JP7383995B2 - Communication systems and communication devices - Google Patents

Description

The present disclosure relates to a communication system that is mounted on a vehicle and in which a plurality of communication devices are connected to each other via communication lines.

For example, Patent Document 1 below discloses that an electronic control device (hereinafter referred to as a communication device) installed in a vehicle and equipped with a communication function includes a control microcomputer that controls the vehicle, and a control microcomputer that monitors the operation of the control microcomputer. A technology has been proposed in which the system is equipped with a separate monitoring microcomputer.

Patent No. 4005421

On the other hand, there was no concept of monitoring the operation of the electronic control device through communication with a device outside the electronic control device. The present disclosure provides a technique for monitoring the operation of an electronic control device through communication with a device outside the electronic control device.

One aspect of the present disclosure is a communication system (1) mounted on a vehicle. The communication system includes a plurality of communication devices (10, 20). The plurality of communication devices are communicably connected to each other via communication lines. The plurality of communication devices includes a first communication device (10) and a second communication device (20). The first communication device acquires at least one type of status information indicating the status of the first communication device, generates determination information including the acquired status information, and outputs the determination information to the second communication device. The information generation section (52) is configured as follows. The second communication device obtains the determination information, compares the state information included in the determination information with predetermined normality information when the first communication device is normal, and compares the state information included in the determination information to The communication device includes a monitoring unit (63) configured to determine an abnormality in the communication device.

According to one aspect of the present disclosure, the first communication device determines an abnormality in the first communication device by communicating with a second communication device that is an external device of the first communication device. The second communication device that determines whether or not the first communication device is abnormal is a communication device that is provided in advance in the communication system. Therefore, it is possible to monitor whether or not the first communication device is abnormal with a simple configuration without increasing the number of components in the communication system.

FIG. 1 is a block diagram showing the configuration of a vehicle control system. The block diagram which shows the function of each ECU in a vehicle control system. Flowchart illustrating information generation processing. 5 is a flowchart illustrating IT acquisition processing. An explanatory diagram illustrating an example of correspondence information. Flowchart illustrating monitoring processing. 5 is a flowchart illustrating communication success/failure determination processing. Flowchart illustrating individual determination processing. 5 is a flowchart illustrating abnormality determination processing. A timing chart explaining the operation. FIG. 3 is a block diagram showing the configuration of each ECU in the on-vehicle control system of Modification 1. FIG. FIG. 7 is a block diagram showing the configuration of each ECU in the on-vehicle control system of Modification 2. FIG. FIG. 7 is a block diagram showing the configuration of each ECU in the on-vehicle control system of Modification 3.

Hereinafter, exemplary embodiments of the present disclosure will be described with reference to the drawings. Note that "matching" in this specification is not limited to matching in a strict sense, and may not be exact matching as long as the same effect is achieved.

[Embodiment]
[1. composition]
<Overall configuration>
First, the configuration of the in-vehicle control system 1 according to the present embodiment will be explained with reference to FIG. 1. The on-vehicle control system 1 according to this embodiment is a system mounted on a vehicle. The in-vehicle control system 1 includes a plurality of electronic control units (hereinafter referred to as ECUs). ECU is an abbreviation for Electronic Control Unit. The plurality of ECUs are communicably connected to each other by a communication line 90. Note that in FIG. 1, three ECUs are illustrated. However, the number of ECUs included in the in-vehicle control system 1 is not limited to this, and may be two or more.

In this embodiment, the communication line 90 is a communication line common to a plurality of ECUs, and these plurality of ECUs are communication devices that perform communication according to a communication protocol such as CAN. CAN is an abbreviation for Controller Area Network and is a registered trademark. Note that the present disclosure is not limited thereto. The communication protocol may be a communication protocol other than CAN. Further, the communication line 90 does not need to be a communication line common to a plurality of ECUs, and the communication protocol in this case may be, for example, Ethernet or other communication protocol. Ethernet is a registered trademark.

A vehicle information unit and a controlled object are connected to each of the plurality of ECUs included in the in-vehicle control system 1 via communication lines. The vehicle information section includes various sensors that detect the state of the vehicle. The controlled object is an object controlled by the ECU based on the detection result by the vehicle information unit.

In this embodiment, the in-vehicle control system 1 includes an engine ECU 10, a door ECU 20, and a brake ECU 30 as a plurality of ECUs.
The engine ECU 10 controls the controlled object 12 based on the detection result by the vehicle information section 11. The vehicle information unit 11 may include, for example, a crank angle sensor that detects a crank angle, a temperature sensor, and the like. The controlled object 12 may include, for example, an actuator that operates a fuel injection valve.

The door ECU 20 controls the controlled object 22 based on the detection result by the vehicle information section 21. The vehicle information unit 21 may include, for example, a touch sensor that detects a person's contact with a door. The controlled object 12 may include, for example, an actuator that opens and closes a door (hereinafter referred to as a door actuator).

The brake ECU 30 controls the controlled object 32 based on the detection result by the vehicle information section 31. The vehicle information unit 31 may include, for example, a brake pedal sensor that detects the opening degree of the brake pedal. The controlled object 32 may include, for example, an actuator that drives a brake (hereinafter referred to as a brake actuator).

Note that the first communication device referred to below is a communication device including an information generation section (for example, information generation section 52) described below. On the other hand, the second communication device is a communication device including a monitoring section (for example, the monitoring section 63) described later. In this embodiment, the engine ECU 10 corresponds to a first communication device, and the door ECU 20 corresponds to a second communication device.

<Engine ECU10>
The engine ECU 10 as a first communication device includes a microcomputer (hereinafter referred to as a microcomputer) 101 including a CPU 102, a ROM, a RAM, and a semiconductor memory (hereinafter referred to as a memory) 103 such as a flash memory. The engine ECU 10 realizes each function as shown in FIG. 2 by the CPU 102 executing a program stored in a non-transitional tangible recording medium. In this embodiment, the memory 103 corresponds to a non-transitional tangible recording medium that stores a program. Furthermore, by executing this program, a method corresponding to the program is executed.

As shown in FIG. 2, the engine ECU 10 includes the functions of a control section 51 and an information generation section 52. The control unit 51 performs various controls on the engine as the control target 12 based on the detection results of the vehicle information unit 11.

The information generation unit 52 acquires at least one type of status information, generates determination information, and outputs the determination information to the second communication device by executing an information generation process to be described later. The determination information is information that includes at least one type of acquired status information. The status information is information indicating the status of the first communication device (ie, engine ECU 10), and is used by the second communication device to determine whether the first communication device is abnormal.

The status information may be information that quantitatively represents the status of the first communication device. Representing quantitatively means representing as a numerical value. Specifically, the state information may include the TS, WDG output, IT, ID, the number of interrupt occurrences M, the number of task omissions N, etc., as will be described later. However, the status information is not limited to these. The status information may be various types of information representing the status of the first communication device. Furthermore, the status information may be information that represents the status of the first communication device, and does not need to be information that quantitatively represents the status of the first communication device.

<Door ECU20>
The door ECU 20 as a second communication device includes a microcomputer (hereinafter referred to as a microcomputer) 201 including a CPU 202, a ROM, a RAM, and a semiconductor memory (hereinafter referred to as a memory) 203 such as a flash memory. The door ECU 20 realizes each function as shown in FIG. 2 by the CPU 202 executing a program stored in a non-transitional tangible recording medium. In this embodiment, the memory 203 corresponds to a non-transitional tangible recording medium that stores a program. Furthermore, by executing this program, a method corresponding to the program is executed.

The door ECU 20 includes the functions of a control section 61 and a monitoring section 63, as shown in FIG. The control unit 61 performs various controls on the door actuator as the control target 22 based on the detection result of the vehicle information unit 21 .

