JP6631426B2 - In-vehicle communication system - Google Patents

Description

  The present invention relates to an in-vehicle communication system.

  The in-vehicle communication system is used for various controls on a vehicle. However, in recent years, the vulnerability of in-vehicle communication systems has often been pointed out. Patent Document 1 discloses a technique for overcoming the vulnerability of a conventional in-vehicle communication system.

  The technology disclosed in Patent Literature 1 encodes all signals exchanged between a plurality of electronic control units (hereinafter, referred to as “ECUs”) incorporated in an in-vehicle communication system using a message authentication code, and performs on-vehicle communication. Prevent unauthorized access to the communication system.

JP 2013-98719 A

  The technology disclosed in Patent Literature 1 increases the number of bits of a signal exchanged in an in-vehicle communication system. As a result, an excessive communication load is added to the in-vehicle communication system.

  An object of the present invention is to provide a technique for preventing unauthorized access to an in-vehicle communication system without increasing the communication load of the in-vehicle communication system.

An in-vehicle communication system according to one aspect of the present invention is configured to notify, among a plurality of nodes, the presence of an external factor that hinders the operation of a node, when there is an external factor that hinders the operation of the node. The in-vehicle communication system includes a first node and a second node each having a communication unit that repeatedly outputs a state signal in the absence of the external factor. In the absence of the external cause, the communication unit of the first node may have a value less than a reception interval threshold defined for a reception interval at which the second node receives the state signal from the first node. By determining the transmission timing of the status signal based on the transmission interval threshold set in, and varying the transmission interval threshold within a range not exceeding the reception interval threshold, repeatedly output the status signal at an indefinite time interval It is configured to If the communication unit of the second node does not receive the status signal within the reception interval defined by the reception interval threshold, the second node generates a notification signal that notifies the existence of the external cause. .

  According to the configuration, the communication unit of the first node repeatedly outputs the state signal in the absence of an external factor that hinders the operation of the first node. However, it can be known that they are not exposed to external factors. During this time, the second node does not need to perform processing to deal with external factors, so that the communication load of the vehicle-mounted communication system does not become excessively large.

If the second node does not receive the status signal for a predetermined period, the second node generates a notification signal for notifying the presence of the unauthorized access , so that the in-vehicle communication system can execute a process for dealing with the unauthorized access .

Since the communication unit repeatedly outputs the status signal at a time interval shorter than the predetermined period, the second node can appropriately determine the presence of the unauthorized access on condition that the status signal is not received within the predetermined period. .

Since the time interval at which the status signal is transmitted is indefinite, unauthorized access that simulates the status signal is less likely to be incorporated into the onboard communication system.

With respect to the above configuration, the in-vehicle communication system may further include a bus electrically connected to a plurality of nodes including the first node and the second node. The plurality of nodes may each output a signal with a different identifier to the bus. A signal generation unit that adds a first identifier to the state signal and a data signal used for controlling a predetermined control target to generate a communication signal, wherein the communication unit is a device other than the first node; A determination unit that determines whether an identifier added to a received signal received from the node is the first identifier. When the determination unit determines that the identifier attached to the received signal is the first identifier, the communication unit stops outputting the status signal, and the stop period of the output of the status signal is The second node may generate the notification signal when the reception interval exceeds a reception interval defined by a reception interval threshold.

According to the above configuration, the plurality of nodes electrically connected to the bus output signals with different identifiers, so that the first node cannot receive signals from other nodes in the absence of unauthorized access. It does not receive the signal with the first identifier. When the determining unit of the first node determines that the identifier added to the received signal from a node other than the first node is the first identifier, the communication unit stops outputting the status signal. Thus, the presence of unauthorized access can be properly detected.

With respect to the above configuration, the signal generation unit does not encode the data signal while encoding the state signal .

According to the above configuration, since the signal generation unit encodes the state signal, the content of the state signal is difficult to analyze. Therefore, an unauthorized access that simulates a state signal is less likely to be incorporated into a vehicle-mounted communication system.

  With respect to the above configuration, each of the first node and the second node may be an electronic control unit designed to control an engine.

  According to the above configuration, since the first node and the second node are electronic control units designed to control the engine, unauthorized processing for controlling the engine is prevented.

  Regarding the above configuration, each of the first node and the second node may be an electronic control unit designed to control a brake.

  According to the above configuration, since the first node and the second node are the electronic control units designed to control the brake, an illegal process for controlling the brake is inhibited.

  The above-described technology contributes to preventing unauthorized access to the in-vehicle communication system without increasing the communication load of the in-vehicle communication system.

It is a conceptual block diagram of the vehicle-mounted communication system of 1st Embodiment. FIG. 2 is a conceptual block diagram of the vehicle-mounted communication system shown in FIG. 1. FIG. 9 is a schematic block diagram illustrating a functional configuration of an ECU according to a second embodiment. It is a schematic flowchart of a generation process of a state signal. 10 is a schematic flowchart of a detection process for detecting an external factor that hinders an appropriate operation of another ECU. 11 is a flowchart illustrating a process of changing a threshold used in the generation process illustrated in FIG. 4 (third embodiment). It is a conceptual block diagram of the vehicle-mounted communication system in which the unauthorized ECU was incorporated (4th Embodiment). FIG. 2 is a schematic block diagram illustrating an exemplary functional configuration of an ECU. 9 is a schematic flowchart showing a process of a first determination unit of the ECU shown in FIG. 9 is a schematic flowchart showing a process of a second determination unit of the ECU shown in FIG. 9 is a schematic flowchart showing a process of a third determination unit of the ECU shown in FIG. It is a schematic block diagram showing the example functional composition of ECU of 5th Embodiment. It is a conceptual block diagram of the vehicle-mounted communication system of 6th Embodiment. It is a conceptual block diagram of the vehicle-mounted communication system of 7th Embodiment. It is a conceptual block diagram of the vehicle-mounted communication system of 8th Embodiment.

