WO2019012907A1 - Computation device - Google Patents


Info

Publication number
WO2019012907A1
Authority
WO
WIPO (PCT)
Prior art keywords
module
software module
output
execution unit
unit
Application number
PCT/JP2018/022681
Other languages
French (fr)
Japanese (ja)
Inventor
拓 下沢
飯室 聡
裕弘 小田
成沢 文雄
林 正人
Original Assignee
日立オートモティブシステムズ株式会社

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation

Definitions

  • The present invention relates to a computing device.
  • The processing required of on-vehicle controllers is becoming more sophisticated, and the use of technology and software originally developed for general-purpose servers and workstations is also increasing.
  • Such software is not created by the development method used for conventional on-vehicle controllers, and its quality is not necessarily high.
  • Operation must be continued, so it is necessary not only to detect a failure but also to identify and isolate the failure location.
  • The final quality of the on-board control device is improved by cross-checking a plurality of different implementations having the same function, and by majority decision the operation can be continued even if a failure occurs in one implementation.
  • In Patent Document 1, predetermined data is divided into three or more data areas.
  • Storage means store the predetermined data by writing it in different formats into the three or more data areas, and when the application is executed the data written in the three or more data areas is read and collated.
  • Processing program execution means execute the application using the restored data, perform a predetermined repair when the collation results are inconsistent, and compare the result of executing the application with that of at least one other diagnostic repair device.
  • A verification processing means for verifying the result of executing the application is disclosed.
  • The invention described in Patent Document 1 cannot realize fault detection and fault identification using limited computing resources.
  • A computing device according to the invention comprises: a storage unit storing a first software module, a second software module, and a third software module that have the same function and are implemented differently; an operation unit that executes the first, second, and third software modules; and a detection unit that detects a failure based on the output of the first software module and the output of the second software module produced by the operation unit.
  • When the detection unit detects a failure, use of the third software module is started, and a fault identification unit identifies the faulty software module based on the output of the first software module, the output of the second software module, and the output of the third software module.
  • Figures: block diagram showing the configuration of the ECU 100 in the first embodiment; diagram showing an example of the first module input table 15; diagram showing an example of the first module output table 16; diagram showing an example of the first output comparison table 17; diagram showing an example of the first module management table 18; diagram showing an operation example of the ECU 100; flowchart showing failure detection processing; flowchart showing failure identification processing; block diagram showing the configuration of the ECU 100A in the second embodiment; flowchart representing the operation of the first module execution unit 13B in the second embodiment; block diagram showing the configuration of the control system S in the third embodiment; flowchart showing fault identification processing in the third embodiment.
  • FIG. 1 is a block diagram showing the configuration of the ECU 100, that is, an electronic control unit.
  • the ECU 100 has a CPU 110, which is an arithmetic device, and a memory 120, which is a main storage area.
  • the memory 120 stores a plurality of modules as described later.
  • a module is software that can be commonly used from a plurality of applications.
  • a module is, for example, a library, a function, a part of a function, or an application specialized for commonly used functions.
  • A module is software consisting of a plurality of functions called from an application, such as a dynamic link library (DLL), and is independent of the application.
  • the inputs to the module are the arguments to these functions.
  • the output of the module is the return value of these functions.
  • Three modules, a P module denoted by reference numeral 41, a Q module denoted by reference numeral 42, and an R module denoted by reference numeral 43, will be described; these are collectively referred to simply as "module".
  • The P module 41, the Q module 42, and the R module 43 all have the same function, and the same output is expected for the same input whichever module is used.
  • these modules have different implementations and are not binary matches.
  • the P module 41, the Q module 42, and the R module 43 are, for example, a first implementation, a second implementation, and a third implementation of a standardized library.
  • The P module 41 and the Q module 42 are more reliable than the R module 43; in other words, their degree of completeness is higher.
  • If the CPU 110 can execute both an application created for a 32-bit CPU and one created for a 64-bit CPU, the following configuration may be used: the P module 41 may be a first implementation for a 32-bit CPU, the Q module 42 a first implementation for a 64-bit CPU, and the R module 43 a second implementation for a 32-bit CPU.
  • the CPU 110 is an arithmetic device capable of general purpose calculation, and has two CPU cores operable in parallel, that is, a first CPU core 111 and a second CPU core 112.
  • The CPU 110 may have three or more CPU cores, or may have a function by which one CPU logically behaves as having a plurality of cores, the so-called hardware hyper-threading function.
  • The CPU 110 may be a single semiconductor chip, or may be a so-called SoC (System-on-Chip) in which the memory 120 described below is mounted on the same semiconductor chip.
  • Memory 120 is a main storage device that is volatile, and is configured of, for example, a dynamic random access memory (DRAM).
  • A program including the code executed by the CPU 110 and the data it reads and writes is placed in the memory 120.
  • the program used by the first CPU core 111 and the program executed by the second CPU core 112 are referred to as a first program 11 and a second program 21, respectively.
  • the first program 11 and the second program 21 have the same configuration and perform the same operation.
  • the first CPU core 111 and the second CPU core 112 can communicate, whereby the first program 11 and the second program 21 can exchange information.
  • the first program 11 includes a first application 12 and a first module execution unit 13.
  • the first module execution unit 13 includes a P module 41, an R module 43, a first module input table 15, a first module output table 16, a first output comparison table 17, and a first module management table 18.
  • the second program 21 includes a second application 22 and a second module execution unit 23.
  • The second module execution unit 23 includes the Q module 42, the R module 43, a second module input table 25, a second module output table 26, a second output comparison table 27, and a second module management table 28.
  • The first application 12 and the second application 22 are identical, that is, in a so-called binary-match relationship.
  • The first program 11 and the second program 21 have the same configuration and perform the same operation. If every module provided in the first program 11 and the second program 21 operates without a fault such as a bug, the execution results of both applications are the same. By comparing the execution results of the first program 11 and the second program 21 with a verification device or the like (not shown) and using the result as the final output of the ECU 100, the safety and reliability of the control software can be enhanced.
  • The R module 43 included in the second program 21 is identical to the R module 43 included in the first program 11, that is, the two are in a binary-match relationship.
  • The second module input table 25, the second module output table 26, the second output comparison table 27, and the second module management table 28 correspond to the first module input table 15, the first module output table 16, the first output comparison table 17, and the first module management table 18, respectively, and have the same configuration. The configuration and operation of the first program 11 will be mainly described below.
  • the first application 12 of the first program 11 is software that realizes main functions in the ECU 100.
  • one first application 12 is provided for simplicity, but a plurality of applications may be provided.
  • the first application 12 calls the first module execution unit 13 to execute the module and obtain its output.
  • this process is expressed as “call a module from the first application 12”, but in practice, the first module execution unit 13 intervenes in the execution of the module as described later.
  • the first module execution unit 13 is called from the first application 12 to execute a module.
  • When called from the first application 12, the first module execution unit 13 selects and executes one module and, when a predetermined condition described later is satisfied, compares the result with the execution result of the module in the second module execution unit 23.
  • The second module execution unit 23 uses a module different from the one used by the first module execution unit 13. If this comparison determines that none of the used modules has failed, the calculation result is output to the first application 12. If, however, a mismatch or the like indicates that a failure has occurred in one of the modules, the first module execution unit 13 uses the remaining module to identify the faulty module.
  • In other words, until a failure is determined, the ECU 100 uses only two different modules, one in each program. Once a failure is determined, the third module is used to identify the faulty module.
  • Each time the first application 12 calls a module and provides an input, that input is added to the first module input table 15.
  • The first module output table 16 records the output each time a module produces an output.
  • The first output comparison table 17 records in advance, for each function included in a module, information indicating whether the return value of that function is comparable.
  • The first output comparison table 17 is referred to when determining whether to compare the outputs of the modules.
  • The first module management table 18 records the presence or absence of a failure in each module. The module to be executed is selected based on the contents of the first module management table 18. Each of these is described in detail below.
  • FIG. 2 is a diagram showing an example of the first module input table 15. FIG. 2 shows a case in which a plurality of functions are called at one time; one call of one function corresponds to one row of the first module input table 15. The rows of the first module input table 15 are arranged in the order in which the calls were made. The first column "No." stores the number of each row; identifiers other than numbers may be used as long as the order and identity of each row can be determined.
  • The second column "calling function" of the first module input table 15 stores information identifying the function called in each call, for example the function name or the address of the function.
  • The third column "input" of the first module input table 15 stores the input to the module in each call.
  • For a function that takes no input value and has no arguments, information indicating that there is no argument, for example "none" or "-", is recorded.
  • Each time a module is called, the first module execution unit 13 adds a new row to the first module input table 15 and records the identifier of the function and the input to the module.
  • FIG. 3 is a diagram showing an example of the first module output table 16.
  • Each row of the first module output table 16 corresponds to one output from a module. Since the outputs of a module are generated in response to its inputs, each row of the first module output table 16 corresponds to a single call to the module, that is, to one row of the first module input table 15.
  • The first column "No." of the first module output table 16 stores the number of each row; identifiers other than numbers may be used as long as the order and identity of each row can be determined.
  • The second column "output" of the first module output table 16 stores the output of the module in each call. If there is no output value, information indicating that there is no output value, for example "none" or "-", is recorded.
  • When the first module execution unit 13 executes a module and obtains its output, it adds a new row to the first module output table 16 and records the output.
  • The first module output table 16 stores the outputs of all executed modules. The outputs of a plurality of modules may be stored in one table, or in a separate table for each module.
  • FIG. 4 is a diagram showing an example of the first output comparison table 17.
  • Each row of the first output comparison table 17 stores information indicating whether the output of a function provided in the module can be compared.
  • The first column "function" of the first output comparison table 17 stores an identifier of the function.
  • The second column "output comparison classification" of the first output comparison table 17 stores information indicating whether to compare the outputs of the function, which is one of "Compare", "Ignore", and "Compare if error". "Compare" indicates that the comparison is to be made, and "Ignore" indicates that it is not. "Compare if error" indicates that the contents are compared only if the output is a value indicating an error, and are not compared if the call succeeded.
  • An example of a function to which "Compare if error" is applied is a function that dynamically allocates a memory area and returns the start address of the allocated area as a positive integer on success, and returns the type of error as a negative integer on failure.
  • When this function is executed in each of a plurality of modules and each can allocate an area normally, the two outputs are different values and there is no point in comparing them. If they fail, however, a difference in the type of error reveals that one of the modules has some problem.
  • By providing a classification that compares outputs only under specific conditions, the number of functions whose outputs are never compared can be reduced, and faults can be detected more frequently than when only "Compare" and "Ignore" are used.
  • FIG. 5 is a diagram showing an example of the first module management table 18.
  • Each row of the first module management table 18 stores the operation status of one module.
  • The first column "module" of the first module management table 18 stores an identifier for identifying the module.
  • The next column "Operation Status" stores the operation status of the module.
  • The operation status indicates whether the module is normal ("OK") or has a problem ("NG").
  • Initially all modules are "OK"; as described later, when outputs do not match, the faulty module is identified and its status is set to "NG".
  • By obtaining outputs only from modules whose "operation status" is "OK", the first module execution unit 13 can continue to use fault-free modules.
  • FIG. 6 is a diagram showing an operation example of the ECU 100. FIGS. 6(a) to 6(d) all show information at the same point in time: FIG. 6(a) shows the first module input table 15, FIG. 6(b) shows the first module output table 16 holding the output of the P module 41, FIG. 6(c) shows the second module output table 26 holding the output of the Q module 42, and FIG. 6(d) shows a first module output table 16A holding the output of the R module 43.
  • The operation using the first output comparison table 17 will be described with the example illustrated in FIG. 6. Although the output of the R module 43 is actually included in the first module output table 16, for the sake of explanation it is described here as being stored in a first module output table 16A separate from the first module output table 16.
  • The P module 41 and the Q module 42 were operated by the first program 11 and the second program 21, respectively.
  • In the first module input table 15 of FIG. 6(a) there are three module calls: Function A, Function B, and Function C are called in this order.
  • The outputs of the P module 41 at this time were 0, 100, and -1, in order, as shown in the first module output table 16 of FIG. 6(b).
  • The outputs of the Q module 42 were 0, 200, and -2, respectively, as shown in the second module output table 26 of FIG. 6(c).
  • The outputs of the P module 41 and the Q module 42 are compared.
  • Because the two outputs of Function C are "-1" and "-2", it is judged that there is a failure in either the P module 41 or the Q module 42.
  • The same input is then given to the R module 43, and the result shown in the first module output table 16A of FIG. 6(d) is obtained.
  • The output of Function C, for which the outputs of the P module 41 and the Q module 42 did not match, is "-2" in FIG. 6(d). That is, the output of the R module 43 matches that of the Q module 42 and does not match that of the P module 41. By majority decision, it is identified that the Q module 42 and the R module 43 are normal and the P module 41 has a failure.
  • FIGS. 7 and 8 are flowcharts showing the operation of the first module execution unit 13 that implements the operation example described with reference to FIG. 6. FIG. 7 shows the details of the fault detection processing, and FIG. 8 shows the details of the fault identification processing.
  • The operation of the second module execution unit 23 included in the second program 21 is substantially the same as the operation of the first module execution unit 13 of the first program 11.
  • Therefore, only the first module execution unit 13 of the first program 11 is described, and the description applies to both.
  • the first module execution unit 13 executes a program whose operation is represented by the flowchart of FIG. 7 when the first application 12 calls a module.
  • the first module execution unit 13 is given an identifier and an input value of a function of the module.
  • the first module execution unit 13 adds the identifier and the input value to a new line of the first module input table 15 (S701).
  • the first module execution unit 13 selects a module for executing a call of the first application 12 (S702).
  • The module is selected, from among the modules included in the first module execution unit 13, from those whose status is "OK" in the first module management table 18.
  • The first module execution unit 13 selects a module so that the modules operated by the first program 11 and the second program 21 are different.
  • The first module execution unit 13 selects modules in ascending order, and the second module execution unit 23 selects modules in descending order.
  • Selection in ascending order is a selection method in which the P module 41 is selected with the highest priority, the Q module 42 is selected when the P module 41 is NG, and the R module 43 is selected when the Q module 42 is also NG.
  • Selection in descending order is a selection method in which selection is performed in the reverse of the ascending order.
  • The ascending and descending orders are the orders described above, applied to the modules provided in each program.
  • The first module execution unit 13 executes the function of the selected module to obtain an output value (S703). Next, for collation, it acquires the contents of the second module output table 26 in the second module execution unit 23 of the second program 21 (S705).
  • The first module execution unit 13 then repeats the processing of S706 to S710 described below for each row of the first module output table 16 in turn, changing the row being processed (hereinafter the "processing target row") each time (S705A). However, if the first module execution unit 13 performs all of the operations shown in FIG. 7 every time the first application 12 calls a module, only one row is recorded in the output table, so S705A and S710A described later may be omitted.
  • The first module execution unit 13 identifies the calling function of the processing target row, obtains the output comparison classification of that function from the first output comparison table 17, and determines whether the classification is "Ignore" (S706). If it is "Ignore" (S706: Yes), the process proceeds to S710A. If it is not "Ignore" (S706: No), the first module execution unit 13 determines whether the classification is "Compare if error" (S707). If it is "Compare if error" (S707: Yes), the process proceeds to S708; if it is not "Compare if error" (S707: No), the process proceeds to S710.
  • In step S708, the first module execution unit 13 determines whether the output value of the processing target row in the first program 11 and the output value of the processing target row in the second program 21 are both values indicating success. If both indicate success, evaluation is unnecessary and the process proceeds to S710A; if at least one indicates failure, the process proceeds to step S709. In step S709, the first module execution unit 13 determines whether both output values are values indicating an error.
  • In step S710, the first module execution unit 13 determines whether the output value of the processing target row in the first program 11 and that in the second program 21 match. If they match, the process proceeds to step S710A. If they do not match, the process proceeds to the failure identification process of step S720.
  • In step S710A, the first module execution unit 13 determines whether all rows of the output table have been processed; if a row remains unprocessed, that row becomes the processing target and the process returns to step S706. If all rows have been processed, the process proceeds to step S711. In step S711, the first module execution unit 13 erases the information stored in the first module input table 15 and the first module output table 16. This avoids repeating the same collation the next time the process of FIG. 7 is executed, and shortens the next collation. Finally, the first module execution unit 13 passes the output value obtained in S703 to the first application 12 and ends the process of FIG. 7 (S712).
  • FIG. 8 is a flowchart showing the details of the failure identification process.
  • The process shown in the flowchart of FIG. 8 is executed when a negative determination is made in step S709 or step S710 of FIG. 7.
  • The first module execution unit 13 selects from the first module management table 18 a module that is "OK" and is neither the module it used itself nor the module that produced the output obtained in S705 (S801).
  • The identity of the module that produced the output obtained in S705 may be acquired from the second program 21 by communication, or may be determined from the module selection method of the second module execution unit 23, which is known in advance.
  • The module selected in step S801 is hereinafter referred to as the alternative module.
  • The first module execution unit 13 gives the input value recorded in the first module input table 15 to the alternative module for the function whose outputs did not match in the process of FIG. 7, and obtains the output value (S802).
  • The first module execution unit 13 compares this output value with the two previous values (S803).
  • The first module execution unit 13 determines whether the output of the alternative module matches one of the two output values compared in S710 of FIG. 7 (S804).
  • If it matches one of them (S804: Yes), the first module execution unit 13 determines that the module whose output does not match is faulty and sets its operation status to NG (S805).
  • The first module execution unit 13 clears the contents of the first module input table 15 and the first module output table 16 as in S711 (S806).
  • The first module execution unit 13 outputs the majority output value, that is, the output value of the alternative module, to the first application 12 (S807), and ends the process shown in FIG. 8.
  • If the first module execution unit 13 determines in S804 that the outputs of all three modules differ (S804: No), it shifts to the processing at the time of failure, considering the possibility that all modules have failed (S811).
  • The processing at the time of failure is, for example, processing that secures safety by limiting functions, such as a degraded operation.
  • S811 is reached only when two or more modules have the same problem, for example the same bug, and its probability of occurrence is extremely low.
  • the first program 11 and the second program 21 are respectively operated by applications performing the same operation. For this reason, the operations of the first program 11 and the second program 21 perform the same operation unless there is a fault such as a bug in the module.
  • the modules provided in the first program 11 and the second program 21 are a P module 41 and an R module 43, and a Q module 42 and an R module 43, respectively. Since the first program 11 prioritizes the P module 41 and the second program 21 prioritizes and selects the Q module 42, the first program 11 and the second program 21 respectively input the same input to different modules. Therefore, these outputs are expected to be the same value, which the first module execution unit 13 collates. If the two do not match, it is known that there is a failure in one of the modules, so that it is possible to prevent the first application 12 from using the output of the failed module as it is.
  • the first module execution unit 13 selects the R module 43 in the above example as an alternative module, and the first module execution unit 13 executes the R module 43 to generate a third output value.
  • Get The first module execution unit 13 compares the three values of the P module 41, the Q module 42, and the R module 43, and determines the correct output by majority decision. Then, the first module execution unit 13 determines that the module that has output the output value belonging to the minority group in the majority vote is the module having a fault, and records “NG” in the operation status of that module in the first module management table 18.
  • the first application 12 continues to operate using the majority value according to the majority rule described above. Then, if it is determined that there is a failure in the P module 41, for example, the first module execution unit 13 uses the R module 43 in subsequent module calls. As a result, even if it is determined that one of the modules is faulty, the collation by the two modules can be continued, and the first application 12 can prevent the operation based on the output of the wrong module. That is, it is possible to obtain both the effect of continuing processing even if one module has a fault and the effect of securing security by checking the outputs of the two types of modules.
  • the use of computational resources in the ECU 100 is mostly in the first application 12 that implements functions, and is less used by modules. As described above, since the ECU 100 compares the outputs of the modules, the consumption of the computing resources of the CPU 110 and the storage resources of the memory 120 can be reduced as compared with the case of comparing the outputs of the first application 12. Furthermore, since the ECU 100 executes only two types of modules until the failure identification processing is performed, it is possible to similarly reduce the use of computation resources.
  • the ECU 100 includes the memory 120 in which the P module 41, the Q module 42, and the R module 43 having the same function and different mounting are stored, the P module 41, the Q module 42, and the R module 43. It comprises a CPU 110 to be executed and a first module execution unit 13 and a second module execution unit 23 (S706 to S710 in FIG. 7) for detecting a fault based on the output of the P module 41 and the output of the Q module 42 by the CPU 110. Further, when a fault is detected by the fault detection process shown in FIG. 7, the ECU 100 starts using the R module 43, and based on the output of the P module 41, the output of the Q module 42, and the output of the R module 43.
  • the first module execution unit 13 and the second module execution unit 23 (S804 in FIG. 8) for identifying a faulty software module are provided. That is, the ECU 100 has three modules but uses only two of them until a fault is detected, and uses a third module to identify a faulty module when a fault is detected. Therefore, the ECU 100 can realize fault detection and fault identification using limited computing resources.
  • the ECU 100 stops the use of the software module identified as having a fault (S804 to S805 in FIG. 8). Therefore, the ECU 100 can continue the operation using a fault-free software module.
  • the ECU 100 detects a fault based on the output of whichever of the P module 41 and the Q module 42 was not identified as faulty and the output of the R module 43 (S702 in FIG. 7).
  • the P module 41, the Q module 42, and the R module 43 include a software module for a 32-bit CPU and a software module for a 64-bit CPU.
  • a library is often created for each of a 32-bit CPU and a 64-bit CPU in order to support multiple types of CPUs. By utilizing them, it is possible to implement the first embodiment described above by creating one library with a unique implementation.
  • the P module 41 and the Q module 42 are executed in parallel by different CPU cores. Therefore, the outputs of the P module 41 and the Q module 42 can be obtained quickly to quickly determine the presence or absence of a failure.
  • Each of the P module 41, the Q module 42, and the R module 43 includes a plurality of functions.
  • a first output comparison table 17 is provided which defines the operations of S706 and S707 of failure detection processing for each of a plurality of functions.
  • the first module execution unit 13 refers to the first output comparison table 17 to determine the failure detection condition for each function. Therefore, the ECU 100 can cope with a software module that includes a function whose output value is not constant even under normal operation, for example a function that dynamically allocates a memory area and returns the top address of the allocated area.
  • (Modification 1) In FIG. 7, output collation is always performed, but collation need not be performed every time a module is called. For example, collation may be performed once every fixed number of module calls, for example every three calls. In this case, the number of calls is counted with a counter, and collation is performed only when the count is a multiple of three. Alternatively, collation may be performed at a predetermined interval, for example every 10 ms. In this case, a timer device or the like that measures time is used, and collation is performed when 10 ms or more has elapsed since the previous collation. When collation is not performed, the input and output of the module call are added to the first module input table 15 and the first module output table 16.
  • the collation can be performed later collectively.
  • the output of the obtained module may be passed to the first application 12 as it is.
  • the control process of the first application 12 may be affected by the time of the matching process. Therefore, the influence can be reduced by collectively performing the matching process according to some criteria. Furthermore, it is also possible to perform the matching process at a timing with little influence such as the waiting time of the periodic process.
  • the application using the module in which the failure is detected needs to take action such as continuing the execution taking over the state of the other normal application.
  • Module selection is performed to maintain the dual system. However, if a failure is identified, the application using the module in which the failure is detected may be stopped, and thereafter only the other application may continue to operate.
  • the present modification is particularly effective when it is difficult for an application using a module in which a failure is detected to take over the state of the other normal application to continue execution. That is, this modification is useful as a temporary process up to restart and repair.
  • both the first program 11 and the second program 21 execute the process shown in the flowchart of FIG.
  • when the modules selected by the first program 11 and the second program 21 as alternative modules are the same, for example the R module 43 as described above, a single execution is sufficient. Therefore, only the module execution unit of one of the programs may perform the execution of the alternative module and the comparison process (S801 to S804), and the result may be transmitted to the other module execution unit.
  • according to this modification, the other program or CPU core, which does not perform the collation process, can execute another process during that time, so the utilization efficiency of the CPU is improved.
  • the ECU 100 has three modules of the P module 41, the Q module 42, and the R module 43, but may have four or more types of modules.
  • the first program 11 may have a P module 41 and an R module 43
  • the second program 21 may have a Q module 42 and a Z module.
  • the first module execution unit 13 of the first program 11 executes the R module 43
  • the second program 21 executes the Z module.
  • the probability of failure can be further reduced by using more types of modules. Also, by using N types of modules having the same function and different implementations, the operations described in the first embodiment, that is, fault detection processing and fault identification processing, can continue until faults have occurred in N-2 modules. This has the effect of improving the continuity and availability of operation.
  • the “output comparison classification” of the first output comparison table 17 shows only three types, “Compare”, “Ignore”, and “Compare if error”, in FIG.
  • the “output comparison classification” is not limited to this.
  • a section may be provided to compare only on success regardless of the type of error, or a section may be provided to compare only error or success.
  • a classification may be provided in which only part of the output value, for example the upper 3 bits and the lower 1 bit, is compared. According to this modification, by creating the classification in accordance with the specification of the module to be used, the accuracy of failure determination can be improved and failure detection can be performed promptly.
  • the first program 11 and the second program 21 each include only one application.
  • each program may have a plurality of applications using modules.
  • a column identifying the calling application is added to the first module input table 15, and information indicating the relationship between the calling application and the called function is stored. According to this modification, even when the module is shared and used by a plurality of applications, the effects of the above-described embodiment can be obtained.
  • the P module 41 and the R module 43 which are software modules are described as being different from the first application 12.
  • the software module may be a statically linked library incorporated into the first application 12 in advance. In this case, for example, the input to the P module 41 and the output from the P module 41 are handled inside the first application 12.
  • the first module execution unit 13 selects a module whose operation status is “OK” in the first module management table 18, other than the module it uses itself and the module that produced the output obtained in S705. That is, in S801 a module not used by either the first module execution unit 13 or the second module execution unit 23 is selected. However, the module that it does not execute itself, that is, the module that produced the output obtained in S705, may additionally be executed.
  • the CPU 110 includes the first CPU core 111 and the second CPU core 112.
  • when the output of the P module 41 calculated by the first CPU core 111 does not match the output of the Q module 42 calculated by the second CPU core 112, the fault identifying unit identifies, based on the output of the P module 41 calculated by the second CPU core 112 and the output of the Q module 42 calculated by the first CPU core 111, that the first CPU core 111 or the second CPU core 112 has a fault.
  • the output value of the P module 41 executed by the first program 11 is the output value A
  • the output value of the Q module 42 executed by the second program 21 is the output value B1
  • the output value of the Q module 42 executed by the first program 11 is an output value B2
  • an output value of the R module 43 which is an alternative module executed by the first program 11 is an output value C.
  • the ECU 100 can compare the output value B1 with the output value B2 to determine whether the mismatch between the output value A and the output value B1 is due to a hardware failure of the CPU core or the like that computed the output value B1.
  • Selection of a module in S702 of FIG. 7 may be performed based on a preset priority.
  • the priority is set to each row of the first module management table 18.
  • the first module execution unit 13 selects a module whose operation status is “OK” and which has the highest priority.
  • The same applies to the second module management table 28 and the second module execution unit 23.
  • the first CPU core 111 and the second CPU core 112 may read an area of the memory 120 in which the necessary information is stored, instead of communicating between CPU cores. In this case, however, it is necessary to confirm that the other CPU core has also obtained the output of the module. This confirmation is self-evident when synchronous communication is used, and may otherwise be performed by checking the number of rows recorded in the first module output table 16. If the other CPU core has not yet obtained the output of the module, the CPU core waits until it does.
  • the plurality of modules described above may be libraries of different versions or different revisions having the same functions for the same architecture. The implementation may differ depending on the version or revision. Furthermore, the plurality of modules described above need not be identical in all functions, and may include other functions as long as they include the functions used by the application. For example, when an application calls a function A, a function B, and a function C provided by a module, one module may include only functions A to C, and another module may further include a function D in addition to functions A to C.
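The fault detection and identification flow of the first embodiment above, as an added Python illustration (not code from the patent): two modules are collated on every call, a spare is selected by priority from the module management table on a mismatch, the majority rule marks the faulty module “NG” and the spare replaces it, and the output comparison table carries per-function classifications including the partial-bit variant. The sample module functions, the rule names other than “Compare” and “Ignore”, and the lower-number-first priority convention are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
# Output comparison classifications. "Compare" and "Ignore" follow the patent's
# table; the other two names are ours for the variants its modification lists.
COMPARE = "Compare"                      # outputs must be equal
IGNORE = "Ignore"                        # never compared (e.g. returned addresses)
STATUS_ONLY = "StatusOnly"               # only error-vs-success must agree
COMPARE_ON_SUCCESS = "CompareOnSuccess"  # two errors agree; successes compared

@dataclass
class CompareRule:                        # one row of the output comparison table
    kind: str = COMPARE
    mask: Optional[int] = None            # compare only these bits of the output
    is_error: Callable[[object], bool] = lambda v: False

    def same(self, a, b) -> bool:
        if self.kind == IGNORE:
            return True
        err_a, err_b = self.is_error(a), self.is_error(b)
        if self.kind == STATUS_ONLY:
            return err_a == err_b
        if err_a or err_b:
            return (err_a and err_b) if self.kind == COMPARE_ON_SUCCESS else a == b
        if self.mask is not None:
            return (a & self.mask) == (b & self.mask)
        return a == b

@dataclass
class ModuleEntry:                        # one row of the module management table
    name: str
    funcs: Dict[str, Callable]
    priority: int                         # lower value is selected first (ours)
    status: str = "OK"                    # "NG" once identified as faulty

class FaultIdentificationError(RuntimeError):
    """Mismatch that cannot be resolved: no spare module, or no majority."""

class ModuleExecutionUnit:
    def __init__(self, modules: List[ModuleEntry], table: Dict[str, CompareRule]):
        self.modules = {m.name: m for m in modules}
        self.table = table
        self.active = self._select(2, exclude=())   # only two modules run normally

    def _select(self, n: int, exclude) -> List[str]:
        ok = sorted((m for m in self.modules.values()
                     if m.status == "OK" and m.name not in exclude),
                    key=lambda m: m.priority)
        return [m.name for m in ok[:n]]

    def call(self, func: str, *args):      # run both active modules and collate
        rule = self.table.get(func, CompareRule())
        outs = {n: self.modules[n].funcs[func](*args) for n in self.active}
        a, b = (outs[n] for n in self.active)
        if rule.same(a, b):
            return a
        return self._identify(func, args, outs, rule)   # fault detected

    def _identify(self, func, args, outs, rule):
        spare = self._select(1, exclude=self.active)
        if not spare:
            raise FaultIdentificationError(f"{func}: mismatch and no spare module")
        alt = spare[0]
        outs[alt] = self.modules[alt].funcs[func](*args)
        # Majority rule: the active module whose output disagrees with the other
        # two is faulty; if the spare agrees with neither there is no majority.
        faulty = None
        for name in self.active:
            others = [o for n, o in outs.items() if n != name]
            if rule.same(others[0], others[1]):
                faulty = name
        if faulty is None:
            raise FaultIdentificationError(f"{func}: no majority among {outs}")
        self.modules[faulty].status = "NG"              # stop using it from now on
        self.active = [alt if n == faulty else n for n in self.active]
        return outs[alt]   # majority value: the spare agreed with the survivor

# Constructed sample modules: three implementations of the same two functions.
def _checksum(data): return sum(data) & 0xFF
def _buggy_checksum(data): return (sum(data) + (len(data) > 3)) & 0xFF  # planted bug
def _parse_speed(raw): return -1 if raw > 0xFFF else raw >> 2           # <0 = bad frame

OUTPUT_TABLE = {
    "checksum": CompareRule(COMPARE),
    "parse_speed": CompareRule(COMPARE_ON_SUCCESS, is_error=lambda v: v < 0),
}

def make_modules() -> List[ModuleEntry]:
    return [
        ModuleEntry("P", {"checksum": _checksum, "parse_speed": _parse_speed}, 1),
        ModuleEntry("Q", {"checksum": _buggy_checksum,
                          "parse_speed": lambda r: -2 if r > 0xFFF else r >> 2}, 2),
        ModuleEntry("R", {"checksum": _checksum, "parse_speed": _parse_speed}, 3),
    ]

def demo():
    unit = ModuleExecutionUnit(make_modules(), OUTPUT_TABLE)
    ok = unit.call("checksum", [1, 2, 3])         # P and Q agree: 6
    fixed = unit.call("checksum", [1, 2, 3, 4])   # P=10, Q=11 -> R=10, Q marked NG
    return ok, fixed, unit.active, unit.modules["Q"].status
```

With a fourth module entry the same unit keeps identifying after a second fault, which is the N-module generalization the text describes.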
  • A second embodiment of the ECU, which is a control device, will be described with reference to FIGS. 9 to 10.
  • the same components as in the first embodiment will be assigned the same reference numerals and differences will be mainly described.
  • the points that are not particularly described are the same as in the first embodiment.
  • the present embodiment differs from the first embodiment mainly in that only one CPU core is provided.
  • FIG. 9 is a block diagram showing the configuration of ECU 100A in the second embodiment.
  • the CPU 110A of the ECU 100A has a first CPU core 111.
  • the first CPU core 111 operates the first program 11.
  • the first module execution unit 13B of the first program 11 operates three modules of the P module 41, the Q module 42, and the R module 43.
  • FIG. 10 is a flowchart showing the operation of the first module execution unit 13B in the second embodiment.
  • the same processes as in FIG. 7 in the first embodiment are assigned the same step numbers. That is, the difference from FIG. 7 is that S702A is executed instead of S702, S703A is executed instead of S703, and S705 is not executed.
  • the other steps are the same as those in FIG.
  • the first module execution unit 13B selects two modules for executing a call of the first application 12 (S702A). This selection method is the same as in the first embodiment. Then, the first module execution unit 13B executes the function of each of the selected modules to obtain an output value (S703A). The subsequent processing is the same as that of the first embodiment, and thus the description thereof is omitted.
  • the first module execution unit 13 executes a calculation using the P module 41 and the Q module 42 and compares their output values. That is, the execution of modules that the first program 11 and the second program 21 perform separately in the first embodiment is performed within one program. Therefore, the process performed for fault detection is the same as that of the first embodiment in that the same input is given to two different modules and their outputs are compared. Further, as in the first embodiment, the alternative module is selected and executed in order to identify a fault, and its output is obtained. Furthermore, it is the same as the third modification of the first embodiment in that there is only one program that executes the alternative module and performs the comparison. That is, in this embodiment as well, detection and identification of a fault are possible in the same way as in the first embodiment.
  • A third embodiment of the ECU, which is a control device, will be described with reference to FIGS. 11 to 12.
  • the same components as in the first embodiment will be assigned the same reference numerals and differences will be mainly described.
  • the points that are not particularly described are the same as in the first embodiment.
  • the present embodiment differs from the first embodiment mainly in that another ECU is used to identify a fault.
  • FIG. 11 is a block diagram showing the configuration of a control system S in the third embodiment.
  • the control system S includes a first ECU 1001, a second ECU 1002, and an alternative execution ECU 1003.
  • the first ECU 1001, the second ECU 1002, and the alternative execution ECU 1003 each include a first network interface 119, a second network interface 219, and a third network interface 1110, and can communicate with each other via the network X.
  • the physical characteristics of the network X and the communication protocol used in the network X are not particularly limited.
  • the network X corresponds to, for example, CAN (Car Area Network) or IEEE 802.3.
  • the first ECU 1001 includes a CPU 110 and a memory 120.
  • the second ECU 1002 includes a CPU 210 and a memory 220.
  • the alternative execution ECU 1003 includes a CPU 310 and a memory 320.
  • the hardware configuration of the CPU 110, the CPU 210, and the CPU 310 is the same as that of the CPU 110 in the first embodiment.
  • the P module 41 is stored in the first ECU 1001
  • the Q module 42 is stored in the second ECU 1002
  • the R module 43 is stored in the alternative execution ECU 1003.
  • the first module execution unit 13C corresponds to the first module execution unit 13 in the first embodiment, but differs from the first module execution unit 13 in that the R module 43 is not provided.
  • the second module execution unit 23C corresponds to the second module execution unit 23 in the first embodiment, but differs from the second module execution unit 23 in that the R module 43 is not provided.
  • the first CPU core 111 built in the CPU 110 of the first ECU 1001 performs the same operation as the first CPU core 111 in the first embodiment. However, the present embodiment is different from the first embodiment in that communication with the second CPU core 112 is performed via the network X. Further, the first module execution unit 13C of the first ECU 1001 does not execute the R module 43 itself, and acquires an execution result from the alternative execution ECU 1003.
  • the second CPU core 112 built in the CPU 210 of the second ECU 1002 performs the same operation as the second CPU core 112 in the first embodiment. However, the present embodiment is different from the first embodiment in that communication with the first CPU core 111 is performed via the network X. In addition, the second module execution unit 23C of the second ECU 1002 does not execute the R module 43 itself, and acquires an execution result from the alternative execution ECU 1003.
  • the alternative execution ECU 1003 executes the R module 43 to identify a faulty module at the time of fault detection.
  • the alternative execution ECU 1003 includes, in the memory 320, an alternative module execution unit 1140 that identifies a failure.
  • the alternative module execution unit 1140 is executed by the CPU core 1151.
  • the alternative module execution unit 1140 includes an R module 43 for fault identification, a module input reception unit 1141, and a module output transmission unit 1142.
  • the module input reception unit 1141 receives an input for performing a function of a module through the third network interface 1110.
  • the module output transmission unit 1142 transmits, through the third network interface 1110, an output obtained by executing the function of the module.
  • when receiving an input value from the first ECU 1001 or the second ECU 1002, the alternative module execution unit 1140 inputs the input value to the R module 43. Then, the alternative module execution unit 1140 transmits the obtained calculation result to the transmission source of the input value.
  • FIG. 12 is a flowchart showing failure identification processing in the first module execution unit 13C and the second module execution unit 23C in the present embodiment.
  • the same processes as in FIG. 8 in the first embodiment are assigned the same step numbers. That is, the difference from FIG. 8 is that S1201 is executed instead of S801, and S1202 is executed instead of S802.
  • the other steps are the same as those in FIG.
  • the operation of the first module execution unit 13C will be described as representative of the first module execution unit 13C and the second module execution unit 23C.
  • the first module execution unit 13C transmits an input value to the alternative execution ECU 1130 (S1201). Then, the first module execution unit 13C receives, from the alternative execution ECU 1130, the calculation result using the R module 43 by the alternative module execution unit 1140 (S1202). The other steps are the same as those in FIG.
  • the first program 11 and the second program 21 are executed in different ECUs. However, similar to the ECU 100 in the first embodiment, it may be executed in different CPU cores of the same ECU. In this case, the fault detection process is the same as that of the first embodiment, and only the fault identification process is the process described in the third embodiment. This can reduce the number of required ECUs.
  • the first program 11 and the second program 21 may be executed in different CPU cores of the same ECU, and the same ECU may further include a third CPU core that executes the alternative module execution unit 1140.
  • the network interface 1110 and the communication network bus 1120 can be realized by inter-core communication within the same ECU. This allows the number of required ECUs to be one.
  • (Modification 3 of the third embodiment) In the third embodiment described above, only one set of the first ECU 1101 and the second ECU 1102 is shown. However, there may be a plurality of sets of ECUs that perform the same processing.
  • the alternative execution ECU 1130 may be shared by these sets of ECUs. Since the alternative execution ECU 1130 operates only when a failure is detected, the operation rate of the alternative execution ECU 1130 is low. Therefore, the operation rate of the alternative execution ECU 1130 can be improved by executing the process according to the request from the plurality of sets of ECUs.
  • the plurality of ECUs may use the same module or different modules.
  • the module S, the module T, the module V and the module W are stored in different ECUs
  • the alternative execution ECU 1130 includes the module X and the module W, and the calculation result of the module X or the module W according to the input value input from each ECU including the module S, the module T, the module V, and the module W
  • the following effects can be obtained. That is, the number of required alternative execution ECUs can be reduced.
  • each alternative execution ECU 1130 may have a function to monitor the processing load size and the fault situation in the other alternative execution ECU 1130.
  • the alternative module execution unit 1140 has a function of transmitting information indicating the magnitude of the current calculation load of the CPU 310 and whether or not arithmetic processing using the R module 43 is performed to surrounding devices.
  • the first module execution unit 13C and the second module execution unit 23C determine an alternative execution ECU 1130 that executes an operation using the R module 43 based on the information received from each alternative execution ECU 1130.
  • the first module execution unit 13C and the second module execution unit 23C identify the alternative execution ECU 1130 that is not currently performing a calculation using the R module 43 and has the lowest calculation load on its CPU 310, and cause that alternative execution ECU 1130 to execute the operation using the R module 43.
  • the first ECU 1001 includes a first network interface 119 for communicating with another computing device, and an alternative module execution unit 1140 for outputting the magnitude of the current calculation load to the other computing device via the communication unit.
  • the first module execution unit 13C determines an alternative execution ECU 1003 that calculates the output of the third software module based on the received current calculation load. Therefore, the loads of the plurality of alternative execution ECUs 1003 can be equalized.
  • the failure identification process is executed by the first module execution unit 13C of the first ECU 1001 or the second module execution unit 23C of the second ECU 1002.
  • the fault identification process may be executed in the alternative module execution unit 1140.
  • the substitute execution ECU 1003 also acquires the output value of the module executed in the first ECU 1001 and the second ECU 1002.
  • the fault identification process in the alternative module execution unit 1140 is the same as S803 and S804 in FIG.
  • the alternative module execution unit 1140 transmits, to each ECU, information indicating the module in which the failure is identified.
  • the first module execution unit 13C and the second module execution unit 23C receive the information, and execute the processing after S805. According to this modification, it is possible to balance the processing load of the first module execution unit 13C and the second module execution unit 23C of the first ECU 1001 and the second ECU 1002 with the processing load of the alternative module execution unit 1140.
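The networked identification of the third embodiment, as an added Python illustration that is not code from the patent: each alternative execution ECU advertises its CPU load and whether it is currently running the R module, the requesting module execution unit picks an idle one with the lowest load (the load-balancing modification), sends it the input value together with the P and Q outputs, and the chosen ECU runs the R module, identifies the faulty module from the three outputs (the modification just described) and transmits the result back. The JSON wire format, ECU names, load values and the R module functions are constructed assumptions.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class LoadReport:                 # what each alternative execution ECU advertises
    ecu_id: str
    cpu_load: float               # constructed scale: 0.0 (idle) .. 1.0 (saturated)
    running_r: bool               # currently executing the R module for someone

def identify(outs: Dict[str, object]) -> Optional[str]:
    """Majority rule over the P, Q and R outputs: the odd one out is faulty."""
    for name, value in outs.items():
        others = [v for n, v in outs.items() if n != name]
        if others[0] == others[1] and value != others[0]:
            return name
    return None                   # all equal, or all different: not identifiable

def choose_alternative(reports: List[LoadReport]) -> Optional[str]:
    """Pick an ECU not currently running the R module, lowest CPU load first."""
    idle = [r for r in reports if not r.running_r]
    return min(idle, key=lambda r: r.cpu_load).ecu_id if idle else None

class AlternativeExecutionEcu:
    """Alternative module execution unit: input reception, R execution,
    fault identification and output transmission, plus load reporting."""
    def __init__(self, ecu_id: str, r_funcs: Dict[str, Callable], cpu_load: float):
        self.ecu_id, self.r_funcs, self.cpu_load = ecu_id, r_funcs, cpu_load
        self.running_r = False

    def report(self) -> LoadReport:
        return LoadReport(self.ecu_id, self.cpu_load, self.running_r)

    def handle(self, request: bytes) -> bytes:
        msg = json.loads(request)          # constructed wire format: JSON over network X
        self.running_r = True
        try:
            out_r = self.r_funcs[msg["func"]](*msg["args"])
            faulty = identify({"P": msg["out_p"], "Q": msg["out_q"], "R": out_r})
            reply = {"seq": msg["seq"], "out_r": out_r, "faulty": faulty}
            return json.dumps(reply).encode()
        finally:
            self.running_r = False         # visible in the next load report

class RequesterEcu:
    """The first/second module execution unit side: on a P/Q mismatch it
    delegates R execution and identification to a chosen alternative ECU."""
    def __init__(self, alternatives: List[AlternativeExecutionEcu]):
        self.alts = {a.ecu_id: a for a in alternatives}
        self.seq = 0

    def identify_remotely(self, func: str, args: list, out_p, out_q
                          ) -> Tuple[str, Optional[str], object]:
        target = choose_alternative([a.report() for a in self.alts.values()])
        if target is None:
            raise RuntimeError("no idle alternative execution ECU available")
        self.seq += 1
        request = json.dumps({"seq": self.seq, "func": func, "args": args,
                              "out_p": out_p, "out_q": out_q}).encode()
        reply = json.loads(self.alts[target].handle(request))
        if reply["seq"] != self.seq:       # reply must match our outstanding request
            raise RuntimeError("stale or mismatched reply")
        return target, reply["faulty"], reply["out_r"]

def demo():
    r_funcs = {"checksum": lambda data: sum(data) & 0xFF}   # constructed R module
    alts = [AlternativeExecutionEcu("ALT-A", r_funcs, 0.7),
            AlternativeExecutionEcu("ALT-B", r_funcs, 0.2),
            AlternativeExecutionEcu("ALT-C", r_funcs, 0.4)]
    alts[1].running_r = True               # ALT-B is busy serving another ECU pair
    requester = RequesterEcu(alts)
    # First ECU got P=10, second ECU got Q=11 for checksum([1,2,3,4]): mismatch.
    return requester.identify_remotely("checksum", [[1, 2, 3, 4]], 10, 11)
```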
  • although each CPU core runs one program in the embodiments and modifications described above, each CPU core may run a plurality of programs, and a plurality of CPU cores may share one program.
  • a part or all of the code executed by each CPU core or a part or all of the data used by the CPU core may be different, and only different codes and data may be stored.
  • the code executed by the CPU 110 or the data to be read only may be arranged in the non-volatile memory, and the data to be read and written may be stored in the volatile memory.


Abstract

A computation device comprising: a storage unit storing a first software module, a second software module, and a third software module each having the same function but implemented separately; a computation unit for executing the first software module, the second software module, and the third software module; a detection unit for detecting a failure on the basis of an output from the first software module and an output from the second software module implemented by the computation unit; and a failure identification unit for starting the use of the third software module when a failure is detected by the detection unit, and identifying the software module in which the failure occurred on the basis of an output from the first software module, an output from the second software module, and an output from the third software module.

Description

Computation device
The present invention relates to a computation device.
In on-vehicle control devices, the required processing is becoming increasingly sophisticated, and the use of technologies and software employed in general servers and workstations is also increasing. Such software was not created by the development methods used for conventional on-vehicle control devices, and its quality is not necessarily high. Moreover, an on-vehicle control device must continue operating even if a failure such as a software bug occurs, so it is necessary not only to detect the failure but also to identify and isolate the failed location. For this purpose, the overall final quality of the on-vehicle control device is raised by cross-checking a plurality of different implementations of the same function, and by taking a majority decision, operation can be continued even if a failure occurs in one implementation.
Patent Document 1 discloses a diagnosis and repair device that executes processing by a preset application and compares the execution results to diagnose and repair data, the device comprising: storage means for storing predetermined data in three or more data areas; processing program execution means for writing the predetermined data into the three or more data areas in different formats, reading and collating the data written into each of the three or more data areas when the application is executed, performing a predetermined repair when the collation results do not match, and executing the application using the repaired data; and collation processing means for collating the result of executing the application with the result of executing the application on at least one other diagnosis and repair device.
Japanese Unexamined Patent Application Publication No. 2013-109532
With the invention described in Patent Document 1, fault detection and fault identification cannot be realized using limited computing resources.
A computation device according to a first aspect of the present invention comprises: a storage unit that stores a first software module, a second software module, and a third software module, which have the same function but are implemented differently; a computation unit that executes the first software module, the second software module, and the third software module; a detection unit that detects a fault based on the output of the first software module and the output of the second software module produced by the computation unit; and a fault identification unit that, when the detection unit detects a fault, starts using the third software module and identifies the faulty software module based on the output of the first software module, the output of the second software module, and the output of the third software module.
According to the present invention, fault detection and fault identification can be realized using limited computing resources.
FIG. 1 Block diagram showing the configuration of the ECU 100 in the first embodiment
FIG. 2 Diagram showing an example of the first module input table 15
FIG. 3 Diagram showing an example of the first module output table 16
FIG. 4 Diagram showing an example of the first output comparison table 17
FIG. 5 Diagram showing an example of the first module management table 18
FIG. 6 Diagram showing an operation example of the ECU 100
FIG. 7 Flowchart showing the fault detection process
FIG. 8 Flowchart showing the fault identification process
FIG. 9 Block diagram showing the configuration of the ECU 100A in the second embodiment
FIG. 10 Flowchart showing the operation of the first module execution unit 13B in the second embodiment
FIG. 11 Block diagram showing the configuration of the control system S in the third embodiment
FIG. 12 Flowchart showing the fault identification process in the third embodiment
-First embodiment-
Hereinafter, a first embodiment of an ECU that is a control device will be described with reference to FIGS. 1 to 8.
(Configuration)
FIG. 1 is a block diagram showing the configuration of the ECU 100, that is, an Electronic Control Unit. The ECU 100 has a CPU 110, which is a computation device, and a memory 120, which is the main storage area. A plurality of modules is stored in the memory 120, as described later.
A module is software that can be used in common by a plurality of applications. A module is, for example, a library, a function, part of a function, or an application specialized for a commonly used function. In the present embodiment, a module is software consisting of a plurality of functions called from an application, for example a dynamically linked library (Dynamic Link Library), and is independent of the application. The inputs to the module are the arguments of these functions. The outputs of the module are the return values of these functions. In the present embodiment, three modules are described: a P module denoted by reference numeral 41, a Q module denoted by reference numeral 42, and an R module denoted by reference numeral 43; these are also referred to collectively simply as “modules”.
The P module 41, the Q module 42, and the R module 43 all have the same function, and whichever module is used, the same output is expected for the same input. However, these modules have different implementations and are not binary-identical. The P module 41, the Q module 42, and the R module 43 are, for example, a first implementation, a second implementation, and a third implementation of some standardized library. The P module 41 and the Q module 42 are more reliable than the R module 43, in other words, more mature. Also, for example, when the CPU 110 can execute both applications created for a 32-bit CPU and applications created for a 64-bit CPU, the following configuration is possible: the P module 41 is a first implementation for a 32-bit CPU, the Q module 42 is a first implementation for a 64-bit CPU, and the R module 43 is a second implementation for a 32-bit CPU.
The CPU 110 is an arithmetic unit capable of general-purpose computation and has two CPU cores that can operate in parallel, a first CPU core 111 and a second CPU core 112. The CPU 110 may however have three or more CPU cores, or may have a function by which one CPU logically behaves as a plurality of cores, so-called hardware hyper-threading. Furthermore, the CPU 110 may be a single semiconductor chip, or a so-called SoC (System-on-Chip) in which the memory 120 described below is mounted on the same semiconductor chip.
The memory 120 is volatile main storage, for example DRAM (Dynamic Random Access Memory). The memory 120 holds the programs, comprising the code executed by the CPU 110 and the data it reads and writes. In the present embodiment the program used by the first CPU core 111 and the program executed by the second CPU core 112 are called the first program 11 and the second program 21, respectively. The first program 11 and the second program 21 have the same structure and perform the same operations. The first CPU core 111 and the second CPU core 112 can communicate with each other, so the first program 11 and the second program 21 can exchange information.
The first program 11 comprises a first application 12 and a first module execution unit 13. The first module execution unit 13 comprises the P module 41, the R module 43, a first module input table 15, a first module output table 16, a first output comparison table 17 and a first module management table 18. The second program 21 comprises a second application 22 and a second module execution unit 23. The second module execution unit 23 comprises the Q module 42, the R module 43, a second module input table 25, a second module output table 26, a second output comparison table 27 and a second module management table 28.
The first application 12 and the second application 22 are identical, that is, in a so-called binary-match relationship. The first program 11 and the second program 21 have the same structure and perform the same operations. If every module provided in the first program 11 and the second program 21 operates without a fault such as a bug, the execution results of the two applications are identical. By comparing the execution results of the first program 11 and the second program 21 with a comparison device (not shown) and making the agreed result the final output of the ECU 100, the control software can be executed with increased safety and reliability.
The R module 43 included in the second program 21 is identical to, that is binary-matched with, the R module 43 included in the first program 11. The second module input table 25, the second module output table 26, the second output comparison table 27 and the second module management table 28 each have the same structure as the first module input table 15, the first module output table 16, the first output comparison table 17 and the first module management table 18, respectively. The following description concentrates on the structure and operation of the first program 11.
The first application 12 of the first program 11 is the software that realizes the main functions of the ECU 100. For simplicity the present embodiment has a single first application 12, but a plurality of applications may be provided. When the first application 12 needs the function of a module, it calls the first module execution unit 13, which executes the module and obtains its output. For brevity this is described below as "the first application 12 calling a module", but in practice, as described later, the first module execution unit 13 mediates the execution of the module.
The first module execution unit 13 is called by the first application 12 and executes a module. When called by the first application 12 it selects and executes one module, and when a predetermined condition described later is met it compares the result with the result of the module executed in the second module execution unit 23. As described later, the second module execution unit 23 uses a different module from the first module execution unit 13. If this comparison shows no fault in either of the modules used, the computed result is output to the first application 12. If, however, it is judged that one of the modules has a fault, for example because the two results disagree, the first module execution unit 13 uses a further module to identify the faulty one. That is, normally, in other words until a fault is judged to exist, the ECU 100 uses only two modules in total, one different module in each of the first module execution unit 13 and the second module execution unit 23; once a fault is judged to exist, a third module is used to identify which module is faulty.
Each time the first application 12 calls a module with some input, that input is appended to the first module input table 15. Each time a module produces an output, the output is recorded in the first module output table 16. The first output comparison table 17 records in advance, for each function the module provides, whether that function's return value is comparable; it is consulted when deciding whether to compare module outputs. The first module management table 18 records whether each module has a fault, and the module to execute is selected on the basis of its contents. Each of these is described in detail below.
(First module input table 15)
FIG. 2 shows an example of the first module input table 15. FIG. 2 shows the case where a plurality of functions have been called; one call of one function corresponds to one row of the first module input table 15, and the rows are in the order of the calls. The first column, "No.", holds the row number; an identifier other than a number may be used provided the order of the rows can be determined and the rows can be told apart. The second column, "Called function", holds information identifying the function called, for example the function name or the address of the function. The third column, "Input", holds the input given to the module in that call. In the example of FIG. 2 every call has some input, but for a function that takes no arguments, information indicating the absence of an argument, for example "none" or "-", is recorded. When the first application 12 calls a module, the first module execution unit 13 adds a new row to the first module input table 15 and records the function identifier and the input to the module.
(First module output table 16)
FIG. 3 shows an example of the first module output table 16. Each row corresponds to one output from one of the modules. Because a module's output occurs in response to an input, each row of the first module output table 16 corresponds to one call of the module, that is, to one row of the first module input table 15. The first column, "No.", holds the row number; an identifier other than a number may be used provided the order of the rows can be determined and the rows can be told apart. The second column, "Output", holds the module's output for that call; if there is no output value, information indicating that, for example "none" or "-", is recorded. When the first module execution unit 13 executes a module and obtains its output, it adds a new row to the first module output table 16 and records the output there.
The first module output table 16 holds the outputs of every module that was executed. The outputs of a plurality of modules may be held in a single table, or a separate table may be used for each module.
(First output comparison table 17)
FIG. 4 shows an example of the first output comparison table 17. Each row holds information indicating whether the output of one of the functions provided by the modules can be compared. The first column, "Function", holds the function identifier. The second column, "Output comparison class", holds information indicating whether the output of that function is to be compared, for example one of "Compare", "Ignore" and "Compare if error". "Compare" means the output is subject to comparison and "Ignore" that it is not. "Compare if error" means that the outputs are compared only when they are values indicating an error, and not when they indicate success.
A function to which "Compare if error" applies is, for example, one that dynamically allocates a memory area and returns, on success, the start address of the allocated area as a positive integer and, on failure, the kind of error as a negative integer. When this function is executed in each of several modules and the allocation succeeds, the modules return different addresses, so comparing them is meaningless; but when it fails, differing error kinds reveal that one of the modules has some problem. Defining functions whose outputs are compared only under particular conditions thus reduces the number of functions that are never compared, and increases how often faults can be detected compared with using only the two classes "Compare" and "Ignore".
(First module management table 18)
FIG. 5 shows an example of the first module management table 18. Each row holds the operating status of one module. The first column, "Module", holds the identifier of the module; the next column, "Operating status", holds its status, "OK" for a module that is normal and "NG" for one that has some problem. Initially every module is "OK"; when, as described later, a mismatch of outputs leads to a faulty module being identified, that module is set to "NG". By obtaining outputs only from modules whose operating status is "OK", the first module execution unit 13 can keep using modules that have no fault.
(Operation example)
FIG. 6 shows an example of the operation of the ECU 100. FIGS. 6(a) to 6(d) all show information at the same point in time: FIG. 6(a) shows the first module input table 15, FIG. 6(b) the first module output table 16 holding the outputs of the P module 41, FIG. 6(c) the second module output table 26 holding the outputs of the Q module 42, and FIG. 6(d) a first module output table 16A holding the outputs of the R module 43. The first output comparison table 17 used in this explanation is the one illustrated in FIG. 4. The outputs of the R module 43 are in fact included in the first module output table 16, but for the sake of explanation they are described here as being stored in a separate first module output table 16A.
First, the P module 41 and the Q module 42 were used by the first program 11 and the second program 21 respectively. As the first module input table 15 of FIG. 6(a) shows, there were three module calls: Function A, Function B and Function C, in that order. The outputs of the P module 41 were, in order, 0, 100 and -1, as shown in the first module output table 16 of FIG. 6(b), whereas the outputs of the Q module 42 were, in order, 0, 200 and -2, as shown in the second module output table 26 of FIG. 6(c).
According to the first output comparison table 17 of FIG. 4, Function A is "Compare", so its outputs are compared; the outputs of the P module 41 and the Q module 42 agree, so there is no problem. Function B is "Ignore", so no comparison is made; the outputs of the P module 41 and the Q module 42 differ, but that is not a problem. Function C is "Compare if error", and the outputs of both the P module 41 and the Q module 42 are negative, so both are errors.
The outputs of the P module 41 and the Q module 42 are therefore compared. They are "-1" and "-2", so they disagree, and it is judged that either the P module 41 or the Q module 42 has a fault. To determine which, the same input is given to the R module 43, which produces the result shown in the first module output table 16A of FIG. 6(d): for Function C, where the P module 41 and the Q module 42 disagreed, the R module 43 returns "-2". The output of the R module 43 thus agrees with the Q module 42 and not with the P module 41. By majority vote, the Q module 42 and the R module 43 are identified as normal and the P module 41 as faulty.
(Flowcharts)
FIGS. 7 and 8 are flowcharts of the operation of the first module execution unit 13 that realizes the operation example described with reference to FIG. 6. FIG. 7 shows the fault detection processing and FIG. 8 the details of the fault identification processing. The operation of the second module execution unit 23 of the second program 21 is substantially the same as that of the first module execution unit 13 of the first program 11; for what is common to both, only the first module execution unit 13 of the first program 11 is described below.
When the first application 12 calls a module, the first module execution unit 13 executes the program whose operation is represented by the flowchart of FIG. 7. The call gives the first module execution unit 13 the identifier of the module function and the input values. The first module execution unit 13 appends this identifier and the input values as a new row of the first module input table 15 (S701). It then selects the module with which to carry out the call from the first application 12 (S702).
The module is selected from among the modules the first module execution unit 13 holds whose status in the first module management table 18 is "OK". The first module execution unit 13 makes its selection so that the modules executed by the first program 11 and the second program 21 differ; for example, the first module execution unit 13 selects modules in ascending order and the second module execution unit 23 in descending order. Ascending order means selecting the P module 41 by preference, the Q module 42 if the P module 41 is NG, and the R module 43 if the Q module 42 is also NG; descending order is the reverse. Since a module a program does not hold cannot be selected, the ascending or descending order is applied to the modules the program actually holds.
The first module execution unit 13 executes the function of the selected module and obtains the output value (S703). Then, to carry out the comparison, it obtains the contents of the second module output table 26 of the second module execution unit 23 in the second program 21 (S705). It repeats the processing of S706 to S710 described below for each row of the first module output table 16, advancing the row being processed (below, the "current row") one at a time (S705A). If, however, the first module execution unit 13 performs all of the operations of FIG. 7 every time the first application 12 calls a module, the output table contains only one row, and S705A and S710A described later may be treated as absent.
The first module execution unit 13 identifies the called function of the current row, looks up the output comparison class of that function in the first output comparison table 17, and judges whether the class is "Ignore" (S706). If it is "Ignore" (S706: Yes), it proceeds to S710A. If it is not "Ignore" (S706: No), it judges whether the class is "Compare if error" (S707). If it is "Compare if error" (S707: Yes), it proceeds to S708; if it is not (S707: No), it proceeds to S710.
In S708 the first module execution unit 13 judges whether the output values of the current row in the first program 11 and in the second program 21 are both values indicating success, or whether at least one of them indicates failure. If both indicate success, no evaluation is needed and it proceeds to S710A; if at least one indicates failure, it proceeds to S709. In S709 it judges whether the output values of the current row in the first program 11 and in the second program 21 both indicate an error, or only one of them does.
If both indicate an error, it proceeds to S710 to compare them; if only one indicates an error, it proceeds to the fault identification processing of S720, whose details are described later with reference to FIG. 8. In S710 the first module execution unit 13 judges whether the output value of the current row in the first program 11 and that in the second program 21 agree. If they agree, it proceeds to S710A; if they do not, it proceeds to the fault identification processing of S720.
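The decision of steps S706 to S710, together with the "Compare if error" rationale given for the first output comparison table 17, as an added example in C (it is not the patent's own code). The comparison table is a constructed copy of what the text says FIG. 4 contains, the sample outputs are those of FIG. 6, and the convention that a negative return value is an error is taken from the memory-allocation example in the text; the function names, the fail-closed default for a function missing from the table and the `long` output type are assumptions.

```c
/* Added example, not from the patent: the output-comparison decision of
 * steps S706-S710 driven by an output comparison table keyed by function
 * name. Function names, the table contents and the "negative = error"
 * convention are assumptions taken from the worked example in the text. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Output comparison class, as held in the first output comparison table 17. */
enum cmp_class { CMP_COMPARE, CMP_IGNORE, CMP_COMPARE_IF_ERROR };

/* Result of checking one row of the two output tables. */
enum cmp_result { CMP_SKIPPED, CMP_MATCH, CMP_MISMATCH };

struct cmp_entry { const char *func; enum cmp_class cls; };

/* Constructed table mirroring FIG. 4 as the text describes it. */
static const struct cmp_entry cmp_table[] = {
    { "Function A", CMP_COMPARE },
    { "Function B", CMP_IGNORE },
    { "Function C", CMP_COMPARE_IF_ERROR },
};

/* Look up the class of a function. A function missing from the table is
 * treated as "Compare" (assumption: fail closed, never silently ignore). */
enum cmp_class lookup_class(const char *func)
{
    for (size_t i = 0; i < sizeof cmp_table / sizeof cmp_table[0]; i++)
        if (strcmp(cmp_table[i].func, func) == 0)
            return cmp_table[i].cls;
    return CMP_COMPARE;
}

/* Assumed error convention from the allocation example in the text:
 * negative return value = error code, zero or positive = success. */
static int is_error(long v) { return v < 0; }

/* Steps S706-S710 for one row: out1 is the first program's output,
 * out2 the second program's output for the same call. */
enum cmp_result check_outputs(const char *func, long out1, long out2)
{
    enum cmp_class cls = lookup_class(func);

    if (cls == CMP_IGNORE)
        return CMP_SKIPPED;                           /* S706: Yes -> S710A */

    if (cls == CMP_COMPARE_IF_ERROR) {                /* S707: Yes */
        if (!is_error(out1) && !is_error(out2))
            return CMP_SKIPPED;                       /* S708: both succeeded */
        if (is_error(out1) != is_error(out2))
            return CMP_MISMATCH;                      /* S709: only one failed -> S720 */
        /* both failed: the error codes themselves are compared below */
    }

    return out1 == out2 ? CMP_MATCH : CMP_MISMATCH;   /* S710 */
}

/* Replays the three calls of FIG. 6 (P module vs. Q module). Returns the
 * zero-based index of the first row whose outputs mismatch, or -1 if every
 * row passes, i.e. whether the fault identification of S720 is needed. */
int first_mismatch_row(void)
{
    static const char *funcs[] = { "Function A", "Function B", "Function C" };
    static const long p_out[] = { 0, 100, -1 };   /* first module output table 16, FIG. 6(b) */
    static const long q_out[] = { 0, 200, -2 };   /* second module output table 26, FIG. 6(c) */

    for (int i = 0; i < 3; i++)
        if (check_outputs(funcs[i], p_out[i], q_out[i]) == CMP_MISMATCH)
            return i;
    return -1;
}

int main(void)
{
    int row = first_mismatch_row();
    if (row < 0)
        printf("all rows agree, outputs can be passed to the application\n");
    else
        printf("mismatch at row %d: fault identification (S720) required\n", row + 1);
    return 0;
}
```

Note that the "one succeeded, one failed" branch of S709 is reported as a mismatch without any value comparison: a module that succeeds where its peer returns an error is already evidence of a fault, and waiting for S710 would let a success value be compared against an error code as if they were of the same kind.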
In S710A the first module execution unit 13 judges whether every row of the output table has been processed; if some row has not, it makes that row the current row and returns to S706. If every row has been processed, it proceeds to S711, where it erases the information stored in the first module input table 15 and the first module output table 16. This avoids repeating the same comparison the next time the processing of FIG. 7 is executed and shortens the next comparison. The first module execution unit 13 then passes the output value obtained in S703 to the first application 12 and ends the processing of FIG. 7 (S712).
FIG. 8 is a flowchart showing the details of the fault identification processing, which is executed when the judgement in S709 or S710 of FIG. 7 is negative. First, the first module execution unit 13 selects from the first module management table 18 a module that is "OK" and is neither the module it used itself nor the module that produced the output obtained in S705 (S801). Which module produced the output obtained in S705 may be learned from the second program 21 by communication, or determined from prior knowledge of the module selection method of the second module execution unit 23. The module selected in S801 is called the alternative module below. For the function whose outputs disagreed in the processing of FIG. 7, the first module execution unit 13 feeds the input value recorded in the first module input table 15 to the alternative module and obtains its output value (S802).
The first module execution unit 13 then compares this output value with the two obtained so far (S803) and judges whether the alternative module's output agrees with either of the two output values compared in S710 of FIG. 7 (S804). If it agrees with one of them (S804: Yes), the module that produced the other output is identified as faulty and is set to "NG" in the first module management table 18 (S805). The first module execution unit 13 then clears the contents of the first module input table 15 and the first module output table 16, as in S711 (S806), outputs the majority value, that is, the output value of the alternative module, to the first application 12 (S807), and ends the processing of FIG. 8.
If in S804 the first module execution unit 13 judges that the alternative module's output agrees with neither of the other two, so that the outputs of the three modules do not all agree (S804: No), it moves to fault handling, taking into account the possibility that all of the modules are faulty (S811). Fault handling is, for example, processing that ensures safety by restricting functions, such as degraded operation. Reaching S811 requires two or more modules to share the same problem, for example the same bug, and its probability is extremely low.
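The module selection of S702, the choice of the alternative module in S801 and the majority vote of S803 to S811, as an added example in C (it is not the patent's own code). The module identifiers and the FIG. 6 values come from the text; the layout of the management table, the `long` output type and the replayed inputs are constructed. One assumption is worth stating: the text says the second module execution unit 23 selects in descending order, but taken literally (R, Q, P) that would make the second program 21 prefer the shared R module 43, whereas the description of operation has it preferring the Q module 42. The example therefore gives each program its own preference order with the R module 43 last, which is what the operation example requires.

```c
/* Added example, not from the patent: module selection (S702), alternative
 * module choice (S801) and majority-vote fault identification (S803-S811)
 * over a module management table. Table layout, preference orders and the
 * replayed output values are constructed from the FIG. 6 scenario. */
#include <stdio.h>

enum module_id { MOD_NONE = -1, MOD_P = 0, MOD_Q = 1, MOD_R = 2 };
enum status { STATUS_OK, STATUS_NG };
#define NMOD 3

/* Module management table (FIG. 5): status per module, plus which modules
 * this program actually holds (first program: P and R; second: Q and R). */
struct mgmt_table {
    enum status status[NMOD];
    int held[NMOD];
};

/* S702: first module in the program's preference order that is held and OK. */
enum module_id select_module(const struct mgmt_table *t, const enum module_id order[NMOD])
{
    for (int k = 0; k < NMOD; k++) {
        enum module_id m = order[k];
        if (t->held[m] && t->status[m] == STATUS_OK)
            return m;
    }
    return MOD_NONE;
}

/* S801: a held, OK module that neither program used, to break the tie. */
enum module_id select_alternative(const struct mgmt_table *t, enum module_id used1, enum module_id used2)
{
    for (int m = 0; m < NMOD; m++)
        if (m != (int)used1 && m != (int)used2 && t->held[m] && t->status[m] == STATUS_OK)
            return (enum module_id)m;
    return MOD_NONE;
}

/* S803-S811: three-way vote. Precondition: out1 != out2 (S710 was negative).
 * Marks the outvoted module NG (S805), stores the majority value for the
 * application (S807) and returns the faulty module. Returns MOD_NONE when
 * the alternative output agrees with neither, the S811 degraded-mode case. */
enum module_id identify_fault(struct mgmt_table *t,
                              enum module_id m1, long out1,
                              enum module_id m2, long out2,
                              long out_alt, long *agreed)
{
    enum module_id faulty;
    if (out_alt == out1)      faulty = m2;
    else if (out_alt == out2) faulty = m1;
    else return MOD_NONE;              /* S804: No -> S811 */
    *agreed = out_alt;
    t->status[faulty] = STATUS_NG;
    return faulty;
}

/* Replays FIG. 6 for the first program: P returned -1 and Q returned -2 for
 * Function C, the R module is consulted and (FIG. 6(d)) returns -2. */
enum module_id replay_fig6(struct mgmt_table *t1, long *agreed)
{
    static const enum module_id order1[NMOD] = { MOD_P, MOD_Q, MOD_R };
    static const enum module_id order2[NMOD] = { MOD_Q, MOD_P, MOD_R };   /* assumed: R last */
    struct mgmt_table t2 = { { STATUS_OK, STATUS_OK, STATUS_OK }, { 0, 1, 1 } };

    enum module_id m1 = select_module(t1, order1);          /* P module 41 */
    enum module_id m2 = select_module(&t2, order2);         /* Q module 42 */
    enum module_id alt = select_alternative(t1, m1, m2);    /* R module 43 */
    if (alt == MOD_NONE)
        return MOD_NONE;                                    /* nothing left to arbitrate: S811 */

    long out_p = -1, out_q = -2, out_r = -2;                /* constructed, from FIG. 6 */
    return identify_fault(t1, m1, out_p, m2, out_q, out_r, agreed);
}

int main(void)
{
    struct mgmt_table t1 = { { STATUS_OK, STATUS_OK, STATUS_OK }, { 1, 0, 1 } };
    static const enum module_id order1[NMOD] = { MOD_P, MOD_Q, MOD_R };
    long agreed = 0;
    enum module_id bad = replay_fig6(&t1, &agreed);
    printf("faulty module %d, agreed output %ld, first program now uses module %d\n",
           (int)bad, agreed, (int)select_module(&t1, order1));
    return 0;
}
```

After the P module 41 has been marked NG, `select_module` for the first program returns the R module 43, so two-module comparison continues as the text says. The same tables also show the limit of the scheme: if the R module 43 and the Q module 42 then disagree, `select_alternative` finds no OK module left in the first program and the only remaining action is the fault handling of S811, since there is no third opinion to vote with.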
(Description of operation)
In the first program 11 and the second program 21, applications performing the same operation are running, so unless a module has a fault such as a bug, the first program 11 and the second program 21 behave identically. As FIG. 1 shows, the modules provided in the first program 11 are the P module 41 and the R module 43, and those in the second program 21 the Q module 42 and the R module 43. Because the first program 11 gives preference to the P module 41 and the second program 21 to the Q module 42, the first program 11 and the second program 21 feed the same input to different modules. Their outputs are therefore expected to be the same value, and the first module execution unit 13 compares them. If they disagree, it is known that one of the modules has a fault, and the first application 12 can be prevented from using the output of the faulty module as it is.
If the two outputs disagree, the first module execution unit 13 further selects an alternative module, the R module 43 in the example above, and obtains a third output value by executing the R module 43. The first module execution unit 13 compares the three values from the P module 41, the Q module 42 and the R module 43 and determines the correct output by majority vote. It then judges the module whose output value belonged to the minority as the faulty module and records "NG" in the operation status of that module in the first module management table 18.
The first application 12 continues operating with the majority value from the vote described above. If, for example, the P module 41 has been identified as faulty, the first module execution unit 13 uses the R module 43 for subsequent module calls. Thus, even after one of the modules has been found faulty, cross-checking by two modules can continue, and the first application 12 is prevented from acting on the output of a faulty module. In other words, both the ability to continue processing while one module is faulty and the safety assurance obtained by cross-checking the outputs of two different modules are achieved.
Furthermore, most of the computing resources in the ECU 100 are consumed by the first application 12, which implements the functionality; the modules consume comparatively little. Because the ECU 100 compares module outputs as described above, it consumes fewer computing resources of the CPU 110 and fewer storage resources of the memory 120 than it would if it compared the outputs of the first application 12. In addition, because the ECU 100 executes only two kinds of module until fault identification processing is run, the use of computing resources is reduced in the same way.
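The detection (S706 to S710), identification (S801 to S811) and continued-operation behaviour described above, as an added C example that is not code from the patent. The speed-conversion function, the three implementations, the bug injected into the Q module and the table layout are all constructed here; the module management table keeps an "OK"/"NG" status per module in priority order, and a call that ends with no majority sets a degraded flag in place of the failure handling of S811.

```c
/* Added example (not from the patent): two-module cross-check with a third
 * module used only to break a tie, as in FIG. 7 / FIG. 8. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODULE_COUNT 3
enum { MOD_P = 0, MOD_Q = 1, MOD_R = 2 };

/* Same function, three independent implementations: wheel pulses in a 10 ms
 * window converted to speed in 0.1 km/h units (constructed function). */
typedef int32_t (*speed_fn)(int32_t pulses);
static int32_t speed_p(int32_t pulses) { return (pulses * 36) / 10; }
static int32_t speed_q(int32_t pulses) {
    if (pulses >= 1000) return pulses * 36;   /* constructed bug: wrong for large inputs */
    return (pulses * 36) / 10;
}
static int32_t speed_r(int32_t pulses) { return (int32_t)(((int64_t)pulses * 36) / 10); }

/* Module management table: rows in priority order, status "OK" (1) / "NG" (0). */
typedef struct { const char *name; speed_fn fn; int ok; } module_entry;
typedef struct { module_entry table[MODULE_COUNT]; int degraded; } executor;

static void executor_init(executor *ex) {
    const module_entry init[MODULE_COUNT] = {
        {"P", speed_p, 1}, {"Q", speed_q, 1}, {"R", speed_r, 1}};
    memcpy(ex->table, init, sizeof init);
    ex->degraded = 0;
}

/* S702: highest-priority "OK" module other than the excluded ones (-1 = none). */
static int select_module(const executor *ex, int exclude1, int exclude2) {
    for (int i = 0; i < MODULE_COUNT; i++)
        if (ex->table[i].ok && i != exclude1 && i != exclude2) return i;
    return -1;
}

/* One application call. Returns the value handed to the application, or
 * INT32_MIN when failure handling (S811) is entered. *identified receives the
 * index of a module marked "NG" during this call, or -1. */
static int32_t module_call(executor *ex, int32_t input, int *identified) {
    *identified = -1;
    int a = select_module(ex, -1, -1);
    int b = select_module(ex, a, -1);
    if (a < 0 || b < 0) { ex->degraded = 1; return INT32_MIN; }

    int32_t out_a = ex->table[a].fn(input);
    int32_t out_b = ex->table[b].fn(input);
    if (out_a == out_b) return out_a;                 /* S710: outputs agree */

    int c = select_module(ex, a, b);                  /* S801: alternative module */
    if (c < 0) { ex->degraded = 1; return INT32_MIN; }
    int32_t out_c = ex->table[c].fn(input);           /* S802 */

    if (out_c == out_a) { ex->table[b].ok = 0; *identified = b; return out_c; } /* S805 */
    if (out_c == out_b) { ex->table[a].ok = 0; *identified = a; return out_c; }
    ex->degraded = 1;                                 /* S811: no majority */
    return INT32_MIN;
}

/* Scenario helpers with fixed state so the steps can be replayed one call at a time. */
static executor g_ex;
static int g_id = -1;
static int32_t scenario_reset(void) { executor_init(&g_ex); g_id = -1; return 0; }
static int32_t scenario_call(int32_t input) { return module_call(&g_ex, input, &g_id); }
static int scenario_identified(void) { return g_id; }
static int scenario_module_ok(int m) { return g_ex.table[m].ok; }
static int scenario_degraded(void) { return g_ex.degraded; }

int main(void) {
    scenario_reset();
    printf("in=500  out=%d identified=%d\n", scenario_call(500), scenario_identified());
    printf("in=1200 out=%d identified=%d (Q)\n", scenario_call(1200), scenario_identified());
    printf("in=1500 out=%d degraded=%d (P and R now cross-check)\n",
           scenario_call(1500), scenario_degraded());
    return 0;
}
```

After the second call the Q module is "NG", and the third call is served by P and R, so the two-module cross-check continues exactly as the operation description states.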
According to the first embodiment described above, the following effects are obtained.
(1) The ECU 100 includes the memory 120, which stores the P module 41, the Q module 42 and the R module 43 (modules with the same function but different implementations); the CPU 110, which executes them; and the first module execution unit 13 and the second module execution unit 23, which detect a fault based on the outputs of the P module 41 and the Q module 42 computed by the CPU 110 (S706 to S710 in FIG. 7). The ECU 100 further includes the first module execution unit 13 and the second module execution unit 23 (S804 in FIG. 8), which, when a fault is detected by the fault detection processing of FIG. 7, start using the R module 43 and identify the faulty software module based on the outputs of the P module 41, the Q module 42 and the R module 43. That is, the ECU 100 has three modules but uses only two of them until a fault is detected, and uses the third only to identify the faulty module once a fault has been detected. The ECU 100 can therefore achieve both fault detection and fault identification with limited computing resources.
(2) The ECU 100 stops using a software module that has been identified as faulty (S804 to S805 in FIG. 8). The ECU 100 can therefore continue operating with fault-free software modules.
(3) When the first module execution unit 13 identifies either the P module 41 or the Q module 42 as the faulty software module (S804: Yes and S805 in FIG. 8), the ECU 100 detects faults based on the outputs of whichever of the P module 41 and the Q module 42 has not been identified as faulty and of the R module 43 (S702 in FIG. 7).
(4) The P module 41, the Q module 42 and the R module 43 include a software module built for a 32-bit CPU and a software module built for a 64-bit CPU. To allow execution in a wide range of environments, in other words to support several kinds of CPU, a library is often built separately for 32-bit and 64-bit CPUs. By using these, the first embodiment described above can be implemented by creating only one additional, independently implemented library.
(5) The P module 41 and the Q module 42 are executed in parallel on different CPU cores. The outputs of the P module 41 and the Q module 42 are therefore obtained quickly, and the presence or absence of a fault can be determined quickly.
(6) Each of the P module 41, the Q module 42 and the R module 43 contains a plurality of functions. The first output comparison table 17 defines the behaviour of S706 and S707 of the fault detection processing for each of these functions. The first module execution unit 13 refers to the first output comparison table 17 and decides the fault detection condition per function. The ECU 100 can therefore also handle software modules containing functions whose output value is not constant even in normal operation, for example a function that dynamically allocates a memory area and returns the start address of the allocated area.
(Modification 1)
In FIG. 7, output comparison is always performed, but the comparison need not be performed on every module call. For example, the comparison may be performed once every fixed number of module calls, for example every three calls. In that case a counter counts the number of calls and the comparison is performed only when the count is a multiple of three. Alternatively, the comparison may be performed at fixed time intervals, for example every 10 ms. In that case a timer device or the like measures time, and the comparison is performed when 10 ms or more have elapsed since the previous comparison. When the comparison is not performed, the input and output of that module call are appended to the first module input table 15 and the first module output table 16.
In this case the clear processing (S711) is not performed, so the comparisons can be performed together later. The output obtained from the module may simply be passed to the first application 12 as it is. This has the following advantages. If the comparison processing is performed every time, the time it takes may affect the control processing of the first application 12. Performing the comparisons in batches according to some criterion reduces that influence. It also becomes possible to perform the comparison processing at a time when its impact is small, such as during the waiting time of a periodic task. Note that when comparisons are batched, an incorrect value may already have been output to the application. Therefore, when a fault is detected, the application that used the faulty module needs to be handled, for example by taking over the state of the other, healthy application and continuing execution.
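The deferred comparison of Modification 1, as an added C example that is not code from the patent. Both triggers from the text are implemented: a call counter (every three calls) and a timer (10 ms since the last comparison); the tables, the row layout, the injected time source and the capacity guard are assumptions. The application receives each output before any check runs, which is exactly why a mismatch found in a later batch must be followed by the state takeover the text describes.

```c
/* Added example (not from the patent): batched output comparison
 * every N calls or every 10 ms, with the input/output tables kept
 * until the batch runs (no S711 clear in between). */
#include <stdint.h>
#include <stdio.h>

#define TABLE_ROWS 64
#define BATCH_EVERY_CALLS 3
#define BATCH_INTERVAL_MS 10

typedef struct {
    int32_t  input[TABLE_ROWS];   /* first module input table 15 (constructed layout)   */
    int32_t  out_a[TABLE_ROWS];   /* first module output table 16: own module's output  */
    int32_t  out_b[TABLE_ROWS];   /* peer module's output for the same row              */
    int      rows;
    uint32_t calls_since_check;
    uint32_t last_check_ms;
} deferred_checker;

static void checker_init(deferred_checker *c, uint32_t now_ms) {
    c->rows = 0; c->calls_since_check = 0; c->last_check_ms = now_ms;
}

/* Returns 1 when either trigger of Modification 1 says a comparison is due. */
static int check_due(const deferred_checker *c, uint32_t now_ms) {
    if (c->calls_since_check % BATCH_EVERY_CALLS == 0) return 1;
    return (now_ms - c->last_check_ms) >= BATCH_INTERVAL_MS;   /* unsigned: wrap-safe */
}

/* Compare every buffered row; return the index of the first mismatching row
 * or -1 when all agree, then clear the tables (the deferred S711). */
static int run_batch(deferred_checker *c, uint32_t now_ms) {
    int first_bad = -1;
    for (int i = 0; i < c->rows; i++)
        if (c->out_a[i] != c->out_b[i]) { first_bad = i; break; }
    c->rows = 0;
    c->calls_since_check = 0;
    c->last_check_ms = now_ms;
    return first_bad;
}

/* Record one call whose two outputs are already known. Returns -2 when no
 * comparison ran, otherwise the result of run_batch(). A full table forces a
 * batch so no row is ever silently dropped. */
static int record_call(deferred_checker *c, uint32_t now_ms,
                       int32_t input, int32_t out_a, int32_t out_b) {
    c->input[c->rows] = input;
    c->out_a[c->rows] = out_a;
    c->out_b[c->rows] = out_b;
    c->rows++;
    c->calls_since_check++;
    if (check_due(c, now_ms) || c->rows == TABLE_ROWS) return run_batch(c, now_ms);
    return -2;
}

/* Fixed-state helpers so the sequence can be replayed one call at a time. */
static deferred_checker g_c;
static int batch_reset(uint32_t now_ms) { checker_init(&g_c, now_ms); return 0; }
static int batch_feed(uint32_t now_ms, int32_t in, int32_t a, int32_t b) {
    return record_call(&g_c, now_ms, in, a, b);
}
static int batch_rows(void) { return g_c.rows; }

int main(void) {
    batch_reset(0);
    printf("t=1  -> %d (buffered)\n", batch_feed(1, 10, 36, 36));
    printf("t=2  -> %d (buffered)\n", batch_feed(2, 20, 72, 72));
    printf("t=3  -> %d (3rd call: batch, row 2 mismatches)\n", batch_feed(3, 30, 108, 109));
    printf("t=15 -> %d (12 ms elapsed: batch, all agree)\n", batch_feed(15, 40, 144, 144));
    printf("t=16 -> %d (buffered)\n", batch_feed(16, 50, 180, 180));
    return 0;
}
```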
(Modification 2)
In the flowcharts of FIGS. 7 and 8, module selection continues after a fault has been identified so that the dual system is maintained. However, once a fault has been identified, the application that used the faulty module may instead be stopped, and only the other application may continue operating thereafter. This modification is particularly effective when it is difficult for the application that used the faulty module to take over the state of the other, healthy application and continue execution. In other words, this modification is useful as a temporary measure until restart or repair.
(Modification 3)
In the embodiment described above, both the first program 11 and the second program 21 execute the processing shown in the flowchart of FIG. 8. However, when the first program 11 and the second program 21 select the same module as the alternative module, for example the R module 43 as described above, it is sufficient for only one of them to perform the processing. Therefore, the execution of the alternative module and the comparison processing (S801 to S804) may be performed by the module execution unit of only one of the programs, and the result passed to the other module execution unit. According to this modification, the other program or CPU core, which does not perform the comparison processing, can execute other processing in the meantime, improving CPU utilisation.
(Modification 4)
The ECU 100 has three modules, the P module 41, the Q module 42 and the R module 43, but it may have four or more kinds of module. For example, the first program 11 may have the P module 41 and the R module 43, and the second program 21 may have the Q module 42 and a Z module. In that case, during fault identification processing the first module execution unit 13 of the first program 11 executes the R module 43 and the second program 21 executes the Z module.
If the number of modules is even, the vote can end 2:2 with no majority; in that case an odd number of modules may be added, and each module execution unit may execute several modules. According to this modification, using more kinds of module further reduces the probability of failure. Also, by using N kinds of module having the same function but different implementations, the operation described in the first embodiment, that is, fault detection processing and fault identification processing, can be continued until faults have occurred in N-2 modules. This improves the continuity and availability of operation.
(Modification 5)
For the "output comparison classification" of the first output comparison table 17, FIG. 4 shows only three kinds: "Compare", "Ignore" and "Compare if error". However, the "output comparison classification" is not limited to these. For example, a classification may be provided that compares only on success regardless of the kind of error, or one that compares only whether the result was an error or a success. Further, a classification may be provided that compares only part of the output value, for example only the upper 3 bits or only the lower 1 bit. According to this modification, by creating classifications matched to the specification of the modules in use, the accuracy of fault determination is improved and faults can be detected promptly.
(Modification 6)
In the embodiment described above, the first program 11 and the second program 21 each have only one application. However, each program may have several applications that use the modules. In that case a column identifying the calling application is added to the first module input table 15, and information indicating the relationship between the calling application and the called function is stored. According to this modification, the effects of the embodiment described above are obtained even when a module is shared by several applications.
(Modification 7)
In the embodiment described above, the software modules such as the P module 41 and the R module 43 were described as separate from the first application 12. However, a software module may be a statically linked library built into the first application 12 in advance. In that case, the input to the P module 41 and the output from the P module 41, for example, are handled inside the first application 12.
(Modification 8)
In S801 of FIG. 8, the alternative module was selected as follows. The first module execution unit 13 selected a module whose operation status in the first module management table 18 is "OK", other than the module it used itself and the module that produced the output obtained in S705. That is, in S801 a module was selected that had been used by neither the first module execution unit 13 nor the second module execution unit 23. However, the module the unit did not execute itself, that is, the module that produced the output obtained in S705, may be executed as well.
According to this modification, the following effect is obtained.
(7) The CPU 110 includes the first CPU core 111 and the second CPU core 112. When the output of the P module 41 computed by the first CPU core 111 does not match the output of the Q module 42 computed by the second CPU core 112, the fault identification unit uses the output of the P module 41 computed by the second CPU core 112 and the output of the Q module 42 computed by the first CPU core 111 to identify that the first CPU core 111 or the second CPU core 112 is faulty.
This modification can therefore also handle hardware faults. For example, let the output value of the P module 41 executed by the first program 11 be output value A, the output value of the Q module 42 executed by the second program 21 be output value B1, the output value of the Q module 42 executed by the first program 11 be output value B2, and the output value of the R module 43 (the alternative module) executed by the first program 11 be output value C. By comparing output value B1 with output value B2, the ECU 100 can determine whether the mismatch between output value A and output value B1 is due to a hardware fault in the CPU core or similar that computed output value B1.
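The decision of Modification 8 as an added C example that is not code from the patent. Values A, B1, B2 and C follow the text; two points go beyond it and are assumptions: the P module is also re-run on the other core (A2) so that the same test can implicate the core that computed A, and when both cores reproduce each other's results the routine falls back to the three-way vote of FIG. 8 to blame a software implementation instead.

```c
/* Added example (not from the patent): separating a CPU-core fault from a
 * module-implementation fault by re-running each module on the other core. */
#include <stdint.h>
#include <stdio.h>

typedef enum {
    VERDICT_AGREE,        /* A == B1: nothing to identify                               */
    VERDICT_CORE_FAULT,   /* the same module gave different results on the two cores    */
    VERDICT_MODULE_Q,     /* cores consistent, C == A: Q's implementation is faulty     */
    VERDICT_MODULE_P,     /* cores consistent, C == B1: P's implementation is faulty    */
    VERDICT_UNRESOLVED    /* no majority, or both cores suspect: failure handling (S811) */
} verdict;

typedef struct { verdict v; int suspect_core; } diagnosis;   /* suspect_core 0 = none */

/* a1 = P on core 1 (A), a2 = P on core 2, b1 = Q on core 2 (B1),
 * b2 = Q on core 1 (B2), c = R on core 1 (C). */
diagnosis identify(int32_t a1, int32_t a2, int32_t b1, int32_t b2, int32_t c) {
    diagnosis d = { VERDICT_AGREE, 0 };
    if (a1 == b1) return d;
    int q_differs = (b1 != b2);   /* text: B1 != B2 implicates the core that computed B1 */
    int p_differs = (a1 != a2);   /* symmetric check (assumption): A != A2 implicates core 1 */
    if (q_differs && p_differs) { d.v = VERDICT_UNRESOLVED; return d; }
    if (q_differs) { d.v = VERDICT_CORE_FAULT; d.suspect_core = 2; return d; }
    if (p_differs) { d.v = VERDICT_CORE_FAULT; d.suspect_core = 1; return d; }
    /* Both cores compute P and Q consistently, so the disagreement is in the
     * software: fall back to the three-way vote of FIG. 8 (assumption). */
    if (c == a1)      d.v = VERDICT_MODULE_Q;
    else if (c == b1) d.v = VERDICT_MODULE_P;
    else              d.v = VERDICT_UNRESOLVED;
    return d;
}

int main(void) {
    diagnosis d = identify(4320, 4320, 43200, 4320, 4320);
    printf("Q differs across cores -> verdict %d, suspect core %d\n", d.v, d.suspect_core);
    d = identify(4320, 4320, 43200, 43200, 4320);
    printf("cores consistent, R sides with P -> verdict %d (Q faulty)\n", d.v);
    return 0;
}
```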
(Modification 9)
The module selection in S702 of FIG. 7 may be performed based on preset priorities. In that case a priority is set, for example, in each row of the first module management table 18, and the first module execution unit 13 selects the module whose operation status is "OK" and whose priority is highest. The same applies to the second module management table 28 and the second module execution unit 23.
(Modification 10)
Instead of communicating between CPU cores, the first CPU core 111 and the second CPU core 112 may read the area of the memory 120 in which the necessary information is stored. In that case, however, it is necessary to confirm that the other CPU core has also obtained the module output. This is self-evident when synchronous communication is used, and may otherwise be done by checking the number of rows recorded in the first module output table 16. If the other CPU core has not yet obtained the module output, the core waits until it has.
(Modification 11)
The plurality of modules described above may be libraries of different versions or revisions that have the same function and target the same architecture, because the implementation may differ between versions or revisions.
Furthermore, the plurality of modules described above need not be identical in every function; they may contain other functions as long as they contain the functions used by the application. For example, when an application calls functions A, B and C provided by a module, one module may provide only functions A to C while another also provides a function D in addition to functions A to C.
-Second embodiment-
A second embodiment of the ECU as a control device is described with reference to FIGS. 9 to 10. In the following description, components that are the same as in the first embodiment are given the same reference numerals, and mainly the differences are described. Points not specifically described are the same as in the first embodiment. This embodiment differs from the first mainly in that only one CPU core is provided.
FIG. 9 is a block diagram showing the configuration of an ECU 100A in the second embodiment. In FIG. 9, the CPU 110A of the ECU 100A has a first CPU core 111. The first CPU core 111 runs the first program 11. The first module execution unit 13B of the first program 11 runs three modules: the P module 41, the Q module 42 and the R module 43.
FIG. 10 is a flowchart showing the operation of the first module execution unit 13B in the second embodiment. In FIG. 10, processing identical to that of FIG. 7 in the first embodiment is given the same step numbers. The differences from FIG. 7 are that S702A is executed instead of S702, S703A is executed instead of S703, and S705 is not executed. The other steps are the same as in FIG. 7, so their description is omitted.
After executing S701, the first module execution unit 13B selects two modules for carrying out the call from the first application 12 (S702A). The selection method is the same as in the first embodiment. The first module execution unit 13B then executes the function of each selected module and obtains the output values (S703A). The subsequent processing is the same as in the first embodiment, so its description is omitted.
In this embodiment, when the first application 12 calls a module on the first CPU core 111, the first module execution unit 13 performs the computation with both the P module 41 and the Q module 42 and compares their output values. That is, the module executions that the first program 11 and the second program 21 performed separately in the first embodiment are performed within a single program. The processing for fault detection is therefore the same as in the first embodiment in that the same input is given to two different modules and their outputs are compared. Selecting and executing an alternative module to identify the fault and obtaining its output is also the same as in the first embodiment. Further, only one program executes the alternative module and performs the comparison, as in Modification 3 of the first embodiment. Thus this embodiment also allows faults to be detected and identified as in the first embodiment.
Compared with the first embodiment, this embodiment executes two modules on one CPU core at every module call, so the computing resources per CPU core required for fault detection increase. However, because this embodiment does not require several CPU cores, the number of CPU cores needed in the ECU 100 can be reduced. This yields either a reduction in the cost of the ECU 100 or an increase in efficiency by using the freed CPU core for other processing. The modifications described for the first embodiment can be applied to this embodiment in the same way.
-Third embodiment-
A third embodiment of the ECU as a control device is described with reference to FIGS. 11 to 12. In the following description, components that are the same as in the first embodiment are given the same reference numerals, and mainly the differences are described. Points not specifically described are the same as in the first embodiment. This embodiment differs from the first mainly in that a separate ECU is used to identify faults.
 図11は、第3の実施の形態における制御システムSの構成を表すブロック図である。制御システムSは、第1ECU1001と、第2ECU1002と、代替実行ECU1003とを備える。第1ECU1001、第2ECU1002、および代替実行ECU1003はそれぞれ、第1ネットワークインタフェース119、第2ネットワークインタフェース219、および第3ネットワークインタフェース1110を備え、ネットワークXを介して相互に通信ができる。ネットワークXの物理的な特性、およびネットワークXにおいて使用される通信プロトコルは特に制限されない。ネットワークXはたとえば、CAN(Car Area Network)またはIEEE802.3に対応する。 FIG. 11 is a block diagram showing the configuration of a control system S in the third embodiment. The control system S includes a first ECU 1001, a second ECU 1002, and an alternative execution ECU 1003. The first ECU 1001, the second ECU 1002, and the alternative execution ECU 1003 each include a first network interface 119, a second network interface 219, and a third network interface 1110, and can communicate with each other via the network X. The physical characteristics of the network X and the communication protocol used in the network X are not particularly limited. The network X corresponds to, for example, CAN (Car Area Network) or IEEE 802.3.
 第1ECU1001は、CPU110と、メモリ120とを備える。第2ECU1002は、CPU210と、メモリ220とを備える。代替実行ECU1003は、CPU310とメモリ320とを備える。CPU110、CPU210、およびCPU310のハードウエア構成は第1の実施の形態におけるCPU110と同様である。図11に示すように、Pモジュール41は第1ECU1001に格納され、Qモジュール42は第2ECU1002に格納され、Rモジュール43は代替実行ECU1003に格納される。第1モジュール実行部13Cは、第1の実施の形態における第1モジュール実行部13に相当するが、Rモジュール43を備えない点が第1モジュール実行部13と異なる。第2モジュール実行部23Cは、第1の実施の形態における第2モジュール実行部23に相当するが、Rモジュール43を備えない点が第2モジュール実行部23と異なる。 The first ECU 1001 includes a CPU 110 and a memory 120. The second ECU 1002 includes a CPU 210 and a memory 220. The alternative execution ECU 1003 includes a CPU 310 and a memory 320. The hardware configuration of the CPU 110, the CPU 210, and the CPU 310 is the same as that of the CPU 110 in the first embodiment. As shown in FIG. 11, the P module 41 is stored in the first ECU 1001, the Q module 42 is stored in the second ECU 1002, and the R module 43 is stored in the alternative execution ECU 1003. The first module execution unit 13C corresponds to the first module execution unit 13 in the first embodiment, but differs from the first module execution unit 13 in that the R module 43 is not provided. The second module execution unit 23C corresponds to the second module execution unit 23 in the first embodiment, but differs from the second module execution unit 23 in that the R module 43 is not provided.
 第1ECU1001のCPU110に内蔵される第1CPUコア111は、第1の実施の形態における第1CPUコア111と同様の動作を行う。ただし本実施の形態では、第2CPUコア112との通信はネットワークXを介して行われる点が第1の実施の形態と異なる。また第1ECU1001の第1モジュール実行部13Cは、Rモジュール43を自ら実行せずに代替実行ECU1003から実行結果を取得する。 The first CPU core 111 built in the CPU 110 of the first ECU 1001 performs the same operation as the first CPU core 111 in the first embodiment. However, the present embodiment is different from the first embodiment in that communication with the second CPU core 112 is performed via the network X. Further, the first module execution unit 13C of the first ECU 1001 does not execute the R module 43 itself, and acquires an execution result from the alternative execution ECU 1003.
 第2ECU1002のCPU210に内蔵される第2CPUコア112は、第1の実施の形態における第2CPUコア112と同様の動作を行う。ただし本実施の形態では、第1CPUコア111との通信はネットワークXを介して行われる点が第1の実施の形態と異なる。また第2ECU1002の第2モジュール実行部23Cは、Rモジュール43を自ら実行せずに代替実行ECU1003から実行結果を取得する。 The second CPU core 112 built in the CPU 210 of the second ECU 1002 performs the same operation as the second CPU core 112 in the first embodiment. However, the present embodiment is different from the first embodiment in that communication with the first CPU core 111 is performed via the network X. In addition, the second module execution unit 23C of the second ECU 1002 does not execute the R module 43 itself, and acquires an execution result from the alternative execution ECU 1003.
 代替実行ECU1003は、障害検出時に障害のあるモジュールを特定するためにRモジュール43を実行する。代替実行ECU1003は、障害の特定を行う代替モジュール実行部1140をメモリ320に備える。代替モジュール実行部1140はCPUコア1151により実行される。代替モジュール実行部1140は、障害特定のためのRモジュール43と、モジュール入力受信部1141と、モジュール出力送信部1142とを備える。モジュール入力受信部1141は、第3ネットワークインタフェース1110を介して、モジュールの関数を実行するための入力を受信する。モジュール出力送信部1142は、第3ネットワークインタフェース1110を介して、モジュールの関数を実行した出力を送信する。 The alternative execution ECU 1003 executes the R module 43 to identify a faulty module at the time of fault detection. The alternative execution ECU 1003 includes, in the memory 320, an alternative module execution unit 1140 that identifies a failure. The alternative module execution unit 1140 is executed by the CPU core 1151. The alternative module execution unit 1140 includes an R module 43 for fault identification, a module input reception unit 1141, and a module output transmission unit 1142. The module input reception unit 1141 receives an input for performing a function of a module through the third network interface 1110. The module output transmission unit 1142 transmits, through the third network interface 1110, an output obtained by executing the function of the module.
When the alternative module execution unit 1140 receives an input value from the first ECU 1001 or the second ECU 1002, it feeds that value to the R module 43 and returns the computed result to the sender of the input value.
FIG. 12 is a flowchart of the fault identification processing performed by the first module execution unit 13C and the second module execution unit 23C in this embodiment. Steps identical to those of FIG. 8 in the first embodiment carry the same step numbers; the only differences from FIG. 8 are that S1201 is executed instead of S801 and S1202 instead of S802. The remaining steps are as in FIG. 8 and are not described again. The operation of the first module execution unit 13C is described below as representative of both units.
On starting the fault identification processing, the first module execution unit 13C sends the input value to the alternative execution ECU 1130 (S1201), and then receives from the alternative execution ECU 1130 the result that the alternative module execution unit 1140 computed with the R module 43 (S1202). The remaining steps are as in FIG. 8.
According to the third embodiment described above, faults can be detected and identified as in the first embodiment even when the modules are executed by different ECUs.
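The detection and identification steps above, as an added example that is not part of the patent: two diversely implemented modules are compared on every call; on a mismatch the input value is sent to the alternative execution ECU, which answers with the R module's output, and the module that disagrees with the other two is quarantined. The function names ("hypot", "clamp"), the per-function comparison rules in the output comparison table (cf. claim 8) and the defect injected into module P are all constructed for this demonstration; RemoteModule stands in for the network round trip of S1201/S1202.

```python
"""Added example (not the patent's code): 2-of-3 fault detection and identification
with a third, remotely executed module. All module names, functions and the
injected defect are constructed for illustration."""
import math
from typing import Callable, Dict, List, Optional, Tuple

# Output comparison table (cf. claim 8): how the detection unit compares the outputs
# of each function. Diverse floating-point implementations may legitimately differ
# in the last bits, so "hypot" is compared with a tolerance; "clamp" is an integer
# function and must match exactly. Both entries are assumptions of this example.
MATCH_TABLE: Dict[str, Tuple[str, float]] = {
    "hypot": ("tolerance", 1e-9),
    "clamp": ("exact", 0.0),
}


def outputs_match(fn: str, a, b) -> bool:
    kind, tol = MATCH_TABLE[fn]
    return a == b if kind == "exact" else abs(a - b) <= tol


class LocalModule:
    """One implementation of a set of functions, executed on the local core."""
    def __init__(self, name: str, functions: Dict[str, Callable]):
        self.name, self.functions = name, functions

    def run(self, fn: str, args: tuple):
        return self.functions[fn](*args)


class RemoteModule:
    """Stand-in for the alternative execution ECU: the caller sends the input value
    (S1201) and receives the result computed with the R module (S1202)."""
    def __init__(self, module: LocalModule):
        self.module, self.requests = module, 0
        self.name = module.name

    def run(self, fn: str, args: tuple):
        self.requests += 1          # one network round trip per request
        return self.module.run(fn, args)


def identify_faulty(fn: str, modules: List[object], results: List[object]) -> Optional[object]:
    """Majority vote over three outputs: the module that disagrees with the other two
    (which agree with each other) is faulty. None when no two outputs agree."""
    for i, m in enumerate(modules):
        others = [results[j] for j in range(3) if j != i]
        if outputs_match(fn, others[0], others[1]) and not outputs_match(fn, results[i], others[0]):
            return m
    return None


class ModuleExecutionUnit:
    def __init__(self, first, second, standby):
        self.active = [first, second]   # compared on every call
        self.standby = standby          # R: consulted only after a mismatch
        self.faulty: Optional[str] = None

    def call(self, fn: str, *args):
        outs = [m.run(fn, args) for m in self.active]
        if outputs_match(fn, outs[0], outs[1]):
            return outs[0]
        # Fault detected. Identification: obtain the third output and vote.
        if self.standby is None:
            raise RuntimeError(f"{fn}: mismatch and no module left to arbitrate")
        modules = self.active + [self.standby]
        results = outs + [self.standby.run(fn, args)]
        bad = identify_faulty(fn, modules, results)
        if bad is None:
            raise RuntimeError(f"{fn}: no two modules agree, cannot identify the faulty one")
        # Stop using the faulty module (claim 2) and keep detecting with the
        # remaining pair, which now includes R (claim 3).
        self.faulty = bad.name
        self.active = [m for m in modules if m is not bad]
        self.standby = None
        return results[modules.index(self.active[0])]


def build_unit() -> Tuple[ModuleExecutionUnit, RemoteModule]:
    """Three independently written versions of the same two functions (constructed)."""
    p = LocalModule("P", {"hypot": lambda x, y: math.sqrt(x * x + y * y),
                          "clamp": lambda v: max(0, min(256, v))})   # injected defect: upper bound off by one
    q = LocalModule("Q", {"hypot": math.hypot,
                          "clamp": lambda v: 0 if v < 0 else 255 if v > 255 else v})
    r = RemoteModule(LocalModule("R", {"hypot": lambda x, y: (x ** 2 + y ** 2) ** 0.5,
                                       "clamp": lambda v: min(max(v, 0), 255)}))
    return ModuleExecutionUnit(p, q, r), r


if __name__ == "__main__":
    unit, alt = build_unit()
    print(unit.call("hypot", 3.0, 4.0))            # P and Q agree: R is not contacted
    print(unit.call("clamp", 300), unit.faulty)    # P says 256, Q says 255: R arbitrates, P is quarantined
    print(unit.call("clamp", -7), alt.requests)    # Q and R now form the detection pair
```

Once P is quarantined every detection round costs a request to the alternative ECU, which is why the page's Modifications 3 and 4 share that ECU across pairs and balance its load. The page does not say how the input values and results crossing network X are protected; in a deployment a practitioner would authenticate those messages, since a forged R result can decide which module is declared faulty.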
(Modification 1 of the third embodiment)
In the third embodiment described above, the first program 11 and the second program 21 run on different ECUs. They may instead run on different CPU cores of the same ECU, as in the ECU 100 of the first embodiment. In that case the fault detection processing is the same as in the first embodiment, and only the fault identification processing is the one described in the third embodiment. This reduces the number of ECUs required.
(Modification 2 of the third embodiment)
The first program 11 and the second program 21 may run on different CPU cores of the same ECU, and that ECU may additionally have a third CPU core that executes the alternative module execution unit 1140. In that case the network interface 1110 and the communication network bus 1120 can be realized as inter-core communication within the single ECU, so that only one ECU is required.
(Modification 3 of the third embodiment)
The third embodiment described above shows only one pair of ECUs, the first ECU 1101 and the second ECU 1102. There may be several such pairs performing the same kind of processing, and these pairs may share the alternative execution ECU 1130. Because the alternative execution ECU 1130 operates only when a fault has been detected, its utilization is low; serving requests from several pairs of ECUs raises it.
In this case the pairs of ECUs may all use the same modules or different ones. Suppose, for example, that modules S, T and U implement function A, modules V, W and X implement function B, and modules S, T, V and W are each stored in a different ECU. If the alternative execution ECU 1130 holds the remaining modules U and X and returns to each requesting ECU the result of module U or module X, according to the input value received from the ECUs holding S, T, V and W, a single alternative execution ECU serves both functions, and the number of alternative execution ECUs required is reduced.
(Modification 4 of the third embodiment)
In Modification 3 of the third embodiment there may be more than one alternative execution ECU 1130, and an ECU that executes one of the programs may additionally act as an alternative execution ECU 1130. Compared with Modification 3, the fault identification function then survives the failure of any single fault identification ECU, because another ECU can take it over.
When an ECU executing a program also acts as an alternative execution ECU 1130, each alternative execution ECU 1130 may further monitor the processing load and fault status of the other alternative execution ECUs 1130. For this, the alternative module execution unit 1140 transmits to the surrounding devices information giving the current computational load of the CPU 310 and whether it is currently computing with the R module 43. The first module execution unit 13C and the second module execution unit 23C use the information received from each alternative execution ECU 1130 to decide which one is to perform the computation with the R module 43: specifically, they select the alternative execution ECU 1130 that is not computing with the R module 43 and whose CPU 310 currently has the lowest load, and have it perform the computation.
This modification provides the following effect.
(8) The first ECU 1001 comprises the first network interface 119 for communicating with other computing devices, and the alternative module execution unit 1140 that outputs its current computational load to the other computing devices via that communication unit. The first module execution unit 13C decides, on the basis of the current load received, which alternative execution ECU 1003 is to compute the output of the third software module. The load can therefore be balanced across several alternative execution ECUs 1003.
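The selection rule of Modification 4 (and claim 7), as an added example that is not the patent's code: every alternative execution ECU periodically reports its load and whether it is busy with an R-module computation, and a requester picks the idle ECU with the lowest load. The status message layout, the rule that an ECU whose last report is older than 200 ms is treated as failed (the page only says that fault status is monitored), and the sample reports are assumptions of this example.

```python
"""Added example (not the patent's code): choosing an alternative execution ECU
from broadcast load/busy status messages. Message fields, the staleness rule
and the sample statuses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

STALE_AFTER_MS = 200   # assumption: an ECU whose last status is older is treated as failed


@dataclass(frozen=True)
class Status:
    ecu: str
    load: float        # current CPU 310 load, 0.0 (idle) .. 1.0 (saturated)
    busy: bool         # True while the ECU is computing with the R module
    sent_at_ms: int    # sender's timestamp on the status message


class AlternativeEcuDirectory:
    """Kept by a module execution unit: the latest status of every alternative execution ECU."""
    def __init__(self) -> None:
        self.latest: Dict[str, Status] = {}

    def observe(self, s: Status) -> None:
        prev = self.latest.get(s.ecu)
        if prev is None or s.sent_at_ms >= prev.sent_at_ms:   # drop reordered, older messages
            self.latest[s.ecu] = s

    def candidates(self, now_ms: int) -> List[Status]:
        """ECUs that are alive (recent status) and not busy with an R-module computation."""
        return [s for s in self.latest.values()
                if now_ms - s.sent_at_ms <= STALE_AFTER_MS and not s.busy]

    def select(self, now_ms: int) -> Optional[str]:
        """The ECU to ask for the R-module result: idle and least loaded. Ties are broken
        by name so that every requester makes the same choice. None if no ECU qualifies."""
        c = self.candidates(now_ms)
        return min(c, key=lambda s: (s.load, s.ecu)).ecu if c else None


def demo() -> Dict[str, Optional[str]]:
    """Constructed status messages from four alternative execution ECUs."""
    d = AlternativeEcuDirectory()
    d.observe(Status("alt-1", load=0.35, busy=False, sent_at_ms=1000))
    d.observe(Status("alt-2", load=0.10, busy=True,  sent_at_ms=1010))   # least loaded, but already running R
    d.observe(Status("alt-3", load=0.20, busy=False, sent_at_ms=1005))
    d.observe(Status("alt-4", load=0.05, busy=False, sent_at_ms=700))    # last heard 310 ms ago: treated as failed
    first = d.select(now_ms=1010)                                        # alt-3
    d.observe(Status("alt-2", load=0.12, busy=False, sent_at_ms=1050))   # alt-2 finished its R computation
    second = d.select(now_ms=1060)                                       # alt-2
    none_alive = d.select(now_ms=5000)                                   # every status is stale
    return {"first": first, "second": second, "none_alive": none_alive}


if __name__ == "__main__":
    print(demo())
```

When `select` returns None the requester has no arbiter left and must treat the mismatch as an unresolved fault rather than wait indefinitely; how long a real controller may wait is a safety-timing decision the page leaves open.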
(Modification 5 of the third embodiment)
In the third embodiment described above, the fault identification processing is performed by the first module execution unit 13C of the first ECU 1001 or the second module execution unit 23C of the second ECU 1002. It may instead be performed by the alternative module execution unit 1140. In that case the alternative execution ECU 1003 also obtains the output values of the modules executed on the first ECU 1001 and the second ECU 1002. The fault identification processing in the alternative module execution unit 1140 corresponds to S803 and S804 of FIG. 12; the alternative module execution unit 1140 then sends each ECU information identifying the module found to be faulty, and the first module execution unit 13C and the second module execution unit 23C receive it and carry out the processing from S805 onward. This modification balances the processing load of the module execution units 13C and 23C of the first ECU 1001 and the second ECU 1002 against that of the alternative module execution unit 1140.
In the embodiments and modifications described above each CPU core runs one program, but a CPU core may run several programs, and several CPU cores may share one program. In that case some or all of the code executed by each CPU core, and some or all of the data it uses, may differ, with as many distinct code and data sets stored as are needed. The code executed by the CPU 110 and read-only data may also be placed in non-volatile memory, with read-write data held in volatile memory.
The embodiments and modifications described above may be combined with one another. Although various embodiments and modifications have been described, the invention is not limited to them; other forms conceivable within the scope of the technical idea of the invention are also within its scope.
The disclosure of the following priority application is incorporated herein by reference:
Japanese Patent Application 2017-136657 (filed July 12, 2017)
Description of symbols
3 ... module
11 ... first program
12 ... first application
13, 13B, 13C ... first module execution unit
15 ... first module input table
16 ... first module output table
17 ... first output comparison table
18 ... first module management table
21 ... second program
22 ... second application
23, 23C ... second module execution unit
25 ... second module input table
26 ... second module output table
27 ... second output comparison table
28 ... second module management table
41 ... P module
42 ... Q module
43 ... R module
110 ... CPU
111 ... first CPU core
112 ... second CPU core

Claims (8)

  1.  A computing device comprising:
     a storage unit storing a first software module, a second software module and a third software module that have the same function but different implementations;
     an arithmetic unit that executes the first software module, the second software module and the third software module;
     a detection unit that detects a fault on the basis of the output of the first software module and the output of the second software module computed by the arithmetic unit; and
     a fault identification unit that, when the detection unit detects a fault, starts using the third software module and identifies the faulty software module on the basis of the output of the first software module, the output of the second software module and the output of the third software module.
  2.  The computing device according to claim 1,
     which stops using the software module identified as faulty by the fault identification unit.
  3.  The computing device according to claim 2,
     wherein, once the fault identification unit has identified either the first software module or the second software module as faulty, the detection unit detects faults on the basis of the output of the third software module and the output of whichever of the first and second software modules has not been identified as faulty.
  4.  The computing device according to claim 1,
     wherein the first software module, the second software module and the third software module include a software module for a 32-bit CPU and a software module for a 64-bit CPU.
  5.  The computing device according to claim 1,
     wherein the first software module and the second software module are executed in parallel.
  6.  The computing device according to claim 1,
     wherein the arithmetic unit comprises a first core and a second core, and
     the fault identification unit, when the output of the first software module computed by the first core does not match the output of the second software module computed by the second core, uses the output of the first software module computed by the second core and the output of the second software module computed by the first core to determine that the first core or the second core is faulty.
  7.  The computing device according to claim 1, further comprising:
     a communication unit that communicates with other such computing devices; and
     a load calculation unit that outputs the magnitude of the current computational load to the other computing devices via the communication unit,
     wherein the fault identification unit further comprises a computation command unit that determines, on the basis of the current computational load received, which computing device is to compute the output of the third software module.
  8.  The computing device according to claim 1,
     wherein each of the first software module, the second software module and the third software module contains a plurality of functions,
     the computing device further comprises an output comparison table that defines the operation of the detection unit for each of the plurality of functions, and
     the detection unit determines the fault detection condition for each function by referring to the output comparison table.
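The cross-core check of claim 6, as an added example that is not the patent's code. In normal operation core 1 runs the first module (P) and core 2 runs the second (Q); on a mismatch each module is also run on the other core. If every module gives the same output on both cores, the cores are consistent and the disagreement lies between the modules; if a module's output depends on the core it ran on, a core is at fault. Claim 6 stops there; this example goes one step further and settles which core by comparing against a reference output from the third module (the R module of the embodiments), and that step, the simulated hardware fault and the doubling functions are assumptions.

```python
"""Added example (not the patent's code): distinguishing a module fault from a
core fault by cross-execution, then locating the faulty core against a reference
output from the third module. Functions, the injected defect and the simulated
core fault are constructed."""
from typing import Callable, Optional


class Core:
    """A CPU core. `corrupt`, if set, simulates a hardware fault that alters every result."""
    def __init__(self, name: str, corrupt: Optional[Callable[[int], int]] = None):
        self.name, self.corrupt = name, corrupt

    def execute(self, fn: Callable[..., int], *args: int) -> int:
        out = fn(*args)
        return self.corrupt(out) if self.corrupt else out


def classify_mismatch(core1: Core, core2: Core, p: Callable, q: Callable, *args: int) -> str:
    """'ok' when P on core 1 agrees with Q on core 2; otherwise 'module' or 'core'."""
    p1, q2 = core1.execute(p, *args), core2.execute(q, *args)   # normal assignment (claim 6)
    if p1 == q2:
        return "ok"
    p2, q1 = core2.execute(p, *args), core1.execute(q, *args)   # cross-execution
    # Both modules reproduce their output on the other core: the modules disagree
    # with each other, so a module is faulty and the 3-module vote applies.
    # A module that changes its output with the core points at the core instead.
    return "module" if (p1 == p2 and q1 == q2) else "core"


def locate_faulty_core(core1: Core, core2: Core, p: Callable, reference: int, *args: int) -> Optional[str]:
    """Assumed follow-up step: the core whose output of P differs from the third
    module's reference output is faulty; None if neither or both differ."""
    bad = [c.name for c in (core1, core2) if c.execute(p, *args) != reference]
    return bad[0] if len(bad) == 1 else None


# Diverse implementations of one function (constructed), plus a defective variant of Q.
def p_double(v: int) -> int:
    return v * 2


def q_double(v: int) -> int:
    return v + v


def q_double_buggy(v: int) -> int:
    return v + v + (1 if v > 2 else 0)   # injected module defect


def r_double(v: int) -> int:
    return v << 1                        # third implementation, the reference


if __name__ == "__main__":
    good1, good2 = Core("core1"), Core("core2")
    print(classify_mismatch(good1, good2, p_double, q_double, 3))         # ok
    print(classify_mismatch(good1, good2, p_double, q_double_buggy, 3))   # module
    bad1 = Core("core1", corrupt=lambda v: v ^ 1)                          # simulated stuck bit
    print(classify_mismatch(bad1, good2, p_double, q_double, 3))          # core
    print(locate_faulty_core(bad1, good2, p_double, r_double(3), 3))      # core1
```

A deterministic core fault corrupts P and Q alike, so the two cores cannot locate the fault between themselves; that is why the extra reference output is needed before a core is taken out of service.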
PCT/JP2018/022681, Computation device, WO2019012907A1 (en): priority date 2017-07-12, filing date 2018-06-14.

Applications claiming priority (2)
JP2017-136657, priority date 2017-07-12
JP2017136657A / JP6802764B2 (en), priority and filing date 2017-07-12, Arithmetic logic unit

Publications (1)
WO2019012907A1 (en), published 2019-01-17

Family
ID=65001280
Family applications (1): PCT/JP2018/022681, WO2019012907A1 (en), Computation device, priority date 2017-07-12, filing date 2018-06-14

Country status (2)
JP (1): JP6802764B2 (en)
WO (1): WO2019012907A1 (en)

Families citing this family (2)
* Cited by examiner, † Cited by third party
US11720012B2, priority 2019-02-07, published 2023-08-08, Sony Group Corporation, Optical system
KR102618998B1 *, priority 2022-12-21, published 2024-01-02, 쿠팡 주식회사, User terminal for providing information notifying occurrence of errors of applications and method thereof

Citations (1)
* Cited by examiner, † Cited by third party
JP2004355233A *, priority 2003-05-28, published 2004-12-16, Nec Corp, Fault-tolerant system, program parallel execution method, fault detector for fault-tolerant system, and program

Also Published As

Publication number Publication date
JP2019020864A (en) 2019-02-07
JP6802764B2 (en) 2020-12-16


Legal events
121 (EP): the EPO has been informed by WIPO that EP was designated in this application. Ref document number 18831877, country EP, kind code A1.
NENP: non-entry into the national phase. Ref country code DE.
122 (EP): PCT application non-entry in European phase. Ref document number 18831877, country EP, kind code A1.