JP7408426B2 - In-vehicle wireless communication device, in-vehicle wireless communication system, and in-vehicle wireless communication method - Google Patents

Description

The disclosed embodiments relate to an in-vehicle wireless communication device, an in-vehicle wireless communication system, and an in-vehicle wireless communication method.

In recent years, with the expansion of the MaaS (Mobility as a Service) and small EV (Electric Vehicle) markets, there is a need to reduce the mounting space for electronic devices in order to secure space inside the vehicle. On the other hand, as vehicle control becomes more sophisticated, the number of electronic devices that need to be installed is increasing.

In order to reduce the installation space, there is a method to reduce the wiring space by replacing wired communication between devices with wireless communication. However, in the case of wireless communication, due to its characteristics, it is susceptible to the influence of the radio wave environment inside and outside the vehicle and to malicious attacks, so a failsafe against these is required (for example, see Patent Document 1).

Unexamined Japanese Patent Publication No. 2017-152762

However, in the conventional technology, there is room for further improvement in realizing fail-safe according to the mode of radio wave abnormality.

One aspect of the embodiment is made in view of the above, and provides an in-vehicle wireless communication device, an in-vehicle wireless communication system, and an in-vehicle wireless communication method that can realize fail-safe according to the mode of radio wave abnormality. The purpose is to

An in-vehicle wireless communication device according to one aspect of the embodiment includes a communication section and a control section. The communication unit performs wireless communication with a slave wireless communication device that is connected by wire to a device that is an input/output target of a control device mounted on a vehicle. The control unit monitors the received radio wave power from the slave wireless communication device via the communication unit , determines that the radio wave abnormality is due to a malicious attack when the received radio wave power is outside the law, and performs a predetermined operation. Perform failsafe processing.

According to one aspect of the embodiment, it is possible to realize failsafe according to the aspect of radio wave abnormality.

FIG. 1A is a schematic explanatory diagram (part 1) of the in-vehicle wireless communication method according to the embodiment. FIG. 1B is a schematic explanatory diagram (Part 2) of the in-vehicle wireless communication method according to the embodiment. FIG. 1C is a schematic explanatory diagram (Part 3) of the in-vehicle wireless communication method according to the embodiment. FIG. 2 is a block diagram illustrating a configuration example of a wireless communication system according to an embodiment. FIG. 3A is a flowchart (Part 1) showing a processing procedure executed by the wireless master ECU according to the embodiment. FIG. 3B is a flowchart (part 2) showing the processing procedure executed by the wireless master ECU according to the embodiment. FIG. 3C is a flowchart (part 3) showing the processing procedure executed by the wireless master ECU according to the embodiment. FIG. 3D is a flowchart (part 4) showing the processing procedure executed by the wireless master ECU according to the embodiment. FIG. 4 is an explanatory diagram of the in-vehicle wireless communication method according to the first modification. FIG. 5A is an explanatory diagram (part 1) of the in-vehicle wireless communication method according to the second modification. FIG. 5B is an explanatory diagram (part 2) of the in-vehicle wireless communication method according to the second modification.

DESCRIPTION OF EMBODIMENTS Hereinafter, embodiments of an in-vehicle wireless communication device, an in-vehicle wireless communication system, and an in-vehicle wireless communication method disclosed in the present application will be described in detail with reference to the accompanying drawings. Note that the present invention is not limited to the embodiments described below.

Further, below, an example will be described in which the in-vehicle wireless communication device according to the embodiment is a wireless master ECU (Electronic Control Unit) to which the in-vehicle wireless communication method according to the embodiment is applied.

First, an overview of the in-vehicle wireless communication method according to the embodiment will be explained using FIGS. 1A to 1C. 1A to 1C are schematic explanatory diagrams (Part 1) to (Part 3) of the in-vehicle wireless communication method according to the embodiment. In order to make the explanation easier to understand, FIG. 1A shows an in-vehicle wireless communication system 1' having a wired connection configuration according to a comparative example.