<First embodiment>
If a plurality of ECUs incorporated in the in-vehicle communication system are notified of the absence of an external factor that hinders the normal operation of the in-vehicle communication system, these ECUs do not need to execute processing for dealing with the external factors. Good. Therefore, the communication load of the in-vehicle communication system is maintained at a low level while no external factors are present. In the first embodiment, an exemplary in-vehicle communication system having a function of notifying the absence of an external factor that prevents normal operation will be described.

  FIG. 1 is a conceptual block diagram of a vehicle-mounted communication system (hereinafter, referred to as a communication system 100) of the first embodiment. With reference to FIG. 1, a communication system 100 will be described.

  The communication system 100 includes a plurality of ECUs and a bus 120. FIG. 1 shows two ECUs 111 and 112 as a plurality of ECUs. The ECUs 111 and 112 are communicably connected by a bus 120. ECU 111 outputs state signal CDS to bus 120. The ECU 112 receives the status signal CDS via the bus 120. The communication system 100 may be constructed based on a known technology of a controller area network (CAN).

  As shown in FIG. 1, state signal CDS is repeatedly output from ECU 111 to bus 120. The transmission interval of the status signal CDS may be constant or may be indefinite.

  FIG. 2 is a conceptual block diagram of the communication system 100. With reference to FIGS. 1 and 2, the communication system 100 is further described.

  FIG. 1 shows the communication system 100 in the absence of an external factor that hinders the operation of the ECU 111, while FIG. 2 shows the communication system 100 in the presence of an external factor. As described with reference to FIG. 1, the ECU 111 repeatedly outputs the state signal CDS in the absence of an external factor. On the other hand, the ECU 111 does not output the state signal CDS in the presence of an external factor. In the present embodiment, the first node is exemplified by the ECU 111.

  As external factors that hinder the operation of the ECU 111, disconnection between the ECU 111 and the bus 120, presence of another ECU that hinders normal operation of the ECU 111, impersonation of the ECU 111, and other ECUs that output improper signals to the bus 120 And the failure of the ECU 111 are exemplified. The principle of the present embodiment is not limited to a specific external factor that hinders the operation of the ECU 111.

<Second embodiment>
The ECU may have various functional configurations due to the communication principle of the state signal described in relation to the first embodiment. In the second embodiment, an exemplary functional configuration of the ECU will be described.

  FIG. 3 is a schematic block diagram illustrating a functional configuration of the ECU 200 according to the second embodiment. Referring to FIGS. 1 and 3, ECU 200 will be described. The description of the first embodiment is applied to the elements denoted by the same reference numerals as the first embodiment.

  The functional configuration of ECU 200 is applicable to both ECUs 111 and 112 described with reference to FIG. Therefore, the description regarding ECU 200 may be applied to ECUs 111 and 112, respectively.

  ECU 200 includes a communication unit 210, a determination unit 220, and a signal generation unit 230. Communication unit 210 includes a transmission unit 211 and a reception unit 212. The status signal is output from transmitting section 211 to bus 120 (see ECU 111 in FIG. 1). The receiving unit 212 receives, via the bus 120, the status signal output by another ECU (see the ECU 112 in FIG. 1). The communication unit 210 may be a transceiver included in a general ECU. The determination unit 220 may be a CPU (Central Processing Unit) of a general ECU. The signal generation unit 230 may be a CAN controller included in a general ECU.

  The determination unit 220 includes a reset unit 221 and a second clock unit 222. The second timer 222 measures time. The reset unit 221 receives a state signal output by another ECU from the receiving unit 212. The reset unit 221 generates a reset signal according to the status signal received from the receiving unit 212. The reset signal is output from the reset unit 221 to the second clock unit 222. The second timer 222 sets the clock to zero in response to the reset signal.

  If the receiving unit 212 does not receive a status signal from another ECU, the clock value continues to increase. When the clock value exceeds a predetermined threshold, the second clock unit 222 generates a trigger signal. The trigger signal is output from second timing section 222 to signal generation section 230.

  The signal generator 230 includes a notification signal generator 231, a first timer 232, and a state signal generator 233. The notification signal generation unit 231 receives the trigger signal from the second clock unit 222. The notification signal generator 231 generates a notification signal according to the trigger signal.

  FIG. 3 shows the warning operation unit AMP. The notification signal is output from the notification signal generation unit 231 to the warning operation unit AMP. The warning operation unit AMP performs a predetermined warning operation according to the notification signal. The warning operation section AMP may be a warning display board incorporated in the instrument panel. In this case, the warning display panel displays information indicating that another ECU has failed in response to the notification signal. The principle of the present embodiment is not limited to a specific device used as the warning operation unit AMP.

  The first timer 232 measures time. When the clock value reaches a predetermined value, the first clock unit 232 generates a request signal. The request signal is output from the first timer 232 to the state signal generator 233. The state signal generator 233 generates a state signal according to the request signal. The status signal generator 233 may generate a status signal based on a general packet signal format. The state signal is transmitted from state signal generating section 233 to transmitting section 211. After that, the status signal is output from the transmission unit 211 to the bus 120.