The monitoring unit 63 acquires determination information from the first communication device (i.e., engine ECU 10) by executing a monitoring process to be described later, and based on the above-mentioned status information included in the determination information, the monitoring unit 63 performs the first communication. Determine equipment abnormality.

<Brake ECU30>
The brake ECU 30 includes a microcomputer (hereinafter referred to as a microcomputer) 301 including a CPU 302, a ROM, a RAM, and a semiconductor memory (hereinafter referred to as a memory) 303 such as a flash memory. The brake ECU 30 realizes each function as shown in FIG. 2 by the CPU 302 executing a program stored in a non-transitional tangible recording medium. In this embodiment, the memory 303 corresponds to a non-transitional tangible recording medium that stores a program. Furthermore, by executing this program, a method corresponding to the program is executed.

The brake ECU 30 has the function of a control section 71, as shown in FIG. The control unit 71 performs various controls on the brake actuator as the controlled object 32 based on the detection result of the vehicle information unit 31.

[2. process]
<Information generation processing>
Next, the information generation process executed by the first communication device (that is, the information generation unit 52 of the engine ECU 10) will be described using the flowchart of FIG. 3. The information generation process is repeatedly executed at a predetermined cycle by the microcomputer 101 (that is, the CPU 102) included in the first communication device. The CPU 102 acquires multiple types of status information in S110-S160, and generates determination information including the acquired status information in S170. Note that the acquired status information and determination information are stored in the memory 103.

First, in S110, the CPU 102 acquires a time stamp (hereinafter referred to as TS) as status information. The TS is information representing time, and the TS acquired in this step represents the time when the determination information was generated. For example, the first communication device may be configured to obtain the absolute time through a process different from the main information generation process, and the TS may be expressed as an absolute time. However, the present disclosure is not limited thereto. The TS may be any information that is commonly used within the vehicle control system 1 and represents time.

In S120, the CPU 102 executes IT acquisition processing. The IT acquisition process is a process for determining the interval time (ie, IT). IT is an abbreviation for Interval Time. IT is a period (i.e., a transmission period of determination information) in which determination information is transmitted from the first communication device to the second communication device (i.e., door ECU 20). In this embodiment, IT is a numerical value determined such that the larger the load (i.e., processing load) of the first communication device (i.e., CPU 102 of engine ECU 10) is, the larger the value is. Note that the IT acquisition process will be described later.

The CPU 102 obtains the ID in S130. The ID here is information for identifying the source of the determination information. The ID is represented by a predetermined number of bits. For example, in this embodiment where the first communication device is the engine ECU 10, the ID may be information representing the engine ECU 10 that is the source of the determination information. For example, the ID may be information indicating that the first communication device to be monitored is the engine ECU 10, and the second communication device to be monitored is the door ECU 20. However, the ID is not limited to these modes, and can be set in various modes.

In S140, the CPU 102 generates a watchdog (hereinafter referred to as WDG) output. The microcomputer 101 has a WDG function, and the WDG circuit (not shown) monitors whether the control unit 51 of the first communication device (i.e., engine ECU 10) is operating normally based on the output of the WDG pulse. There is.

The output of the WDG pulse means whether the output is "H" or "L", and the output pattern of the WDG pulse is determined in advance. For example, in this embodiment, a pattern in which "H" and "L" alternate, such as "H", "L", "H", and "L", is predetermined as the output pattern of the WDG pulse. There is. Note that the output pattern of the WDG pulse is not limited to this, and can be set arbitrarily. The WDG output refers to the output of such a WDG pulse.

The WDG pulse is output at every predetermined period (for example, 1 msec). For example, if the WDG output differs from a predetermined WDG pulse output pattern, the microcomputer 101 may be abnormal. In other words, the first communication device including the microcomputer 101 may be abnormal.

In S150, the CPU 102 obtains the number of interrupt occurrences M. The number of interrupt occurrences M refers to the number of times that interrupts occur within a predetermined period of time (for example, 1 msec). An interrupt refers to, for example, input of a predetermined signal from a specific sensor connected to the microcomputer 101. The microcomputer 101 is configured to execute predetermined processing when this interrupt occurs.

In this embodiment in which the engine ECU 10 is the first communication device, for example, the crank angle sensor corresponds to the specific sensor. A crank angle signal indicating a predetermined crank angle corresponds to a predetermined signal. Note that the number of interrupt occurrences that can be processed within a predetermined time in the microcomputer 101 (hereinafter referred to as the number of interrupts at maximum load M _max ) is predetermined. In other words, if the number of interrupt occurrences M exceeds the number of interrupts at maximum load _Mmax , there is a possibility that the microcomputer 101 is abnormal.

In S160, the CPU 102 obtains the number of missed tasks N. The number of missed tasks N refers to the number of times that missed tasks occur within a predetermined period of time (for example, 1 msec). Note that the number of times the microcomputer 101 can allow task omissions within a predetermined period of time (hereinafter referred to as the number of task omissions during maximum load N _max ) is predetermined. In other words, if the number N of task omissions exceeds the number N _max of task omissions under maximum load, there is a possibility that the microcomputer 101 is abnormal.

In S170, the CPU 102 generates determination information. The determination information includes at least one piece of status information acquired in S110-S160. In this embodiment, the determination information includes all the status information acquired in S110-S160.

In S180, the CPU 102 generates a communication frame including determination information. For example, a communication frame that is a CAN communication frame and includes determination information in a data field is generated. Then, the CPU 102 outputs the generated communication frame to the communication line 90. With this, the CPU 102 ends this information generation process.

<IT acquisition processing>
Next, the IT acquisition process that the CPU 102 executes in S120 of the information generation process will be described using the flowchart shown in FIG.

In S210, the CPU 102 acquires load information of the first communication device. Load information is information that quantitatively represents the magnitude of the load on the first communication device. In this embodiment in which the first communication device is the engine ECU 10 (that is, the CPU 102), the CPU 102 acquires the engine rotation speed as load information. The engine rotation speed is calculated based on the detected value of a crank angle sensor included in the vehicle information section 11. The CPU 102 may be configured to calculate the engine speed in a process separate from this information generation process, or may be configured to obtain the engine speed from another ECU via the communication line 90. good.

In S220, the CPU 102 acquires correspondence information. The correspondence information is information indicating the correspondence between the load information and the IT (that is, the transmission cycle of the determination information), and is stored in the memory 103 in advance. In the correspondence information, load information and IT are correlated such that the larger the load, the longer the IT. For example, in the correspondence information of this embodiment shown in FIG. 5, the engine speed and IT are correlated such that the higher the engine speed, the longer IT becomes. Note that in the correspondence information, each associated IT may be set to match the cycle obtained by multiplying the output cycle of the WDG signal.

In S230, the CPU 102 determines the IT based on the correspondence information, and ends the present IT acquisition process. As a result, IT is determined such that the longer the load on the first communication device is, the longer it becomes.

For example, the information generation process may be activated for each IT according to load information. Then, the communication frame including the determination information is transmitted to the second communication device for each IT through information generation processing.

<Monitoring process>
The monitoring process executed by the microcomputer 201 (that is, the CPU 202) included in the door ECU 20 as the second communication device will be described using the flowchart shown in FIG. The monitoring process is started when the second communication device acquires determination information addressed to the second communication device via the communication line 90.

In S310, the CPU 202 acquires determination information.
In S320-340, the CPU 202 compares the normal information and the status information included in the determination information for each type of status information included in the determination information. The status information here is information expressed quantitatively, and normal information is also information expressed quantitatively. The normal information is status information when the first communication device is normal, and a predetermined value is set for each type of status information. The normal information is stored in advance in the memory 203 of the second communication device (namely, the door ECU 20).

