KR20220129364A - Bus off detection method and electronic control unit performing the same - Google Patents

Abstract

The present invention pertains to a bus off detection method and an electronic control unit performing the same. An electronic control unit for a vehicle, in which multiple electronic control units transmit and receive data using a CAN bus, and which has a base value of a maximum IFS time, which is a maximum time interval between data frames continuously received during normal vehicle operation, comprises: a counter which repeatedly counts from an EOF field of a preceding data frame to an EOF field of a following data frame received on the CAN bus; and a CAN controller, which, in a case that a time calculated from an output value of the counter has a value larger than the maximum IFS time, determines the case as a bus-off state and notifies the CAN bus. The bus off detection method and the electronic control unit performing the same proposed in the present invention can secure the internal network of the vehicle, enabling safe operation.

Description

BUS OFF DETECTION METHOD AND ELECTRONIC CONTROL UNIT PERFORMING THE SAME

The present invention relates to a bus-off detection method and an electronic control apparatus for performing the same, and more particularly, to a method for detecting a bus-off by using IFS for continuously received data frames, and an electronic control apparatus for performing the same.

Most vehicles currently produced control the ECU through CAN, and most functions of the vehicle are performed. And according to the CAN standard, a fault confinement mechanism is defined for error recognition and management of ECUs, and ECUs operate according to the mechanism. For the safety of the CAN bus among the fault confinement mechanisms, the Bus Off mode is defined to logically exclude ECUs with errors or communication failures from the CAN bus.

As more functions and external communication interfaces are added to vehicles for user safety and driving convenience, new attacks and vulnerabilities targeting in-vehicle networks are emerging. In particular, an attack that forcibly turns off the ECU by exploiting the fault confinement mechanism designed for vehicle safety has been announced.

Since the ECU in Bus Off mode cannot transmit/receive any messages over the CAN Bus, if an ECU, which is important for a function, is forcibly switched to Bus Off mode, a big problem may occur to the lives of users and drivers.

Korea Patent Publication No. 10-2014-0047984 (published on April 23, 2014)

An object of the present invention is to provide a method for detecting a bus-off attack by analyzing a time interval between continuously received data frames monitored on a CAN bus, and an electronic control device for performing the same.

The above object of the present invention is to provide an electronic control device for a vehicle in which a plurality of electronic control devices transmit and receive data using a CAN bus and store the maximum IFS time, which is the maximum time interval between data frames continuously generated during normal vehicle operation. A method of detecting bus-off of a CAN bus, comprising: a first step of measuring an inter-frame space (IFS) between adjacent data frames received on a CAN bus; The second step of determining whether the measured IFS time is greater than the maximum IFS time by comparing the maximum IFS time allowed in the vehicle, and the second step of determining whether the measured IFS time is greater than the maximum IFS time If it has, it is determined that Bus Off has occurred and it can be achieved by a bus off detection method including a third step of notifying the CAN bus.

The above object of the present invention is to provide an electronic control device for a vehicle in which a plurality of electronic control devices transmit and receive data using a CAN bus and store the maximum IFS time, which is the maximum time interval between data frames continuously generated during normal vehicle operation. A method of detecting bus-off of a CAN bus, comprising a first step of starting counting from the EOF field of a preceding data frame received on the CAN bus, and a second step of terminating counting at the EOF field of a subsequent data frame received on the CAN bus a third step of repeatedly performing the first and second steps by designating the following data frame of the second step as the preceding frame; the fourth step and the fourth step of calculating the elapsed time from the time the EOF field of the preceding data frame is received from the output value of the counter, and determining whether the calculated time has a value greater than the maximum IFS time If the time calculated as a result of the determination has a value greater than the maximum IFS time, it is determined that Bus Off has occurred and it can also be achieved by a bus off detection method including a fifth step of notifying the CAN bus.

Another object of the present invention is for a vehicle having a maximum IFS time, which is a maximum time interval between data frames continuously received during normal vehicle operation, as a known value, in which a plurality of electronic control devices transmit and receive data using a CAN bus. In the electronic control device,

a counter for repeatedly counting from an EOF field of a preceding data frame received on a CAN bus to an EOF field of a subsequent data frame;

- the subsequent data frame is a data frame that is continuously received after the preceding data frame;

When the time calculated from the output value of the counter has a value greater than the maximum IFS time, it is determined as a bus-off state and can be achieved by an electronic control device comprising a CAN controller that notifies the CAN bus do.