  FIG. 4 is a schematic flowchart of the state signal generation processing. With reference to FIG. 3 and FIG. 4, the generation processing of the state signal will be described.

(Step S110)
ECU 200 waits for completion of the start-up process of the in-vehicle communication system. When the startup processing is completed, step S120 is executed.

(Step S120)
The first timing unit 232 starts timing. As a result, the clock value “T1” increases from zero. After the start of the timing, step S130 is executed.

(Step S130)
The first clock unit 232 waits for the clock value “T1” to exceed the threshold “TH1”. When the time value “T1” exceeds the threshold value “TH1”, step S140 is executed.

(Step S140)
The first timer 232 generates a request signal. The request signal is transmitted from the first timer 232 to the state signal generator 233. After transmitting the request signal, step S150 is executed.

(Step S150)
The state signal generator 233 generates a state signal according to the request signal. The state signal is transmitted from state signal generating section 233 to transmitting section 211. After that, the transmitting unit 211 outputs the status signal to the bus 120. After outputting the status signal to the bus 120, step S160 is executed.

(Step S160)
If the in-vehicle communication system is shut down, the status signal generation processing ends. Otherwise, step S120 is performed.

  FIG. 5 is a schematic flowchart of a detection process for detecting an external factor that hinders an appropriate operation of another ECU. The detection process will be described with reference to FIGS.

(Step S210)
ECU 200 waits for completion of the start-up process of the in-vehicle communication system. When the startup processing is completed, step S220 is executed.

(Step S220)
The second timing section 222 starts timing. As a result, the clock value “T2” increases from zero. After the start of the timing, step S230 is executed.

(Step S230)
If the receiving unit 212 receives the status signal via the bus 120, the status signal is transmitted from the receiving unit 212 to the reset unit 221. In this case, step S220 is performed. Otherwise, step S240 is performed.

(Step S240)
The second clock unit 222 determines whether the clock value “T2” exceeds the threshold “TH2”. When the time value “T2” exceeds the threshold value “TH2”, step S250 is executed. Otherwise, step S230 is performed.

(Step S250)
The second timer 222 generates a trigger signal. The trigger signal is transmitted from the second timer 222 to the notification signal generator 231. After transmitting the trigger signal to the notification signal generation unit 231, step S260 is executed.

(Step S260)
The notification signal generator 231 generates a notification signal according to the trigger signal. The notification signal is output from the notification signal generation unit 231 to the warning operation unit AMP. The warning operation unit AMP performs a predetermined warning operation according to the notification signal.

  In the present embodiment, the thresholds “TH1” and “TH2” are both constant values. The threshold “TH2” used in step S240 is set to a value larger than the threshold “TH1” described with reference to FIG. If the plurality of ECUs incorporated in the in-vehicle communication system have the same functional configuration as that of ECU 200 (see FIG. 3), the time interval of the output of the state signal is determined in order to determine whether or not to execute step S250. It is shorter than the period used (the period determined by the threshold “TH2”). Therefore, if the status signal is repeatedly output, no notification signal is generated. In the present embodiment, the predetermined period is exemplified by a period determined by the threshold “TH2”.

<Third embodiment>
The threshold value used in the state signal generation processing described in relation to the second embodiment is constant. Alternatively, the threshold may vary. In this case, the time interval of the output of the state signal becomes indefinite. In the third embodiment, an exemplary generation process for changing a threshold will be described.

  FIG. 6 is a flowchart illustrating a process of changing the threshold “TH1”. With reference to FIG. 3, FIG. 4, and FIG. 6, the generation processing of the state signal will be described.

  The process shown in FIG. 6 is executed in step S130 in FIG.

(Step S131)
The first timer 232 adds a value obtained from a random function to a predetermined value “TH”, and sets a threshold “TH1”. The value “TH” is constant. The first timing unit 232 may set the threshold “TH1” using a value obtained from another function instead of the random function. For example, a function using the clock value “T1” as a variable can be suitably used to set the threshold “TH1”. After setting the threshold “TH1”, step S132 is executed.

(Step S132)
The first timer 232 determines whether the threshold “TH1” is smaller than the threshold “TH2”. If threshold value “TH1” is smaller than threshold value “TH2”, step S133 is executed. Otherwise, step S131 is performed.

(Step S133)
The first clock unit 232 compares the threshold value “TH1” with the clock value “T1”.

<Fourth embodiment>
An ECU that has been illegally added to the bus is one of the external factors that hinders the normal operation of the legitimate ECU. In the fourth embodiment, an example technique for detecting unauthorized connection of an ECU to a bus will be described.

  FIG. 7 is a conceptual block diagram of the communication system 101 in which an unauthorized ECU is incorporated. The description of the above embodiment is applied to the elements denoted by the same reference numerals as those of the above embodiment.

  As in the first embodiment, the communication system 101 includes ECUs 111 and 112 and a bus 120. The description of the first embodiment is applied to these elements.

  The communication system 101 further includes ECUs 113, 114, and 115. As with the ECUs 111 and 112, the ECUs 113, 114 and 115 are electrically connected to the bus 120, respectively. While the ECUs 111, 112, 113, and 114 are genuine products, the ECU 115 is improperly attached to the bus 120.