As shown in FIG. 1A, the in-vehicle wireless communication system 1' according to the comparative example includes one or more ECUs. Here, there are three ECUs, ECU #1 to #3. These ECUs are wired to be able to communicate with each other via, for example, a CAN (Controller Area Network). In addition, each ECU is connected to sensors, actuators, ICs (Integrated Circuits), switches, etc. that are subject to input/output by wires, such as wire harnesses, etc., and executes the vehicle control functions assigned to each ECU. .

Note that, as shown in FIG. 1A, for example, ECU #1 is a drive control system ECU, ECU #2 is a meter ECU, and ECU #3 is a battery management ECU.

Incidentally, in recent years, with the expansion of MaaS and small EV markets, there has been a need to reduce the mounting space for electronic devices in order to secure space inside the vehicle. On the other hand, as vehicle control becomes more sophisticated, the number of electronic devices that need to be installed is increasing.

In order to reduce the installation space, it is possible to reduce the wiring space by replacing wired communication with wireless communication between devices.

Specifically, as shown in FIG. 1B, the in-vehicle wireless communication system 1 according to the embodiment includes a wireless master ECU 10 and one or more wireless slave ECUs 20. Here, it is assumed that there are two wireless slave ECUs 20.

The wireless master ECU 10 is wire-connected to the aforementioned ECUs #1 to ECU #3 via CAN so that they can communicate with each other. Moreover, the wireless master ECU 10 has a wireless communication interface (not shown), and is provided to be able to wirelessly communicate with each of the wireless slave ECUs 20.

Further, each of the wireless slave ECUs 20 bundles physically nearby sensors, actuators, ICs, switches, etc., and is connected by wire with a wire harness or the like. Further, each of the wireless slave ECUs 20 has a wireless communication interface (not shown), and is provided to be able to wirelessly communicate with the wireless master ECU 10.

ECU #1 to ECU #3 exchange data with sensors, actuators, ICs, switches, etc. that are subject to input/output via wireless communication between these wireless master ECU 10 and wireless slave ECU 20. . Thereby, it is possible to save wiring space in the vehicle interior space.

However, due to its characteristics, wireless communication is susceptible to the influence of the radio wave environment inside and outside the vehicle and to malicious attacks. As shown in FIG. 1B, the influence of the radio wave environment includes, for example, the influence of strong radio waves from a microwave oven installed in convenience store C in the city, and the influence of Wi-Fi spots.

Examples of malicious attacks include jamming attacks and DoS attacks (Denial of Service attacks), as shown in FIG. 1B. A jamming attack is an attack that causes radio interference by transmitting strong radio waves and interrupts wireless communications. A DoS attack is an attempt to impersonate a communication target and send erroneous or large amounts of data to induce malfunction.

Therefore, in the in-vehicle wireless communication method according to the embodiment, the wireless master ECU 10 acquires the communication status of each wireless slave ECU 20, determines a radio wave abnormality based on the acquired communication status, and performs fail-safe processing according to the determination result. I decided to implement it.

Specifically, as shown in FIG. 1C, the wireless master ECU 10 acquires the communication status of each wireless slave ECU 20 (step S1). The communication status includes received radio wave power from each of the wireless slave ECUs 20, communication cycles with each of the wireless slave ECUs 20, position information of each of the wireless slave ECUs 20, and the like.

Then, the wireless master ECU 10 determines a radio wave abnormality based on the acquired communication status (step S2). In this determination, even the aspects of radio wave abnormalities, such as "problems with the radio wave environment" and "malicious attacks", are determined.

Then, the wireless master ECU 10 executes failsafe processing according to the determination result (step S3). In step S3, different fail-safe processing is executed depending on the determined state of radio wave abnormality. The fail-safe process includes, for example, instructing each ECU #1 to #3 to shift to the evacuation driving mode. The evacuation driving mode is, for example, a mode in which the vehicle is treated as having failed and is guided to a safe place such as the shoulder of the road and stopped.

As described above, in the in-vehicle wireless communication method according to the embodiment, the wireless master ECU 10 acquires the communication status of each wireless slave ECU 20, determines a radio wave abnormality based on the acquired communication status, and performs fail-safe operation according to the determination result. I decided to carry out the process.