Most vehicles currently produced control the ECU through CAN, and most functions of the vehicle are performed. And according to the CAN standard, a fault confinement mechanism is defined for error recognition and management of ECUs, and ECUs operate according to the mechanism. For the safety of the CAN bus among the fault confinement mechanisms, the Bus Off mode is defined to logically exclude ECUs with errors or communication failures from the CAN bus. Recently, an attack to force ECU to Bus Off by exploiting this fault confinement has been announced. Since the ECU in Bus Off mode cannot transmit/receive any messages on the CAN Bus, if an ECU, which is important for a function, is forcibly switched to Bus Off mode, a big problem may occur to the lives of users and drivers.

According to the bus-off detection method and the electronic control device performing the bus-off detection method presented in the present invention, it is possible to efficiently detect a bus-off attack by measuring the IFS time of continuously received data frames. In addition, the bus-off detection method presented in the present invention and the electronic control device performing the same can ensure the internal network of the vehicle, thereby enabling safe driving.

1 is a plan view of a micro LED display;
2 is an explanatory diagram showing three state diagrams appearing in a node according to the values of TEC and REC in the vehicle.
3 is an explanatory diagram illustrating a data frame transmission method according to the passage of time when an attacker generates Bus Off in the CAN Bus.
4 is a data format of a CAN bus in Standard Format and Extended Format.
5 is a flowchart for detecting a Bus Off attack according to an embodiment of the present invention;
6 is a flowchart for detecting a Bus Off attack according to an embodiment of the present invention;
7 is a block diagram of a CAN bus and a plurality of electronic control devices connected thereto.

The terms used in the present invention are only used to describe specific embodiments, and are not intended to limit the present invention. The singular expression includes the plural expression unless the context clearly dictates otherwise. In the present specification, terms such as “comprise” or “have” are intended to designate that a feature, number, step, operation, component, part, or combination thereof described in the specification exists, but one or more other features It is to be understood that this does not preclude the possibility of the presence or addition of numbers, steps, operations, components, parts, or combinations thereof.

In addition, in this specification, "on or on top of" means to be located above or below the target part, and does not necessarily mean to be located above the direction of gravity. Also, when a part of a region, plate, etc. is said to be "on or on" another part, it means that another part is in contact with or spaced "on or on" another part, as well as another part in between. Including cases where there is

In addition, in this specification, when a component is referred to as "connected" or "connected" with another component, the component may be directly connected or directly connected to the other component, but in particular It should be understood that, unless there is a description to the contrary, it may be connected or connected through another element in the middle.

Also, in this specification, terms such as first, second, etc. may be used to describe various elements, but the elements should not be limited by the terms. The above terms are used only for the purpose of distinguishing one component from another.

A microLED (μLED) display is a display that uses a micro-sized LED as a light source. Compared to existing large-sized LEDs, it has a faster response speed, supports low power and high luminance, and does not break when bent. Due to these advantages, it is known that it can be applied to smart watches, smart textiles, and head-wearing display (HMD) devices that require ultra-light weight. Compared to organic EL, micro LED has a relatively small aperture ratio occupied by the pixel area. Therefore, when an anti-reflection film formed over the entire surface is adopted, the transmittance is significantly lowered and the luminance of the output image is markedly lowered.

1 is a plan view of a micro LED display. As shown in FIG. 1 , the pixel area in which the pixel is formed will be referred to as 'A1', and the non-pixel area will be referred to as 'A2'. The pixel area A1 indicated by a solid line may be formed to designate r, g, and b sub-micro LEDs as one set as shown in FIG. 1(a), and as shown in FIG. 1(b), each It goes without saying that sub-pixels may also be designated. The non-pixel area A2 refers to an area other than the pixel area A1 , and most of the pixel forming circuit unit 11 is included in the non-pixel area A2 .

The present invention proposes an efficient bus-off attack detection method using IFS, which is the interval between data frames, in order to detect such a bus-off attack. Through this, it is possible to secure the safety of the driver and the security of the network inside the vehicle.

IFS is information indicating the time interval between data frames on the CAN bus. For continuous data frames, IFS of at least 3 bit time must exist between data frames. 1 is an explanatory diagram illustrating a data frame transmission method according to the passage of time on a CAN bus in a normal operation state. That is, in order for the ECU to transmit a message frame on the CAN Bus, the next message frame can be transmitted after waiting at least 3 bit time after the data frame already being transmitted to the CAN Bus is transmitted. At 50kbps, which is the bit rate of general CAN communication, 3bit time is 6㎲ (microsecond).

