WO2021166108A1 - Task abnormality monitoring device, method, and program - Google Patents

Task abnormality monitoring device, method, and program Download PDF

Info

Publication number
WO2021166108A1
WO2021166108A1 PCT/JP2020/006466 JP2020006466W WO2021166108A1 WO 2021166108 A1 WO2021166108 A1 WO 2021166108A1 JP 2020006466 W JP2020006466 W JP 2020006466W WO 2021166108 A1 WO2021166108 A1 WO 2021166108A1
Authority
WO
WIPO (PCT)
Prior art keywords
time
task
deadline
wake
execution
Prior art date
Application number
PCT/JP2020/006466
Other languages
French (fr)
Japanese (ja)
Inventor
圭祐 堀井
整 山本
寿和 加藤
Original Assignee
三菱電機株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 三菱電機株式会社 filed Critical 三菱電機株式会社
Priority to PCT/JP2020/006466 priority Critical patent/WO2021166108A1/en
Priority to JP2021564624A priority patent/JP7026870B2/en
Publication of WO2021166108A1 publication Critical patent/WO2021166108A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring

Definitions

  • This disclosure relates to a task monitoring technology for detecting an abnormality in a task and shifting it to a safe state in a system in which a plurality of tasks operate.
  • Non-Patent Document 1 executes a monitoring task at a fixed cycle and confirms the behavior of the periodic task each time it wakes up.
  • the start time and end time of the process are recorded in the periodic task, and the monitoring task determines whether the elapsed time calculated from the start time and end time of the periodic task is within the deadline. Further, the monitoring task does not perform the determination process every cycle, and the monitoring frequency can be set for each cycle task.
  • An object of the present disclosure is to reduce the processing load while satisfying safety constraints when monitoring a plurality of tasks having different cycles.
  • the task abnormality monitoring device of the present disclosure is A deadline table that stores the time when the deadline of each execution task of multiple execution tasks is reached as the deadline time corresponding to each execution task, The total time that is not guaranteed to be in a safe state is calculated from the deadline time of each execution task and the abnormal treatment time of each execution task, and the total time is calculated from the wake-up time of the previous monitoring task to allow safety. Among the deadline times that are less than the time, the time that is after the latest deadline time and is less than the safe allowable time calculated from the previous wake-up time of the monitoring task is set as the next wake-up time of the monitoring task.
  • a wake-up time setting unit that wakes up the monitoring task at the wake-up time, It is provided with a task monitoring unit that executes the monitoring task that wakes up at the wake-up time.
  • the processing load can be reduced because the wake-up time setting unit sets the latest time less than the safety allowable time as the wake-up time of the next monitoring task.
  • Specific Example 2 of the scheduling table 851 according to the first embodiment. A specific example of the task table 883 according to the first embodiment.
  • a specific example of the abnormality treatment time table 836 according to the first embodiment.
  • FIG. 837 A specific example of the search table 837 according to the first embodiment.
  • the flowchart of the initialization processing in the task execution part 85 which concerns on Embodiment 1.
  • FIG. The flowchart of the initialization processing in the task monitoring unit 83 which concerns on Embodiment 1.
  • FIG. The flowchart at the time of a normal operation in the execution task 86 which concerns on Embodiment 1.
  • FIG. The flowchart of the task control unit 87 which concerns on Embodiment 1 at the time of a normal operation.
  • the flowchart at the time of a normal operation in the monitoring task 84 which concerns on Embodiment 1.
  • FIG. 5 is a flowchart during normal operation of the abnormality determination unit 841, the abnormality treatment unit 842, and the execution time acquisition unit 845 according to the first embodiment.
  • FIG. 5 is a flowchart during normal operation in the deadline table update unit 843 according to the first embodiment.
  • the flowchart at the time of normal operation in the wake-up time setting unit 844 which concerns on Embodiment 1.
  • FIG. The block diagram of the task abnormality monitoring apparatus which concerns on Embodiment 2.
  • FIG. A specific example of the deadline table 831 according to the second embodiment.
  • the flowchart at the time of a normal operation in the task control unit 87 which concerns on Embodiment 2.
  • FIG. The flowchart at the time of receiving the task information in the receiving task 89 which concerns on Embodiment 2.
  • FIG. The flowchart at the time of a normal operation in the monitoring task 84 which concerns on Embodiment 2.
  • FIG. 5 is a flowchart during normal operation in the deadline table update unit 843 according
  • FIG. 1 is a configuration diagram of a task abnormality monitoring device according to the first embodiment.
  • the task abnormality monitoring device includes a CPU (Central Processor Unit) 10, a timer 20, a secondary storage device 30, a communication interface 40, an input / output (Output) circuit 50, and a memory 80 as H / W (Hardware).
  • the program area 81 in the memory 80 has an execution task 86 of the task execution unit 85, a task control unit 87, and a monitoring task 84 of the task monitoring unit 83 as a task abnormality monitoring program.