  Each of the ECUs 111, 112, 113, and 114 outputs a data signal to the bus 120. The data signal may be a packet signal. Data signals are exchanged between the ECUs 111, 112, 113, 114 via the bus 120. In the present embodiment, the plurality of nodes are exemplified by the ECUs 111, 112, 113, and 114. The in-vehicle communication system may have less than four ECUs, or may have more than four ECUs. The principle of the present embodiment is not limited at all by how many ECUs are incorporated in the in-vehicle communication system.

  ECUs 111, 112, 113, 114 may be used to control the engine of the vehicle. Alternatively, ECUs 111, 112, 113, 114 may be used to control the navigation system of the vehicle. Further alternatively, the ECUs 111, 112, 113, 114 may be used to control the braking of the vehicle. Further alternatively, the ECUs 111, 112, 113, 114 may be used to control an air conditioner of a vehicle. The principle of the present embodiment is not limited to the specific control target of each of the ECUs 111, 112, 113, 114.

  As shown in FIG. 7, data signals output from ECUs 111, 112, 113, 114 to bus 120 are provided with different identifiers. In the present embodiment, the signals with different identifiers are exemplified by data signals output from the ECUs 111, 112, 113, 114.

  The data signal output from the ECU 111 is provided with an identifier “ID111”. If the identifier “ID111” is attached to the data signal obtained from the bus 120, the ECUs 112, 113, and 114 send the data signal to the information (data (W111, X111, Y111, Z111)). If the ECUs 112, 113, 114 need information on the control factors to be controlled by the ECU 111, the ECUs 112, 113, 114 take in the data signal with the identifier “ID111”. In the present embodiment, the first node is exemplified by the ECU 111. The first identifier is exemplified by the identifier “ID111”. The communication signal is exemplified by a data signal output from the ECU 111.

  The data signal output from the ECU 112 is provided with an identifier “ID112”. If the identifier "ID 112" is attached to the data signal obtained from the bus 120, the ECUs 111, 113, and 114 provide information about the other control factor for controlling the engine. (Data (W112, X112, Y112, Z112)) may be recognized. If the ECUs 111, 113, 114 need information on the control factors to be controlled by the ECU 112, the ECUs 111, 113, 114 take in the data signal with the identifier “ID112”.

  The data signal output from the ECU 113 is provided with an identifier “ID113”. If the identifier “ID 113” is attached to the data signal obtained from the bus 120, the ECUs 111, 112, and 114 may send the data signal to information about another control factor for controlling the engine. (Data (W113, X113, Y113, Z113)) may be recognized. If the ECUs 111, 112, and 114 need information on control factors to be controlled by the ECU 113, the ECUs 111, 112, and 114 take in data signals with identifiers “ID113”.

  The data signal output from the ECU 114 is provided with an identifier “ID114”. If the identifier "ID114" is appended to the data signal obtained from the bus 120, the ECUs 111, 112, and 113 will send the data signal to information about another control factor for controlling the engine. (Data (W114, X114, Y114, Z114)) may be recognized. If the ECUs 111, 112, and 113 need information on the control factors to be controlled by the ECU 114, the ECUs 111, 112, and 113 take in the data signal with the identifier “ID114”.

  Similarly to the ECUs 111, 112, 113 and 114, the ECU 115 outputs a data signal to the bus 120. The data signal output from ECU 115 includes data (W115, X115, Y115, Z115) that may cause inappropriate operation of the engine of the vehicle on which communication system 101 is mounted.

  The data signal output from the ECU 115 has the same identifier “ID111” as the identifier provided by the ECU 111. Therefore, the ECUs 112, 113, and 114 can recognize that the data signal output from the ECU 115 includes information on a control factor to be controlled by the ECU 111. On the other hand, the ECU 111 can recognize the data signal output from the ECU 115 as an incorrect signal because the identifier “ID111” that should be uniquely assigned to the ECU 111 is added to the data signal that is not transmitted by the ECU 111. In the present embodiment, a node other than the first node is exemplified by one of the ECUs 112, 113, 114, and 115.

  FIG. 8 is a schematic block diagram illustrating an exemplary functional configuration of ECU 200A. The functional configuration of ECU 200A may be applied to each of ECUs 111, 112, 113, and 114. ECU 200A will be described with reference to FIGS. 4, 5, 7, and 8. FIG. The description of the above embodiment is applied to the elements denoted by the same reference numerals as those of the above embodiment.

  ECU 200A includes a communication unit 210A, a determination unit 220A, a signal generation unit 230A, and a data processing unit 240. Communication unit 210A may be a transceiver included in a general ECU. The determination unit 220A and the data processing unit 240 may be CPUs included in a general ECU. The signal generation unit 230A may be a CAN controller included in a general ECU.

  Communication unit 210A includes a transmission unit 211A and a reception unit 212A. As in the second embodiment, the transmission unit 211A outputs a status signal to the bus 120. In addition, transmitting section 211A outputs a data signal to bus 120. As in the second embodiment, the receiving unit 212A receives a status signal via the bus 120. In addition, receiving section 212A receives a data signal output from another ECU via bus 120. The status signal and the data signal received by the receiving unit 212A are transmitted to the determining unit 220A. In the present embodiment, the received signal is exemplified by the status signal or the data signal received by the receiving unit 212A.