Therefore, according to the in-vehicle wireless communication method according to the embodiment, it is possible to realize failsafe according to the aspect of radio wave abnormality.

Note that the communication status acquired by the wireless master ECU 10 may include position information (including distance and position) measured by UWB (Ultra Wide Band). Then, a "malicious attack" may be determined at all times based on such UWB position information. This point will be discussed later in the explanation using FIG. 3D.

In addition, if the wireless master ECU 10 itself becomes unable to operate normally due to a radio wave abnormality, for example, one of ECUs #1 to #3 becomes the master and switches ECUs #1 to #3 to evacuation driving mode. It may also be possible to cause the transition to occur. This point will be discussed later in the explanation using FIG. 4.

Furthermore, a priority may be set for each wireless slave ECU 20, and when a radio wave abnormality occurs, for example, the evacuation driving level may be changed according to the priority. This point will be discussed later in the explanation using FIGS. 5A and 5B.

Hereinafter, a configuration example of the in-vehicle wireless communication system 1 to which the in-vehicle wireless communication method according to the above-described embodiment is applied will be described in more detail.

FIG. 2 is a block diagram showing a configuration example of the in-vehicle wireless communication system 1 according to the embodiment. Note that FIG. 2 shows only the constituent elements necessary for explaining the features of this embodiment, and the description of general constituent elements is omitted.

In other words, each component illustrated in FIG. 2 is functionally conceptual, and does not necessarily need to be physically configured as illustrated. For example, the specific form of distributing/integrating each block is not limited to what is shown in the diagram, and all or part of the blocks can be functionally or physically distributed/integrated in arbitrary units depending on various loads and usage conditions. It is possible to configure them in an integrated manner.

Furthermore, in the explanation using FIG. 2, the explanation of components that have already been explained may be simplified or omitted.

As already mentioned, as shown in FIG. 2, the in-vehicle wireless communication system 1 according to the embodiment includes a wireless master ECU 10, one or more wireless slave ECUs 20, and one or more control system ECUs 30. The control system ECU 30 corresponds to the ECUs #1 to #3 described above.

The wireless master ECU 10 includes a communication section 11, a storage section 12, and a control section 13.

The communication unit 11 is realized by, for example, a NIC (Network Interface Card). The communication unit 11 transmits and receives information through wired communication with one or more control system ECUs 30 mounted on the vehicle, and also transmits and receives information to one or more wireless slave ECUs 20 connected by wires to various devices subject to input/output of the control system ECU 30. Information is sent and received via wireless communication.

Although the communication section 11 is represented by one block in FIG. 2, it may of course be represented by two blocks, a wireless communication section and a wired communication section.

The storage unit 12 is realized by, for example, a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk, and in the example of FIG. 2, the power information 12a, Schedule information 12b and location information 12c are stored.

The power information 12a is information regarding received radio wave power acquired by an acquisition unit 13a, which will be described later, and includes a power value of legal power and a power value of regulated power. Legal power is the maximum received power allowed by the Radio Law or the regulations of each country. The specified power is the maximum power and minimum power received from the wireless slave ECU 20.

The schedule information 12b is information regarding the communication cycle with the wireless slave ECU 20, and includes a prescribed schedule with each of the wireless slave ECUs 20.

The position information 12c is information regarding the position of the wireless slave ECU 20, and includes the prescribed position range of each wireless slave ECU 20.

The control unit 13 is a controller, and for example, various programs stored in a storage device inside the wireless master ECU 10 use the RAM as a work area by a CPU (Central Processing Unit), an MPU (Micro Processing Unit), etc. This is achieved through execution. Further, the control unit 13 can be realized by, for example, an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array).

The control unit 13 includes an acquisition unit 13a, a determination unit 13b, and a fail-safe processing execution unit 13c, and realizes or executes information processing functions and operations described below.