Bus Off attack is an attack that intentionally puts the target ECU into Bus Off state. TEC (Transmit Error Counter) and REC (Receive Error Counter) are defined in each ECU to manage ECU status for errors occurring in CAN communication. In particular, when the TEC is 256 or higher, the corresponding ECU becomes Bus Off, and the ECU in Bus Off state cannot transmit or receive any frame over the CAN Bus.

In order to Bus Off the target ECU, the attacker generates a bit error after the Arbitration field in the data frame transmitted by the target ECU. The target ECU, recognizing the bit error, increments the TEC (Transmit Error Count) by 8 and tries to retransmit the failed data frame. By repeating the same process, the attacker makes the target ECU's TEC to be 256 or higher, and makes the target ECU Bus Off from the CAN Bus.

The CAN controller of every node (ECU) participating in the CAN communication bus network manages two 8-bit registers. A register TEC (Transmission Error Counter) that counts transmission errors and a register REC (Receive Error Counter) that counts receive errors. Two registers are used for the purpose of limiting faults in CAN BUS (Fault Confinement).

Figure 2 shows three state diagrams that appear in a node according to the values of TEC and REC in the vehicle. If an error occurs, the counter is incremented, and if there is no fault, the counter is decremented. When either TEC or REC counter exceeds a certain value, the node transitions to another state mode to control the error.

Clean up the rules for incrementing the counter.

<TEC Counter>

When the sending node sends an error flag: TEC = TEC + 8

On successful transmission: TEC = TEC - 1

<REC counter>

When the receiving node transmits an error flag: REC = REC + 1

When the receiving node transmits the first error flag: REC = REC + 8

On successful transfer: REC = REC - 1

The sending node increments the TEC counter faster than the receiving node increments the REC counter. This is because the sending node sends the message directly, so it is easier to find faults. Depending on the TEC and REC values, the node transitions to one of Error Active, Error Passive, and Bus Off states.

Error Active status is a general communication status, and when an error occurs, an error flag with 6 dominant values ('0') is loaded on the bus.

If the counter value exceeds 127, it transitions to Error Passive state. In this state, transmission is restricted, but message transmission and reception can continue. If no more errors occur in the Error Passive state, it returns to the Error Active state.

If the node in question continues to transmit errors and the counter value exceeds 255, the node is excluded from the network and goes into Bus off state. It removes network coupling by preventing the node from participating in any further communication. Of course, the connection is not physically disconnected even in the Bus Off state. If the application is restarted in Bus Off state (Reset) or the 11-bit recessive value is repeated 128 times, it can return to Error Active state from Bus Off state.

3 is an explanatory diagram for explaining a data frame transmission method according to the passage of time when an attacker generates Bus Off in the CAN Bus. In order for an attacker to Bus Off the target ECU, two conditions must be satisfied. The first is the attack data frame transmission timing. The attacker must transmit the data frame at the same timing as the target ECU transmits the data frame. The second is the content of the attack data frame, which consists of the same arbitration field as the arbitration field of the data frame transmitted by the target ECU. After the arbitration field, the 0 (dominant) bit is used instead of the 1 (recessive) bit of the target data frame. The data frame should be transmitted. In the case of CAN communication, it is difficult to convert the 0 (dominant) bit that should normally be transmitted into 1 (recessive) bit of the data frame. will do

4 shows data formats of CAN bus in Standard Format and Extended Format. The attacker converts the bit value of any one field (generally Data Field) selected from among the Control Field, Data Field, CRC Field and ACK Field transmitted after the Arbitration field shown in FIG. 4 from '1' to '0'. will attack

The description of each field of the data frame in the CAN message format is summarized in Table 1.