First, in S320, the CPU 202 executes communication success/failure determination processing, which will be described later. The state information to be compared is the TS, specifically the time interval between the TS included in the latest determination information and the TS included in the most recent past determination information.

In S330, the CPU 202 executes individual determination processing, which will be described later. The state information to be compared is the WDG output, the number of interrupt occurrences M, and the number of task omissions N.
In S340, the CPU 202 executes abnormality determination processing, which will be described later. In S340, the CPU 202 determines whether the first communication device is abnormal based on the results of the comparison between the four types of status information and normal information in S320-S330. In S340, a communication frame including the determination result regarding the abnormality of the first communication device is generated.

In S350, the CPU 202 transmits the communication frame generated in S340 via the communication line 90. The communication frame may include a recovery instruction, which will be described later. Further, the communication frame may include a determination result regarding an abnormality in the first communication device. Then, the CPU 202 ends the main monitoring process. Note that the monitoring information hereinafter refers to a communication frame that includes a recovery instruction and a determination result.

<Communication success/failure determination process>
Next, the communication success/failure determination process executed by the CPU 202 in S320 of the monitoring process will be described using the flowchart shown in FIG.

In S410, the CPU 202 obtains the TS and IT included in the determination information.
In S420, the CPU 202 calculates the determination information output interval P. The determination information output interval P refers to the time interval at which determination information is output from the first communication device. Specifically, the determination information output interval P is calculated as the difference between the TS included in the currently received determination information and the past TS (hereinafter referred to as PTS) included in the previously received determination information. The PTS is stored in the memory 203 as described below.

By calculating the determination information output interval P based on the TS acquired by the first communication device in this way, the determination information transmission period ( That is, IT) is estimated.

In S430, the CPU 202 determines whether the determination information output interval P falls within a predetermined IT range. For example, the CPU 202 determines whether the determination information output interval P satisfies IT-α≦P≦IT+α. α can be set to any value that is considered to be consistent with IT and P. As described above, IT is the transmission cycle of determination information that is preset in the first communication device.

In other words, when the determination information output interval P is within the predetermined range of IT, the CPU 202 determines that the determination information is being transmitted from the first communication device at the set transmission cycle, and that the first communication device It is determined that the transmission cycle of the determination information is normal. The CPU 202 moves the process to S450 when the determination information output interval P is within the predetermined range of IT, and moves the process to S440 when the determination information output interval P does not match within the predetermined range of IT.

In S440, the CPU 202 counts up the first evaluation value JIC by one, and causes the process to proceed to S440. The first evaluation value JIC is a numerical value for evaluating abnormality of the first communication device. A predetermined additional value is added to the first evaluation value JIC each time the status information included in the determination information is determined to be abnormal (that is, abnormal), and a new first evaluation value JIC is generated. It is calculated as In other words, the additional value is added to the already calculated first evaluation value JIC in order to generate a new first evaluation value JIC every time the status information included in the determination information is determined to be abnormal. This is the value to be added, and is, for example, 1 in this embodiment. However, the additional value can be set arbitrarily.

In S450, the CPU 202 stores the TS acquired in S410 in the memory 203 as a PTS. The CPU 202 completes this communication success/failure determination process.
In this manner, in the communication success/failure determination process, the determination information output interval P calculated based on the TS included in the determination information is used as state information, and the determination information output interval P is compared with IT which is normal information. Calculate the evaluation value JIC of 1. In other words, in the communication success/failure determination process, the TS is used as status information, the value obtained by adding IT to PTS is used as normal information, and by comparing these, if they match, the TS that is status information is determined to be normal. It can be said that it is determined that

<Individual judgment processing>
Next, the individual determination process that the CPU 202 executes in S330 of the monitoring process will be described using the flowchart shown in FIG.

In S510, the CPU 202 acquires the WDG output, which is the status information included in the determination information.
In S520, the CPU 202 determines whether the WDG output is normal. The output pattern of the WDG pulse in the first communication device is stored in advance in the memory 203 of the second communication device as normal information. Furthermore, the past WDG output when the determination information is received is continuously stored in the memory 203 every time the determination information is received.

Based on the past WDG output, the CPU 202 determines whether the newly received WDG output (i.e., "H" or "L") is the output (i.e., "H" or "L") estimated from the pattern as normal information. ), it is determined that the WDG output is normal. CPU 202 stores the determination result in memory 203. Note that in this step, the new determination result is stored in the memory 203 together with the past determination result.

The CPU 202 causes the process to proceed to S530 when it is determined that the WDG output is not normal, and causes the process to proceed to S540 when it is determined that the WDG output is normal.
In S530, the CPU 202 counts up the first evaluation value JIC by one, and moves the process to S570.

In S540-560, the CPU 202 detects the number of consecutive normal operations for each piece of status information. The number of successive normal operations is the number of times that the same type of status information is consecutively determined to be normal. Then, when the number of consecutive normal operations is equal to or greater than a predetermined number of times threshold, the CPU 202 calculates a new first evaluation value JIC by subtracting a predetermined subtraction value from the first evaluation value JIC.

This means that even if the first evaluation value JIC has been added in the past, if it is continuously determined to be normal after that, the addition of the past first evaluation value JIC will be affected by noise etc. This is because it is considered that the error is temporary and not an abnormality of the first communication device. In this embodiment, the number of times threshold is 3 and the subtraction value is 1. However, the number of times threshold and the subtraction value can be set arbitrarily. Note that the number of consecutive normal operations is reset when it is determined that the status information is abnormal.

First, in S540, the CPU 202 determines the number of consecutive times that the WDG output, which is status information, is determined to be normal (i.e., the number of times the WDG output is determined to be normal) based on the new determination result and the past determination result stored in the memory 203. It is determined whether the number of consecutive times) is equal to or greater than the number of times threshold. The CPU 202 counts the number of consecutive normal WDG outputs. The CPU 202 causes the process to proceed to S550 when the number of consecutive normal operations is equal to or greater than the number threshold, and causes the process to proceed to S570 when the number of successful consecutive sessions is less than the frequency threshold.

In S550, the CPU 202 determines whether the first evaluation value JIC is 1 or more. This step is a process for preventing the first evaluation value JIC from becoming a negative value. The CPU 202 causes the process to proceed to S560 when the first evaluation value JIC is 1 or more, and causes the process to proceed to S570 when the first evaluation value JIC is less than 1 (ie, 0).

In S560, the CPU 202 counts down the first evaluation value JIC by one, and moves the process to S570.
In S570-S620, the CPU 202 performs the same determination as described above regarding the number of interrupt occurrences M, which is the state information, and in S630-S680, it performs the same determination as described above regarding the number of times N, which is the state information, of missing tasks.

That is, in S570, the CPU 202 obtains the number of interrupt occurrences M, which is state information included in the determination information.
In S580, the CPU 202 determines whether the number of interrupt occurrences M is normal. The CPU 202 compares the number of interrupt occurrences M, which is status information, with the number of interrupts, _Mmax , at maximum load, which is normal information (that is, the upper limit value of normal information), and determines whether the number of interrupt occurrences, M, is the number of interrupts at maximum load, M. If it is less than or equal to _max , it is determined that the number of interrupt occurrences M is normal. CPU 202 stores the determination result in memory 203. The CPU 202 causes the process to proceed to S590 when the number M of interrupt occurrences is not normal, and causes the process to proceed to S600 when the number M of interrupt occurrences is normal.

In S590, the CPU 202 counts up the first evaluation value JIC by one, and moves the process to S630.
In S<b>600 , the CPU 202 determines whether or not the number of consecutive normal operations is equal to or greater than the threshold value based on the determination result stored in the memory 203 . The normal consecutive number of times here is the number of times that the number of interrupt occurrences M, which is the state information, is consecutively determined to be normal. The CPU 202 counts the number of consecutive normal interrupt occurrences M. The CPU 202 causes the process to proceed to S610 when the number of consecutive interrupt occurrences M is equal to or greater than the number threshold, and causes the process to proceed to S630 when the number of normal consecutive interrupts is less than the number threshold.