The acquisition unit 13a acquires the communication status with each of the wireless slave ECUs 20 via the communication unit 11. As already mentioned, the communication status includes the received radio wave power from each of the wireless slave ECUs 20, the communication cycle with each of the wireless slave ECUs 20, the position information of each of the wireless slave ECUs 20, and the like.

For example, the acquisition unit 13a monitors the AD value of the radio wave power input from each wireless slave ECU 20 via the communication unit 11 at the time of a reception interrupt or at all times, and notifies the determination unit 13b of the AD value. Further, for example, the acquisition unit 13a acquires the period in which communication with each of the wireless slave ECUs 20 occurs, and notifies the determination unit 13b of the period. Further, for example, the acquisition unit 13a acquires position information returned from the wireless slave ECU 20 in response to a position information request from the wireless master ECU 10, which will be described later, and notifies the determination unit 13b.

The determination unit 13b determines the radio wave abnormality and its mode based on the communication status acquired by the acquisition unit 13a. Details of this determination process will be described later using FIGS. 3A and 3B. Further, the determination unit 13b notifies the failsafe processing execution unit 13c of the determination result.

The failsafe process execution unit 13c executes a predetermined failsafe process according to the determination result by the determination unit 13b. For example, the failsafe processing execution unit 13c instructs the control system ECU 30 to shift to the evacuation driving mode. Details of the failsafe process will be described later using FIG. 3C.

Next, the processing procedure executed by the wireless master ECU 10 according to the embodiment will be described using FIGS. 3A to 3D. 3A to 3D are flowcharts (Part 1) to (Part 4) showing processing procedures executed by the wireless master ECU 10 according to the embodiment.

First, as shown in FIG. 3A, the acquisition unit 13a acquires the communication status with each wireless slave ECU 20 (step S101).

Then, the determining unit 13b determines whether the received radio wave power (P) exceeds the legal power while referring to the power information 12a (step S102). Here, if the legal power is exceeded (step S102, Yes), the determination unit 13b determines that it is a malicious attack (step S103), and the fail-safe processing execution unit 13c executes fail-safe processing in response to the malicious attack. (Step S104). The failsafe process will be described later using FIG. 3C.

On the other hand, if the legal power is not exceeded in step S102 (step S102, No), the determination unit 13b determines whether the received radio wave power (P) is outside the specified power range while referring to the power information 12a. (Step S105).

Here, if the received radio wave power (P) is outside the specified power range, that is, if the received radio wave power (P) is greater than the specified maximum power or smaller than the specified minimum power (Step S105, Yes), the determination unit 13b further is an arbitrary natural number) (step S106).

Here, if it is the Nth consecutive time (step S106, Yes), the determining unit 13b determines that the abnormal state is a temporary abnormality (temporary abnormality) (step S107), and executes temporary abnormality processing (step S108). The temporary abnormality processing will be described later using FIG. 3B.

On the other hand, if it is not the Nth consecutive time in step S106 (step S106, No), the determination unit 13b counts up the out-of-range counter (step S109).

Subsequently, the determining unit 13b determines whether the reception timing is outside the specified schedule while referring to the schedule information 12b (step S110). Here, if it is outside the regular schedule (step S110, Yes), the determination unit 13b further determines whether or not it is the Nth consecutive time (step S111).

Here, if it is the Nth consecutive time (step S111, Yes), the determination unit 13b determines that there is a temporary abnormality, as in the case where the received radio wave power (P) outside the specified power range continues N times in a row. (Step S107), and performs temporary abnormality processing (Step S108).

On the other hand, if it is not the Nth consecutive time in step S111 (step S111, No), the determination unit 13b counts up the out-of-schedule counter (step S112). Then, the wireless master ECU 10 repeats the processing from step S101.

Next, temporary abnormality processing will be explained. As shown in FIG. 3B, in the temporary abnormality process, the determination unit 13b requests position information from the corresponding wireless slave ECU 20 (step S201). The acquisition unit 13a then acquires position information from the wireless slave ECU 20 (step S202).