SOF (Start Of Frame) Consists of one dominant bit, it indicates the beginning of a message and is used to synchronize all nodes. Arbitration Field
(arbitration field) It consists of an ID having a size of 11 or 29 bits and a Remote Transmission Request (RTR) bit of 1 bit. This area is used to reconcile conflicts between messages that occur when two or more nodes transmit messages at the same time. The value of the RTR bit is used to determine whether it is a data frame ("d") or a remote frame ("r"). Control Field
(control field) It consists of 2-bit IDentifier Extension (IDE) bits and 4-bit Data Length Code (DLC). R0 is a Reserved bit (Extended CAN 2.0B R0, R1). Data Field
(data field) It can use up to 8 bytes and is used to store data (including data transmitted from one node to another). CRC
(Cyclic Redundancy Check) field It consists of a 15-bit CRC sequence generated using the bit string from the SOF to the data field and a CRC delimiter of one ‘r’ bit. This is used to check for errors in the message. ACK (ACKnowledge) field It consists of one bit ACK slot and one ACK delimiter (“d”). When a correct message is received from any node, the ACK slot value is set to 'd' as soon as the ACK field is received, and transmission continues on the bus. End Of Frame (EOF) It consists of 7 'r' bits and is used to indicate the end of the message.

If the attacker transmits the same frame at the time of transmission of the target ECU, the target ECU sends 1 bit at a specific location after the Arbitration field, but 0 bit is monitored to detect a bit error and increase the TEC. Then, it re-attempts data frame transmission, detects an error in the same way, and increases the TEC. The attacker uses this process to induce the target ECU to be in Bus Off state.

A vehicle is equipped with a plurality of electronic control units (ECUs). ECU is a term that refers to devices that electronically control each mechanical or electrical component used in a vehicle. Examples of ECUs include Airbag Control Unit (ACU), Engine Control Unit (ECU), Transmission Control Unit (TCU), Brake Control Unit (BCU), and On-Board-Diagnostic (OBD). From the moment the vehicle is turned on, each ECU periodically transmits its status to other ECUs using the CAN Bus. Therefore, in a normal vehicle state, the maximum IFS time between data frames is determined for each vehicle. It goes without saying that the maximum IFS time for each vehicle can be obtained through simple measurement, whether or not provided by the manufacturer.

In the present invention, IFS generated between data frames is used to detect such a bus-off attack. In the case of Bus Off attack, IFS between message frames is lengthened due to continuous error induced by attacker and retransmission of data frame of target ECU. Therefore, under normal circumstances, if an IFS time longer than the monitored maximum IFS time is monitored between data frames, it is possible to detect that a Bus Off attack has been performed on the CAN Bus. When a Bus Off attack occurs, an IFS longer than normal is monitored by continuous error occurrence and data frame retransmission.

5 is a flowchart for detecting a Bus Off attack according to an embodiment of the present invention. Monitoring for FIG. 5 is at least one electronic control selected from Airbag Control Unit (ACU), Engine Control Unit (ECU), Transmission Control Unit (TCU), Brake Control Unit (BCU), On-Board-Diagnostic (OBD), etc. It can be performed in the ECU (ECU), as well as by adding a separate electronic control device for monitoring for detecting the Bus Off state, and it can also be performed through this.

When the vehicle ignition is turned on, the electronic control device to which the monitoring function of the present invention is added resets the counter to start counting and performs CAN bus monitoring (ST610). When a message frame is received through monitoring, it is checked whether the message frame is a data frame by decoding the message frame (ST620). If it is determined as a data frame as a result of ST620 determination, end of frame (EOF) is detected, the counter is reset again, counting is started anew (ST630), and then steps ST610 ~ ST630 are repeated infinitely by performing again from step ST610.

In the process of infinitely repeating steps ST610 to ST630, it is checked whether an event in which the measured counter value exceeds the counter value corresponding to the maximum IFS occurs (ST650). When an event corresponding to ST650 occurs, it detects that a Bus Off attack has been applied to any one node, notifies it (ST660), and then terminates.

5 is a flowchart for detecting a Bus Off attack according to an embodiment of the present invention. Monitoring for FIG. 5 is at least one electronic control selected from Airbag Control Unit (ACU), Engine Control Unit (ECU), Transmission Control Unit (TCU), Brake Control Unit (BCU), On-Board-Diagnostic (OBD), etc. It can be performed in the ECU (ECU), as well as by adding a separate electronic control device for monitoring for detecting the Bus Off state, and it can also be performed through this.