In S610, the CPU 202 determines whether the first evaluation value JIC is 1 or more. The CPU 202 causes the process to proceed to S620 when the first evaluation value JIC is 1 or more, and causes the process to proceed to S630 when the first evaluation value JIC is less than 1.

In S620, the CPU 202 counts down the first evaluation value JIC by one, and moves the process to S630.
In S630, the CPU 202 obtains the number of missed tasks N, which is status information included in the determination information.

In S640, the CPU 202 determines whether the number of missed tasks N is normal. The CPU 202 compares the number of missed tasks N, which is status information, with the number of missed tasks N _max during maximum load, which is normal information (that is, the upper limit value of the normal information). The CPU 202 determines that the number of task omissions N is normal when the number of task omissions N is less than or equal to the number of task omissions at maximum load _Nmax . CPU 202 stores the determination result in memory 203. The CPU 202 causes the process to proceed to S650 when the number N of task omissions is not normal, and causes the process to proceed to S660 when the number N of task omissions is normal.

In S650, the CPU 202 increments the first evaluation value JIC by one, and then ends this process.
In S<b>660 , the CPU 202 determines whether the normal consecutive number of missed tasks N, which is the state information, is equal to or greater than the number threshold, based on the determination result stored in the memory 203 . The normal consecutive number of times here means the number of times that the number of missed tasks N, which is status information, is consecutively determined to be normal. The CPU 202 counts the number of times N of task omissions continues normally. The CPU 202 moves the process to S670 when the number of normal consecutive task omissions N is equal to or greater than the number threshold, and ends the process when the number of normal consecutive times is less than the number threshold.

In S670, the CPU 202 determines whether the first evaluation value JIC is 1 or more. The CPU 202 moves the process to S680 when the first evaluation value JIC is 1 or more, and ends this process when the first evaluation value JIC is less than 1.

In S680, the CPU 202 counts down the first evaluation value JIC by one. The CPU 202 then ends this process.
<Abnormality determination processing>
Next, the abnormality determination process executed by the CPU 202 in S340 of the monitoring process will be described using the flowchart shown in FIG. The CPU 202 determines whether the first communication device is abnormal based on the magnitude of the first evaluation value JIC generated in S320-S330 of the monitoring process (that is, the communication success/failure process and the individual determination process described above). .

In this abnormality determination process, when the first evaluation value JIC is equal to or greater than a predetermined evaluation threshold, the CPU 202 adds a predetermined value to the second evaluation value ACC to generate a new second evaluation value. An evaluation value ACC is generated. Then, the CPU 202 determines whether the first communication device is abnormal based on the magnitude of the second evaluation value ACC.

The evaluation threshold is a state in which it is assumed that some abnormality has occurred in the first communication device based on the first evaluation value JIC, and a state in which an abnormality has temporarily occurred in the state information due to the influence of noise etc. This is a threshold value for distinguishing between a state that is estimated to be The second evaluation value ACC is a numerical value representing how long the first evaluation value JIC remains equal to or higher than the evaluation threshold, and is an abnormality that is estimated to have occurred in the first communication device. This is a numerical value representing the magnitude of the abnormality (that is, the degree of abnormality). The larger the second evaluation value ACC is, that is, the longer the state in which the first evaluation value JIC is equal to or greater than the evaluation threshold, the greater the degree of abnormality in the first communication device is determined to be.

First, in S710, the CPU 202 obtains the generated first evaluation value JIC.
In S720, the CPU 202 determines whether the first evaluation value JIC is greater than or equal to a predetermined evaluation threshold. The evaluation threshold is, for example, 3 in this embodiment, and is stored in the memory 203 in advance. However, the evaluation threshold can be set arbitrarily.

The CPU 202 causes the process to proceed to S730 when it is determined that the first evaluation value JIC is equal to or greater than the evaluation threshold, and causes the process to proceed to S730 when it is determined that the first evaluation value JIC is less than the evaluation threshold. The process moves to S740.

In S730, the CPU 202 counts up the second evaluation value ACC by one, and moves the process to S740.
In S740, the CPU 202 determines whether the second evaluation value ACC is greater than or equal to the first abnormality threshold. Here, if the second evaluation value ACC is less than the first abnormality threshold, the CPU 202 determines that the first communication device is normal and causes the process to proceed to S750. On the other hand, if the second evaluation value ACC is greater than or equal to the first abnormality threshold, the CPU 202 determines that some abnormality has occurred in the first communication device, and causes the process to proceed to S770.

The first abnormality threshold is a state in which the first communication device is estimated to be normal and a state in which it is estimated that some abnormality has occurred in the first communication device based on the second evaluation value ACC. This is a threshold value for distinguishing between the state and the state. For example, in this embodiment, the first abnormality threshold is 1, which is stored in the memory 203 in advance. However, the first abnormality threshold may be set arbitrarily.

The CPU 202 sets a recovery instruction in step S750 when the first communication device is determined to be normal. The recovery instruction is an instruction for recovering from an abnormality in the first communication device, and is an instruction sent from the second communication device to the first communication device. In this step, since the first communication device is determined to be normal, the CPU 202 sets "no instruction" as the recovery instruction. Setting "no instruction" corresponds to not issuing a recovery instruction.

In S760, the CPU 202 generates a communication frame with the first communication device as the destination. The communication frame includes the recovery instruction set in S750 and the determination result that the first communication device is normal. Then, the CPU 202 ends this abnormality determination process.

In steps S770 to S830, which proceed when the second evaluation value ACC is equal to or greater than the first abnormality threshold, the CPU 202 determines the degree of abnormality of the first communication device according to the magnitude of the second evaluation value ACC. Then, a recovery instruction for recovering from the abnormality in the first communication device is determined.

First, in S770, the CPU 202 determines whether the second evaluation value ACC is greater than or equal to the first abnormality threshold and less than the second abnormality threshold. Here, if the second evaluation value ACC is equal to or less than the first abnormality threshold and the second abnormality threshold, the CPU 202 determines that the first communication device is slightly abnormal, and returns the process to S780. Move to. On the other hand, if the second evaluation value ACC is equal to or greater than the second abnormality threshold, the CPU 202 determines that a severe abnormality has occurred in the first communication device, and causes the process to proceed to S800. .

The second abnormality threshold is a threshold value for distinguishing between a state in which a minor abnormality has occurred and a state in which a severe abnormality has occurred in the first communication device based on the second evaluation value ACC. It is a threshold value. That is, the second abnormality threshold is a numerical value for estimating the degree of abnormality of the first communication device. For example, in this embodiment, the second abnormality threshold is 3, which is stored in the memory 203 in advance. However, the second abnormality threshold may be set arbitrarily.

In S770, the CPU 202 determines that the first communication device has a slight abnormality and sets a recovery instruction. In this step, a refresh instruction is set as a recovery instruction. The refresh instruction is an instruction to refresh the microcomputer 101 of the first communication device (ie, engine ECU 10).

In S790, the CPU 202 generates a communication frame with the first communication device as the destination. The communication frame includes the recovery instruction set in S780. Further, the communication frame includes a determination result that the first communication device is determined to have a slight abnormality. Then, the CPU 202 ends this abnormality determination process.

The CPU 202 sets a recovery instruction in S800 when the first communication device is determined to be severely abnormal. In this step, the reset instruction is set as a recovery instruction. The reset instruction is an instruction for resetting the microcomputer 101 of the first communication device (ie, engine ECU 10).