Then, the determining unit 13b determines whether the position of the wireless slave ECU 20 is within the specified position range while referring to the position information 12c (step S203). Here, if the position is within the specified position range (Step S203, Yes), the determining unit 13b determines that there is a problem with the radio wave environment (Step S204), and the fail-safe processing execution unit 13c executes fail-safe processing in accordance with this. (Step S206).

On the other hand, if it is determined in step S203 that the position is not within the specified range (step S203, No), the determination unit 13b determines that it is a malicious attack (step S205), and the fail-safe processing execution unit 13c executes fail-safe processing in accordance with this. (Step S206).

Note that in FIG. 3B, the position information of the wireless slave ECU 20 is used, but the position information is not limited to this. For example, encrypted information that can be decrypted only between the wireless master ECU 10 and the wireless slave ECU 20 may be used, or current time information may be used. Furthermore, when position information is used, the position information of the wireless slave ECU 20 may be acquired by the wireless master ECU 10 by itself by actively transmitting position measurement radio waves from the wireless master ECU 10 without acquiring it from the wireless slave ECU 20. .

Further, the position information of the wireless slave ECU 20 may be constantly monitored using UWB. Such a modification will be described later using FIG. 3D.

Next, failsafe processing will be explained. As shown in FIG. 3C, in the failsafe process, the failsafe process execution unit 13c determines whether or not it is a malicious attack (step S301).

Here, if the attack is malicious (step S301, Yes), the failsafe processing execution unit 13c notifies the driver that the attack is malicious (step S302). Note that the failsafe processing execution unit 13c notifies the driver of the fact that the vehicle is under a malicious attack via, for example, a meter ECU of the control system ECU 30.

Then, the failsafe processing execution unit 13c instructs each control system ECU 30 to perform evacuation driving (step S305), and ends the processing.

On the other hand, if it is determined in step S301 that the attack is not malicious (step S301, No), the failsafe processing execution unit 13c notifies the driver that there is a problem with the radio wave environment (step S303). Here, as in step S302, the fail-safe processing execution unit 13c notifies the driver, for example, via the meter ECU, that there is a problem with the radio wave environment.

Then, the failsafe processing execution unit 13c determines whether or not the data received from the wireless slave ECU 20 cannot be decoded (step S304). Here, if the data cannot be deciphered (step S304, Yes), the fail-safe process execution unit 13c instructs each control system ECU 30 to perform an evacuation run (step S305), and ends the process.

On the other hand, if the data can be decoded (step S304, No), the wireless master ECU 10 moves to step S101 in FIG. 3A.

Next, a modified example process of constantly monitoring the position information of the wireless slave ECU 20 using UWB will be described using FIG. 3D. Such modified example processing is executed, for example, between step S101 and step S102 in FIG. 3A.

When executing such a modified example process, in step S101, the acquisition unit 13a constantly monitors the position information of the wireless slave ECU 20 using UWB, and the acquired communication status includes the monitoring result. Further, when executing such a modified example process, it is possible to determine that there is a problem with the radio wave environment in step S107 of FIG. 3A, and to replace the temporary abnormality process with a failsafe process in step S108.

As shown in FIG. 3D, in the modified example process, the determining unit 13b determines whether the UWB position information of the wireless slave ECU 20 is outside the specified position range (step S401).

Here, if the position is outside the specified position range (step S401, Yes), the determination unit 13b determines that it is a malicious attack (step S402), and the failsafe process execution unit 13c executes the failsafe process of FIG. 3C. (Step S403).

On the other hand, if the position is not outside the specified position range (step S401, No), the modification process ends as is, and the wireless master ECU 10 moves to step S102 in FIG. 3A, for example.

As described above, the wireless master ECU 10 according to the embodiment (corresponding to an example of an "in-vehicle wireless communication device") includes the communication section 11, the acquisition section 13a, the determination section 13b, and the fail-safe processing execution section 13c. Be prepared. The communication unit 11 performs wired communication with a control system ECU 30 (corresponding to an example of a "control device") mounted on the vehicle, and also communicates with a wireless slave ECU 20 (corresponding to an example of a "control device") that is connected by wire to a device that is subject to input/output of the control system ECU 30. (equivalent to an example of a "slave wireless communication device"). The acquisition unit 13a acquires the communication status of the wireless slave ECU 20 via the communication unit 11. The determination unit 13b determines a radio wave abnormality based on the communication status acquired by the acquisition unit 13a. The failsafe process execution unit 13c executes a predetermined failsafe process according to the determination result by the determination unit 13b.

