG.

  That is, at time t2, the data request notifications corresponding to the four request data types recorded in the second row of the request data table 51 among the ten data request notifications are turned on. The second row of the request data table 51 is a row corresponding to “elapsed time counter value = 1” in the request data table 51.

Next, when the first core 21 performs the first data writing process of FIG. 3, the ASIL area 25, the data request notification, and the data storage notification are as shown at time t3 in FIG.
That is, at time t3, the electric throttling control data corresponding to the turned on data request notification is written to the data area 27 of the ASIL area 25, and a, a, which are labels of the written electric throttling control data. e, f, and g are written in the label area 28 of the ASIL area 25. Then, the data storage notification for the electrical slot control data written in the data area 27 is turned on.

Next, when the second core 22 performs the data reading process of FIG. 5, the ASIL area 25, the data request notification, and the data storage notification are as shown at time t4 in FIG.
In other words, at time t4, the second core 22 reads each power slot control data in the data area 27, and all the labels in the label area 28 are erased. The data request notification and data storage notification are all turned off.

  Next, when the second core 22 performs the data request process of FIG. 6, this data request process is executed when the value of the elapsed time counter is 2. Therefore, the ASIL area 25, the data request notification, and the data storage notification are as shown at time t5 in FIG.

  That is, at time t5, out of the ten data request notifications, the data request notifications corresponding to the four request data types recorded in the third row of the request data table 51 are turned on. The third row of the request data table 51 is a row corresponding to “elapsed time counter value = 2” in the request data table 51.

Thereafter, the same operation as described above is repeated.
[effect]
According to the first embodiment described in detail above, the following effects can be obtained.

  (1a) From the first software 31 executed in the first core 21 to the second software 32 executed in the second core 22 via the ASIL area 25 that is not accessed by the abnormality detection software 33 and the market monitor software 34 Electric throttling control data as operation result data is provided. For this reason, the first software 31 and the second software 32, the abnormality detection software 33, and the market monitor software 34 are partitioned. Therefore, the safety level set in the first software 31 and the second software 32 is ensured. Further, not all the electric throttling control data provided from the first software 31 to the second software 32 is always stored in the ASIL area 25, but a predetermined timing among the all electric throttling control data is stored. Only a part of the electric throttling control data required by the second software 32 is written every time. For this reason, a required memory capacity can be reduced. In the present embodiment, as shown in FIG. 2, the QM area 26 is 40 bytes, whereas the ASIL area 25 is 20 bytes including the label area 28.

  (1b) The request unit 41 and the reading unit 42 are realized by the second core 22 executing the second software 32. The writing unit 43 is realized by the first core 21 executing the first software 31. For this reason, it is not necessary to add hardware.

  (1c) The ASIL area 25 has a data label as management information that can specify a data area 27 in which the electric throttling control data is written and which position in the data area 27 is written in which electric throttling control data. A label area 28 to be written. The writing unit 43 on the first core 21 side writes the data slot control data requested from the second core 22 in the data area 27 and also performs a process of writing a data label in the label area 28. Further, the reading unit 42 on the second core 22 side reads the electric throttling control data from the data area 27 based on the data label in the label area 28.

  For this reason, in the second core 22, it is possible to correctly grasp at which position in the data area 27 the electric throttle control data requested from the first core 21 is written. Therefore, the electric throttling control data requested by the second core 22 can be reliably provided from the first core 21 to the second core 22.

  (1d) The QM area 26 accessible by the abnormality detection software 33 and the market monitor software 34 is provided, and the periodic writing unit 44 of the first core 21 receives all or part of the electric slot control data in the QM Write periodically to area 26. For this reason, it is also possible to provide the electrical slot control data from the first software 31 to the abnormality detection software 33 and the market monitor software 34.

(1e)
The regular writing unit 44 is realized by the first core 21 executing the first software 31. For this reason, it is not necessary to add hardware.

  (1f) The storage capacity of the ASIL area 25 needs to be the same value in the arithmetic processing by the second software 32 as the maximum number of data for the electrical throttle control that can be stored in the ASIL area 25. The maximum number of data for use is set to be the same. For this reason, the storage capacity of the ASIL area 25 can be minimized. The maximum number is four in the present embodiment, but may be other than four.

  (1g) The request unit 41, the writing unit 43, and the reading unit 42 are configured to operate at regular intervals. For this reason, it is possible to provide the electric throttling control data necessary from time to time from the first core 21 to the second core 22 at regular intervals.

  (1h) In the ROM 23, at least one request data table 51, 52 is recorded. The request data tables 51 and 52 are tables in which which of the plurality of timings is requested and which of all the electric slot control data is requested to the first core 21 is recorded. In the present embodiment, the plurality of timings are eight timings corresponding to the value of the elapsed time counter. The request unit 41 is configured to request the first core 21 for a part of all the electrical slot control data based on at least one request data table 51, 52.

  For this reason, by changing the contents recorded in the request data tables 51 and 52, the type of the electric throttle control data required from the second core 22 to the first core 21 can be changed at each timing.

  (1i) The request unit 41 switches among the request data tables 51 and 52, the request data table used for determining the electric throttling control data requested from the first core 21 based on a predetermined condition. For this reason, an optimal request data table can be used according to the situation. As a result, it is possible to request the first core 21 for the most suitable type of electric throttling control data according to the situation.