When the vehicle ignition is turned on, the electronic control device to which the monitoring function of the present invention is added resets the counter and starts counting. Thereafter, CAN bus monitoring is performed (ST610). When a message frame is received through monitoring, it is checked whether the message frame is a data frame by decoding the message frame (ST620). Messages on CAN Bus include data frame, remote frame, error frame, and overload frame. In the present invention, the Bus Off state is detected using only the interval between data frames, regardless of the interval of other frame types. If it is determined that ST620 is not a data frame, the frame is discarded and step ST610 is performed again. If it is determined as a data frame as a result of ST620 determination, end of frame (EOF) is detected, the counter is reset again, counting is started anew (ST630), and then again from step ST610, and steps ST610 to ST630 are repeated infinitely.

In the process of infinitely repeating steps ST610 to ST630, it is checked whether an event in which the measured counter value exceeds the counter value corresponding to the maximum IFS occurs (ST650). When an event corresponding to ST650 occurs, it detects that a Bus Off attack has been applied to any one node, notifies it (ST660), and then terminates.

6 is a flowchart for detecting a Bus Off attack according to an embodiment of the present invention. When the vehicle ignition is turned on, the electronic control device to which the monitoring function of the present invention is added resets the counter and starts counting. Thereafter, CAN bus monitoring is performed (ST710). When a message frame is received through monitoring, it is checked whether the message frame is a data frame by decoding the message frame (ST720). If it is not a data frame as a result of ST720 determination, the frame is discarded and step ST710 is performed again. If it is determined as a data frame as a result of ST720 determination, an end of frame (EOF) is detected and IFS is measured (ST730). Thereafter, it is determined whether the measured IFS has a value greater than the maximum IFS (ST740), and if the ST740 determination result is true, it is determined that a Bus Off attack has been applied to any one node, and after notifying it (ST760), it ends . If the ST740 determination result is false, the counter is reset and counting starts anew (ST7500), and then starts again from step ST710.

In step ST730, an IFS time (measured IFS time), which is a time taken from the normally received previous data frame until a new normal data frame is received again, is calculated. This is to measure the IFS from the previous normal data frame transmitted on the CAN Bus until the next new normal data frame is transmitted (this is called measurement IFS).

As a follow-up measure, it is determined that the node has entered the Bus Off state by the Bus Off attack. Of course, if the node enters the Bus Off state, the application of the node can be restarted (Soft Reset).

A specific embodiment will be set and a method of detecting a Bus Off situation according to FIG. 6 which is one of the embodiments of the present invention will be described in more detail. It is assumed that the function of detecting Bus off according to the present invention is implemented in the Transmission Control Unit (TCU), and on the CAN Bus, as shown in FIG. 3 , 'ID A (normal)', 'ID B (normal)', It is assumed that 'ID C (abnormal)' data frames are sequentially transmitted. Here, it is assumed that 'ID A', 'ID B', and 'ID C' are all data frames and are generated by electronic control devices other than the TCU.

When the vehicle ignition is switched on, the TCU monitors all data frames on the CAN Bus. The TCU checks whether the received message frame is a data frame, and receives and decodes only the data frame.

After receiving the first 'ID A (normal)', the TCU starts counting by using the time at which the end of frame (EOF) of the corresponding 'ID A' is received as a trigger signal. When 'ID B' is received again, the EOF (End of Frame) of the 'ID B' is checked, counting is terminated, and the counting value (measured IFS) is compared with the maximum IFS. In this case, the actual comparison is performed by converting the counting value into time to obtain the measured IFS time, and comparing the obtained measured IFS time with the maximum IFS time.

In this case, as the 'measured IFS time > maximum IFS time' is not satisfied, the counter is reset and a new counting starts using the newly inputted EOF (End of Field) of 'ID B' as a trigger signal. will do After the 'ID B' data frame, 'ID C' without an EOF field will be input, but since it does not have an EOF, counting continues while all consecutively input abnormal 'ID C' are received. The node sending the abnormal 'ID C' recognizes that there is an error in the data frame and sends an 'error frame' on the CAN bus whenever an error occurs, so the TCU checks the error frame and checks the 'ID C' just received. It can be confirmed that is abnormal.

Afterwards, when a normal 'ID B' is input again, the EOF (End of Frame) of the 'ID B' is checked, counting is terminated, and the counting value (measured IFS) is compared with the maximum IFS time. In this case, 'measured IFS time > maximum IFS time' will be satisfied, so the Bus Off attack is identified, notified and terminated.