  The determining unit 220A further includes a first determining unit 223, a second determining unit 224, and a third determining unit 225. The first determining unit 223 receives the status signal and the data signal from the receiving unit 212A. The first determination unit 223 determines whether the signal from the receiving unit 212A is a status signal or a data signal. If the signal from receiving section 212A is a state signal, the state signal is transmitted from first determining section 223 to third determining section 225. Thereafter, the third determination unit 225 determines whether or not another ECU connected to the bus 120 is appropriately outputting the state signal. If one of the other ECUs connected to the bus 120 has not output a status signal for a predetermined period, a trigger signal is generated. If the signal from receiving section 212A is a data signal, the data signal is transmitted from first determining section 223 to second determining section 224.

  The second determination unit 224 refers to the identifier attached to the data signal. If the identifier indicates that the data signal includes information required for processing performed by the data processing unit 240, the second determination unit 224 determines that the data included in the data signal is Output to If the identifier indicates that the data signal includes information unrelated to the processing performed by the data processing unit 240, the second determination unit 224 blocks transmission of the data included in the data signal.

  For example, the data processing unit 240 of the ECU 111 needs the data included in the data signals output from the ECUs 112 and 113, but may not need the data included in the data signal output from the ECU 114. In this case, if the identifier “ID112” or “ID113” is added to the data signal from the first determination unit 223, the second determination unit 224 of the ECU 111 determines whether the data (W112, X112, Y112, Z112) or The data (W113, X113, Y113, Z113) is transmitted to the data processing unit 240 of the ECU 111. If the identifier “ID114” is attached to the data signal from the first determination unit 223, the second determination unit 224 of the ECU 111 cuts off transmission of the data signal received by the reception unit 212A.

  If the identifier given to the data signal received from receiving section 212A matches the identifier that should be given by signal generating section 230A, determining section 220A determines that the data signal received by receiving section 212A is incorrect. It may be determined. For example, if the identifier “ID111” is added to the data signal from the first determination unit 223 of the ECU 111, the second determination unit 224 of the ECU 111 determines that the incorrect data signal It can be determined that it exists. In this case, the second determination unit 224 of the ECU 111 generates a stop signal. The stop signal is output from second determination section 224 to signal generation section 230A.

  The data processing unit 240 performs a predetermined process according to the transmission of data from the second determination unit 224 to the data processing unit 240. For example, data processing unit 240 may execute an arithmetic process for obtaining information required for controlling a control target (for example, an engine). The principle of the present embodiment is not limited to a specific process executed by the data processing unit 240.

  If the result of the arithmetic processing of data processing unit 240 is information required by another ECU, data processing unit 240 generates a request signal requesting generation of a data signal representing the operation result. The data processing unit 240 includes information indicating the operation result in the request signal. The request signal is output from data processing section 240 to signal generation section 230A.

  As in the second embodiment, the signal generation unit 230A includes a notification signal generation unit 231. The description of the second embodiment is applied to the notification signal generation unit 231.

  The signal generation unit 230A includes a first clock unit 232A, a state signal generation unit 233A, and a data signal generation unit 234. The above-mentioned stop signal is transmitted from the second determination unit 224 to the first clock unit 232A. The first timer 232A executes the processing of steps S120 to S140 described with reference to FIG. 4 in the absence of the stop signal. The state signal generation unit 233A executes step S150 in response to execution of steps S120 to S140. At this time, state signal generating section 233A attaches an identifier uniquely assigned to ECU 200A to the state signal. For example, the state signal generation unit 233A of the ECU 111 attaches the identifier “ID111” to the state signal. The state signal generation unit 233A of the ECU 112 attaches the identifier “ID112” to the state signal. The state signal generation unit 233A of the ECU 113 attaches the identifier “ID113” to the state signal. The state signal generation unit 233A of the ECU 114 attaches the identifier “ID114” to the state signal.

  The first timing unit 232A stops timing in response to the stop signal. As a result, the state signal generator 233A does not generate a state signal thereafter. Therefore, a legitimate ECU other than the ECU 200A can recognize the occurrence of an abnormality in the in-vehicle communication system.

  Data processing section 240 transmits the request signal to data signal generation section 234. The data signal generation unit 234 generates a data signal representing a calculation result represented by the request signal. Data signal generating section 234 attaches an identifier uniquely assigned to ECU 200A to the data signal. For example, the data signal generation unit 234 of the ECU 111 attaches the identifier “ID111” to the data signal. The data signal generation unit 234 of the ECU 112 attaches the identifier “ID112” to the data signal. The data signal generation unit 234 of the ECU 113 attaches the identifier “ID113” to the data signal. The data signal generation unit 234 of the ECU 114 attaches the identifier “ID114” to the data signal.

  The data signal is transmitted from data signal generation section 234 to transmission section 211A. Thereafter, transmitting section 211A outputs the data signal to bus 120.

  FIG. 9 is a schematic flowchart illustrating the process of the first determination unit 223. The processing of the first determination unit 223 will be described with reference to FIGS.

(Step S310)
The first determination unit 223 waits for a signal transmission from the reception unit 212A. After transmitting the signal from the receiving section 212A, step S320 is executed.

(Step S320)
The first determination unit 223 determines whether the signal from the reception unit 212A is a status signal. If the signal from receiving section 212A is a status signal, step S330 is executed.

(Step S330)
The first determination unit 223 transmits a state signal to the third determination unit 225.

(Step S340)
The first determination unit 223 transmits a data signal to the third determination unit 225.

  FIG. 10 is a schematic flowchart illustrating the processing of the second determination unit 224. The processing of the second determination unit 224 will be described with reference to FIGS.