  In the present embodiment, the first core 21 corresponds to a first processing unit, and the second core 22 corresponds to a second processing unit. Further, the ASIL area 25 corresponds to a transfer area, and the QM area 26 corresponds to another area.

[Other Embodiments]
<Modification 1>
The number of cores included in the microcomputer 17 may be three or more. In that case, when paying attention to any two of the three or more cores, the two cores only have to have the same relationship as the two cores 21 and 22 of the above embodiment.

<Modification 2>
For example, the reading unit 42 of the second core 22 may be configured to compare the data storage notification with the data request notification issued by the request unit 41 and to perform fail-safe processing if they do not match. . As fail-safe processing, for example, processing for preventing data from being read from the ASIL area 25, processing for reading only data for which the data storage notification and the data request notification match, and the like are performed. It may be configured.

<Modification 3>
For example, the abnormality detection software 33 and the market monitor software 34 as the third software may be configured to be executed by the first core 21.

<Modification 4>
The first software 31 and the second software 32 are not limited to the electric throttling control software, but may be other control software.

<Modification 5>
The ECU 11 may be equipped with functions other than the functions of the software 31 to 34 described above.

As mentioned above, although the form for implementing this indication was demonstrated, this indication is not limited to the above-mentioned embodiment, and can carry out various modifications.
For example, a plurality of functions that one constituent element in the above-described embodiment has may be realized by a plurality of constituent elements, or a single function that one constituent element has may be realized by a plurality of constituent elements. Further, a plurality of functions possessed by a plurality of constituent elements may be realized by one constituent element, or a single function realized by a plurality of constituent elements may be realized by one constituent element. Moreover, you may abbreviate | omit a part of structure of the said embodiment. Further, at least a part of the configuration of the above embodiment may be added to or replaced with the configuration of the other embodiment. In addition, all the aspects included in the technical idea specified only by the wording described in the claims are embodiments of the present disclosure. In addition to the ECU 11 described above, a system including the ECU 11 as a constituent element, a program for causing a computer to function as the ECU 11, a non-transition actual recording medium such as a semiconductor memory storing the program, a data transfer method, and the like The present disclosure can also be realized in various forms.

  21 ... 1st core, 22 ... 2nd core, 25 ... ASIL area, 31 ... 1st software, 32 ... 2nd software, 33 ... Abnormality detection software, 34 ... Market monitor software, 41 ... Request part, 42 ... Reading part 43 writing unit

Claims (9)

A first processing unit (21) and a second processing unit (22) configured to execute software;
First software (31) executed by the first processing unit;
Second software (32) executed by the second processing unit;
A transfer area (25) that is a storage area that is not accessed by the third software (33, 34) that is software different from the first software and the second software,
The first software and the second software are software in which a higher degree of safety is set than the third software, and the second software stores calculation result data that is data calculated by the first software. And is configured to perform arithmetic processing,
The second processing unit includes:
A part of all operation result data provided from the first software to the second software at a predetermined timing, and a part of the calculation result data required by the second software at the timing A request unit (41) configured to request operation result data from the first processing unit;
The first processing unit includes:
The calculation result data requested by the request unit is written in the transfer area, and the second processing unit is notified that writing of the requested calculation result data in the transfer area is completed. A writing unit (43),
The second processing unit includes:
A reading unit (42) configured to read out the calculation result data from the transfer area when receiving the notification by the writing unit;
In-vehicle control device. The in-vehicle control device according to claim 1,
The request unit and the reading unit are realized by the second processing unit executing the second software,
The writing unit is realized by the first processing unit executing the first software.
In-vehicle control device. The in-vehicle control device according to claim 1 or 2,
The transfer area is
A data area (27) in which the partial calculation result data is written;
A management area (28) in which management information capable of specifying which calculation result data is written at which position in the data area is provided,
The writing unit is configured to perform a process of writing the management information in the management area;
The reading unit is configured to read the calculation result data from the data area based on the management information in the management area.
In-vehicle control device. The in-vehicle control device according to any one of claims 1 to 3,
Another area (26) which is a storage area accessible by the third software,
The first processing unit includes:
A periodic writing unit (44) configured to periodically write all or part of the operation result data in the different area;
In-vehicle control device. The vehicle-mounted control device according to claim 4,
The periodic writing unit is realized by the first processing unit executing the first software.
In-vehicle control device. It is an in-vehicle control device given in any 1 paragraph of Claims 1 thru / or 5,
The storage capacity of the transfer area is
The maximum number of the operation result data that can be stored in the transfer area is set to be the same as the maximum number of the operation result data that needs to be the same value in the operation processing by the second software. Being
In-vehicle control device. The vehicle-mounted control device according to any one of claims 1 to 6,
The request unit, the writing unit, and the reading unit are configured to operate at regular intervals.
In-vehicle control device. The vehicle-mounted control device according to any one of claims 1 to 7,
At least one table (51, 52) in which which of the plurality of operation result data is requested to the first processing unit at which timing of the plurality of timings is recorded;
The request unit is configured to request a part of all the operation result data to the first processing unit based on the at least one table.
In-vehicle control device. The in-vehicle control device according to claim 8,
The at least one table is a plurality of tables (51, 52);
The request unit is configured to switch a table to be used among the plurality of tables based on a predetermined condition.
In-vehicle control device.

Images