5 is a block diagram of a CAN bus and a plurality of electronic control devices connected thereto. 5, an Airbag Control Unit (ACU), an Engine Control Unit (ECU), a Transmission Control Unit (TCU), and a Brake Control Unit (BCU) are connected to the CAN Bus. Each electronic control device is provided with a DSP (Digital Signal Processor) or microcontroller (μC) having a CAN controller, and a CAN transceiver. A digital signal processor (DSP) or microcontroller (μC) has a counter that measures the time interval between consecutively received data frames, and the CAN controller uses the counter value to notify the bus off state. of course there is

In the above, preferred embodiments of the present invention have been described and illustrated using specific terms, but such terms are only for clearly describing the present invention, and the embodiments and described terms of the present invention are the spirit and scope of the following claims. It is obvious that various changes and changes can be made without departing from it. Such modified embodiments should not be separately understood from the spirit and scope of the present invention, but should be considered to fall within the scope of the claims of the present invention.

ID A, ID B, ID C: data frame
IFS: Inter-Frame Space

Claims (9)

A plurality of electronic control devices transmit/receive data using the CAN bus and store the maximum IFS time, which is the maximum time interval between data frames continuously generated during normal vehicle operation. As a method of detecting,
A first step of measuring a time interval (IFS, Inter-Frame Space) between adjacent data frames received on a CAN bus;
A second step of determining whether the measured IFS time is greater than the maximum IFS time by comparing the IFS time measured in the first step with the maximum IFS time allowed in the vehicle;
and a third step of determining that Bus Off has occurred and notifying the CAN bus when the measured IFS time has a greater value than the maximum IFS time as a result of the determination in the second step.
According to claim 1,
The maximum IFS time further comprises a 0th step of measuring the vehicle in a state in which Bus Off does not occur and storing it in advance,
The 0th step is a bus off detection method, characterized in that it is performed before the 2nd step.
3. The method of claim 1 or 2,
The first to third steps are performed in any one electronic control device among a plurality of electronic control devices,
Any one of the electronic control devices is an airbag control unit, an engine control unit, a transmission control unit, a brake control unit, and an on-board diagnostic device. -Diagnostic) bus off detection method, characterized in that selected from.
A plurality of electronic control devices transmit/receive data using the CAN bus and store the maximum IFS time, which is the maximum time interval between data frames continuously generated during normal vehicle operation. As a method of detecting,
A first step of starting counting from the EOF field of the preceding data frame received on the CAN bus;
a second step of terminating counting in the EOF field of a subsequent data frame received on the CAN bus;
- the subsequent data frame is a data frame that is received successively after the preceding data frame;
a third step of repeatedly performing the first step and the second step by designating the data frame following the second step as a preceding frame;
a fourth step of calculating a time elapsed from the time the EOF field of the preceding data frame is received from the output value of the counter, and determining whether the calculated time has a value greater than the maximum IFS time; and
and a fifth step of determining that Bus Off has occurred and notifying the CAN bus when the calculated time as a result of the determination of the fourth step has a value greater than the maximum IFS time.
5. The method of claim 4,
The maximum IFS time further comprises a 0th step of measuring the vehicle in a state in which Bus Off does not occur and storing it in advance,
The 0th step is a bus off detection method, characterized in that it is performed before the 4th step.
6. The method according to claim 4 or 5,
The first to fifth steps are performed in any one electronic control device among a plurality of electronic control devices,
Any one of the electronic control devices is an airbag control unit, an engine control unit, a transmission control unit, a brake control unit, and an on-board diagnostic device. -Diagnostic) bus off detection method, characterized in that selected from.
In the electronic control device for a vehicle, the plurality of electronic control devices transmit and receive data using a CAN bus, and the maximum IFS time, which is the maximum time interval between data frames continuously received during normal vehicle operation, is a known value, the electronic control device for a vehicle comprising:
a counter for repeatedly counting from an EOF field of a preceding data frame received on a CAN bus to an EOF field of a subsequent data frame;
- the subsequent data frame is a data frame that is continuously received after the preceding data frame;
and a CAN controller for determining a bus-off state and notifying the CAN bus when the time calculated from the output value of the counter has a value greater than the maximum IFS time.
8. The method of claim 7,
The electronic control device, characterized in that the maximum IFS time is measured and stored in advance in a state in which Bus Off does not occur in the vehicle.
9. The method of claim 8,
The electronic control device includes an airbag control unit, an engine control unit, a transmission control unit, a brake control unit, and an on-board diagnostic device. Electronic control device, characterized in that any one selected from.

Images