(Step S410)
The second determination unit 224 waits for transmission of the data signal from the first determination unit 223. If the data signal is transmitted from first determination unit 223, step S420 is executed.

(Step S420)
The second determination unit 224 determines whether data included in the data signal is required by the data processing unit 240 with reference to the identifier attached to the data signal. If the data included in the data signal is required by the data processing unit 240, step S430 is performed. In other cases, the second determination unit 224 ends the processing.

(Step S430)
Data included in the data signal is transmitted from second determination section 224 to data processing section 240.

  FIG. 11 is a schematic flowchart illustrating the processing of the third determination unit 225 of the ECU 111. With reference to FIGS. 7, 8, and 10, the processing of third determination unit 225 of ECU 111 will be described.

(Step S505)
The third determination unit 225 of the ECU 111 waits for completion of the startup processing of the in-vehicle communication system. When the startup processing is completed, step S510 is executed.

(Step S510)
The third determination unit 225 of the ECU 111 starts timing. As a result, the clock values “T112”, “T113”, and “T114” increase from zero. The clock value “T112” corresponds to the ECU 112. The clock value “T113” corresponds to the ECU 113. The clock value “T114” corresponds to the ECU 114. After the start of the timing, step S515 is executed.

(Step S515)
The third determination unit 225 of the ECU 111 waits for transmission of the state signal from the first determination unit 223 of the ECU 111. When the state signal is transmitted from first determination unit 223 of ECU 111, step S520 is executed. Otherwise, step S560 is performed.

(Step S520)
The third determination unit 225 of the ECU 111 determines whether the status signal is output from the ECU 112 with reference to the identifier attached to the status signal. If the state signal has been output from ECU 112, step S525 is executed. Otherwise, step S530 is performed.

(Step S525)
The third determination unit 225 of the ECU 111 restarts timing of the ECU 112. As a result, the clock value “T112” increases from zero. After the restart of the timing, step S515 is executed.

(Step S530)
The third determination unit 225 of the ECU 111 determines whether the time value “T112” exceeds the threshold value “TH2”. If the clock value “T112” exceeds the threshold value “TH2”, step S565 is executed. Otherwise, step S535 is performed.

(Step S535)
The third determination unit 225 of the ECU 111 determines whether the state signal is output from the ECU 113 with reference to the identifier attached to the state signal. If the state signal has been output from ECU 113, step S540 is executed. Otherwise, step S545 is performed.

(Step S540)
The third determination unit 225 of the ECU 111 restarts timing of the ECU 113. As a result, the clock value “T113” increases from zero. After the restart of the timing, step S515 is executed.

(Step S545)
The third determination unit 225 of the ECU 111 determines whether the time value “T113” exceeds the threshold value “TH2”. If the clock value “T113” exceeds the threshold value “TH2”, step S565 is executed. Otherwise, step S550 is performed.

(Step S550)
The third determination unit 225 of the ECU 111 determines whether the time value “T114” exceeds the threshold value “TH2”. If the clock value “T114” exceeds the threshold value “TH2”, step S565 is executed. Otherwise, step S555 is executed.

(Step S555)
The third determination unit 225 of the ECU 111 restarts timing of the ECU 114. As a result, the clock value “T114” increases from zero. After the restart of the timing, step S515 is executed.

(Step S560)
The third determination unit 225 of the ECU 111 determines whether at least one of the clock values “T112”, “T113”, and “T114” exceeds the threshold “TH2”. If at least one of the measured values "T112", "T113", and "T114" exceeds the threshold "TH2", step S565 is executed. Otherwise, step S515 is performed.

(Step S565)
The third determination unit 225 of the ECU 111 generates a trigger signal. The trigger signal is then transmitted from the third determination unit 225 of the ECU 111 to the notification signal generation unit 231 of the ECU 111.

<Fifth embodiment>
If only the status signal is subjected to the encoding process, the communication load of the in-vehicle communication system is not so large. Accordingly, techniques for selectively encoding state signals may be incorporated into the embodiments described above. Coding techniques have you to the fifth embodiment may be a variety of other techniques.

  FIG. 12 is a schematic block diagram illustrating an exemplary functional configuration of an ECU 200B of the fifth embodiment. The functional configuration of ECU 200B may be applied to each of ECUs 111, 112, 113, and 114 described with reference to FIG. Referring to FIGS. 7, 9 and 12, ECU 200B will be described. The description of the above embodiment is applied to the elements denoted by the same reference numerals as those of the above embodiment.

  As in the fourth embodiment, the ECU 200B includes a communication unit 210A and a data processing unit 240. The description of the fourth embodiment is applied to these elements.

  ECU 200B further includes a determination unit 220B and a signal generation unit 230B. The determination unit 220B and the data processing unit 240 may be CPUs included in a general ECU. The signal generation unit 230B may be a CAN controller included in a general ECU.

  As in the fourth embodiment, the determining unit 220B includes a second determining unit 224 and a third determining unit 225. The description of the fourth embodiment is applied to these elements.

  The determining unit 220B includes a first determining unit 223B and a decoding unit 226. The receiving unit 212A receives the status signal via the bus 120. In this embodiment, the status signal is encoded, while the data signal is not. Therefore, the first determination unit 223B can refer to the identifier of the data signal, but cannot refer to the identifier of the state signal. If the first determination unit 223B cannot refer to the signal identifier from the receiving unit 212A in step S320 described with reference to FIG. 9, the first determining unit 223B determines the signal from the receiving unit 212A as a state signal. Is also good. In this case, the signal from receiving section 212A is output to decoding section 226 through first determining section 223B.