In S810, the CPU 202 generates a communication frame with the first communication device as the destination. The communication frame includes the recovery instruction set in S800. Furthermore, the communication frame includes a determination result in which it has been determined that the first communication device is severely abnormal.

In S820, the CPU 202 initializes the second evaluation value ACC. That is, the second evaluation value ACC is set to zero.
In S830, the CPU 202 initializes the first evaluation value JIC. That is, the first evaluation value JIC is set to zero. Then, the CPU 202 ends this abnormality determination process.

<Operation>
The operation of the in-vehicle control system 1 configured as described above will be explained using FIG. 10. Note that in FIG. 10, it is assumed that IT is set to 1 msec. Further, FIG. 10 shows an example in which the second communication device receives the determination information at a normal cycle (that is, matches IT).

At time t ₀ , the first evaluation value JIC and the second evaluation value ACC are 0.
At time _t1 , the WDG output as status information is "H" and normal. The number of interrupt occurrences M is less than the upper limit of the normal value, which is the number of interrupts at maximum load _Mmax , and is normal. The number of task omissions N exceeds the number of task omissions N _max at maximum load, which is the upper limit of the normal value, and the number of task omissions N is determined to be abnormal. Therefore, the first evaluation value JIC is an additional value (i.e. 1) Added to become 1. The second evaluation value ACC is 0.

At time _t2 , the WDG output as status information is "L" and normal. Since the number of interrupt occurrences M exceeds M _max and the number of interrupt occurrences M is determined to be abnormal, the first evaluation value JIC is added by one to become two. The number of missed tasks N is less than N _max and is normal. The second evaluation value ACC is 0.

At time _t3 , the WDG output as status information is "H" and normal. The number of interrupt occurrences M is normal if it is less than M _max . The number of missed tasks N is less than N _max and is normal. Here, since the WDG output is determined to be normal continuously for more than the number of times threshold value, the first evaluation value JIC is subtracted by a subtraction value (that is, 1) to become 1. The second evaluation value ACC is 0.

At time _t4 , the WDG output as status information is "H" and abnormal, and the first evaluation value JIC is added by 1 to become 2. The number of interrupt occurrences M is normal if it is less than M _max . Since the number of missed tasks N exceeds N _max and is determined to be abnormal, the first evaluation value JIC is added by 1 and becomes 3. Since the first evaluation value JIC is equal to or greater than the evaluation threshold (ie, 3), the second evaluation value ACC is added by a predetermined value (ie, 1) to become 1. The second evaluation value ACC is greater than or equal to 1, which is the first abnormality threshold, and less than 3, which is the second abnormality threshold.

Thereby, the second communication device (i.e., door ECU 20) determines that the first communication device (i.e., engine ECU 10) is in a state where a slight abnormality has occurred. The second communication device uses the refresh instruction as a recovery instruction and transmits a communication frame including the recovery instruction and the determination result to the first communication device. This refreshes the first communication device.

At time _t5 , the WDG output as status information is "L" and abnormal, and the first evaluation value JIC is added by 1 to become 4. The number of interrupt occurrences M is less than M _max and is normal. Here, since the number of interrupt occurrences M has been determined to be normal for a number of consecutive times equal to or greater than the number threshold value (that is, 3), the first evaluation value JIC is subtracted by 1 and becomes 3. The number of missed tasks N is less than N _max and is normal. Then, since the first evaluation value JIC is equal to or higher than the evaluation threshold (that is, 3), the second evaluation value ACC is added by 1 to become 2. The second evaluation value ACC is greater than or equal to 1, which is the first abnormality threshold, and less than 3, which is the second abnormality threshold.

Thereby, the second communication device (i.e., door ECU 20) determines that the first communication device (i.e., engine ECU 10) is in a state where a slight abnormality has occurred. The second communication device uses the refresh instruction as a recovery instruction and transmits a communication frame including the recovery instruction and the determination result to the first communication device. This refreshes the first communication device.

At time _t6 , the WDG output as status information is "L" and normal. The number of interrupt occurrences M exceeds M _max and is determined to be abnormal, and the first evaluation value JIC is added by 1 to become 4. The number of missed tasks N is less than N _max and is normal. Then, since the first evaluation value JIC exceeds the evaluation threshold (that is, 3), the second evaluation value ACC is added by 1 to become 3. The second evaluation value ACC is equal to or greater than 3, which is the second abnormality threshold.

Thereby, the second communication device (i.e., door ECU 20) determines that the first communication device (i.e., engine ECU 10) is in a state where a severe abnormality has occurred. The second communication device uses the reset instruction as a recovery instruction and transmits a communication frame including the recovery instruction and the determination result to the first communication device. This resets the first communication device. Then, the first evaluation value JIC and the second evaluation value ACC are initialized.

[3. effect]
According to the embodiment described in detail above, the following effects are achieved.
(1) The information generating unit 52 included in the engine ECU 10 as a first communication device acquires at least one type of status information, and in S170 generates determination information including the acquired status information, and in S180, the generated determination information The determination information is output to the second communication device. The monitoring unit 63 included in the door ECU 20 as the second communication device compares the status information included in the determination information with normality information that is status information when the first communication device is normal, and Determine equipment abnormality.

Thereby, the first communication device determines whether there is an abnormality in the first communication device through communication with the second communication device, which is an external device of the first communication device. The second communication device that determines whether or not the first communication device is abnormal is not a newly installed control device but an ECU provided in the vehicle control system 1 in advance. In other words, it is possible to monitor whether or not the first communication device is abnormal with a simple configuration without increasing the number of components in the vehicle-mounted control system 1.

(2) In S320-S330, the monitoring unit 63 compares normal information and status information for each type of status information included in the determination information, and in S340 determines whether the first communication device is abnormal. In this embodiment, multiple types of status information are used. Therefore, the accuracy of determining the abnormality of the first communication device can be improved compared to the case where one piece of status information is used.

Further, the status information is quantitatively expressed, the normal information is quantitatively expressed, and the monitoring unit 63 detects an abnormality in the first communication device by comparing the quantitatively expressed status information and the normal information. You may judge. Since the determination is made based on the comparison between the status information as a numerical value and the normal information as a numerical value, the threshold value for determination becomes clear, and the accuracy of determining the abnormality of the first communication device can be improved.

(3) In S440, S530, S590, and S650, the monitoring unit 63 adds a predetermined additional value to the first evaluation value JIC each time the status information included in the determination information is determined to be abnormal. A new first evaluation value JIC is generated. The monitoring unit 63 determines whether the first communication device is abnormal based on the magnitude of the first evaluation value JIC.

As a result, even if any of the plurality of pieces of status information temporarily indicates an inaccurate status, the first evaluation value JIC, which is the number of pieces of status information determined to be abnormal, An abnormality in the communication device is determined. Therefore, the temporary influence of noise and the like is suppressed, and the accuracy and reliability of determining abnormality of the first communication device can be improved.

(4) In S440, S530, S590, and S650, the monitoring unit 63 detects new information when the number of successive normal operations in which the same type of status information is determined to be normal is equal to or greater than a predetermined number threshold. A first evaluation value JIC is generated. Here, a predetermined subtraction value is subtracted from the above-described first evaluation value JIC to generate a new first evaluation value JIC. This suppresses the temporary influence of noise and the like, and improves the accuracy and reliability of determining abnormality in the first communication device.

(5) In S730, the monitoring unit 63 adds a predetermined value to the second evaluation value ACC when it is determined in S720 that the first evaluation value JIC is equal to or higher than the evaluation threshold. A new second evaluation value ACC is generated. In S740, the monitoring unit 63 determines that the first communication device is abnormal when the second evaluation value is greater than or equal to the first abnormality threshold.