  • a plurality of execution tasks 86 are operated by the task control unit 87.
  • a preferred example of the task control unit 87 is an RTOS (Real Time Operating System).
  • Each execution task 86 is a task for realizing the function of the ECU 100, and is a task for performing vehicle control processing. Further, each execution task 86 is a periodic task that wakes up at a fixed cycle.
  • the task monitoring unit 83 executes the monitoring task 84 that wakes up at the wake-up time.
  • the monitoring task 84 is a task that performs an abnormality determination process for the execution task 86 each time the user wakes up.
  • the task monitoring unit 83 calculates the wake-up time when the monitoring task 84 should wake up next after the monitoring task 84 performs the abnormality determination process for the execution task 86.
  • the execution task 86 includes an execution time recording unit 861 that records the processing time in the task execution log 881.
  • the execution time recording unit 861 stores the time when the processing of the execution task is completed in the task execution log 881 of the ring buffer structure based on the position information indicating the write destination in the ring buffer structure.
  • the task control unit 87 includes a task scheduling unit 871 that manages the scheduling of the execution task 86.
  • the task control unit 87 includes a task information update unit 872 that notifies the task monitoring unit 83 of the update of the task configuration.
  • the task information update unit 872 notifies the task information including the cycle of the execution task, the wake-up time of the execution task, and the deadline time of the execution task.
  • the monitoring task 84 includes an abnormality determination unit 841 that determines whether or not the execution task 86 exceeds the deadline.
  • the abnormality determination unit 841 sets the execution task for which the abnormality determination was completed at the time of the previous wake-up of the deadline table 831 to the execution task set at the wake-up time as the abnormality determination target task, and the end time of the abnormality determination target task is the deadline time. Abnormality judgment is performed based on whether or not the value falls between the previous value of and the latest value of the deadline time.
  • the abnormality determination target task is an execution task in which a deadline time after the wake-up time is set in the deadline table 831.
  • the monitoring task 84 includes an abnormality handling unit 842 that takes action on the execution task 86 in which an abnormality has occurred.
  • the abnormality handling unit 842 executes a treatment for the execution task 86 in which the abnormality has occurred, and returns the vehicle to a safe state.
  • the monitoring task 84 includes a deadline table update unit 843 that generates a deadline table 831 used for determining an abnormality and calculating a wake-up time.
  • the deadline table update unit 843 calculates the deadline time based on the task information and updates the deadline table 831.
  • the deadline table 831 stores the time when the deadline of each execution task of the plurality of execution tasks is reached as the deadline time corresponding to each execution task.
  • the deadline table 831 stores a plurality of execution tasks 86 arranged in order of deadline time.
  • the monitoring task 84 includes a wake-up time setting unit 844 that sets the next wake-up time of the monitoring task 84.
  • the wake-up time setting unit 844 sets the latest time less than the safe allowable time of each execution task as the next wake-up time of the monitoring task based on the deadline time of each execution task and the abnormality treatment time, and sets the wake-up time as the wake-up time.
  • the monitoring task 84 includes an execution time acquisition unit 845 that acquires the processing time of the execution task 86 from the task execution log 881.
  • the execution time acquisition unit 845 reads the task execution log 881 at the time when the processing of the execution task is completed based on the position information indicating the read destination in the ring buffer structure.
  • the CPU 10 may be either single core or multi-core, but if it is multi-core, the task execution unit 85 and the task monitoring unit 83 may be assigned to different cores.
  • Scheduling table 851 of the task execution unit 85 Execution log position table 852 of the task execution unit 85, Deadline table 831, task monitoring unit 83, Monitoring log position table 832 of task monitoring unit 83, Monitoring position 833 of task monitoring unit 83, Wake-up position 834 of task monitoring unit 83, Last deadline timetable 835 of task monitoring unit 83, Abnormal action time table 836 of task monitoring unit 83, Search table 837 of task monitoring unit 83, Search position 838 of task monitoring unit 83, Task execution log 881 of the shared unit 88, Task wake-up timetable 882 of common unit 88, Task table 883 of the shared unit 88, Task table update status 884 of the shared unit 88.
  • the data stored in the shared unit 88 can be accessed from either the task execution unit 85 or the task monitoring unit 83.
  • the CPU 10 is a processor.
  • the processor is an IC (Integrated Circuit) that performs arithmetic processing.
  • the processor is a device that executes a task abnormality monitoring program that operates in the task abnormality monitoring device.
  • the task abnormality monitoring program is a program that realizes the functions of the task execution unit 85 and the task monitoring unit 83.
  • a task is an execution unit in a task abnormality monitoring device that is a computer, and a preferred specific example of the task is a program executed by a processor.
  • the memory 80 is a storage device. Specific examples of the memory 80 are SRAM (Static Random Access SS Memory) and DRAM (Dynamic Random Access SS Memory). The memory 80 holds the calculation result of the processor.
