WO2015045507A1 - Vehicular control device - Google Patents


Info

Publication number
WO2015045507A1
Authority
WO
WIPO (PCT)
Prior art keywords
software
access authority
unit
operation mode
switching
Application number
PCT/JP2014/065838
Other languages
French (fr)
Japanese (ja)
Inventor
統宙 月舘
成沢 文雄
祐 石郷岡
朋仁 蛯名
昌義 川津
Original Assignee
日立オートモティブシステムズ株式会社
Application filed by 日立オートモティブシステムズ株式会社
Publication of WO2015045507A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules

Definitions

  • the present invention relates to a vehicle control device.
  • because a car manufacturer prepares a dedicated ECU for each distributed function, a plurality of ECUs coexist in one vehicle control system.
  • with a standardized software architecture for the vehicle control device, it is easy to construct a vehicle control system by combining ECUs with different specifications.
  • modularization is performed in units of functions that depend on the microcomputer, algorithms for sensor and actuator control processing, and setting parameters. Therefore, even if the microcomputer is changed, only the affected module needs to be modified, without modifying other modules.
  • functional safety mechanisms have been introduced into vehicle control systems in conjunction with the electronic control of safety devices in vehicle control equipment.
  • functional safety is an idea of ensuring safety by causing the system to transition to the safe side when a problem occurs in the system.
  • ASIL: Automotive Safety Integrity Level
  • the functional safety standard ISO 26262 requires that interference between software having different safety requirements be prevented. Specifically, QM software with a low safety level must be prevented from running out of control, accessing memory that stores software with a high safety level such as ASIL D, and destroying its data. Therefore, in order to comply with the functional safety standard ISO 26262 in a general vehicle control system, a mechanism for preventing interference between software is required.
  • Patent Document 1 proposes switching an operation mode between a user mode and a kernel mode when executing a task having a different safety level.
  • an object of the present invention is to provide a vehicle control device that can ensure safety while suppressing a processing load even when a plurality of software having different safety levels are operated.
  • the present invention comprises a storage unit, a software control unit that controls the operation of a plurality of software stored in the storage unit, an operation mode switching unit that switches the operation mode of the software control unit between a privileged mode and a non-privileged mode, and an access authority switching unit that switches the access authority of each software to the storage unit.
  • FIG. 1 is a configuration diagram of a vehicle control apparatus according to an embodiment of the present invention.
  • the engine control unit ECU1 includes an arithmetic unit (CPU) 11, a memory 12 as a storage unit, an input / output circuit 13, a CAN controller 14, a throttle sensor 15, and a pedal sensor 16.
  • the arithmetic unit (CPU) 11 includes a CPU core 111 and a memory protection unit (MPU) 112.
  • the CPU core 111 is a processor (Central Processing Unit) that executes a plurality of software (sometimes referred to as “programs” in this embodiment) stored in the memory 12.
  • the arithmetic unit (CPU) 11 has operation modes called privileged mode and non-privileged mode, and the two operation modes can be switched by interrupt processing. Note that although one CPU core 111 is shown here, there may be a plurality of CPU cores 111.
  • the memory protection device (MPU) 112 is a device that mainly manages access authority to the memory 12, and includes an access authority violation monitoring unit that monitors software access authority. To manage access authority is to set access authority in an arbitrary area in the address space of the memory 12, and to validate or invalidate the setting. Further, the access to the memory 12 is monitored, and if there is an abnormality (that is, violation), the processing of the CPU core 111 is invalidated or stopped so that the processing result is not reflected. Equivalent functions can also be configured using hardware such as circuit devices.
  • the memory protection device (MPU) 112 includes a storage area setting unit that divides the memory 12 and sets a plurality of storage areas. A memory protection area described later is an area set by the storage area setting unit.
  • the memory 12 has a program area 121 and a data storage area 122.
  • the program area 121 stores a software control unit 1211, an access authority switching unit 1212, an operation mode switching unit 1213, and an MPU setting unit 1214.
  • the data storage area 122 stores a memory access authority management table 1220010 described later with reference to FIG. 2, a memory protection area access authority management table 1220020 described with reference to FIG. 3, a memory protection area active state management table 1220030 described with reference to FIG. 4, the table size management table 1220080 described with reference to FIG. 10, the previous operation mode flag management table 1220090 described with reference to FIG. 11, and the interrupt processing save data management table 1220100 described with reference to FIG. 12.
  • the configuration of the engine control ECU 1 is an ECU architecture compatible with the functional safety standard ISO 26262, but the configuration is not limited thereto.
  • the table stored in the data storage area 122 of the engine control device 1 will be described below.
  • FIG. 2 is a diagram showing an example of the memory access authority management table 1220010.
  • the memory access authority management table 1220010 is a table for managing setting information of the default access authority for the memory 12 managed by the MPU, and includes a head address field 1220011, a tail address field 1220012, a privileged mode write field 1220013, a privileged mode execution field 1220014, a privileged mode read field 1220015, a non-privileged mode write field 1220016, a non-privileged mode execution field 1220017, and a non-privileged mode read field 1220018.
  • the memory access authority management table 1220010 is used to manage the setting information of the default access authority for the memory 12, but the present invention is not limited to this.
  • the start address field 1220011 holds a start address indicating a memory managed by the memory protection unit (MPU) 112.
  • the tail address field 1220012 holds an address indicating the tail of the memory managed by the memory protection unit (MPU) 112.
  • the privileged mode write field 1220013 holds a value for determining whether the arithmetic unit (CPU) 11 can write to an area (hereinafter referred to as a memory protection area) designated by a head address and a tail address in the privileged mode.
  • a value of 0 or 1 is held, and when 0, writing is impossible, and when 1, writing is possible.
  • the privileged mode execution field 1220014 holds a value for determining whether the processing unit (CPU) 11 can execute processing for the memory protection area in the privileged mode.
  • the privileged mode read field 1220015 holds a value for determining whether the arithmetic unit (CPU) 11 can read from the memory protection area in the privileged mode.
  • a value of 0 or 1 is held, and when 0, reading is impossible, and when 1, reading is possible.
  • the non-privileged mode write field 1220016 holds a value for determining whether the arithmetic unit (CPU) 11 can write to the memory protection area in the non-privileged mode.
  • a value of 0 or 1 is held, and when 0, writing is impossible, and when 1, writing is possible.
  • the non-privileged mode execution field 1220017 holds a value for determining whether the processing unit (CPU) 11 can execute processing for the memory protection area in the non-privileged mode. Here, a value of 0 or 1 is held. If 0, the process cannot be executed. If 1, the process can be executed.
  • the non-privileged mode read field 1220018 holds a value for determining whether or not the arithmetic unit (CPU) 11 can read the memory protection area in the non-privileged mode. Here, a value of 0 or 1 is held. If 0, reading is impossible. If 1, reading is possible.
  • in this example the default access authority of the memory 12 permits writing, execution, and reading in the privileged mode but not in the non-privileged mode. This is not a limitation; for example, writing, execution, and reading may be permitted in both the privileged mode and the non-privileged mode.
  • FIG. 3 is a diagram showing an example of the memory protection area access authority management table 1220020.
  • the memory protection area access authority setting management table 1220020 is a table for managing access authority setting information for the memory 12 managed by the MPU.
  • it consists of a memory protection area number field 1220021, a head address field 1220022, a tail address field 1220023, a privileged mode write field 1220024, a privileged mode execution field 1220025, a privileged mode read field 1220026, a non-privileged mode write field 1220027, a non-privileged mode execution field 1220028, and a non-privileged mode read field 1220029.
  • the memory protection area access authority management table 1220020 is used to manage access authority setting information for the memory 12, but the present invention is not limited to this.
  • the memory protection area access authority management table 1220020 has a plurality of memory protection areas 1 to 4, and the access authority switching unit sets a different access authority for each memory protection area. Further, although the memory protection areas 2 and 3 are actually the same area, the access authority switching unit sets different access authorities for the memory protection areas 2 and 3 according to the safety level of the software.
  • the memory protection area number field 1220021 holds the area number of the memory protection area managed by the memory protection unit (MPU) 112. Here, a total of four areas can be set as memory protection areas, but this is not a limitation.
  • the start address field 1220022 holds a start address indicating a memory protection area managed by the memory protection unit (MPU) 112.
  • the tail address field 1220023 holds an address indicating the tail of the memory protection area managed by the memory protection unit (MPU) 112.
  • the privileged mode write field 1220024 holds a value for determining whether or not the arithmetic unit (CPU) 11 can write to the memory protection area in the privileged mode. Here, a value of 0 or 1 is held, and when 0, writing is impossible, and when 1, writing is possible.
  • Privileged mode execution field 1220025 holds a value for determining whether the processing unit (CPU) 11 can execute processing for the area specified by the head address and the tail address in the privileged mode. Here, a value of 0 or 1 is held. If 0, the process cannot be executed. If 1, the process can be executed.
  • the privileged mode read field 1220026 holds a value for determining whether the arithmetic unit (CPU) 11 can read data from the memory area in the privileged mode. Here, a value of 0 or 1 is held, and when 0, reading is impossible, and when 1, reading is possible.
  • the non-privileged mode write field 1220027 holds a value for determining whether the arithmetic unit (CPU) 11 can write to the memory protection area in the non-privileged mode. Here, a value of 0 or 1 is held, and when 0, writing is impossible, and when 1, writing is possible.
  • the non-privileged mode execution field 1220028 holds a value for determining whether the processing unit (CPU) 11 can execute processing for the memory protection area in the non-privileged mode.
  • the non-privileged mode read field 1220029 holds a value for determining whether or not the arithmetic unit (CPU) 11 can read the memory protection area in the non-privileged mode. Here, a value of 0 or 1 is held. If 0, reading is impossible. If 1, reading is possible.
  • the access authority for any part of the memory 12 whose range is not specified by a head address 1220022 and a tail address 1220023 is the default access authority set in the memory access authority management table 1220010.
  • FIG. 4 is a diagram showing an example of the memory protection area active state management table 1220030.
  • the memory protection area activation state management table 1220030 is a table for managing whether the access authority set in the memory protection area by the memory protection unit (MPU) 112 is valid or invalid.
  • the memory protection area number field 1220031 holds the area number of the memory protection area managed by the memory protection unit (MPU) 112.
  • the memory protection area is four areas, but the number of areas is not limited to this.
  • the active state field 1220032 holds the value of the active state of the memory protection area managed by the memory protection unit (MPU) 112.
  • a value of 0 or 1 is held; in the case of 0, the access authority setting of the corresponding memory protection area is invalid, and in the case of 1, the access authority setting of the corresponding memory protection area is valid.
  • while the setting of a memory protection area is invalid, the access authority applied to the corresponding memory area is the default access authority in the memory access authority management table 1220010.
  • FIG. 5 is a diagram showing an example of the memory protection area activation pattern management table 1220040.
  • the memory protection area activation pattern management table 1220040 is a memory protection area activation state setting pattern set in the activation state field 1220032 of the memory protection area activation state management table 1220030.
  • it consists of a memory protection area number field 1220041, an activation pattern 1 field 1220042, and an activation pattern 2 field 1220043.
  • the access authority switching unit manages a plurality of access authority patterns set for each of a plurality of memory protection areas as an activation pattern 1 and an activation pattern 2. By switching patterns, individual access authorities for a plurality of memory protection areas are switched at once.
  • the memory protection area number field 1220041 holds the area number of the memory protection area managed by the memory protection unit (MPU) 112.
  • the memory protection area is four areas, but the number of areas is not limited to this.
  • the active pattern 1 field 1220042 is one of the setting patterns of the active state of the memory protection area set in the active state field 1220032 of the memory protection area active state management table 1220030. Although the active state is set for all the memory areas here, the active state may be set only for a part of the memory areas.
  • the active pattern 2 field 1220043 is one of the setting patterns of the active state of the memory protection area set in the active state field 1220032 of the memory protection area active state management table 1220030. Although the active state is set for all the memory areas here, the active state may be set only for a part of the memory areas.
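As an added illustration (this is not code from the patent), the following C sketch models the tables of FIG. 2 to FIG. 5 and resolves an access request the way the MPU's violation monitoring would: an address inside an active memory protection area takes that area's authority, and an address in no active area falls back to the default authority of table 1220010. The area contents and the two activation patterns are constructed sample values; as in the text, areas 2 and 3 cover the same address range with different non-privileged authority.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Operation modes of the arithmetic unit (CPU) 11, same encoding as the operation mode flag (FIG. 6). */
typedef enum { MODE_PRIVILEGED = 0, MODE_NON_PRIVILEGED = 1 } cpu_mode_t;
/* Column order of the write / execute / read fields of FIG. 2 and FIG. 3. */
typedef enum { OP_WRITE = 0, OP_EXEC = 1, OP_READ = 2 } access_op_t;

typedef struct {
    uint32_t head;        /* head address field */
    uint32_t tail;        /* tail address field (inclusive) */
    uint8_t perm[2][3];   /* perm[mode][op]: 0 = not permitted, 1 = permitted */
} region_t;

/* Memory access authority management table 1220010 (default authority): privileged
   write/execute/read permitted, non-privileged nothing, as in the embodiment. */
static const region_t default_authority = { 0x00000000u, 0xFFFFFFFFu, { {1, 1, 1}, {0, 0, 0} } };

#define NUM_AREAS 4

/* Memory protection area access authority management table 1220020 (constructed sample).
   Areas 2 and 3 cover the same range but grant different non-privileged authority. */
static const region_t area_table[NUM_AREAS] = {
    { 0x1000u, 0x1FFFu, { {1, 1, 1}, {1, 1, 1} } },  /* area 1: non-privileged write/exec/read */
    { 0x2000u, 0x2FFFu, { {1, 0, 1}, {1, 0, 1} } },  /* area 2: shared data, non-privileged read+write */
    { 0x2000u, 0x2FFFu, { {1, 0, 1}, {0, 0, 1} } },  /* area 3: same range, non-privileged read-only */
    { 0x3000u, 0x3FFFu, { {1, 0, 1}, {1, 0, 1} } },  /* area 4: non-privileged read+write */
};

/* Memory protection area activation pattern management table 1220040 (constructed values).
   The areas activated together by one pattern never overlap each other. */
static const uint8_t activation_pattern[2][NUM_AREAS] = {
    { 0, 0, 1, 1 },  /* activation pattern 1: areas 3 and 4 active */
    { 1, 1, 0, 0 },  /* activation pattern 2: areas 1 and 2 active */
};

/* Memory protection area active state management table 1220030 (all settings invalid at start). */
static uint8_t active_state[NUM_AREAS];

/* S1212005 / S1212008: copy the chosen activation pattern into the active state table, area by area. */
void apply_activation_pattern(int pattern_no) {
    for (int j = 0; j < NUM_AREAS; j++)
        active_state[j] = activation_pattern[pattern_no - 1][j];
}

/* The check the MPU's violation monitoring makes on every access: an address inside an
   active protection area takes that area's authority; otherwise the default authority of
   table 1220010 applies. Returns true when the access is permitted, false on a violation. */
bool access_permitted(cpu_mode_t mode, access_op_t op, uint32_t addr) {
    for (int j = 0; j < NUM_AREAS; j++) {
        if (active_state[j] && addr >= area_table[j].head && addr <= area_table[j].tail)
            return area_table[j].perm[mode][op] == 1;
    }
    return default_authority.perm[mode][op] == 1;
}

int main(void) {
    static const char *const op_name[3] = { "write", "exec", "read" };
    for (int p = 1; p <= 2; p++) {
        apply_activation_pattern(p);
        printf("activation pattern %d, non-privileged mode:\n", p);
        /* 0x4000 lies in no area at all, so it always falls back to the default authority */
        for (uint32_t addr = 0x1000u; addr <= 0x4000u; addr += 0x1000u)
            for (int op = OP_WRITE; op <= OP_READ; op++)
                printf("  %#07x %-5s %s\n", (unsigned)addr, op_name[op],
                       access_permitted(MODE_NON_PRIVILEGED, (access_op_t)op, addr) ? "ok" : "VIOLATION");
    }
    return 0;
}
```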
  • FIG. 6 is a diagram showing an example of the operation mode management table 1220050.
  • the operation mode management table 1220050 is a table for managing the operation mode of the arithmetic unit (CPU) 11 and includes an operation mode flag field 1220051.
  • the operation mode flag field 1220051 holds a value indicating the operation mode of the arithmetic unit (CPU) 11.
  • a value of 0 or 1 is held, and when 0 is held, the operation mode of the arithmetic unit (CPU) 11 indicates a privileged mode, and when 1 is held, a non-privileged mode is indicated.
  • each software is also classified by operation mode, separately from the classification based on the general safety level (ASIL, QM).
  • each software is divided into privileged mode operation software (ASILOS) that operates in the privileged mode, and non-privileged mode operation software (ASIL applications 1 to 2, QM applications 1 to 3) that operates in the non-privileged mode. Further, the non-privileged mode operation software is divided into a plurality of stages according to the safety level. In FIG. 7, the non-privileged mode operation software is divided into ASIL applications 1 and 2 having a relatively high safety level and QM applications 1 to 3 having a relatively low safety level.
  • by devising the software classification in this way, the range of software that operates in the non-privileged mode is expanded to include part of the ASIL safety level software that would normally be assumed to operate in the privileged mode.
  • the operation mode switching unit switches the operation mode.
  • the access authority switching unit switches the access authority according to the security level of the software.
  • FIG. 8 is a diagram showing an example of the program switching ID management table 1220060.
  • the program switching ID management table 1220060 is a table for managing IDs assigned to realize partitioning between software in the programs executed by the arithmetic unit (CPU) 11. It consists of a program No. field 1220061, a program name field 1220062, a safety level field 1220063, an operation mode field 1220064, and a program switching ID field 1220065.
  • the program No. field 1220061 holds a number assigned to software executed in the engine control ECU 1.
  • the program name field 1220062 is a name of software executed in the engine control ECU 1.
  • the safety level field 1220063 is a safety level assigned to software executed in the engine control ECU 1.
  • the safety level is broadly classified into ASIL and QM, and the safety level for software assigned ASIL is higher than software assigned QM.
  • the safety level is set based on the magnitude of the effect on the system when an abnormality occurs in the software.
  • software with a high safety level means software for whose operation a high level of safety is required.
  • the operation mode field 1220064 indicates the operation mode of the arithmetic unit (CPU) 11 that is obtained when the corresponding program is executed.
  • the operation in the privileged mode is assigned to the OS and some applications, and the other applications operate in the non-privileged mode.
  • the program switching ID field 1220065 holds the program switching ID of the corresponding program.
  • the program switching ID is uniquely determined by the combination of the safety level and the execution operation mode: 1 is assigned to a program whose safety level is ASIL and whose execution operation mode is the privileged mode, 2 to a program whose safety level is ASIL and whose execution operation mode is the non-privileged mode, and 3 to a program whose safety level is QM and whose execution operation mode is the non-privileged mode. The setting of the program switching ID is not limited to this.
  • FIG. 9 is a diagram showing an example of the previous program switching ID management table 1220070.
  • the previous program switching ID management table 1220070 includes a previous program switching ID field 1220071.
  • the previous program switching ID field 1220071 holds the value of the program switching ID of the program that was operated last time.
  • FIG. 10 is a diagram showing an example of the table size management table 1220080.
  • the table size management table 1220080 includes a name field 1220081, a total number field 1220082, a program number field 1220083, and a memory protection area number field 1220084.
  • the name field 1220081 is a name of a target managed by the table size management table 1220080.
  • the total number field 1220082 represents the total number of objects managed by the table size management table 1220080.
  • the program number field 1220083 indicates the maximum number of program IDs managed by the program switching ID management table 1220060.
  • the memory protection area number field 1220084 indicates the maximum number of memory protection area numbers managed by the memory protection area access authority management table 1220020.
  • FIG. 11 is a diagram showing an example of the previous operation mode flag management table 1220090.
  • the previous operation mode flag management table 1220090 is a table for managing a value indicating the operation mode of the arithmetic unit (CPU) 11 of the previously executed program, and includes a previous operation mode flag field 1220091.
  • the previous operation mode flag field 1220091 holds a value indicating the operation mode of the arithmetic unit (CPU) 11 of the previously executed program.
  • a value of 0 or 1 is held; when 0 is held, the operation mode of the arithmetic unit (CPU) 11 when the previous program was executed was the privileged mode, and when 1 is held, it was the non-privileged mode.
  • FIG. 12 is a diagram showing an example of the interrupt processing save data management table 1220100.
  • the interrupt processing save data management table 1220100 is a table for managing data saved during interrupt processing by the OS, and includes an operation mode field 1220101 and a program counter field 1220102.
  • the operation mode field 1220101 holds a value indicating the operation mode of the arithmetic unit (CPU) 11 immediately before the OS interrupt process.
  • a value of 0 or 1 is held, and when 0 is held, the operation mode of the arithmetic unit (CPU) 11 indicates a privileged mode, and when 1 is held, a non-privileged mode is indicated.
  • the program counter field 1220102 holds the address in the memory that the arithmetic unit (CPU) 11 was executing immediately before the OS interrupt process.
  • the above tables are stored in the data storage area 122 of the engine control ECU 1 of the first embodiment.
  • FIG. 13 is an operation flow of the software control unit 1211. Hereinafter, each step of FIG. 13 will be described.
  • the software control unit 1211 substitutes 0 for i (S1211000).
  • the software control unit 1211 adds 1 to i (S1211001).
  • the software control unit 1211 determines whether i exceeds the total number of programs managed by the table size management table 1220080 (S1211002). If i exceeds the total number of programs, the process ends. If not, the process proceeds to S1211003.
  • the software control unit 1211 calls the MPU setting unit 1215 described later with reference to FIG. 14 (S1211003).
  • the software control unit 1211 executes the program whose program No. in the program switching ID management table 1220060 is i, and the process returns to step S1211001 (S1211004).
  • FIG. 14 is an operation flow of the MPU setting unit 1215.
  • the MPU setting unit 1215 reads the entry whose program No. equals i from the program switching ID management table 1220060 and acquires its program switching ID (S1215000).
  • the MPU setting unit 1215 acquires the previous program switching ID from the previous program switching ID management table 1220070 (S1215001).
  • the MPU setting unit 1215 compares the acquired program switching ID with the previous program switching ID (S1215002). If both values are equal, the process proceeds to step 1215006, and if different, the process proceeds to step 1215003.
  • the MPU setting unit 1215 checks whether either the acquired program switching ID or the previous program switching ID is 1 (S1215003). If so, the process proceeds to S1215004; otherwise, the process proceeds to S1215005.
  • the MPU setting unit 1215 calls an operation mode switching unit 1213 shown in FIG. 15 described later, and switches the operation mode of the arithmetic unit (CPU) (S1215004).
  • the MPU setting unit 1215 calls an access authority switching unit 1212 shown in FIG. 16 described later, which changes the active state of the memory protection areas and thereby switches the access authority to the memory 12 (S1215005).
  • the MPU setting unit 1215 updates the previous program ID in the previous program switching ID management table 1220070 with the current program ID (S1215006), and ends the process.
  • FIG. 15 is an operation flow of the operation mode switching unit 1213.
  • the operation mode switching unit 1213 acquires the operation mode flag of the arithmetic unit (CPU) 11 from the operation mode flag management table 1220050 (S1213000).
  • the operation mode switching unit 1213 performs OS interrupt processing, and saves the current program counter and operation mode flag in the interrupt processing save data management table 1220100 (S1213001).
  • the operation mode switching unit 1213 acquires an operation mode flag from the interrupt processing saved data management table 1220100 (S1213002).
  • the operation mode switching unit 1213 inverts the value of the acquired operation mode flag and updates the operation mode flag in the interrupt processing save data management table 1220100 with the inverted value (S1213003).
  • the operation mode switching unit 1213 ends the interrupt processing by the OS, acquires the saved operation mode flag and program counter from the interrupt processing save data management table 1220100 (S1213004), updates the program counter and the operation mode flag, and ends the process.
  • FIG. 16 is an operation flow of the access authority switching unit 1212. Hereinafter, each step of FIG. 16 will be described.
  • the access authority switching unit 1212 reads the entry whose program No. equals i from the program switching ID management table 1220060 and acquires its program switching ID (S1212000).
  • the access authority switching unit 1212 acquires the previous program switching ID from the previous program switching ID management table 1220070 (S1212001).
  • the access authority switching unit 1212 substitutes 0 for j (S1212002).
  • the access authority switching unit 1212 compares the combination of the acquired program switching ID and the previous program switching ID (S1212003). If the combination is (1, 3) or (3, 1), the process proceeds to step S1212004. Otherwise, the process proceeds to step S1212007.
  • the access authority switching unit 1212 adds 1 to j (S1212004).
  • the access authority switching unit 1212 sets the active state of the memory protection area number j in the memory protection area activation state management table 1220030 to the value of activation pattern 2 for memory protection area number j in the memory protection area activation pattern management table 1220040 (S1212005).
  • the access authority switching unit 1212 compares j with the number of memory protection areas in the table size management table 1220080 (S1212006); if j is smaller than the number of memory protection areas, the process returns to step S1212004, and otherwise proceeds to step S1212010.
  • in the case of No in S1212003, the access authority switching unit 1212 adds 1 to j (S1212007).
  • the access authority switching unit 1212 sets the active state of the memory protection area number j in the memory protection area activation state management table 1220030 to the value of activation pattern 1 for memory protection area number j in the memory protection area activation pattern management table 1220040 (S1212008).
  • the access authority switching unit 1212 compares j with the number of memory protection areas in the table size management table 1220080 (S1212009); if j is smaller than the number of memory protection areas, the process returns to step S1212007, and otherwise proceeds to step S1212010.
  • the access authority switching unit 1212 updates the previous program switching ID in the previous program switching ID management table 1220070 with the value of the acquired program switching ID (S1212010).
  • the software control unit 1211 first operates program No. 1, the software “QM application 1” of the safety level QM that operates in the non-privileged mode. During the execution of “QM application 1”, the software control unit 1211 reads program No. 2, and the software “ASIL application 1” of the safety level ASIL that operates in the non-privileged mode is to be operated. At this time, since “QM application 1” and “ASIL application 1” have the same operation mode (the non-privileged mode), operation mode switching by the operation mode switching unit is unnecessary, but since the safety levels differ, the access authority switching unit switches the access authority.
  • conventionally, when the software to be operated is changed from “QM application 1” to “ASIL application 1”, the operation mode must be switched by the operation mode switching unit.
  • in this embodiment the operation mode switching process, which has a large processing load (overhead), is not required, and the access authority switching process is sufficient. Therefore, the change from “QM application 1” to “ASIL application 1” is faster.
  • the software control unit 1211 reads program No. 3, and the software “ASILOS” of the safety level ASIL that operates in the privileged mode is to be operated. At this time, since the operation mode differs between “ASIL application 1” and “ASILOS”, the operation mode switching unit switches the operation mode. Here, operation mode switching processing with a large processing load occurs.
  • the software control unit 1211 reads program No. 4, and the software “QM application 2” of the safety level QM that operates in the non-privileged mode is to be operated. At this time, since “ASILOS” and “QM application 2” have different operation modes, the operation mode switching unit switches the operation mode. Here again, the operation mode switching process with a large processing load occurs.
  • the software control unit 1211 reads program No. 5, and the software “ASIL application 2” of the safety level ASIL that operates in the non-privileged mode is to be operated. Conventionally, it is necessary to switch the operation mode by the operation mode switching unit. In this embodiment, however, it is not necessary to switch the operation mode, and the access authority switching unit switches the access authority.
  • the software control unit 1211 reads program No. 6, and the software “QM application 3” of the safety level QM that operates in the non-privileged mode is to be operated. Conventionally, it is necessary to switch the operation mode by the operation mode switching unit. In this embodiment, the operation mode switching is unnecessary, and the access authority switching unit switches the access authority.
  • in the above sequence of software to be operated, the operation mode switching, which was conventionally required four times, is performed only twice in the present embodiment.
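As an added example (not the patent's own code), the following C sketch implements the program switching ID assignment of FIG. 8, the switching decision of FIG. 14 (S1215002/S1215003) and the activation pattern choice of FIG. 16 (S1212003), then replays the six-program sequence described above and counts operation mode switches against the conventional scheme, in which every ASIL program runs in the privileged mode. The program table is constructed from the sequence in the text; the conventional baseline is modelled as a mode switch at every change of safety level.

```c
#include <stdio.h>

typedef enum { LEVEL_QM = 0, LEVEL_ASIL = 1 } safety_level_t;
typedef enum { MODE_PRIVILEGED = 0, MODE_NON_PRIVILEGED = 1 } cpu_mode_t;

/* One row of the program switching ID management table 1220060 (program switching ID derived below). */
typedef struct {
    int program_no;
    const char *name;
    safety_level_t level;
    cpu_mode_t mode;
} program_t;

/* Program switching ID: 1 = ASIL/privileged, 2 = ASIL/non-privileged, 3 = QM/non-privileged.
   QM software runs only in the non-privileged mode in this classification; 0 marks an undefined combination. */
int program_switching_id(safety_level_t level, cpu_mode_t mode) {
    if (level == LEVEL_ASIL) return mode == MODE_PRIVILEGED ? 1 : 2;
    return mode == MODE_NON_PRIVILEGED ? 3 : 0;
}

typedef enum { SWITCH_NONE, SWITCH_OPERATION_MODE, SWITCH_ACCESS_AUTHORITY } switch_kind_t;

/* FIG. 14: equal IDs need nothing (S1215002); an ID of 1 on either side means the
   privileged/non-privileged boundary is crossed, so the operation mode is switched (S1215004);
   otherwise both programs stay non-privileged and only the access authority is switched (S1215005). */
switch_kind_t decide_switch(int prev_id, int cur_id) {
    if (prev_id == cur_id) return SWITCH_NONE;
    if (prev_id == 1 || cur_id == 1) return SWITCH_OPERATION_MODE;
    return SWITCH_ACCESS_AUTHORITY;
}

/* FIG. 16, S1212003: activation pattern 2 for the (1, 3) / (3, 1) combination, pattern 1 otherwise. */
int select_activation_pattern(int prev_id, int cur_id) {
    if ((prev_id == 1 && cur_id == 3) || (prev_id == 3 && cur_id == 1)) return 2;
    return 1;
}

/* Conventional baseline assumed here: ASIL software runs privileged, QM software non-privileged. */
cpu_mode_t conventional_mode(safety_level_t level) {
    return level == LEVEL_ASIL ? MODE_PRIVILEGED : MODE_NON_PRIVILEGED;
}

/* Constructed program table, in the order of the sequence described in the text. */
static const program_t programs[] = {
    { 1, "QM application 1",   LEVEL_QM,   MODE_NON_PRIVILEGED },
    { 2, "ASIL application 1", LEVEL_ASIL, MODE_NON_PRIVILEGED },
    { 3, "ASILOS",             LEVEL_ASIL, MODE_PRIVILEGED     },
    { 4, "QM application 2",   LEVEL_QM,   MODE_NON_PRIVILEGED },
    { 5, "ASIL application 2", LEVEL_ASIL, MODE_NON_PRIVILEGED },
    { 6, "QM application 3",   LEVEL_QM,   MODE_NON_PRIVILEGED },
};
#define NUM_PROGRAMS (sizeof programs / sizeof programs[0])

/* Walk the sequence as the software control unit (FIG. 13) does, starting with program 1 running,
   and count operation mode switches under this embodiment. */
int count_mode_switches_embodiment(void) {
    int count = 0;
    int prev_id = program_switching_id(programs[0].level, programs[0].mode);
    for (size_t i = 1; i < NUM_PROGRAMS; i++) {
        int cur_id = program_switching_id(programs[i].level, programs[i].mode);
        if (decide_switch(prev_id, cur_id) == SWITCH_OPERATION_MODE) count++;
        prev_id = cur_id;   /* S1215006: update the previous program switching ID */
    }
    return count;
}

/* Same sequence under the conventional baseline: a mode switch at every change of safety level. */
int count_mode_switches_conventional(void) {
    int count = 0;
    for (size_t i = 1; i < NUM_PROGRAMS; i++)
        if (conventional_mode(programs[i - 1].level) != conventional_mode(programs[i].level)) count++;
    return count;
}

int main(void) {
    int prev_id = program_switching_id(programs[0].level, programs[0].mode);
    for (size_t i = 1; i < NUM_PROGRAMS; i++) {
        int cur_id = program_switching_id(programs[i].level, programs[i].mode);
        static const char *const kind[] = { "none", "operation mode switch", "access authority switch" };
        printf("%s -> %s: ID %d -> %d, %s, activation pattern %d\n", programs[i - 1].name, programs[i].name,
               prev_id, cur_id, kind[decide_switch(prev_id, cur_id)], select_activation_pattern(prev_id, cur_id));
        prev_id = cur_id;
    }
    printf("mode switches: embodiment %d, conventional %d\n",
           count_mode_switches_embodiment(), count_mode_switches_conventional());
    return 0;
}
```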
  • the software used for vehicle control is more secure with a lower degree of safety than one with a higher degree of safety. Therefore, by adopting memory protection by switching access authority between softwares with a relatively low degree of safety, it is possible to narrow down the objects that require operation mode switching to software with a relatively high degree of safety. That is, it is possible to increase the safety level that requires operation mode switching. Therefore, as a whole, the number of operation mode switching can be reduced.
  • the present embodiment even when a plurality of pieces of software having different safety levels are operated, safety can be ensured while suppressing the processing load. That is, by flexibly controlling the active state of the memory protection area managed by the memory protection device 112, it is possible to realize memory protection between software of different safety levels in the operation mode of the same arithmetic unit (CPU) 11. . In addition, by utilizing the switching of the operation mode of the arithmetic unit (CPU) 11 and the setting of the active state of the memory protection area managed by the memory protection device 112, it is possible to switch the memory access authority at a low speed with less OS interrupt frequency. can do.
  • When a violation of access authority is detected, the vehicle control device may notify the driver accordingly.
  • As an example, a vehicle control system in which a plurality of vehicle control devices, including a vehicle control device for the user interface, are connected via an in-vehicle network is described.
  • In that system the abnormality information is transmitted to the user interface vehicle control device, and the user interface vehicle control device that receives it issues a command for a warning to the driver.
  • A backup memory for storing access abnormality information may be provided in the vehicle control device, and when a software access violates its authority, the information is stored in the backup memory.
  • An analysis tool is connected to the vehicle control device via the in-vehicle network and transmits a message requesting the memory access abnormality information; the vehicle control device that receives this message transmits the memory access abnormality information to the analysis tool, so that the information can be extracted.
  • In the example above, the only software that can operate in the privileged mode is ASILOS, and the non-privileged mode operation software is divided into a plurality of stages according to safety level.
  • The privileged mode operation software may likewise be divided into a plurality of stages according to safety level.
  • In either case the access authority switching unit switches the access authority according to the safety level of the software.
  • In another example, the ASIL OS and the ASIL-C application are privileged mode operation software, and the ASIL-B application, the ASIL-A application and the QM application are non-privileged mode operation software.


Abstract

The purpose of the present invention is to provide a vehicular control device capable of ensuring safety while suppressing process load even when a plurality of software with different safety levels are operated. The present invention is characterized by being provided with: a storage unit; a software control unit that controls operation of a plurality of software stored in the storage unit; an operation mode switch unit that switches operation mode of the software control unit between a privilege mode and a non-privilege mode; and an access right switch unit that switches access right of each software with respect to the storage unit.

Description

Vehicle control device
The present invention relates to a vehicle control device.
Many recent vehicle control systems consist of ECUs, that is, electronic control units (Electronic Control Unit) that operate electronic vehicle control equipment, and an in-vehicle LAN (Local Area Network) that enables communication among the plurality of ECUs.
With the reduction of environmental load and the growth of safety requirements, vehicle control systems are becoming more functional, more distributed and more complex. As a result, standardization of the ECU software architecture, electronic control of safety devices, and the mechanisms for ensuring their safety are becoming more important.
For example, because a car manufacturer prepares a dedicated ECU for each distributed function, a plurality of ECUs coexist in one vehicle control system. Introducing a standardized software architecture for the vehicle control device makes it easy to build a vehicle control system from ECUs of different specifications. In the AUTOSAR architecture, modularization is carried out per microcontroller-dependent function, per control algorithm for sensors and actuators, and per set of configuration parameters, so even if the microcontroller is changed, only the affected module needs to be modified and the other modules are left untouched.
Functional safety mechanisms have also been introduced into vehicle control systems along with the electronic control of the safety devices in vehicle control equipment. Functional safety here is the concept of ensuring safety by having the system transition to the safe side when a fault occurs in it. For example, the automotive functional safety standard ISO 26262 defines the ASIL (Automotive Safety Integrity Level) as its safety integrity level.
A typical vehicle control system is composed of a variety of control applications in order to contain cost and optimize performance, so software of various safety levels is mixed together. ISO 26262 requires that interference between software with different safety requirements be prevented; concretely, that QM software of a low safety level which runs out of control is prevented from accessing the memory that holds software of a high safety level such as ASIL D and destroying its data. A typical vehicle control system therefore needs a mechanism that prevents interference between software in order to comply with ISO 26262.
As an example of such a mechanism, Patent Document 1 proposes switching the operation mode between a user mode and a kernel mode when tasks of different safety levels are executed.
Patent Document 1: JP 2012-247978 A
In this prior art, however, switching the operation mode in order to execute a task of a different safety level involves interrupt processing with a heavy load. Even though safety can be ensured, the overhead therefore increases.
An object of the present invention is therefore to provide a vehicle control device that can ensure safety while suppressing the processing load even when a plurality of software with different safety levels is operated.
The present invention is characterized by comprising a storage unit; a software control unit that controls the operation of a plurality of software stored in the storage unit; an operation mode switching unit that switches the operation mode of the software control unit between a privileged mode and a non-privileged mode; and an access authority switching unit that switches the access authority of each software with respect to the storage unit.
According to the present invention, safety can be ensured while suppressing the processing load even when a plurality of software with different safety levels is operated.
FIG. 1 is a configuration diagram of a vehicle control device according to an embodiment of the present invention.
FIG. 2 shows an example of the memory protection area access authority setting management table of the vehicle control device.
FIG. 3 shows an example of the memory protection area access authority management table of the vehicle control device.
FIG. 4 shows an example of the memory protection area active state management table of the vehicle control device.
FIG. 5 shows an example of the memory protection area active pattern management table of the vehicle control device.
FIG. 6 shows an example of the operation mode management table of the vehicle control device.
FIG. 7 shows an example of the safety levels and operation modes of the software running on the vehicle control device.
FIG. 8 shows an example of the program switching ID management table of the vehicle control device.
FIG. 9 shows an example of the previous program ID management table of the vehicle control device.
FIG. 10 shows an example of the table size management table of the vehicle control device.
FIG. 11 shows an example of the previous operation mode flag management table of the vehicle control device.
FIG. 12 shows an example of the interrupt processing save data management table of the vehicle control device.
FIG. 13 shows an example of the software control unit of the vehicle control device.
FIG. 14 shows an example of the operation flow of the MPU setting unit of the vehicle control device.
FIG. 15 shows an example of the operation flow of the operation mode switching unit of the vehicle control device.
FIG. 16 shows an example of the operation flow of the access authority switching unit of the vehicle control device.
FIG. 17 shows another example of the safety levels and operation modes of the software running on the vehicle control device.
FIG. 1 is a configuration diagram of a vehicle control device according to an embodiment of the present invention. In the following, the vehicle control device is described on the basis of ECU 1, a device that controls an engine. The engine control unit ECU 1 comprises an arithmetic unit (CPU) 11, a memory 12 as the storage unit, an input/output circuit 13, a CAN controller 14, a throttle sensor 15 and a pedal sensor 16.
The arithmetic unit (CPU) 11 consists of a CPU core 111 and a memory protection unit (MPU) 112. The CPU core 111 is a processor (Central Processing Unit) that executes the plurality of software (sometimes called "programs" in this embodiment) stored in the memory 12. The arithmetic unit (CPU) 11 has operation modes called the privileged mode and the non-privileged mode, and the two operation modes can be switched by interrupt processing. One CPU core 111 is shown, but the number of CPU cores 111 may be plural.
The memory protection unit (MPU) 112 is a device that mainly manages the access authority to the memory 12, and includes an access authority violation monitoring unit that monitors the access authority of software. Managing access authority means setting an access authority on an arbitrary region of the address space of the memory 12 and enabling or disabling that setting. The MPU further monitors accesses to the memory 12 and, if an access is abnormal (that is, a violation), invalidates or aborts the processing of the CPU core 111 so that the result of that processing is not reflected. Equivalent functions can also be built from hardware such as circuit devices. The memory protection unit (MPU) 112 also includes a storage area setting unit that divides the memory 12 into a plurality of storage areas; the memory protection areas described later are areas set by this storage area setting unit.
The memory 12 has a program area 121 and a data storage area 122. The program area 121 stores the software control unit 1211, the access authority switching unit 1212, the operation mode switching unit 1213 and the MPU setting unit 1214. The data storage area 122 stores the memory access authority management table 1220010 described with FIG. 2, the memory protection area access authority management table 1220020 described with FIG. 3, the memory protection area active state management table 1220030 described with FIG. 4, the memory protection area active pattern management table 1220040 described with FIG. 5, the operation mode management table 1220050 described with FIG. 6, the program switching ID management table 1220060 described with FIG. 8, the previous program ID management table 1220070 described with FIG. 9, the table size management table 1220080 described with FIG. 10, the previous operation mode flag management table 1220090 described with FIG. 11 and the interrupt processing save data management table 12200100 described with FIG. 12.
In this embodiment the engine control ECU 1 has an ECU architecture compliant with the functional safety standard ISO 26262, but the configuration is not limited to this. For example, a non-volatile memory (backup RAM) for storing data, a water temperature sensor and the like may be provided.
The tables stored in the data storage area 122 of the engine control device 1 are described below.
FIG. 2 shows an example of the memory access authority management table 1220010. This table manages the default access authority settings for the memory 12 under the control of the MPU, and consists of a start address field 1220011, an end address field 1220012, a privileged mode write field 1220013, a privileged mode execute field 1220014, a privileged mode read field 1220015, a non-privileged mode write field 1220016, a non-privileged mode execute field 1220017 and a non-privileged mode read field 1220018. For convenience of explanation this embodiment uses the memory access authority management table 1220010 to manage the default access authority settings for the memory 12, but this is not a limitation.
The start address field 1220011 holds the start address of the memory managed by the memory protection unit (MPU) 112, and the end address field 1220012 holds the address of its end. The privileged mode write field 1220013, privileged mode execute field 1220014 and privileged mode read field 1220015 hold the values by which it is decided whether the arithmetic unit (CPU) 11, while in the privileged mode, may write to, execute from or read the region designated by the start and end addresses (hereafter, the memory protection area); the non-privileged mode write field 1220016, non-privileged mode execute field 1220017 and non-privileged mode read field 1220018 hold the corresponding values for the non-privileged mode. Each of these fields holds 0 or 1, where 0 denies and 1 permits the access in question. Here the default access authority for the memory 12 permits writing, execution and reading in the privileged mode and denies writing, execution and reading in the non-privileged mode, but this is not a limitation; for example, writing, execution and reading could be permitted in both the privileged and the non-privileged mode.
FIG. 3 shows an example of the memory protection area access authority management table 1220020. This table manages the access authority settings for the memory 12 under the control of the MPU, and consists of a memory protection area number field 1220021, a start address field 1220022, an end address field 1220023, a privileged mode write field 1220024, a privileged mode execute field 1220025, a privileged mode read field 1220026, a non-privileged mode write field 1220027, a non-privileged mode execute field 1220028 and a non-privileged mode read field 1220029. For convenience of explanation this embodiment uses the memory protection area access authority management table 1220020 to manage the access authority settings for the memory 12, but this is not a limitation.
The memory protection area access authority management table 1220020 has a plurality of memory protection areas 1 to 4, and the access authority switching unit sets a different access authority for each memory protection area. Memory protection areas 2 and 3 are in fact the same region, but the access authority switching unit sets different access authorities on memory protection areas 2 and 3 according to the safety level of the software.
The memory protection area number field 1220021 holds the area number of the memory protection area managed by the memory protection unit (MPU) 112. Here a total of four memory protection areas can be set, but this is not a limitation. The start address field 1220022 holds the start address of the memory protection area managed by the memory protection unit (MPU) 112, and the end address field 1220023 holds the address of its end. The privileged mode write field 1220024, privileged mode execute field 1220025 and privileged mode read field 1220026 hold the values by which it is decided whether the arithmetic unit (CPU) 11, while in the privileged mode, may write to, execute from or read the region designated by the start and end addresses; the non-privileged mode write field 1220027, non-privileged mode execute field 1220028 and non-privileged mode read field 1220029 hold the corresponding values for the non-privileged mode. Each of these fields holds 0 or 1, where 0 denies and 1 permits the access in question. Any part of the memory 12 that lies outside the ranges designated by the start addresses 1220022 and end addresses 1220023 is given the default access authority set in the memory access authority management table 1220010.
FIG. 4 shows an example of the memory protection area active state management table 1220030. This table manages whether the access authority that the memory protection unit (MPU) 112 has set on each memory protection area is enabled or disabled, and consists of a memory protection area number field 1220031 and an active state field 1220032.
The memory protection area number field 1220031 holds the area number of the memory protection area managed by the memory protection unit (MPU) 112. Four memory protection areas are used here, but the number of areas is not limited to this.
The active state field 1220032 holds the active state of the memory protection area managed by the memory protection unit (MPU) 112 as 0 or 1: 0 means that the access authority set on that memory area is disabled, and 1 means that it is enabled. While the active state is 0, the access authority that applies to that memory area is the default access authority in the memory access authority management table 1220010.
FIG. 5 shows an example of the memory protection area active pattern management table 1220040. This table holds the setting patterns for the active state of the memory protection areas that are written into the active state field 1220032 of the memory protection area active state management table 1220030, and consists of a memory protection area number field 1220041, an active pattern 1 field 1220042 and an active pattern 2 field 1220043.
As the memory protection area active pattern management table 1220040 of FIG. 5 shows, the access authority switching unit manages a plurality of patterns of the access authority set for each of the plurality of memory protection areas, as active pattern 1 and active pattern 2, and by switching between these patterns it switches the individual access authorities of the plurality of memory protection areas all at once.
The memory protection area number field 1220041 holds the area number of the memory protection area managed by the memory protection unit (MPU) 112. Four memory protection areas are used here, but the number of areas is not limited to this.
The active pattern 1 field 1220042 and the active pattern 2 field 1220043 each hold one setting pattern for the active state of the memory protection areas that is written into the active state field 1220032 of the memory protection area active state management table 1220030. Here each pattern sets the active state for all memory areas, but a pattern may set the active state for only some of the memory areas.
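As an added example that is not part of the patent, the tables of FIG. 2 to FIG. 5 and the check performed by the access authority violation monitoring unit can be modelled in C as follows. The address ranges, the roles assigned to the four areas and the contents of the two activation patterns are assumptions chosen for illustration; only the table structure, the 0/1 encoding of the permission and active state fields, the overlap of areas 2 and 3, and the fall-back to the default authority of FIG. 2 follow the description.

```c
/* Added example, not from the patent: C model of the MPU tables of FIG. 2-5.
 * Address ranges, area roles and pattern contents are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum mode { PRIV = 0, NONPRIV = 1 };      /* FIG. 6 encoding: 0 privileged, 1 non-privileged */
enum op   { OP_WRITE = 0, OP_EXEC = 1, OP_READ = 2 };

/* Six permission fields of a FIG. 2 / FIG. 3 row, indexed [mode][op]; 0 denies, 1 permits. */
struct perm { uint8_t allow[2][3]; };

struct area {                             /* one FIG. 3 row */
    uint32_t start, end;                  /* inclusive start/end address (assumed) */
    struct perm perm;
};

#define NAREAS 4

/* FIG. 2: default authority. Privileged: write/exec/read permitted; non-privileged: all denied. */
static const struct perm default_perm = { { {1, 1, 1}, {0, 0, 0} } };

/* FIG. 3: four areas. Areas 2 and 3 cover the same range with different
 * non-privileged authority, as the description states. Layout assumed. */
static const struct area areas[NAREAS] = {
    { 0x0000, 0x0FFF, { { {1, 1, 1}, {0, 0, 0} } } },  /* area 1: OS region, privileged only   */
    { 0x1000, 0x1FFF, { { {1, 1, 1}, {1, 0, 1} } } },  /* area 2: shared RAM, ASIL apps: R/W   */
    { 0x1000, 0x1FFF, { { {1, 1, 1}, {0, 0, 1} } } },  /* area 3: same RAM, QM apps: read-only */
    { 0x2000, 0x2FFF, { { {1, 1, 1}, {0, 1, 1} } } },  /* area 4: application code, exec/read  */
};

/* FIG. 5: active pattern 1 and 2 (index 0 and 1); FIG. 4: the active state in force. */
static const uint8_t patterns[2][NAREAS] = {
    { 1, 1, 0, 1 },   /* active pattern 1: area 2 enabled, area 3 disabled (ASIL application view) */
    { 1, 0, 1, 1 },   /* active pattern 2: area 2 disabled, area 3 enabled (QM application view)   */
};
static uint8_t active_state[NAREAS];      /* active state field 1220032 of each area */

/* Access authority switching unit: selecting a pattern switches every area at once. */
bool apply_pattern(int pattern_no)
{
    if (pattern_no < 1 || pattern_no > 2)
        return false;
    memcpy(active_state, patterns[pattern_no - 1], sizeof active_state);
    return true;
}

/* Access authority violation monitoring unit: true if the access is permitted.
 * A disabled area, or memory outside every area, falls back to the FIG. 2 default. */
bool mpu_check(uint32_t addr, enum mode m, enum op o)
{
    for (int i = 0; i < NAREAS; i++) {
        if (active_state[i] && addr >= areas[i].start && addr <= areas[i].end)
            return areas[i].perm.allow[m][o] != 0;
    }
    return default_perm.allow[m][o] != 0;
}

int main(void)
{
    apply_pattern(1);
    printf("pattern 1, non-privileged write to 0x1800: %s\n",
           mpu_check(0x1800, NONPRIV, OP_WRITE) ? "permitted" : "violation");
    apply_pattern(2);
    printf("pattern 2, non-privileged write to 0x1800: %s\n",
           mpu_check(0x1800, NONPRIV, OP_WRITE) ? "permitted" : "violation");
    return 0;
}
```

Switching from active pattern 1 to active pattern 2 disables area 2 and enables area 3, so the same RAM range changes from writable to read-only for non-privileged software without leaving the non-privileged mode and without an interrupt; a write attempted under pattern 2 is exactly the access the violation monitoring unit rejects. Because the check walks the areas in order, a configuration must never leave two overlapping areas enabled at the same time, which the two patterns above guarantee.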
FIG. 6 shows an example of the operation mode management table 1220050. This table manages the operation mode of the arithmetic unit (CPU) 11 and consists of an operation mode flag field 1220051.
The operation mode flag field 1220051 holds a value indicating the operation mode of the arithmetic unit (CPU) 11: it holds 0 or 1, where 0 indicates that the arithmetic unit (CPU) 11 is in the privileged mode and 1 that it is in the non-privileged mode.
In this embodiment, each piece of software is classified by operation mode, separately from the general classification by safety level (ASIL, QM). This is explained with FIG. 7. Specifically, the software is divided into privileged mode operation software (ASILOS), which can run in the privileged mode, and non-privileged mode operation software (ASIL applications 1 to 2, QM applications 1 to 3), which can run in the non-privileged mode. The non-privileged mode operation software is further divided into a plurality of stages according to safety level; in FIG. 7 it is divided into ASIL applications 1 to 2, of relatively high safety level, and QM applications 1 to 3, of relatively low safety level.
Viewed from the classification by safety level, the software of the same ASIL (ASILOS and ASIL applications 1 to 2) is further divided into a plurality of stages according to its safety level, and the software with the relatively lower safety level (ASIL applications 1 to 2) is placed in the same class of non-privileged mode operation software as the QM applications.
In effect, the software is divided into three stages, high, medium and low, according to safety level.
The classification of the software in this embodiment is thus devised so that the range of software run in the non-privileged mode is extended to include part of the software of safety level ASIL that would normally be expected to run in the privileged mode.
When the software control unit switches the software being run between privileged mode operation software and non-privileged mode operation software, the operation mode switching unit switches the operation mode. When the software control unit switches between software that runs in the same operation mode, on the other hand, the access authority switching unit switches the access authority according to the safety level of the software.
FIG. 8 shows an example of the program switching ID management table 1220060. The program switching ID management table 1220060 manages the IDs assigned to realize partitioning between pieces of software in the programs executed by the arithmetic unit (CPU) 11, and consists of a program No. field 1220061, a program name field 1220062, a safety level field 1220063, an operation mode field 1220064, and a program switching ID field 1220065.
The program No. field 1220061 is the number assigned to each piece of software executed in the engine control ECU 1.
The program name field 1220062 is the name of the software executed in the engine control ECU 1.
The safety level field 1220063 is the safety level assigned to the software executed in the engine control ECU 1. Safety levels are broadly divided into ASIL and QM; software assigned ASIL has a higher safety level than software assigned QM.
The safety level is set based on the magnitude of the effect on the system if an abnormality occurs in the software; software with a high safety level is software for which a high degree of safety is required during operation.
The operation mode field 1220064 indicates the operation mode of the arithmetic unit (CPU) 11 required when the corresponding program is executed. Here, operation in privileged mode is assigned to the OS and some applications, and the other applications run in non-privileged mode.
The program switching ID field 1220065 holds the program switching ID of the previously run program. The program switching ID is uniquely determined by the combination of ASIL level and execution operation mode. Here, 1 is assigned to a program whose ASIL level is ASIL and whose execution operation mode is privileged mode, 2 to a program whose ASIL level is ASIL and whose execution operation mode is non-privileged mode, and 3 to a program whose ASIL level is QM and whose execution operation mode is non-privileged mode, but the assignment of program switching IDs is not limited to this.
FIG. 9 shows an example of the previous program switching ID management table 1220070. The previous program switching ID management table 1220070 consists of a previous program switching ID field 1220071.
The previous program switching ID field 1220071 holds the program switching ID of the previously run program.
FIG. 10 shows an example of the table size management table 1220080. The table size management table 1220080 consists of a name field 1220081, a total number field 1220082, a program count field 1220083, and a memory protection area count field 1220084.
The name field 1220081 is the name of the item managed by the table size management table 1220080.
The total number field 1220082 is the total number of the items managed by the table size management table 1220080.
The program count field 1220083 indicates the maximum number of program IDs managed by the program switching ID management table 1220060.
The memory protection area count field 1220084 indicates the maximum number of memory protection area numbers managed by the memory protection area access authority management table 1220020.
FIG. 11 shows an example of the previous operation mode flag management table 1220090. The previous operation mode flag management table 1220090 manages a value indicating the operation mode of the arithmetic unit (CPU) 11 for the previously executed program, and consists of a previous operation mode flag field 1220091.
The previous operation mode flag field 1220091 holds a value indicating the operation mode of the arithmetic unit (CPU) 11 for the previously executed program. It holds 0 or 1: 0 indicates that the arithmetic unit (CPU) 11 was in privileged mode when the previous program ran, and 1 indicates non-privileged mode.
FIG. 12 shows an example of the interrupt processing save data management table 1220100. The interrupt processing save data management table 1220100 manages the data saved during interrupt processing by the OS, and consists of an operation mode field 1220101 and a program counter field 1220102.
The operation mode field 1220101 holds a value indicating the operation mode of the arithmetic unit (CPU) 11 immediately before the OS interrupt processing. It holds 0 or 1: 0 indicates that the arithmetic unit (CPU) 11 was in privileged mode, and 1 indicates non-privileged mode.
The program counter field 1220102 is the memory address that the arithmetic unit (CPU) 11 was executing immediately before the OS interrupt processing.
The tables above are stored in the storage area 122 of the engine control ECU 1 of Embodiment 1.
The operation flow of the programs stored in the program area 121 of the engine control ECU 1 is described next.
FIG. 13 is the operation flow of the software control unit 1211. Each step of FIG. 13 is described below. The diagnosis setting information transmission execution unit 1211 substitutes 0 for i (S1211000). The diagnosis setting information confirmation data generation unit 1211 adds 1 to i (S1211001). The software control unit 1211 determines whether i exceeds the total program count managed by the table size management table 1220080 (S1211002). If i exceeds the total program count, the process ends; otherwise it proceeds to S1211003. The software control unit 1211 calls the MPU setting unit 1215 described later with reference to FIG. 11 (S1211003). This changes the operation mode of the arithmetic unit (CPU) 11 according to the program to be executed and changes the active state of the memory protection areas allocated in the memory 12, thereby realizing memory protection. The software control unit 1211 executes the program whose program No. corresponds to i in the program switching ID management table 1220060 and proceeds to step 1211001 (S1211004).
FIG. 14 is the operation flow of the MPU setting unit 1215. Each step of FIG. 14 is described below. The MPU setting unit 1215 acquires from the program switching ID management table 1220060 the program switching ID of the program whose program No. equals i (S1215000). The MPU setting unit 1215 acquires the previous program switching ID from the previous program switching ID management table 1220070 (S1215001). The MPU setting unit 1215 compares the acquired program switching ID with the previous program switching ID (S1215002); if the two values are equal it proceeds to step 1215006, otherwise to step 1215003. If either the acquired program switching ID or the previous program execution ID is 1, the MPU setting unit 1215 proceeds to S1215004; otherwise it proceeds to S1215005 (S1215003). The MPU setting unit 1215 calls the operation mode switching unit 1213 of FIG. 15, described later, and switches the operation mode of the arithmetic unit (CPU) (S1215004). The MPU setting unit 1215 calls the access authority switching unit 1212 of FIG. 13, described later, changes the active state of the memory areas, and switches the access authority to the memory 12 (S1215005). The MPU setting unit 1215 updates the previous program ID in the previous program switching ID management table 1220070 with the current program ID (S1215006) and ends the process.
FIG. 15 is the operation flow of the operation mode switching unit 1213. Each step of FIG. 15 is described below. The operation mode switching unit 1213 acquires the operation mode flag of the arithmetic unit (CPU) 11 from the operation mode flag management table 1220050 (S1213000). The operation mode switching unit 1213 performs OS interrupt processing and saves the current program counter and operation mode flag in the interrupt processing save data management table 1220100 (S1213001). The operation mode switching unit 1213 acquires the operation mode flag from the interrupt processing save data management table 1220100 (S1213002). The operation mode switching unit 1213 inverts the acquired operation mode flag value and updates the operation mode flag in the interrupt processing save data management table 1220100 with the inverted value (S1213003). The operation mode switching unit 1213 ends the OS interrupt processing, acquires the saved operation mode flag and program counter from the interrupt processing save data management table 1220100 (S1213004), updates the program counter and the operation mode flag, and ends the process.
FIG. 16 is the operation flow of the access authority switching unit 1212. Each step of FIG. 16 is described below. The access authority switching unit 1212 acquires from the program switching ID management table 1220060 the program switching ID of the program whose program No. corresponds to i (S1212000). The access authority switching unit 1212 acquires the previous program switching ID from the previous program switching ID management table 1220070 (S1212001). The access authority switching unit 1212 substitutes 0 for j (S1212002). The access authority switching unit 1212 compares the combination of the acquired program ID and the previous program ID (S1212003); if the combination is (1, 3) or (3, 1) it proceeds to step 1212004, otherwise to step 1212007. In the Yes case of S1212003, the access authority switching unit 1212 adds 1 to j (S1212004). The access authority switching unit 1212 sets the active state of the memory protection area whose number equals j in the memory protection area active state management table 1220030 to the value of active pattern 2 for the memory protection area whose number equals j in the memory protection area active pattern management table 1220040 (S1212005). The access authority switching unit 1212 compares the memory protection area count in the table size management table 1220080 with j (S1212006); if the memory area count is smaller than j it proceeds to step 1212006, and if larger, to step 12120010. In the No case of S1212003, the access authority switching unit 1212 adds 1 to j (S1212007). The access authority switching unit 1212 sets the active state of the memory protection area whose number equals j in the memory protection area active state management table 1220030 to the value of active pattern 1 for the memory protection area whose number equals j in the memory protection area active pattern management table 1220040 (S1212008). The access authority switching unit 1212 compares the memory protection area count in the table size management table 1220080 with j (S1212009); if the memory area count is smaller than j it proceeds to step 1212006, and if larger, to step 12120010. The access authority switching unit 1212 updates the previous program switching ID in the previous program switching ID management table 1220070 with the acquired program switching ID (S1212010).
Next, the operation performed by the vehicle control device of this embodiment is described with reference to FIG. 8.
First, the software control unit 1211 is running, as program No. 1, the software "QM application 1" with safety level QM, which runs in non-privileged mode. While QM application 1 is running, the software control unit 1211 attempts to run, as program No. 2, the software "ASIL application 1" with safety level ASIL, which runs in non-privileged mode. Since "QM application 1" and "ASIL application 1" both run in the same non-privileged mode, no operation mode switch by the operation mode switching unit is needed, but because their safety levels differ, their access authorities differ, so the access authority switching unit switches the access authority. In a method that switches the operation mode based on the safety level (that is, on whether the safety level is ASIL or QM), an operation mode switch by the operation mode switching unit would be required at the point where the running software changes from "QM application 1" to "ASIL application 1". In this embodiment, however, the operation mode switching process, which has a large processing load (overhead), is not needed and the access authority switching process suffices, so the change of software from "QM application 1" to "ASIL application 1" is faster.
Next, the software control unit 1211 attempts to run, as program No. 3, the software "ASILOS" with safety level ASIL, which runs in non-privileged mode. Since the operation modes of "ASIL application 1" and "ASILOS" differ, the operation mode switching unit switches the operation mode. Here the operation mode switching process with its large processing load occurs.
Next, the software control unit 1211 attempts to run, as program No. 4, the software "QM application 2" with safety level QM, which runs in non-privileged mode. Since the operation modes of "ASILOS" and "QM application 2" differ, the operation mode switching unit switches the operation mode. Here again the operation mode switching process with its large processing load occurs.
Next, the software control unit 1211 attempts to run, as program No. 5, the software "ASIL application 2" with safety level ASIL, which runs in non-privileged mode. Conventionally, an operation mode switch by the operation mode switching unit would have been required, but in this embodiment no operation mode switch is needed and the access authority switching unit switches the access authority.
Next, the software control unit 1211 attempts to run, as program No. 6, the software "QM application 3" with safety level QM, which runs in non-privileged mode. In a method that switches the operation mode based on the safety level, an operation mode switch by the operation mode switching unit would be required, but in this embodiment no operation mode switch is needed and the access authority switching unit switches the access authority.
Thus, in the above example where the running software is changed in sequence from program No. 1 to No. 6, the operation mode switching that was conventionally required four times is required only twice in this embodiment. According to this embodiment, therefore, the overall load (overhead) of vehicle control, which proceeds while the running software is changed in sequence, can be reduced.
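As an added example (not code from the patent or from its applicant), the following C program models the decision made by the MPU setting unit of FIG. 14, the pattern-based access authority switch of FIG. 16 (claim 8) and the program No. 1 to 6 sequence of FIG. 8 above, and counts how many operation mode switches each scheme needs. The table contents, the number of memory protection areas, the active pattern bits and the rule that selects a pattern from the target switching ID are this example's assumptions; ASILOS is placed in privileged mode as in the description of the operation mode field 1220064.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NUM_PROGRAMS  6
#define NUM_MPU_AREAS 4   /* constructed: four memory protection areas */

enum op_mode { PRIVILEGED = 0, NON_PRIVILEGED = 1 }; /* flag values as in table 1220050 */
enum safety_level { LEVEL_QM, LEVEL_ASIL };

typedef struct {
    int               no;     /* program No. field */
    const char       *name;   /* program name field */
    enum safety_level level;  /* safety level field */
    enum op_mode      mode;   /* operation mode field */
} program_entry;

/* Program switching ID (field 1220065): 1 = ASIL/privileged,
 * 2 = ASIL/non-privileged, 3 = QM/non-privileged. */
static int switch_id_for(enum safety_level lv, enum op_mode md) {
    if (lv == LEVEL_ASIL) return md == PRIVILEGED ? 1 : 2;
    return 3;
}

/* Program switching ID management table (FIG. 8), constructed to match the text. */
static const program_entry program_table[NUM_PROGRAMS] = {
    {1, "QM application 1",   LEVEL_QM,   NON_PRIVILEGED},
    {2, "ASIL application 1", LEVEL_ASIL, NON_PRIVILEGED},
    {3, "ASILOS",             LEVEL_ASIL, PRIVILEGED},
    {4, "QM application 2",   LEVEL_QM,   NON_PRIVILEGED},
    {5, "ASIL application 2", LEVEL_ASIL, NON_PRIVILEGED},
    {6, "QM application 3",   LEVEL_QM,   NON_PRIVILEGED},
};

/* Active patterns 1 and 2 (fields 1220042/1220043): one activation bit per
 * memory protection area; the bit values are constructed. */
static const bool active_pattern[2][NUM_MPU_AREAS] = {
    { true, true,  false, false },   /* pattern 1: areas open to ASIL non-privileged software */
    { true, false, true,  false },   /* pattern 2: areas open to QM software */
};

typedef struct {
    enum op_mode cpu_mode;                   /* operation mode flag (table 1220050) */
    int          prev_switch_id;             /* previous program switching ID (table 1220070) */
    bool         area_active[NUM_MPU_AREAS]; /* active state per area (table 1220030) */
    int          mode_switches;              /* counters for the comparison in the text */
    int          authority_switches;
} ecu_state;

/* Operation mode switching unit (FIG. 15): the OS interrupt that inverts the
 * saved mode flag is abstracted here to a flip of the flag. */
static void switch_operation_mode(ecu_state *s) {
    s->cpu_mode = (s->cpu_mode == PRIVILEGED) ? NON_PRIVILEGED : PRIVILEGED;
    s->mode_switches++;
}

/* Access authority switching unit (FIG. 16): copies one whole active pattern
 * into the active state table, so every area's authority changes at once.
 * Picking the pattern from the target switching ID is this example's assumption. */
static void switch_access_authority(ecu_state *s, int target_id) {
    const bool *pat = active_pattern[target_id == 2 ? 0 : 1];
    memcpy(s->area_active, pat, sizeof s->area_active);
    s->authority_switches++;
}

/* MPU setting unit (FIG. 14): same ID -> nothing; an ID of 1 on either side
 * means the privilege boundary is crossed -> mode switch; otherwise only the
 * access authority changes. */
static void mpu_setup(ecu_state *s, const program_entry *p) {
    int cur = switch_id_for(p->level, p->mode), prev = s->prev_switch_id;
    if (cur != prev) {
        if (cur == 1 || prev == 1) switch_operation_mode(s);
        else                       switch_access_authority(s, cur);
    }
    s->prev_switch_id = cur;   /* S1215006 */
}

/* State with program No. 1 already running, as the text assumes. */
static ecu_state initial_state(void) {
    ecu_state s;
    memset(&s, 0, sizeof s);
    s.cpu_mode = program_table[0].mode;
    s.prev_switch_id = switch_id_for(program_table[0].level, program_table[0].mode);
    return s;
}

/* Software control unit (FIG. 13): run programs No. 2..6 in order. */
static ecu_state run_sequence(void) {
    ecu_state s = initial_state();
    for (int i = 1; i < NUM_PROGRAMS; i++) mpu_setup(&s, &program_table[i]);
    return s;
}

/* Conventional scheme for comparison: mode follows safety level, so every
 * ASIL<->QM change costs a mode switch. */
static int conventional_mode_switches(void) {
    int n = 0;
    for (int i = 1; i < NUM_PROGRAMS; i++)
        if (program_table[i].level != program_table[i - 1].level) n++;
    return n;
}

/* Safety check: after every step the tracked CPU mode must equal the mode the
 * running program requires; a mismatch would be a privilege error. */
static bool mode_tracks_program(void) {
    ecu_state s = initial_state();
    for (int i = 1; i < NUM_PROGRAMS; i++) {
        mpu_setup(&s, &program_table[i]);
        if (s.cpu_mode != program_table[i].mode) return false;
    }
    return true;
}

int main(void) {
    ecu_state s = run_sequence();
    printf("conventional: %d mode switches\n", conventional_mode_switches());
    printf("embodiment:   %d mode switches, %d access authority switches\n",
           s.mode_switches, s.authority_switches);
    return mode_tracks_program() ? 0 : 1;
}
```

Running the sequence reproduces the count given in the text: four mode switches under the conventional level-based scheme against two here, with the other three transitions handled by pattern copies. The `mode_tracks_program` check is the invariant a reviewer would want kept whenever the switching rule is changed: a non-privileged program must never be left running in privileged mode.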
In general, among the software used for vehicle control there is more software with a low safety level than with a high safety level. Therefore, by adopting memory protection by access authority switching between pieces of software with relatively low safety levels, the software that requires operation mode switching can be narrowed to software with relatively high safety levels. That is, the safety level at which operation mode switching becomes necessary can be raised, so that, as a whole, the number of operation mode switches can be reduced.
As described above, in a normal software architecture, software of different safety levels is mixed within one task, and when partitioning is applied between software with different safety requirements, access restrictions by the memory protection unit (MPU) result. In the conventional method the access authority switching process is realized by the OS interrupt function, which interrupts the process being executed, so in existing software the access authority managed by the memory protection unit (MPU) is switched frequently, and increased overhead due to process interruption was a concern.
In contrast, according to this embodiment, even when several pieces of software with different safety levels are run, safety can be ensured while keeping the processing load down. That is, by flexibly controlling the active state of the memory protection areas managed by the memory protection device 112, memory protection between software of different safety levels can be realized within the same operation mode of the arithmetic unit (CPU) 11. Further, by combining switching of the operation mode of the arithmetic unit (CPU) 11 with setting of the active state of the memory protection areas managed by the memory protection device 112, the memory access authority can be switched quickly with few OS interrupts.
When the vehicle control device detects an access authority violation, it may notify the driver. For example, in a vehicle control system in which several vehicle control devices, including a vehicle control device for the user interface, are connected via an in-vehicle network, when any of the vehicle control devices detects a memory access abnormality (that is, a violation), it transmits abnormality information to the user interface vehicle control device, and the user interface vehicle control device that receives the abnormality information issues a command for a warning to the driver.
A backup memory for storing access abnormality information may also be provided in the vehicle control device, and when a software access violates its authority, the information may be saved in the backup memory. In that case, an analysis tool is connected to the vehicle control device via the in-vehicle network and transmits a message requesting the memory access abnormality information; the vehicle control device that receives this message transmits the memory access abnormality information to the analysis tool, so that the memory access abnormality information can be retrieved.
In the above embodiment the software that can run in privileged mode is ASILOS and the non-privileged mode operation software is divided into several stages according to safety level, but the invention is not limited to this; the privileged mode operation software may also be divided into several stages according to safety level. In that case, within the same privileged mode, the access authority switching unit switches the access authority according to the safety level of the software. One example, shown in FIG. 17, is a configuration in which the ASIL OS and an ASIL-C application are privileged mode operation software, and the non-privileged mode operation software consists of an ASIL-B application, an ASIL-A application and a QM application.
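As an added example (not code from the patent or from its applicant), the following C program shows one way to implement the backup memory for access abnormality information and the request/response exchange with the analysis tool described above: the violation handler records which program touched which memory protection area, a small ring buffer keeps the most recent records across overflow, and only a correctly identified request message is answered. The message IDs, the record layout, the slot count and the sample violations are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BACKUP_SLOTS 4                      /* constructed: backup memory holds 4 records */
#define MSG_REQ_ACCESS_ABNORMALITY  0x21u   /* constructed request message ID */
#define MSG_RESP_ACCESS_ABNORMALITY 0x22u   /* constructed response message ID */
#define RECORD_WIRE_SIZE 10u                /* seq(4) + program(1) + area(1) + addr(4) */

typedef struct {
    uint32_t seq;         /* running record number, never reused */
    uint8_t  program_no;  /* program No. whose access was refused */
    uint8_t  area_no;     /* memory protection area number involved */
    uint32_t fault_addr;  /* address of the refused access */
} violation_record;

typedef struct {
    violation_record slot[BACKUP_SLOTS];  /* ring buffer: newest overwrites oldest */
    uint32_t total;                       /* violations seen since power-on */
} backup_memory;

static uint32_t stored_count(const backup_memory *b) {
    return b->total < BACKUP_SLOTS ? b->total : BACKUP_SLOTS;
}

/* Access authority violation monitoring unit: called from the MPU violation
 * handler. Record first; the caller then stops the offending processing. */
static void record_violation(backup_memory *b, uint8_t program_no,
                             uint8_t area_no, uint32_t addr) {
    violation_record *r = &b->slot[b->total % BACKUP_SLOTS];
    r->seq = b->total + 1;
    r->program_no = program_no;
    r->area_no = area_no;
    r->fault_addr = addr;
    b->total++;
}

static void put_u32(uint8_t *p, uint32_t v) {   /* big-endian on the wire */
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Handle one message from the analysis tool. Only the abnormality request is
 * answered; anything else is ignored (returns 0). Records go out oldest first
 * so the tool sees the violations in the order they occurred. */
static size_t handle_tool_message(const backup_memory *b, const uint8_t *req,
                                  size_t req_len, uint8_t *out, size_t out_cap) {
    if (req_len < 1 || req[0] != MSG_REQ_ACCESS_ABNORMALITY) return 0;
    uint32_t n = stored_count(b);
    size_t need = 2 + (size_t)n * RECORD_WIRE_SIZE;
    if (out_cap < need) return 0;                 /* never overrun the send buffer */
    uint32_t start = b->total >= BACKUP_SLOTS ? b->total % BACKUP_SLOTS : 0;
    out[0] = MSG_RESP_ACCESS_ABNORMALITY;
    out[1] = (uint8_t)n;
    uint8_t *p = out + 2;
    for (uint32_t k = 0; k < n; k++) {
        const violation_record *r = &b->slot[(start + k) % BACKUP_SLOTS];
        put_u32(p, r->seq);
        p[4] = r->program_no;
        p[5] = r->area_no;
        put_u32(p + 6, r->fault_addr);
        p += RECORD_WIRE_SIZE;
    }
    return need;
}

typedef struct {
    uint32_t stored;       /* records retained after overflow */
    size_t   response_len; /* bytes produced for a valid request */
    uint32_t oldest_seq;   /* seq of the first record in the response */
    size_t   rejected_len; /* bytes produced for an unknown message */
} demo_result;

/* Constructed scenario: six refused accesses, more than the backup holds. */
static demo_result run_demo(void) {
    backup_memory b;
    memset(&b, 0, sizeof b);
    for (uint8_t k = 0; k < 6; k++)
        record_violation(&b, (uint8_t)(k + 1), 2, 0x40001000u + 4u * k);
    uint8_t req[1] = { MSG_REQ_ACCESS_ABNORMALITY }, bad[1] = { 0x00 }, out[64];
    demo_result d;
    d.stored = stored_count(&b);
    d.response_len = handle_tool_message(&b, req, 1, out, sizeof out);
    d.oldest_seq = ((uint32_t)out[2] << 24) | ((uint32_t)out[3] << 16)
                 | ((uint32_t)out[4] << 8) | out[5];
    d.rejected_len = handle_tool_message(&b, bad, 1, out, sizeof out);
    return d;
}

int main(void) {
    demo_result d = run_demo();
    printf("stored %u records, response %zu bytes, oldest seq %u, unknown msg -> %zu bytes\n",
           d.stored, d.response_len, d.oldest_seq, d.rejected_len);
    return 0;
}
```

The running sequence number survives overwriting, so the analysis tool can tell from a gap between `seq` values that earlier violations were lost, which is the information a backup memory of fixed size must preserve for later analysis.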

Claims (9)

  1.  A vehicle control device comprising:
     a storage unit;
     a software control unit that controls the operation of a plurality of pieces of software stored in the storage unit;
     an operation mode switching unit that switches the operation mode of the software control unit between a privileged mode and a non-privileged mode; and
     an access authority switching unit that switches the access authority of each piece of software to the storage unit.
  2.  The vehicle control device according to claim 1, wherein each piece of software is classified as either privileged mode operation software, which can run in the privileged mode, or non-privileged mode operation software, which can run in the non-privileged mode,
     when the software control unit switches the software it runs between the privileged mode operation software and the non-privileged mode operation software, the operation mode switching unit switches the operation mode, and
     when the software control unit switches between pieces of software that run in the same operation mode, the access authority switching unit switches the access authority according to the safety level of the software.
  3.  The vehicle control device according to claim 1, wherein the non-privileged mode operation software is divided into a plurality of stages according to safety level.
  4.  The vehicle control device according to claim 1, further comprising an access authority violation monitoring unit that monitors the access authority of the software,
     wherein processing is stopped when the access authority violation monitoring unit detects an access authority violation.
  5.  The vehicle control device according to claim 1, further comprising an access authority violation monitoring unit that monitors the access authority of the software,
     wherein information on the violation is stored when the access authority violation monitoring unit detects an access authority violation.
  6.  The vehicle control device according to claim 1, further comprising a storage area setting unit that divides the storage unit into a plurality of storage areas,
     wherein the access authority switching unit sets different access authorities for the plurality of storage areas.
  7.  The vehicle control device according to claim 1, further comprising a storage area setting unit that divides the storage unit into a plurality of storage areas,
     wherein the access authority switching unit sets, for the same storage area among the plurality of storage areas, different access authorities according to the safety level of the software.
  8.  The vehicle control device according to claim 6, wherein the access authority switching unit manages a plurality of access authority patterns, each pattern being set for each of the plurality of storage areas,
     and switches the individual access authorities for the plurality of storage areas all at once by switching the pattern.
  9.  前記アクセス権限切換部は、前記記憶部に対して設定されるアクセス権限を、前記ソフトウェアの実行中に再設定することを特徴とする請求項1記載の車両用制御装置。 The vehicle control device according to claim 1, wherein the access authority switching unit resets the access authority set for the storage unit during execution of the software.
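The following C program is an added example, not code from the patent or from Hitachi Automotive Systems: it models the mechanism of claims 4 to 9 in software so the interaction of the parts can be exercised. The storage unit is divided into named areas (claim 6), one permission pattern exists per software safety level and the same area carries different rights in different patterns (claim 7), a pattern switch re-sets every area's authority in one step and may happen while software runs (claims 8 and 9), and the violation monitor records each violation and halts the offending processing (claims 4 and 5). The address map, the region and level names, the pattern contents and every function name are assumptions for illustration; a real ECU would program the pattern into MPU registers and the halt would be a trap or task abort.

```c
/* Added example (not from the patent): a C model of the access-authority scheme
 * of claims 4-9. Region map, permission patterns and all function names are
 * hypothetical; a real ECU would write the pattern into MPU registers. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_REGIONS 4
#define NUM_LEVELS  3
#define VLOG_SIZE   8

enum { PERM_NONE = 0, PERM_R = 1, PERM_W = 2, PERM_X = 4 };
typedef enum { LEVEL_OS = 0, LEVEL_ASIL = 1, LEVEL_QM = 2 } sw_level_t;

/* Claim 6: the storage unit is divided into storage areas (constructed map). */
typedef struct { const char *name; uint32_t base; uint32_t size; } region_t;
static const region_t regions[NUM_REGIONS] = {
    { "os_kernel", 0x00000000u, 0x10000u },
    { "asil_ctrl", 0x00010000u, 0x10000u },  /* safety-critical control software */
    { "qm_app",    0x00020000u, 0x10000u },  /* non-safety (QM) application */
    { "shared_io", 0x00030000u, 0x10000u },  /* sensor/actuator buffers */
};

/* Claims 7 and 8: one pattern per software safety level, each holding a
 * permission for every region. shared_io is writable for ASIL software but
 * read-only for QM software: same area, different authority per level. */
static const uint8_t patterns[NUM_LEVELS][NUM_REGIONS] = {
    /*              os_kernel              asil_ctrl              qm_app                 shared_io */
    [LEVEL_OS]   = { PERM_R|PERM_W|PERM_X, PERM_R|PERM_W,         PERM_R|PERM_W,         PERM_R|PERM_W },
    [LEVEL_ASIL] = { PERM_R,               PERM_R|PERM_W|PERM_X,  PERM_NONE,             PERM_R|PERM_W },
    [LEVEL_QM]   = { PERM_NONE,            PERM_NONE,             PERM_R|PERM_W|PERM_X,  PERM_R },
};

/* Claim 5: what is stored about each violation. */
typedef struct { sw_level_t level; uint32_t addr; uint8_t perm; int region; } violation_t;

static struct {
    sw_level_t level;            /* pattern currently in force */
    int halted;                  /* claim 4: processing stopped after a violation */
    violation_t vlog[VLOG_SIZE]; /* claim 5: violation records */
    size_t nviol;
} mpu;

/* Claims 8 and 9: one pattern switch re-sets every region's authority at once,
 * and can be done while software runs (typically on a task switch). */
void mpu_switch_pattern(sw_level_t level) { mpu.level = level; mpu.halted = 0; }

static int region_of(uint32_t addr) {
    for (int i = 0; i < NUM_REGIONS; i++)
        if (addr >= regions[i].base && addr - regions[i].base < regions[i].size) return i;
    return -1;
}

/* The violation monitoring unit: 1 if the access is allowed by the current
 * pattern, else 0 after recording the violation (claim 5) and halting (claim 4).
 * An address outside every region is treated as a violation too. */
int mpu_check_access(uint32_t addr, uint8_t perm) {
    int r = region_of(addr);
    uint8_t allowed = (r < 0) ? PERM_NONE : patterns[mpu.level][r];
    if (perm != PERM_NONE && (perm & ~allowed) == 0) return 1;
    if (mpu.nviol < VLOG_SIZE) {
        violation_t *v = &mpu.vlog[mpu.nviol++];
        v->level = mpu.level; v->addr = addr; v->perm = perm; v->region = r;
    }
    mpu.halted = 1;
    return 0;
}

size_t mpu_violation_count(void) { return mpu.nviol; }
const violation_t *mpu_violation(size_t i) { return i < mpu.nviol ? &mpu.vlog[i] : NULL; }
int mpu_is_halted(void) { return mpu.halted; }

/* Run one task's accesses under its safety level, stopping at the first
 * violation; returns how many accesses completed. */
typedef struct { uint32_t addr; uint8_t perm; } access_t;
size_t run_task(sw_level_t level, const access_t *acc, size_t n) {
    mpu_switch_pattern(level);
    size_t done = 0;
    while (done < n && mpu_check_access(acc[done].addr, acc[done].perm)) done++;
    return done;
}

/* Constructed scenario: a QM task executes its own code, reads a sensor buffer,
 * then tries to write an actuator command into shared_io (read-only for QM). */
const access_t qm_task[] = {
    { 0x00020100u, PERM_X }, { 0x00030010u, PERM_R }, { 0x00030020u, PERM_W } };
/* The ASIL task performs the same write legitimately after the pattern switch. */
const access_t asil_task[] = { { 0x00010040u, PERM_X }, { 0x00030020u, PERM_W } };

int main(void) {
    size_t done = run_task(LEVEL_QM, qm_task, 3);
    printf("QM task: %zu of 3 accesses completed, halted=%d\n", done, mpu_is_halted());
    done = run_task(LEVEL_ASIL, asil_task, 2);
    printf("ASIL task: %zu of 2 accesses completed, halted=%d\n", done, mpu_is_halted());
    for (size_t i = 0; i < mpu_violation_count(); i++) {
        const violation_t *v = mpu_violation(i);
        printf("violation %zu: level=%d area=%s addr=0x%08x perm=%u\n", i, (int)v->level,
               v->region < 0 ? "unmapped" : regions[v->region].name,
               (unsigned)v->addr, (unsigned)v->perm);
    }
    return 0;
}
```

The point the model makes visible is why the pattern is switched as a whole rather than region by region: the QM task's halt does not leak into the ASIL task, because the switch on the task boundary restores every area's authority for the new level in one step, and the stored violation record (level, area, address, requested permission) is what a diagnostic or freeze-frame routine would later read out.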

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2013202960A JP2015067107A (en) 2013-09-30 2013-09-30 Vehicle control device
JP2013-202960 2013-09-30

Publications (1)

Publication Number Publication Date
WO2015045507A1 true WO2015045507A1 (en) 2015-04-02

Family

ID=52742665

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2014/065838 WO2015045507A1 (en) 2013-09-30 2014-06-16 Vehicular control device

Country Status (2)

Country Link
JP (1) JP2015067107A (en)
WO (1) WO2015045507A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3085596B1 (en) * 2015-04-20 2017-11-29 Autoliv Development AB A vehicle safety electronic control system
JP6838223B2 (en) 2016-11-02 2021-03-03 日立Astemo株式会社 Vehicle control device
JP6877475B2 (en) * 2019-03-11 2021-05-26 日立Astemo株式会社 Electronic control device and stack usage
DE102019220461A1 (en) * 2019-12-20 2021-06-24 Robert Bosch Gesellschaft mit beschränkter Haftung Method and device for operating a computing device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007287103A (en) * 2006-04-20 2007-11-01 Nec Electronics Corp Microcomputer and memory access control method
JP2013161299A (en) * 2012-02-06 2013-08-19 Toyota Motor Corp Information processing apparatus and interface access method
JP2013171467A (en) * 2012-02-21 2013-09-02 Toyota Motor Corp Information processing device, electronic control device for vehicle, and data read-write method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5906584B2 (en) * 2011-05-27 2016-04-20 トヨタ自動車株式会社 Control apparatus and control method

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108025685A (en) * 2015-09-30 2018-05-11 日立汽车系统株式会社 On-vehicle control apparatus
CN108025685B (en) * 2015-09-30 2020-12-01 日立汽车系统株式会社 Vehicle-mounted control device
CN113474220A (en) * 2019-03-05 2021-10-01 日立安斯泰莫株式会社 Vehicle control device
CN113474220B (en) * 2019-03-05 2024-02-20 日立安斯泰莫株式会社 Vehicle control device

Also Published As

Publication number Publication date
JP2015067107A (en) 2015-04-13

Similar Documents

Publication Publication Date Title
WO2015045507A1 (en) Vehicular control device
US10127161B2 (en) Method for the coexistence of software having different safety levels in a multicore processor system
US10489332B2 (en) System and method for per-task memory protection for a non-programmable bus master
CN104866762B (en) Security management program function
US20220052871A1 (en) Vehicle control system, vehicle control method, and non-transitory computer-readable medium in which vehicle control program is stored
JP2009251967A (en) Multicore system
WO2017098643A1 (en) Data processing device, data processing method, and data processing program
JP2001014220A (en) Partition division and monitoring method for electronic device to be software-controlled
JP5533789B2 (en) In-vehicle electronic control unit
JP2014193690A (en) Vehicle controller
CA2551045C (en) Input-output control apparatus, input-output control method, process control apparatus and process control method
JP6349444B2 (en) Vehicle control device
CN107179980B (en) Method for monitoring a computing system and corresponding computing system
JP2019049928A (en) Electronic control device and control method for electronic control device
JP6502211B2 (en) Vehicle control device
JP2015099517A (en) Vehicle control device
US10269194B2 (en) Multiprocessor system and vehicle control system
CN110574343A (en) Method and semiconductor circuit for protecting an operating system of a vehicle safety system
WO2020179344A1 (en) Vehicle control device
JP5651209B2 (en) Multiprocessor system
CN108700861B (en) Method for operating a control device for a motor vehicle
US20040060050A1 (en) Method and controller for program control of a computer program having multitasking capability
JP5703505B2 (en) Computer with bus partition structure
JP2014137734A (en) Information processor and program
WO2023106073A1 (en) Onboard device, program, and information processing method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 14849119
    Country of ref document: EP
    Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 14849119
    Country of ref document: EP
    Kind code of ref document: A1