  As in the fourth embodiment, the signal generator 230B further includes a first timer 232A, a state signal generator 233A, and a data signal generator 234. The description of the fourth embodiment is applied to these elements.

The signal generation unit 230B further includes a notification signal generation unit 231B and an encoding unit 235. The encoding unit 235 encodes the state signal generated by the state signal generation unit 233A using a predetermined encoding technique . The encoded state signal is transmitted from encoding section 235 to transmitting section 211A. After that, the transmitting unit 211A outputs the encoded state signal to the bus 120.

The decoding unit 226 decodes the signal transmitted from the first determination unit 223B using a predetermined decoding technique . If the signal is appropriately decoded, the decoded signal is output to third determining section 225. If decoding of the signal fails, the signal transmitted from the first determination unit 223B has a risk of originating from an incorrect ECU. In this case, the decoding unit 226 generates a trigger signal. The trigger signal is then transmitted from the decoding unit 226 to the notification signal generation unit 231B.

  As in the second embodiment, the notification signal generator 231B generates a notification signal according to the trigger signal received from the second clock 222. In addition, the notification signal generation unit 231B generates a notification signal according to the trigger signal received from the decoding unit 226.

<Sixth embodiment>
The technology described in the above embodiment may be applied to a part of a plurality of ECUs mounted on the in-vehicle communication system. If the technology described in connection with the above-described embodiment is applied only to an ECU in which unauthorized access may cause a serious situation, an increase in the communication load on the in-vehicle communication system is suppressed. In the sixth embodiment, an in-vehicle communication system including an ECU having a function of detecting unauthorized access and an ECU having no function of detecting unauthorized access will be described.

  FIG. 13 is a conceptual block diagram of a vehicle-mounted communication system (hereinafter, referred to as a communication system 100C) of the sixth embodiment. The description of the above embodiment is applied to the elements denoted by the same reference numerals as those of the above embodiment. The communication system 100C will be described with reference to FIGS.

  Communication system 100C includes gateway ECU 300, buses 121, 122, 123, 124, and 125, and ECUs 311-314, 321-324, 331-334, 341-344, 351-354. Buses 121, 122, 123, 124, and 125 are connected to gateway ECU 300.

  The ECUs 311 to 314 are connected to the bus 121. The ECUs 311 to 314 cooperate to control the engine of the vehicle equipped with the communication system 100C. The ECUs 321 to 324 are connected to the bus 122. The ECUs 321 to 324 cooperate to control the brake of the vehicle on which the communication system 100C is mounted. The ECUs 331 to 334 are connected to the bus 123. The ECUs 331 to 334 cooperate to control the navigation system of the vehicle on which the communication system 100C is mounted. The ECUs 341 to 344 are connected to the bus 124. The ECUs 341 to 344 cooperate with each other to control the air conditioner of the vehicle equipped with the communication system 100C. The ECUs 351 to 354 are connected to the bus 125. The ECUs 351 to 354 cooperate to control an advanced driving assistance system (ADAS: ADVANCED Driver Assistance Systems) of the vehicle on which the communication system 100C is mounted.

  Each of gateway ECU 300 and ECUs 311 to 314 and 321 to 324 has the same functional configuration as ECU 200B described with reference to FIG. Therefore, the description of the ECU 200B is applied to the gateway ECU 300 and the ECUs 311 to 314 and 321 to 324. On the other hand, each of the ECUs 331 to 334, 341 to 344, and 351 to 354 may be a general ECU.

  When an unauthorized access that affects the control of the engine occurs, at least one of the gateway ECU 300 and the ECUs 311 to 314 generates a notification signal. At least another of the gateway ECU 300 and the ECUs 311 to 314 can generate a notification signal and give a warning to a driver driving the vehicle.

  When an unauthorized access that affects the brake control occurs, at least one of the gateway ECU 300 and the ECUs 321 to 324 generates a notification signal. At least another of the gateway ECU 300 and the ECUs 321 to 324 can generate a notification signal and give a warning to a driver driving the vehicle.

<Seventh embodiment>
The in-vehicle communication system may include a domain master ECU that comprehensively manages and controls communication between a plurality of ECUs. In the seventh embodiment, an in-vehicle communication system including a domain master ECU will be described.

  FIG. 14 is a conceptual block diagram of a vehicle-mounted communication system (hereinafter, referred to as a communication system 100D) of the seventh embodiment. The description of the above embodiment is applied to the elements denoted by the same reference numerals as those of the above embodiment. Referring to FIG. 14, communication system 100D will be described.

  As in the sixth embodiment, the communication system 100D includes a gateway ECU 300, buses 121, 122, 123, and ECUs 312-314, 322-324, 332-334. The description of the sixth embodiment is applied to these elements.

  Communication system 100D further includes domain master ECUs 315, 325, and 335. Domain master ECU 315 is connected to bus 121. Domain master ECU 325 is connected to bus 122. The domain master ECU 335 is connected to the bus 123.

  The domain master ECU 315 manages and controls the ECUs 312 to 314 collectively. For example, domain master ECU 315 may combine the information received from ECUs 312-314 and transmit the information to gateway ECU 300. The information compiled by the domain master ECU 315 is then transmitted to at least one of the buses 122 and 123 via the gateway ECU 300.