  • the secondary storage device 30 is a storage device that stores data in a non-volatile manner.
  • a specific example of the secondary storage device 30 is an HDD (Hard Disk Drive).
  • the secondary storage device 30 may be a portable recording medium such as a memory card, a NAND flash, a flexible disk, an optical disk, a compact disk, or a DVD (Digital VerSail Disc).
  • the secondary storage device 30 is a computer-readable recording medium, and may store information in the program area 81 and the data area 82 of the memory 80.
  • the input / output circuit 50 has a port to which devices are connected, and data is input / output from each device.
  • a sensor 60 and an actuator 70 necessary for realizing the function of the ECU 100 are connected to the input / output circuit 50.
  • the communication interface 40 has a communication port for the processor to communicate with another device.
  • the processor reads and executes the task abnormality monitoring program from the memory 80.
  • the memory 80 not only the task abnormality monitoring program but also the OS (Operating System) is stored.
  • the processor executes the task abnormality monitoring program while executing the OS.
  • the task abnormality monitoring device may include a plurality of processors that replace the processors. These plurality of processors share the execution of the task abnormality monitoring program.
  • Each processor like the processor, is a device that executes a task abnormality monitoring program. Data, information, signal values and variable values used, processed or output by the task abnormality monitoring program are stored in the memory 80, the secondary storage device 30, or a register or cache memory in the processor.
  • the task abnormality monitoring program is a program that causes a computer to execute each process, each procedure, or each process by replacing "department" of the task execution unit 85 and the task monitoring unit 83 with "process", “procedure”, or "process”. ..
  • the task abnormality monitoring method is a method performed by the task abnormality monitoring device, which is a computer, executing the task abnormality monitoring program.
  • the task abnormality monitoring program may be provided by being stored in a computer-readable recording medium, or may be provided as a program product.
  • the functions of the task execution unit 85 and the task monitoring unit 83 are realized by software, but as a modification, the functions of the task execution unit 85 and the task monitoring unit 83 are realized by a combination of software and hardware. May be done. That is, a part of the functions of the task execution unit 85 and the task monitoring unit 83 may be realized by a dedicated electronic circuit, and the rest may be realized by software.
  • the dedicated electronic circuit is a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, a logic IC, a GA, an FPGA, or an ASIC.
  • GA is an abbreviation for Gate Array.
  • FPGA is an abbreviation for Field-Programmable Gate Array.
  • ASIC is an abbreviation for Application Special Integrated Circuit.
  • the processor, memory, and dedicated electronic circuit are collectively called "processing circuit". That is, the functions of the task execution unit 85 and the task monitoring unit 83 are realized by the processing circuit regardless of whether they are realized by software or a combination of software and hardware.
  • FIG. 2 shows an example of the scheduling table 851.
  • the task scheduling unit 871 schedules tasks according to the scheduling table 851.
  • the cycle here is the wake-up cycle of the execution task 86, and the deadline time is the permissible time from the wake-up of the execution task 86 to the completion of the process.
  • the value of each item in the scheduling table 851 is statically set before the program is generated. Further, each item does not have to be collected in one table and may be managed separately.
  • three tasks are woken up (registered in the ready queue) at the same time, and the tasks with the highest priority are executed in order.
  • the task scheduling unit 871 switches to the task with a higher priority and executes the process.
  • FIG. 3 shows an example of a scheduling table 851 having a data structure different from that of FIG. In FIG. 3, different wake-up times are set for each cycle, and it is possible to reduce the number of task switchings by intentionally shifting the wake-up time.
  • the scheduling table 851 may have a structure as shown in FIG.
  • FIG. 4 shows an example of the task table 883.
  • the task table 883 is used for notifying the task configuration from the task execution unit 85 to the task monitoring unit 83.
  • the task table 883 includes all the data of the scheduling table 851, and an item called a task update type is added. Set either "Add” or "Delete” for the task update type.
  • FIG. 5 shows a setting example of the task table update state 884.
  • the task table update status 884 is used for notifying the task monitoring unit 83 of the task table status from the task execution unit 85.
  • the task table update state 884 can be set to any of the four patterns shown in FIG.
  • FIG. 6 shows an example of the task wake-up time table 882.
  • the task wake-up time table 882 is used by the task execution unit 85 to notify the task monitoring unit 83 of the wake-up time of each execution task 86.
  • the wake-up time is a time indicating the wake-up timing of the execution task 86.
  • the task wake-up time table 882 is a collection of wake-up times for each task.
  • the wake-up time is not updated every cycle, but is updated only when a task is added, such as when the task is initialized and when the task is restarted. Further, only the latest value is stored in the task wake-up time table 882.
  • the wake-up times of the execution tasks 1, 2, and 3 are set to 1000, 1002, 1012, but the wake-up times of the execution tasks 1, 2, and 3 may all be the same time, for example, 1000.