In other words, the monitoring unit 63 determines that some abnormality has occurred in the first communication device when the state in which the first evaluation value JIC is determined to be equal to or greater than the evaluation threshold continues for at least the first abnormality threshold. judge. Therefore, the temporary influence of noise and the like is further suppressed, and the accuracy and reliability of determining abnormality of the first communication device can be further improved.

(6) In S780 and S800, if the second evaluation value ACC is greater than or equal to the first abnormality threshold, the monitoring unit 63 controls the first communication according to the magnitude of the second evaluation value ACC. Determine recovery instructions to recover from equipment abnormality. Thereby, depending on the degree of continuation of the abnormality, it is possible to determine a recovery instruction according to the degree of continuation of the abnormality. The recovery instruction may be a refresh instruction to the first communication device, or if the abnormality continues longer, the recovery instruction may be a reset instruction to the first communication device.

(7) The determination information generated by the information generation unit 52 includes time information (ie, TS). TS represents the time when the determination information was generated. As a result, the second communication device, which is an external device of the first communication device, calculates the determination information output interval P based on the TS acquired by the first communication device, regardless of the delay caused by the communication line 90, etc. It can be calculated. In other words, the second communication device can accurately estimate the transmission period (ie, IT) of the determination information in the first communication device, regardless of delays caused by the communication line 90 and the like.

(8) The determination information generated by the information generation unit 52 includes the transmission cycle (ie, IT) of the determination information as state information. Thereby, it is possible to compare the determination information output interval P based on the TS specified in the second communication device and IT, which is the transmission cycle preset in the first communication device.

(9) The monitoring unit 63 compares the determination information output interval P calculated based on the TS included in the determination information with the IT included in the determination information, and determines whether the first communication device is abnormal. As a result, for example, when the determination information output interval P and IT match, it is determined that the first communication device is normal, and when they do not match, it is determined that an abnormality has occurred in the first communication device. becomes possible.

Further, even if the IT in the first communication device is changed, the second communication device can recognize the most recent IT in the first communication device based on the IT included in the received determination information. In other words, even if the judgment information output interval P does not match the pre-change IT, if the judgment information output interval P matches the changed IT included in the newly received judgment information, the second communication device , it can be determined that the determination information output interval P is normal.

In other words, the second communication device cannot distinguish whether the change in the determination information output interval P is an intentional change by the first communication device or a change due to an abnormality in the first communication device. Therefore, it is possible to accurately determine an abnormality in the first communication device.

(10) In S320, the information generation unit 52 determines the transmission cycle (ie, IT) of the determination information based on load information quantitatively indicating the magnitude of the load on the first communication device. The information generation unit 52 determines the transmission period of the determination information so that the transmission cycle of the determination information becomes longer as the load on the first communication device increases. In the above-described embodiment in which the first communication device is the engine ECU 10, the load information is, for example, the engine rotation speed.

The information generation unit 52 may acquire correspondence information that associates the engine rotation speed with the IT, identify the IT corresponding to the engine rotation speed based on the correspondence information, and transmit the determination information using the identified IT. . The correspondence information is predetermined information that associates load information with IT according to the size of the load information, and is information that is associated so that the higher the load, the longer the IT.

As a result, in the engine ECU 10, which is the first communication device, IT is set to a large value when the load is large. Therefore, the engine ECU 10 can use its processing capacity for things other than transmitting the determination information. In other words, the processing capacity of the first communication device can be used efficiently.

In the above embodiment, the in-vehicle control system 1 corresponds to a communication system, the engine ECU 10 and the door ECU 20 correspond to a plurality of communication devices, the engine ECU 10 corresponds to a first communication device, and the door ECU 20 corresponds to a second communication device. corresponds to a communication device. Further, the monitoring unit 63 corresponds to a determination execution unit, a type-specific determination unit, and an addition unit. S340 corresponds to processing as a determination execution section, S430, S520, S580, and S640 correspond to processing as a type-specific determination section, and S440, S530, S590, and S650 correspond to processing as an addition section. The determination information output interval P corresponds to the transmission interval of determination information, TS corresponds to time information, and IT corresponds to the transmission period of determination information determined by the first communication device.

[4. Modified example]
Modifications of the on-vehicle control system 1 will be shown below.
<Modification 1>
In the vehicle control system 1, the engine ECU 10 is the first communication device, and the door ECU 20 is the second communication device. On the other hand, in the vehicle control system 2 of Modification 1 shown in FIG. 11, the engine ECU 10 may be the first communication device, and both the engine ECU 10 and the brake ECU 30 may be the second communication devices.

That is, the engine ECU 10 includes a control section 51 and an information generation section 52 similarly to the above-described embodiment. The information generation unit 52 executes information generation processing and transmits determination information to both the door ECU 20 and the brake ECU 30 as the second communication device. The door ECU 20 as the second communication device includes a control section 61 and a monitoring section 63 similarly to the above embodiment. Brake ECU 30 as another second communication device includes a control section 71 and a monitoring section 73. The monitoring section 73 is configured similarly to the monitoring section 63.

Thereby, the presence or absence of an abnormality in the engine ECU 10 as the first communication device can be monitored by the plurality of second communication devices (namely, the door ECU 20 and the brake ECU 30). That is, the in-vehicle control system 2 can have a redundant configuration for obtaining an abnormality determination result and a recovery instruction (i.e., monitoring information) for the engine ECU 10 as the first communication device.

Here, the door ECU 20 and the brake ECU 30 serving as the plurality of second communication devices may be configured to execute the monitoring process every time the determination information is received. The engine ECU 10 receives monitoring information from both the door ECU 20 and the brake ECU 30, and only when the judgment results included in both pieces of monitoring information match, the engine ECU 10 assumes that the judgment result is true and performs an operation according to the recovery instruction. may be configured. This prevents the engine ECU 10 from operating in accordance with a recovery instruction caused by an erroneous determination by the door ECU 20 or the brake ECU 30.

Note that the door ECU 20 and the brake ECU 30 serving as the plurality of second communication devices may be configured to alternately execute the monitoring process at a predetermined period (for example, every 100 msec, etc.). Thereby, the processing load on the door ECU 20 and the brake ECU 30 can be reduced. Furthermore, if one of the door ECU 20 and the brake ECU 30 is out of order, it is possible to continue determining whether the engine ECU 10 is abnormal.

<Modification 2>
In the vehicle-mounted control system 3 of Modification 2 shown in FIG. 12, the engine ECU 10 is the first communication device, and the door ECU 20 is the second communication device for the engine ECU 10. Further, the door ECU 20 is a first communication device, and the engine ECU 10 is a second communication device for the door ECU 20.

That is, the engine ECU 10 further includes a monitoring section 53 in addition to the control section 51 and the information generation section 52. The monitoring unit 53 is configured similarly to the monitoring unit 63. However, the monitoring unit 53 executes a monitoring process and determines whether there is an abnormality in the door ECU 20 as the first communication device based on the determination information transmitted from the door ECU 20 as the first communication device.

In addition to the control section 61 and the monitoring section 63, the door ECU 20 further includes an information generation section 62. The information generation section 62 is configured similarly to the information generation section 52. However, the information generation unit 62 executes information generation processing and transmits determination information to the engine ECU 10.

Thereby, in the vehicle-mounted control system 3, in addition to determining whether the engine ECU 10 is abnormal using the door ECU 20, the engine ECU 10 can determine whether the door ECU 20 is abnormal. In other words, they can monitor each other.

Specifically, the engine ECU 10 or the door ECU 20 can compare the abnormality diagnosis result of its own device (for example, the diagnosis result based on the WDG pulse) with the determination result of its own device included in the monitoring information. Become. Here, for example, if the diagnosis result of an abnormality by the own device and the judgment result of the own device included in the monitoring information are different, the second communication device when the own device and the own device are the first communication device. It is possible to detect that there may be an abnormality in one of the microcontrollers.