Therefore, according to the wireless master ECU 10 according to the embodiment, it is possible to realize failsafe according to the mode of radio wave abnormality.

Further, the acquisition unit 13a acquires at least the received radio wave power from the wireless slave ECU 20, the communication cycle with the wireless slave ECU 20, and the position information of the wireless slave ECU 20 as the communication status, and the determination unit 13b acquires the communication status as described above. Based on this, the above radio wave abnormalities are classified into those caused by problems in the radio wave environment and those caused by malicious attacks.

Therefore, according to the wireless master ECU 10 according to the embodiment, based on the received radio wave power, the communication cycle, and the position information, it is possible to distinguish the radio wave abnormality into one caused by a problem in the radio wave environment and one caused by a malicious attack. Can be done.

Further, the determination unit 13b determines that the attack is malicious when the received radio wave power is outside the legal regulations.

Therefore, according to the wireless master ECU 10 according to the embodiment, the radio wave abnormality can be determined to be the malicious attack based on the received radio wave power.

In addition, the determination unit 13b determines that there is a temporary abnormality when the received radio wave power is within the regulations but outside the specified range.

Therefore, according to the wireless master ECU 10 according to the embodiment, the radio wave abnormality can be estimated to be at least the malicious attack or the radio wave environment problem based on the received radio wave power.

Further, the determination unit 13b determines that there is a temporary abnormality when the communication cycle is outside the specified schedule.

Therefore, according to the wireless master ECU 10 according to the embodiment, the radio wave abnormality can be estimated to be at least the malicious attack or the radio wave environment problem based on the communication cycle.

Further, the determining unit 13b determines that the attack is malicious when the position information is outside the specified position range.

Therefore, according to the wireless master ECU 10 according to the embodiment, the radio wave abnormality can be determined to be the malicious attack based on the position information.

Further, the acquisition unit 13a acquires the position information measured by UWB, and the determination unit 13b constantly determines whether the position information by UWB is outside the specified position range.

Therefore, according to the wireless master ECU 10 according to the embodiment, it is possible to acquire the above-mentioned position information by taking advantage of the characteristics of ultra-wideband wireless, which are resistant to jamming waves, high speed, and high accuracy.

Further, when determining that there is a temporary abnormality, the determination unit 13b determines whether the above-mentioned position information is outside the specified position range, and if it is outside the specified position range, it determines that it is a malicious attack, and determines that the position information is outside the specified position range. If it is not out of range, it is determined that there is a problem with the radio wave environment.

Therefore, according to the wireless master ECU 10 according to the embodiment, in the case of a temporary abnormality, it is possible to distinguish between the malicious attack and the radio wave environment problem based on the position information.

Furthermore, when it is determined that the attack is malicious, the fail-safe processing execution unit 13c causes the control system ECU 30 to notify the driver that the attack is malicious, and instructs the control system ECU 30 to perform an evacuation drive.

Therefore, according to the wireless master ECU 10 according to the embodiment, it is possible to realize failsafe in response to the malicious attack.

Furthermore, when it is determined that there is a problem with the radio wave environment, the failsafe processing execution unit 13c notifies the driver that there is a problem with the radio wave environment in the control system ECU 30, and decodes the received data from the wireless slave ECU 20. If this is not possible, the control system ECU 30 is instructed to perform an evacuation drive.

Therefore, according to the wireless master ECU 10 according to the embodiment, it is possible to realize a failsafe in response to the problem of the radio wave environment.

Incidentally, in the above-described embodiment, an example is given in which the wireless master ECU 10 acquires the communication status of the wireless slave ECU 20 and determines a radio wave abnormality, but the wireless master ECU 10 itself may become unable to operate normally due to a radio wave abnormality. Conceivable.