  • FIG. 7 shows an example of the task execution log 881.
  • the task execution log 881 is a table in which the processing end time of the execution task 86 is recorded.
  • the task execution log 881 is used by the task execution unit 85 to notify the task monitoring unit 83 of the processing end time of each execution task 86.
  • the task execution log 881 can record the end times of a plurality of times for each task, and FIG. 7 shows an example of recording the past five times.
  • the task execution log 881 is a ring buffer structure, in FIG. 7 after recording up to l 4 is recorded in l 0.
  • FIG. 8 shows an example of the execution log position table 852 of the task execution unit 85 and the monitoring log position table 832 of the task monitoring unit 83.
  • the execution log position 859 and the monitoring log position 839 indicate the latest positions for each task in the task execution log 881.
  • the task execution unit 85 determines the next writing position according to the execution log position 859.
  • the task monitoring unit 83 determines the position to be read next according to the monitoring log position 839. Since the task execution unit 85 and the task monitoring unit 83 operate asynchronously, the log positions are stored in their respective local areas.
  • the initial values of the execution log position 859 and the monitoring log position 839 are set to 0.
  • the execution log position 859 and the monitoring log position 839 are position information indicating a write destination and a read destination in the ring buffer structure.
  • FIG. 9 shows an example of the deadline table 831.
  • the deadline table 831 aggregates the deadline times of the execution task 86 into one table, and is used for determining the task to be determined for abnormality and setting the next wake-up time of the monitoring task 84.
  • the deadline time is the absolute time when each task reaches the deadline.
  • FIG. 9 shows an example in which the wake-up times of the execution tasks 1, 2 and 3 are all 1000, and the initial deadline time is 1000.
  • the deadline times of each execution task shown in FIG. 2 are 8, 16, and 24. Can be calculated by adding.
  • the deadline time after the second wake-up can be calculated by adding the cycles 10, 20, and 30 to the first deadline time.
  • each wake-up schedule offset (t n ) is added to the first deadline time instead of the cycle.
  • the deadline time after the second wake-up can be calculated with.
  • FIG. 9 shows a deadline table 831 with a major cycle of 60.
  • the deadline table 831 on the left side of FIG. 9 is the deadline table 831 at the time of initialization.
  • the deadline table 831 is sorted in order of earliest deadline time as shown on the left side of FIG. 9 at the time of initialization.
  • the deadline time in the deadline table 831 is cyclically overwritten after the execution task is executed.
  • the deadline table 831 on the right side of FIG. 9 is a deadline table 831 in the middle of the first cycle, and is a deadline table 831 in which the deadline times of the upper two rows are updated.
  • the configuration of the deadline table 831 is updated at the time of initialization and at the time of updating the task configuration.
  • the monitoring position 833 indicates the position of the task to be determined as an abnormality, and the line number on the deadline table 831 is set in the monitoring position 833.
  • the initial value of the monitoring position 833 is 1.
  • the wake-up position 834 indicates the position of the deadline time that is the wake-up time of the monitoring task 84, and the line number of the deadline table 831 is set in the wake-up position 834.
  • the initial value of the wake-up position 834 is 1.
  • the search position 838 indicates the position of the deadline time as a wake-up time candidate, and the line number of the deadline table 831 is set at the search position 838.
  • the initial value of the search position 838 is 1.
  • FIG. 10 shows an example of the previous deadline timetable 835.
  • the previous deadline time is the deadline time that arrived one cycle before, and the previous deadline time table 835 is a collection of the latest values of the previous deadline time for each task.
  • the previous deadline timetable 835 is used for the abnormality determination process of the execution task 86, and is updated every time the abnormality determination process is completed once.
  • the initial value of the previous deadline time is set to 0.
  • FIG. 11 shows an example of the abnormal treatment time table 836.
  • the abnormal treatment time table 836 summarizes the abnormal treatment time required for the abnormal treatment for each task.
  • the abnormality treatment time is the time from the detection of an abnormality to the completion of the transition to the safe state.
  • FIG. 11 shows an example in which the treatment content differs for each task in which an abnormality has occurred. If the treatment content is the same for all tasks, only one abnormal treatment time needs to be defined.
  • the values in the anomaly treatment time table 836 are statically set before the program is generated.
  • FIG. 12 shows an example of the search table 837.
  • the search table 837 is for managing the deadline time which is a wake-up time candidate and the non-detection time for each deadline time, and is added every time the search position is updated.
  • the undetected time of each execution task is the time from each deadline time of each execution task to the wake-up time candidate.
  • the undetected time can be calculated by subtracting each deadline time of each execution task from the deadline time which is a wake-up time candidate indicated by the latest search position.
  • the non-detection time is the time during which the monitoring task 84 is not executed, and indicates the time during which the abnormality of the execution task is not detected.