<Modification 3>
In the vehicle-mounted control system 4 of Modification 3 shown in FIG. 13, the engine ECU 10 is the first communication device, and the door ECU 20 is the second communication device. Further, the door ECU 20 is a first communication device, and the brake ECU 30 is a second communication device.

That is, the door ECU 20 further includes an information generation section 62 in addition to the control section 61 and the monitoring section 63. The information generation section 62 is configured similarly to the information generation section 52. However, the information generation unit 62 executes information generation processing and transmits determination information to the brake ECU 30.

In addition to the control section 71, the brake ECU 30 further includes a monitoring section 73. The monitoring section 73 is configured similarly to the monitoring section 63. However, the monitoring unit 73 executes a monitoring process and determines whether there is an abnormality in the door ECU 20 as the first communication device based on the determination information transmitted from the door ECU 20 as the first communication device.

Thereby, in the vehicle-mounted control system 4, in addition to determining whether the engine ECU 10 is abnormal using the door ECU 20, the brake ECU 30 can determine whether the door ECU 20 is abnormal. The on-vehicle control system 4 also includes a brake ECU 30 that monitors abnormalities in the door ECU 20 and monitors abnormalities in the engine ECU 10. Due to this. If the brake ECU 30 determines that the door ECU 20 is normal, it can be guaranteed that the result of the door ECU 20 determining that the engine ECU 10 is abnormal is normal.

Furthermore, it is also possible to have another ECU (not shown) monitor the brake ECU 30.
[5. Other embodiments]
Although the embodiments of the present disclosure have been described above, the present disclosure is not limited to the above-described embodiments and can be implemented with various modifications.

(1) In the above embodiment, the monitoring unit 63 determines whether or not the status information is normal for each type of status information, adds the first evaluation value JIC when it is abnormal, and further It was determined that the first communication device is abnormal using the second evaluation value ACC based on the first evaluation value JIC. However, the present disclosure is not limited thereto.

For example, the monitoring unit 63 may be configured to determine that the first communication device is abnormal when it is determined that at least one type of status information among the plurality of acquired status information is abnormal. . Alternatively, the monitoring unit 63 may be configured to determine that the first communication device is abnormal at the time when it is determined that all the status information among the plurality of acquired status information is abnormal.

(2) In the above-described embodiment, the monitoring unit 63 detects the number of times that the same type of status information is consecutively determined to be normal, and when the number of times that the same type of status information is consecutively determined to be normal is equal to or greater than the number threshold, A new first evaluation value JIC was generated by subtracting the subtraction value from the first evaluation value JIC. However, the present disclosure is not limited thereto. For example, when a predetermined number (for example, 3) or more of the status information out of the plurality of status information is normal, the monitoring unit 63 subtracts the subtraction value from the first evaluation value JIC to obtain a new first evaluation. It may be configured to generate a value JIC. For example, in FIG. 8, when all three status information such as the WDG output, the number of interrupt occurrences M, and the number of task omissions N are normal, after S650 and after S680, from the first evaluation value JIC Processing for subtracting a subtraction value may be added. This makes it possible to further suppress the temporary influence of noise and the like.

(3) The engine ECU 10, door ECU 20, and door ECU 20 described in the present disclosure are provided by configuring a processor and memory programmed to execute one or more functions embodied by a computer program. It may also be realized by a dedicated computer. Alternatively, the engine ECU 10, door ECU 20, door ECU 20 and techniques described in this disclosure may be implemented by a dedicated computer provided by a processor configured with one or more dedicated hardware logic circuits. Alternatively, the engine ECU 10, door ECU 20, door ECU 20 and methods thereof described in the present disclosure are configured by a processor and memory programmed to perform one or more functions, and one or more hardware logic circuits. It may be realized by one or more dedicated computers configured in combination with a processor. The computer program may also be stored as instructions executed by a computer on a computer-readable non-transitory tangible storage medium. The method for realizing the functions of each part included in the engine ECU 10, the door ECU 20, and the door ECU 20 does not necessarily include software, and all the functions can be realized using one or more pieces of hardware. You can.

(4) Multiple functions of one component in the above embodiment may be realized by multiple components, and one function of one component may be realized by multiple components. . Further, a plurality of functions possessed by a plurality of constituent elements may be realized by one constituent element, or one function realized by a plurality of constituent elements may be realized by one constituent element. Further, a part of the configuration of the above embodiment may be omitted. Further, at least a part of the configuration of the above embodiment may be added to or replaced with the configuration of other embodiments.

(5) In addition to the engine ECU 10, door ECU 20, and door ECU 20 described above, functions for operating the in-vehicle control system 1-4, microcomputers 101, 201, 301, CPUs 102, 202, 302, and the engine ECU 10, door ECU 20, and door ECU 20 The present disclosure can also be realized in various forms, such as a program, a non-transitional tangible recording medium such as a semiconductor memory in which the program is recorded, and a monitoring method.

1 in-vehicle control system, 10 engine ECU, 20 door ECU, 101 microcomputer, 201 microcomputer.

Claims (14)