In such a case, for example, one of the control system ECUs 30 may serve as a master and instruct each control system ECU 30 to retreat. Such a case will be described as a vehicle-mounted wireless communication method according to a first modification using FIG. 4. FIG. 4 is an explanatory diagram of the in-vehicle wireless communication method according to the first modification.

As shown by the "x" mark in FIG. 4, it is assumed that the wireless master ECU 10 is unable to operate normally due to a radio wave abnormality. In such a case, in the in-vehicle wireless communication method according to the first modification, it is necessary to at least make the vehicle move in an evacuation mode to ensure safety. Execute failsafe processing only with #1 to #3.

For example, in the in-vehicle wireless communication method according to the first modification, as shown in FIG. 4, if ECU #1 is a drive control system ECU important for vehicle control, ECU #1 becomes the master and It instructs ECU #2 and #3 to perform evacuation driving, and also shifts to evacuation driving mode.

As a result, even if the wireless master ECU 10 does not operate normally due to a radio wave abnormality, at least ECUs #1 to #3 can shift to the evacuation driving mode and ensure the safety of the vehicle.

It should be noted that malfunction of the wireless master ECU 10 can be determined by periodically checking responses between the ECUs #1 to #3 and the wireless master ECU 10 via CAN, for example. Such response confirmation may be a simple confirmation of life or death, or may be a Q&A type response confirmation in which a desired calculation result is obtained in response to a predetermined question.

Furthermore, in the above-described embodiment, the wireless slave ECU 20 is treated equally, but each wireless slave ECU 20 is given a priority, and when a radio wave abnormality occurs, for example, the wireless slave ECU 20 is treated equally. The evacuation driving level may be changed.

Such a case will be described as an in-vehicle wireless communication method according to a second modification using FIGS. 5A and 5B. FIGS. 5A and 5B are explanatory diagrams (part 1) and (part 2) of the in-vehicle wireless communication method according to the second modification.

Note that the rectangle shown in FIG. 5A is a very schematic representation of the interior space of the vehicle when viewed from above. The interior space of the vehicle can be divided into a plurality of zones (four in this case) as shown as zones #1 to #4 in the figure.

One or more wireless slave ECUs 20 are provided in each zone. Each of the wireless slave ECUs 20 is connected by wire to various devices that are physically close to each other. In such a vehicle interior space, the wireless master ECU 10 is preferably provided approximately at the center of the vehicle interior space. This is to equalize the distance from each zone and ensure the quality of wireless communication.

Here, as shown in FIG. 5B, the systems for each wireless slave ECU 20 in each zone are defined as slave groups #1, #2, . . . . In the in-vehicle wireless communication method according to the second modification, a "priority" is associated with each of these groups. For example, the "priority" is higher for a group that is estimated to be more important in vehicle control.

Further, the "evacuation driving level" indicates the level of evacuation driving, and for example, the higher the urgency, the higher the level. In the example of FIG. 5B, for example, "emergency complete stop required" is a level that requires an immediate evacuation run to bring the vehicle to a complete stop. For example, "emergency complete stop not required" is a level where a complete stop is necessary but there is still some time, or a complete stop is not necessary but there are restrictions on driving. In the in-vehicle wireless communication method according to the second modification, for example, the higher the above-mentioned "priority" is, the higher the "evacuation driving level" becomes.

In the in-vehicle wireless communication method according to the second modification, the evacuation driving level of the group with the highest priority among the slave groups in which a radio wave abnormality has occurred in one zone is derived as the representative value of that zone. .

Then, the representative values of each zone are compared, and fail-safe processing is executed so that the evacuation drive is performed at the evacuation drive level that is the maximum value. Thereby, fail-safe processing can be executed while changing the evacuation drive level according to the priority of each slave group.

Note that here, in order to make the explanation easier to understand, the "priority" and the "evacuation driving level" are linked, but the "priority" may be regarded as the "evacuation driving level" as is.