  • FIG. 13 is a flowchart of the initialization process in the task execution unit 85.
  • Step S101 The task scheduling unit 871 starts task scheduling according to the scheduling table 851.
  • Step S102 The task information update unit 872 updates the task table 883 of the shared unit 88.
  • the update method basically, the contents of the scheduling table 851 are diverted, and all task update types are set to "addition".
  • the task information update unit 872 updates the task wake-up time table 882 of the shared unit 88.
  • a preferred method for acquiring the time is a method of reading from the timer 20.
  • the time may be the current time or the elapsed time since the system booted. However, the accuracy of the acquired time must be less than or equal to the shortest deadline time among the deadline times of all execution tasks.
  • FIG. 14 is a flowchart of the initialization process in the task monitoring unit 83. It is assumed that the initialization process of the task monitoring unit 83 is started after the initialization process of the task execution unit 85 is completed.
  • the deadline table update unit 843 acquires task information from the shared unit 88. Specifically, it is a task table 883 and a task wake-up time table 882.
  • the deadline table update unit 843 generates the deadline table 831 based on the task table 883 and the task wake-up time table 882 acquired from the shared unit 88.
  • the method of generating the deadline table 831 is as described above.
  • Step S204 The wake-up time setting unit 844 sets the first wake-up time of the monitoring task 84.
  • a flowchart for calculating the wake-up time is shown in FIG. Since the specific calculation method is the same as during normal operation, the details will be described later. If the initialization process takes time, the deadline time is set to the wake-up time for the first few times, and the deadline table 831 is generated and the wake-up time is calculated by dividing it into a plurality of wake-up times. May be good. Further, as a preferable setting method of the wake-up time, a method of putting the monitoring task to sleep after setting the time until the next wake-up in the timer 20 and waking up by the timer interrupt can be considered.
  • FIG. 15 is a flowchart of the execution task 86 during normal operation.
  • Step S301 Execution task 86 executes the main process.
  • the main process here is a process for realizing the function as the ECU 100, which has nothing to do with the monitoring function.
  • the execution time recording unit 861 records the end time of the main process in the task execution log 881.
  • the end time is acquired by using the timer 20.
  • the value acquired here must be of the same type as the first wake-up time (current time, elapsed time from the start of startup, etc.).
  • the execution time recording unit 861 writes the end time at the position indicated by the execution log position 859 of the execution task 86 that has executed the main process.
  • Step S303 Since the execution time recording unit 861 has updated the task execution log 881, the execution log position 859 is also updated. Specifically, the value obtained by adding 1 to the current log position may be updated to the remainder when divided by the size of the ring buffer.
  • FIG. 16 is a flowchart of the task control unit 87 during normal operation.
  • Step S401 The task scheduling unit 871 schedules tasks according to the scheduling table 851.
  • the task information update unit 872 confirms whether the task configuration has been updated.
  • the task abnormality monitoring device assumes an environment in which the task control unit 87 updates the contents of the scheduling table 851 in response to a task addition request or a task deletion request. Therefore, the task information update unit 872 can confirm the presence / absence of the additional task or the deletion task by referring to the scheduling table 851. If the task configuration has not been updated, it ends without doing anything.
  • Step S404 The task information update unit 872 confirms whether the update task type is "addition". This is because, in the case of an additional task, it is necessary to notify the task monitoring unit 83 of the task wake-up time table 882.
  • Step S405 If the update task type is "addition", the task information update unit 872 updates the task wake-up time table 882 of the shared unit 88.
  • the method of acquiring the wake-up time is the same as that at the time of initialization.
  • FIG. 17 is a flowchart of the monitoring task 84 during normal operation.
  • Step S501 The abnormality determination unit 841 uses the task execution log 881 and the deadline table 831 to determine whether or not the execution task has exceeded the deadline. The detailed processing procedure of the abnormality determination unit 841 will be described later.
  • Step S502 The deadline table update unit 843 updates the deadline table 831 when the task configuration is updated. If there is no need to update the deadline table 831, nothing is done in this step. Further, in an environment where the task configuration is not updated during operation, this step itself is unnecessary.
  • the wake-up time setting unit 844 uses the deadline table 831 to calculate the next wake-up time of the monitoring task 84 and sets it in the timer 20.
  • the wake-up time of the monitoring task 84 can be uniquely determined for each major cycle.
  • the wake-up time of the monitoring task 84 needs to be calculated only once at the time of initialization, and in this step, the wake-up time setting unit 844 does not calculate the next wake-up time of the monitoring task 84, and the timer 20 is set. Only set.
  • an item of wake-up time may be added to the deadline table 831. In FIG.
  • the item of the wake-up time is added to the deadline table 831, and the item of the wake-up time is set to 1 if the deadline time is the wake-up time and 0 if the deadline time is not the wake-up time. Details will be described later.