A communication system (1) installed in a vehicle,
The communication system includes a plurality of communication devices (10, 20) that are communicably connected to each other by a communication line,
The plurality of communication devices include a first communication device (10) and a second communication device (20),
The first communication device includes:
It is configured to acquire at least one type of status information indicating the status of the first communication device, generate determination information including the acquired status information, and output the determination information to the second communication device. information generation unit (52)
Equipped with
The second communication device includes:
obtain the determination information, compare the status information included in the determination information with predetermined normality information when the first communication device is normal, and compare the status information included in the determination information; A monitoring unit (63) configured to determine an abnormality in the communication device
Equipped with
The monitoring unit is
receiving the determination information, comparing the normal information and the status information for each type of the status information included in the determination information, and determining whether the status information included in the determination information is abnormal; a type determination unit (S430, S520, S580, S640) configured to determine;
Each time the type-specific determination unit determines that the status information included in the determination information is abnormal, a first evaluation value, which is a numerical value for evaluating the abnormality of the first communication device, is set in advance. an addition unit (S440, S530, S590, S650) configured to add a predetermined addition value to generate a new first evaluation value;
a determination execution unit (S340) configured to determine whether the first communication device is abnormal based on the magnitude of the first evaluation value generated by the addition unit;
Equipped with
The adding unit detects the number of consecutive normal operations in which the status information of the same type is consecutively determined to be normal by the type-based determining unit, and if the number of consecutive normal operations is equal to or greater than a predetermined number threshold; The communication system further comprises subtracting a predetermined subtraction value from the first evaluation value to generate a new first evaluation value. The communication system according to claim 1,
The determination execution unit acquires the first evaluation value generated by the addition unit, determines whether or not the first evaluation value is equal to or greater than a predetermined evaluation threshold, and When the evaluation value is determined to be equal to or greater than the evaluation threshold, a predetermined value is added to a second evaluation value that is a numerical value representing the magnitude of the abnormality in the first communication device. A communication system that generates a new second evaluation value, and determines that the first communication device is abnormal when the second evaluation value is equal to or greater than a predetermined first abnormality threshold. A communication system (1) installed in a vehicle,
The communication system includes a plurality of communication devices (10, 20) that are communicably connected to each other by a communication line,
The plurality of communication devices include a first communication device (10) and a second communication device (20),
The first communication device includes:
It is configured to acquire at least one type of status information indicating the status of the first communication device, generate determination information including the acquired status information, and output the determination information to the second communication device. information generation unit (52)
Equipped with
The second communication device includes:
obtain the determination information, compare the status information included in the determination information with predetermined normality information when the first communication device is normal, and compare the status information included in the determination information; A monitoring unit (63) configured to determine an abnormality in the communication device
Equipped with
The monitoring unit is
receiving the determination information, comparing the normal information and the status information for each type of the status information included in the determination information, and determining whether the status information included in the determination information is abnormal; a type determination unit (S430, S520, S580, S640) configured to determine;
Each time the type-specific determination unit determines that the status information included in the determination information is abnormal, a first evaluation value, which is a numerical value for evaluating the abnormality of the first communication device, is set in advance. an addition unit (S440, S530, S590, S650) configured to add a predetermined addition value to generate a new first evaluation value;
a determination execution unit (S340) configured to determine whether the first communication device is abnormal based on the magnitude of the first evaluation value generated by the addition unit;
Equipped with
The determination execution unit acquires the first evaluation value generated by the addition unit, determines whether or not the first evaluation value is equal to or greater than a predetermined evaluation threshold, and When the evaluation value is determined to be equal to or greater than the evaluation threshold, a predetermined value is added to a second evaluation value that is a numerical value representing the magnitude of the abnormality in the first communication device. A communication system that generates a new second evaluation value, and determines that the first communication device is abnormal when the second evaluation value is equal to or greater than a predetermined first abnormality threshold. The communication system according to claim 2 or 3,
The determination execution unit is configured to recover the abnormality of the first communication device according to the magnitude of the second evaluation value when the second evaluation value is greater than or equal to the first abnormality threshold. A communication system that determines a recovery instruction for and transmits the determined recovery instruction to the first communication device. The communication system according to any one of claims 1 to 4,
In the first communication device,
The information generation unit generates the determination information that is the determination information and includes time information representing a time when the determination information is generated. 6. The communication system according to claim 5,
In the first communication device,
The information generation unit outputs the determination information including the transmission cycle of the determination information as the state information at the transmission cycle. A communication system (1) installed in a vehicle,
The communication system includes a plurality of communication devices (10, 20) that are communicably connected to each other by a communication line,
The plurality of communication devices include a first communication device (10) and a second communication device (20),
The first communication device includes:
It is configured to acquire at least one type of status information indicating the status of the first communication device, generate determination information including the acquired status information, and output the determination information to the second communication device. information generation unit (52)
Equipped with
The second communication device includes:
obtain the determination information, compare the status information included in the determination information with predetermined normality information when the first communication device is normal, and compare the status information included in the determination information; A monitoring unit (63) configured to determine an abnormality in the communication device
Equipped with
In the first communication device,
The information generating unit generates the determination information, which is the determination information and includes time information representing a time when the determination information is generated, and includes a transmission cycle of the determination information as the state information, based on the transmission cycle. communication system. In the communication system according to claim 7,
The monitoring unit is
receiving the determination information, comparing the normal information and the status information for each type of the status information included in the determination information, and determining whether the status information included in the determination information is abnormal; a type determination unit (S430, S520, S580, S640) configured to determine;
Each time the type-specific determination unit determines that the status information included in the determination information is abnormal, a first evaluation value, which is a numerical value for evaluating the abnormality of the first communication device, is set in advance. an addition unit (S440, S530, S590, S650) configured to add a predetermined addition value to generate a new first evaluation value;
a determination execution unit (S340) configured to determine whether the first communication device is abnormal based on the magnitude of the first evaluation value generated by the addition unit;
A communication system equipped with The communication system according to any one of claims 6 to 8,
In the second communication device,
The monitoring unit is
The transmission interval of the determination information is calculated based on time information included in two pieces of determination information consecutively transmitted from the first communication device, with the transmission cycle included in the determination information being the normal information. is the state information, the normal information and the state information are compared, and an abnormality of the first communication device is determined based on whether the normal information and the state information match. The communication system according to any one of claims 6 to 9,
The information generation unit determines the transmission cycle of the determination information to be longer as the load is larger, based on load information quantitatively indicating the magnitude of the load on the first communication device. The communication system according to any one of claims 1 to 10,
In the second communication device,
The monitoring unit compares the normal information and the status information for each type of the status information included in the determination information, and determines whether the first communication device is abnormal. A first communication device (10) mounted on a vehicle that obtains at least one type of state information indicating a state of the first communication device, generates determination information including the state information, and generates determination information including the state information. The second communication device (20) is communicably connected to the first communication device by a communication line and includes an information generation unit (52) configured to output to a second communication device. hand,
obtain the determination information, compare the status information included in the determination information with predetermined normality information when the first communication device is normal, and compare the status information included in the determination information; A monitoring unit (63) configured to determine an abnormality in the communication device
Equipped with
The monitoring unit is
receiving the determination information, comparing the normal information and the status information for each type of the status information included in the determination information, and determining whether the status information included in the determination information is abnormal; a type determination unit (S430, S520, S580, S640) configured to determine;
Each time the type-specific determination unit determines that the status information included in the determination information is abnormal, a first evaluation value, which is a numerical value for evaluating the abnormality of the first communication device, is set in advance. an addition unit (S440, S530, S590, S650) configured to add a predetermined addition value to generate a new first evaluation value;
a determination execution unit (S340) configured to determine whether the first communication device is abnormal based on the magnitude of the first evaluation value generated by the addition unit;
Equipped with
The adding unit detects the number of consecutive normal operations in which the status information of the same type is consecutively determined to be normal by the type-based determining unit, and if the number of consecutive normal operations is equal to or greater than a predetermined number threshold; A second communication device that generates a new first evaluation value by subtracting a predetermined subtraction value from the first evaluation value. A first communication device (10) mounted on a vehicle that obtains at least one type of state information indicating a state of the first communication device, generates determination information including the state information, and generates determination information including the state information. The second communication device (20) is communicably connected to the first communication device by a communication line and includes an information generation unit (52) configured to output to a second communication device. hand,
obtain the determination information, compare the status information included in the determination information with predetermined normality information when the first communication device is normal, and compare the status information included in the determination information; A monitoring unit (63) configured to determine an abnormality in the communication device
Equipped with
The monitoring unit is
receiving the determination information, comparing the normal information and the status information for each type of the status information included in the determination information, and determining whether the status information included in the determination information is abnormal; a type determination unit (S430, S520, S580, S640) configured to determine;
Each time the type-specific determination unit determines that the status information included in the determination information is abnormal, a first evaluation value, which is a numerical value for evaluating the abnormality of the first communication device, is set in advance. an addition unit (S440, S530, S590, S650) configured to add a predetermined addition value to generate a new first evaluation value;
a determination execution unit (S340) configured to determine whether the first communication device is abnormal based on the magnitude of the first evaluation value generated by the addition unit;
Equipped with
The determination execution unit acquires the first evaluation value generated by the addition unit, determines whether or not the first evaluation value is equal to or greater than a predetermined evaluation threshold, and When the evaluation value is determined to be equal to or greater than the evaluation threshold, a predetermined value is added to a second evaluation value that is a numerical value representing the magnitude of the abnormality in the first communication device. generating a new second evaluation value, and determining that the first communication device is abnormal when the second evaluation value is equal to or greater than a predetermined first abnormality threshold; Communication device. A first communication device (10) mounted on a vehicle, which acquires determination information output from the first communication device including at least one type of state information indicating a state of the first communication device. and comparing the status information, which is predetermined normal information when the first communication device is normal, with the status information included in the determination information to determine whether the first communication device is abnormal. The first communication device is communicably connected to a second communication device including a monitoring unit (63) configured as follows through a communication line,
acquiring at least one type of the status information indicating the status of the first communication device, generating the determination information including the acquired status information, and outputting the determination information to the second communication device; Configured information generation unit (52)
Equipped with
The information generation unit generates the determination information that is the determination information and includes time information representing a time when the determination information is generated, and includes a transmission cycle of the determination information as the state information, A first communication device that outputs at the transmission cycle.