Further advantages and modifications can be easily deduced by those skilled in the art. Therefore, the broader aspects of the invention are not limited to the specific details and representative embodiments shown and described above. Accordingly, various changes may be made without departing from the spirit or scope of the general inventive concept as defined by the appended claims and their equivalents.

1 In-vehicle wireless communication system 10 Wireless master ECU
11 communication unit 12 storage unit 12a power information 12b schedule information 12c position information 13 control unit 13a acquisition unit 13b determination unit 13c failsafe processing execution unit 20 wireless slave ECU
30 Control system ECU

Claims (12)

a communication unit that performs wireless communication with a slave wireless communication device that is connected by wire to a device that is an input/output target of a control device installed in the vehicle;
Monitoring received radio wave power from the slave wireless communication device via the communication unit,
An in-vehicle wireless communication device comprising : a control unit that determines that a radio wave abnormality is caused by a malicious attack when the received radio wave power is outside the legal range, and executes a predetermined fail-safe process. The control unit includes:
If the received radio wave power is within the legal range but outside the specified range, it is determined to be a temporary abnormality.
The vehicle-mounted wireless communication device according to claim 1 . Performs wireless communication with a slave wireless communication device that is connected by wire to equipment that is subject to input/output of the control device installed in the vehicle,
When determining a radio wave abnormality in the slave wireless communication device via the wireless communication, executing a failsafe process,
a control unit that determines whether the radio wave abnormality is due to a radio wave environment problem or a malicious attack based on a communication cycle with the slave radio communication device and position information of the slave radio communication device;
An in-vehicle wireless communication device with The control unit includes:
If the communication cycle is outside the specified schedule, it is determined that there is a temporary abnormality.
The in-vehicle wireless communication device according to claim 3 . The control unit includes:
If the location information is outside the specified location range, it is determined that the attack is malicious.
The vehicle-mounted wireless communication device according to claim 3 or 4 . The control unit includes:
If it is determined to be a temporary abnormality, it is determined whether the position information is outside the specified position range, and if it is outside the specified position range, it is determined that it is a malicious attack, and if it is not outside the specified position range, the radio wave is Determined as an environmental problem
The in-vehicle wireless communication device according to claim 5 . The control unit includes:
If it is determined that there is a problem with the radio wave environment, the control device notifies the driver that there is a problem with the radio wave environment, and if the data received from the slave wireless communication device cannot be deciphered, the control device instruct the driver to evacuate
An in-vehicle wireless communication device according to any one of claims 3 to 6 . The control unit includes:
If it is determined that the attack is malicious, the control device notifies the driver that the attack is malicious, and also instructs the control device to take an evacuation drive.
An in-vehicle wireless communication device according to any one of claims 1 to 7 . For the plurality of slave wireless communication devices provided at various locations in the vehicle interior space, a slave wireless communication device provided at a central portion of the vehicle interior space,
An in-vehicle wireless communication device according to any one of claims 1 to 8. Each of the slave wireless communication devices is set with a priority level indicating the level of urgency of the fail-safe processing,
The control unit includes:
When the radio wave abnormality occurs in a plurality of the slave wireless communication devices, executing the failsafe process corresponding to the slave wireless communication device having the highest priority;
The in-vehicle wireless communication device according to claim 9. An in-vehicle wireless communication device according to any one of claims 1 to 10,
a plurality of the control devices;
At least one of the control devices includes:
When the in-vehicle wireless communication device is unable to operate normally due to the radio wave abnormality, it instructs a control device other than the at least one control device to perform evacuation driving, and also shifts to evacuation driving mode.
In-vehicle wireless communication system. An in-vehicle wireless communication method executed by an in-vehicle wireless communication device including a communication unit that performs wireless communication with a slave wireless communication device connected by wire to a device that is an input/output target of a control device installed in the vehicle, the method comprising:
Monitoring received radio wave power from the slave wireless communication device via the communication unit;
An in-vehicle wireless communication method comprising : determining that the radio wave abnormality is due to a malicious attack when the received radio wave power is outside the legal range, and executing a predetermined fail-safe process.

Images