  • FIG. 18 is a flowchart of the abnormality determination unit 841 and the abnormality treatment unit 842 during normal operation (step S501).
  • Step S601 the abnormality determination unit 841 determines that the execution task indicated by the monitoring position 833 in the deadline table 831 is the abnormality determination target task.
  • the execution time acquisition unit 845 acquires the end time of the task subject to abnormality determination from the task execution log 881. At this time, the end time indicated by the monitoring log position 839 of the task is acquired.
  • Step S602 The abnormality determination unit 841 sets the execution task indicated by the monitoring position 833 of the deadline table 831 as the abnormality determination target task, and acquires the deadline time of the abnormality determination target task as the latest deadline time.
  • Step S603 The abnormality determination unit 841 acquires the previous deadline time of the task subject to abnormality determination from the previous deadline time table 835.
  • the abnormality determination unit 841 determines whether or not the execution task 86 has been completed within the deadline time. As a determination method, it is determined whether or not the end time acquired from the task execution log 881 is within the interval between the previous deadline time and the latest deadline time. "Last deadline time ⁇ end time ⁇ latest deadline time" If the wake-up of the execution task 86 fails, the end time becomes a time before the previous deadline time. Therefore, with this determination method, not only the deadline is exceeded but also the wake-up failure can be detected.
  • the abnormality treatment unit 842 takes measures for the task determined to be abnormal. Possible actions include saving logs, stopping / restarting tasks, and restarting the entire system.
  • the content of the abnormal treatment may be set individually for each task, or may be the same for all tasks.
  • Step S606 The abnormality determination unit 841 updates the previous deadline time of the previous deadline time table 835 with the latest deadline time for the abnormality determination of the next cycle.
  • Step S607 The abnormality determination unit 841 updates the monitoring position 833 in order to move the abnormality determination target to the next task.
  • 1 is added to the current value, and if the value exceeds the last row of the deadline table 831, it is cleared to 0.
  • Step S608 The abnormality determination unit 841 updates the deadline time in the deadline table 831 when the monitoring is completed. This is to prepare for the case where the deadline table 831 makes one round, and it is possible to update the time in the next major cycle by adding the least common multiple of the cycle.
  • Step S609 The abnormality determination unit 841 updates the monitoring log position 839 for the determination of the next cycle.
  • the log position is updated by the method of step S303 in FIG. 15 as in the execution log position 859.
  • Step S610 The abnormality determination unit 841 compares the updated monitoring position 833 with the wake-up position 834, and if the monitoring position 833 becomes a value larger than the wake-up position 834, it is determined that all the abnormality determination processes to be performed at the time of this wake-up have been completed. And end the process. On the other hand, if the monitoring position is equal to or lower than the wake-up position, the undetermined task still exists, so the process returns to step S601 and proceeds to the abnormality determination process of the next task.
  • FIG. 19 is a flowchart of the deadline table update unit 843 during normal operation (step S502).
  • the task configuration is updated during operation, for example, in order to restart the task when an abnormality occurs in the task, the task is temporarily deleted from the scheduling target and the task is restarted. It is conceivable that the task is added to the scheduling target again after completion.
  • Step S702 If the task configuration is updated, the deadline table update unit 843 acquires the update contents (task update type, updated task identifier, cycle, priority, deadline time, etc.) from the task table 883. If the task update type is "addition", the task wake-up time table 882 is also acquired.
  • Step S703 The deadline table update unit 843 confirms whether the task update type is "addition".
  • Step S704 The deadline table update unit 843 adds the deadline time of the additional task to the deadline table 831 when the task update type is "addition". At this time, the deadline time is added for the major cycle before the task is added.
  • Step S705 The deadline table update unit 843 confirms whether the task update type is "delete”. If the task update type is neither "add” nor "delete”, it is determined that the task table update status 884 is incorrect, and the deadline table 831 ends without updating.
  • Step S706 When the task update type is "delete", the deadline table update unit 843 deletes all the deadline times of the corresponding task from the deadline table 831.
  • Step S707 The deadline table update unit 843 refers to the task table 883 and confirms whether or not there is the next update content. If there is the next update content, the process returns to step S701. When the updated contents are confirmed up to the end of the task table 883, the process proceeds to the next step.
  • the deadline table update unit 843 confirms whether or not the major cycle needs to be changed by updating the task configuration. This is because when the major cycle changes, it is necessary to change the range of deadline time registered in the deadline table.
  • the deadline table update unit 843 updates the deadline time according to the change in the major cycle. If the major cycle is long, add the deadline time in the shortage range. On the other hand, if the major cycle becomes shorter, the unnecessary deadline time is deleted.
  • the task table 883, the task wake-up time table 882, and the task table update state 884 required for updating the deadline table 831 are data updated from the task execution unit 85. Therefore, when it is necessary to refer to the task table 883, the deadline table update unit 843 prohibits the update from the task execution unit 85 until the task table update state 884 is updated by exclusive control.