  The domain master ECU 325 manages and controls the ECUs 322 to 324 as a whole. For example, the domain master ECU 325 may combine the information received from the ECUs 322 to 324 and transmit the information to the gateway ECU 300. The information compiled by the domain master ECU 325 is then transmitted to at least one of the buses 121 and 123 via the gateway ECU 300.

  The domain master ECU 335 manages and controls the ECUs 332 to 334 collectively. For example, the domain master ECU 335 may combine the information received from the ECUs 332 to 334 and transmit the information to the gateway ECU 300. The information compiled by the domain master ECU 335 is then transmitted to at least one of the buses 121 and 122 via the gateway ECU 300.

<Eighth embodiment>
Communication between the domain master ECUs may depend on a high-speed communication technology such as Ethernet. In this case, no gateway ECU is needed. In the eighth embodiment, an in-vehicle communication system that performs high-speed communication between domain master ECUs will be described.

  FIG. 15 is a conceptual block diagram of a vehicle-mounted communication system (hereinafter, referred to as a communication system 100E) of the eighth embodiment. The description of the above embodiment is applied to the elements denoted by the same reference numerals as those of the above embodiment. Referring to FIG. 15, communication system 100E will be described.

  As in the seventh embodiment, the communication system 100E includes buses 121, 122, 123, ECUs 312-314, 322-324, 332-334, and domain master ECUs 315, 325, 335. The description of the seventh embodiment is applied to these elements.

  The communication system 100E further includes a high-speed communication line 301. The high-speed communication line 301 may be a general Ethernet line.

  The communication system 100E is connected to each of the domain master ECUs 315, 325, and 335. Communication system 100E enables mutual information transmission between domain master ECUs 315, 325, and 335.

  As described in relation to the seventh embodiment, the domain master ECU 315 manages and controls the ECUs 312 to 314 collectively. The ECU 315 summarizes the information received from the ECUs 312 to 314 and outputs the information to the high-speed communication line 301. Thereafter, the information compiled by the domain master ECU 315 is transmitted to at least one of the domain master ECUs 325 and 335 through the high-speed communication circuit 301.

  As described in relation to the seventh embodiment, the domain master ECU 325 manages and controls the ECUs 322 to 324 as a whole. The domain master ECU 325 collects information received from the ECUs 322 to 324 and outputs the information to the high-speed communication line 301. The information compiled by the domain master ECU 325 is then transmitted to at least one of the domain master ECUs 315 and 335 through the high-speed communication circuit 301.

  As described in relation to the seventh embodiment, the domain master ECU 335 manages and controls the ECUs 332 to 334 collectively. The domain master ECU 335 collects the information received from the ECUs 332 to 334 and outputs the information to the high-speed communication line 301. The information compiled by the domain master ECU 335 is then transmitted to at least one of the domain master ECUs 315 and 325 through the high-speed communication circuit 301.

  The principles of the various embodiments described above may be combined to suit the needs of the vehicle. Some of the various features described in relation to one of the various embodiments described above may be applied to the controller described in connection with another alternative embodiment.

  The principle of the above-described embodiment is suitably used for control of various vehicles.

100, 100C Communication system 101 Communication systems 111 to 115・ ・ ・ ・ ECU
120-125 Bus 200, 200A, 200B ECU
210, 210A ········ Communication unit 220, 220A, 220B ······························ ········ Decoding units 230, 230A, 230B ············ Signal generation unit 235 ··· Unit 300 Gateway ECU
311 to 314 ... ECU
321-324 ... ECU
331-334 ... ECU
341-344 ... ECU
351-354 ... ECU
CDS ........................... State signal

Claims (5)

When exogenous to inhibit operation of the node is present, a vehicle communication system that is constructed so as to notify the presence of the exogenous among a plurality of nodes,
A first node and a second node each having a communication unit that repeatedly outputs a state signal in the absence of the external cause,
In the absence of the external cause, the communication unit of the first node may have a value less than a reception interval threshold defined for a reception interval at which the second node receives the state signal from the first node. By determining the transmission timing of the status signal based on the transmission interval threshold set in, and varying the transmission interval threshold within a range not exceeding the reception interval threshold, repeatedly output the status signal at an indefinite time interval Is configured to
If the communication unit of the second node does not receive the status signal within the reception interval defined by the reception interval threshold, the second node generates a notification signal that notifies the existence of the external cause. In-vehicle communication system. A bus electrically connected to a plurality of nodes including the first node and the second node;
The plurality of nodes respectively output signals with different identifiers to the bus,
A signal generation unit that adds a first identifier to the state signal and a data signal used for controlling a predetermined control target to generate a communication signal, wherein the communication unit is a device other than the first node; A determination unit that determines whether an identifier attached to a received signal received from the node is the first identifier,
When the determination unit determines that the identifier attached to the received signal is the first identifier, the communication unit stops outputting the status signal, and the stop period of the output of the status signal is The in-vehicle communication system according to claim 1, wherein the second node generates the notification signal when the reception interval exceeds a reception interval defined by a reception interval threshold. The in-vehicle communication system according to claim 2, wherein the signal generation unit encodes the state signal and does not encode the data signal. The in-vehicle communication system according to any one of claims 1 to 3, wherein each of the first node and the second node is an electronic control unit designed to control an engine. The in-vehicle communication system according to any one of claims 1 to 3, wherein each of the first node and the second node is an electronic control unit designed to control a brake.

Images