  • FIG. 20 is a flowchart of the wake-up time setting unit 844 during normal operation (step S503).
  • Step S801 The wake-up time setting unit 844 searches the deadline table 831 for the next wake-up time of the monitoring task 84. Since the search starts after the current wake-up position 834, the first search position 838 is set to the wake-up position 834 + 1. Since the deadline table 831 is sorted in the order of earliest time, the deadline time closest to the current time is the first wake-up candidate.
  • FIG. 12 shows the search table 837 when the wake-up position 834 of the deadline table 831 of FIG. 9 is the row number 9.
  • Step S802 The wake-up time setting unit 844 acquires the deadline time indicated by the search position 838 from the deadline table 831.
  • the acquired deadline time is used until the wake-up time is determined, it is registered in the search table 837.
  • the wake-up time setting unit 844 acquires the deadline time 1056 of the task 2 indicated by the search position 838 from the deadline table 831 and registers it in the first row of the search table 837.
  • Step S803 The wake-up time setting unit 844 acquires the abnormal treatment time of the task indicated by the search position 838 from the abnormal treatment time table 836.
  • the wake-up time setting unit 844 acquires the abnormal treatment time 8 of the task 2 indicated by the search position 838 from the abnormal treatment time table 836.
  • Step S804 The wake-up time setting unit 844 calculates the difference between the deadline time acquired in step S802 and each deadline time in the search table 837.
  • the difference between the deadline times is the undetected time for each row in the deadline table 831.
  • the difference in deadline time at the latest search position 838 is naturally 0.
  • the wake-up time setting unit 844 determines whether the total time G obtained by adding the abnormal treatment time of the task to the difference (non-detection time) of the deadline time calculated in step S804 is less than the FTTI (Fault Tolerant Time Interval) of the system. do.
  • the non-detection time is a time during which the monitoring task is not executed, a time during which the abnormality is not detected, and a waiting time until the abnormality detection is started.
  • the abnormal treatment time is the time during which the abnormal treatment unit 842 operates, and is the time from the detection of the abnormality to the return to the safe state. As shown in FIG. 11, the abnormality treatment time may be different for each execution task.
  • the total time G is the time from the occurrence of the abnormality to the completion of the abnormal treatment, and indicates the time during which the safe state is not guaranteed.
  • Undetected time Deadline time of search position-Total time of each deadline in the search table
  • G Undetected time + Abnormal treatment time
  • the monitoring execution time of monitoring task 84 is ignored compared to the undetected time and abnormal treatment time. It is supposed to be possible.
  • Total time G non-detection time + monitoring execution time + abnormal treatment time
  • FTTI is the permissible time from the occurrence of a failure to the transition to a safe state, and is defined in the functional safety standard ISO26262 for in-vehicle devices. By satisfying that the total time G is less than FTTI, it is possible to prevent the failure factor from spreading to other functions.
  • FTTI is a value defined for each system. The time to be compared here is not limited to FTTI as long as it is the allowable time from the occurrence of the abnormality to the completion of the abnormal treatment.
  • Step S806 The wake-up time setting unit 844 considers that if the total time G is less than FTTI, there is still time to execute the monitoring task 84, adds 1 to the search position, and the next row in the deadline table. Proceed with the judgment.
  • steps S801 to S806 are repeated as follows.
  • Step S802 The wake-up time setting unit 844 acquires the deadline time 1058 of task 1 indicated by the search position 838 from the deadline table 831 and registers it in the second row of the search table 837.
  • Step S803 The wake-up time setting unit 844 acquires the abnormal treatment time 1 of the task 1 indicated by the search position 838 from the abnormal treatment time table 836.
  • Step S804 The wake-up time setting unit 844 calculates the difference between the deadline time acquired in step S802 and each deadline time in the search table 837 and registers it in the search table 837.
  • Step S802 The wake-up time setting unit 844 acquires the deadline time 1068 of task 1 indicated by the search position 838 from the deadline table 831 and registers it in the third row of the search table 837.
  • Step S803 The wake-up time setting unit 844 acquires the abnormal treatment time 1 of the task 1 indicated by the search position 838 from the abnormal treatment time table 836.
  • Step S804 The wake-up time setting unit 844 calculates the difference between the deadline time acquired in step S802 and each deadline time in the search table 837 and registers it in the search table 837.
  • Step S802 The wake-up time setting unit 844 acquires the deadline time 1076 of the task 2 indicated by the search position 838 from the deadline table 831 and registers it in the fourth row of the search table 837.
  • Step S803 The wake-up time setting unit 844 acquires the abnormal treatment time 8 of the task 2 indicated by the search position 838 from the abnormal treatment time table 836.
  • Step S804 The wake-up time setting unit 844 calculates the difference between the deadline time acquired in step S802 and each deadline time in the search table 837 and registers it in the search table 837.
  • Step S807 Setting example of wake-up position 834 1
  • the wake-up time setting unit 844 sets the line number of the search position -1 to the wake-up position 834. This is because, from the result of the determination in step S805, the completion of the abnormal treatment is not in time for FTTI at the latest search position 838, so the search position 838 immediately before is set as the next wake-up position 834.
  • the deadline time of the search position-1 is the latest deadline time among the deadline times in which the total time G calculated from the deadline time of each execution task and the abnormal treatment time of each execution task is less than the safe allowable time. be.
  • the wake-up time setting unit 844 searches the deadline table 831 for an execution task that satisfies the following conditions. 1. 1. The deadline time is an execution task since the last wake-up time, 2. The total time G, which is the difference between the latest deadline time of the execution task and the previous deadline time of the execution task plus the abnormal treatment time of the execution task, is less than the safe allowable time. 3. 3. Among the execution tasks whose total time G is less than the allowable safety time, the execution task has the maximum total time G. The wake-up time setting unit 844 sets the deadline time of the execution task that maximizes the total time G among the searched execution tasks as the next wake-up time of the monitoring task 84.
  • the line number of the search position-1 may be set to the wake-up position 834, and the time T1 may be set as follows, which is obtained by subtracting the time E exceeding the FTTI from the deadline time of the search position.
  • the excess time E is the time during which the time from the occurrence of the abnormality to the completion of the abnormal treatment (total time G) exceeds the FTTI.
  • the time T1 is the time obtained by subtracting the time E from the deadline time of the search position.
  • the time T2 between the setting example 1 and the setting example 2 described above is set at the wake-up position 834.
  • the time T2 may be between 1068 and 1073.
  • the time is as follows.
  • the setting example 1 adopts the setting example 1 because the execution of the monitoring task 84 is slower.
  • Wake-up time (time of setting example 1 + time of setting example 2)
  • ⁇ 2 T2 (However, the deadline time of T2> search position-1)
  • the abnormal treatment unit 842 sets the abnormal treatment as a common abnormal treatment for all tasks, the abnormal treatment time is the same for all tasks. Therefore, the search table 837 is no longer necessary, and the determination may be made using only the total time G at the first search position 838. Specifically, each time 1 is added to the search position, the wake-up time setting unit 844 determines whether the total time G obtained by adding the abnormal treatment time to the non-detection time of the first search position 838 is less than FTTI. .. When the total time G calculated by the first search position 838 exceeds the FTTI, the wake-up time setting unit 844 sets the search position -1 to the wake-up position 834 as in the setting example 1.
  • Wake-up position 834 Search position-1
  • the total time G calculated by the first search position 838 in step S805 is calculated as follows.
  • the wake-up time setting unit 844 sets the line number 1 of the search position -1 to the wake-up position because the total time G calculated by the first search position 838 exceeds the FTTI. Set to 834.
  • the abnormal treatment time differs for each execution task, and if the abnormal treatment time of task 1 in FIG. 11 is 16, the third search will result in the following.
  • the search ends with the total time G calculated by the second search position 838.
  • the wake-up time setting unit 844 calculates the total time from the deadline time of each execution task and the abnormal treatment time of each execution task, and the total time is calculated from the wake-up time of the previous monitoring task. Then, the time that is after the latest deadline time that is less than the allowable safety time and is less than the allowable safety time calculated from the wake-up time of the previous monitoring task is set as the next wake-up time of the monitoring task. , The monitoring task is woken up at the wake-up time.
  • Step S808 The wake-up time setting unit 844 initializes the contents of the search table 837. This is because the search table 837 is created every time the monitoring task 84 wakes up, and the value of the search table 837 does not need to be carried over to the next cycle.
  • Step S809 When the wake-up time (time T1 or time T2) is not set at the wake-up position 834, the wake-up time setting unit 844 acquires the line number of the wake-up position 834 and sets the dead line number in the deadline table 831. Get the line time as the wake-up time.
  • the wake-up time setting unit 844 acquires the wake-up time set at the wake-up position 834.
  • the wake-up time setting unit 844 calculates the difference between the wake-up time and the current time, and sets the timer 20 as the dormant time of the monitoring task 84.
  • the task abnormality monitoring device of this embodiment includes the following. 1.
  • Task information update unit 872 which notifies the monitoring task of the execution task cycle, wake-up time, and deadline time.
  • Deadline table update unit 843 which generates a deadline table 831 that stores the time when the execution task calculated from the task information reaches the deadline.
  • Wake-up time setting unit 844 which sets the latest time within the range that satisfies FTTI as the next wake-up time based on the deadline table 831 and the abnormal treatment time for each execution task. 4.
  • the tasks from the task that completed the abnormality judgment at the time of the previous wakeup to the task at the deadline time set at the wakeup time this time are set as the tasks subject to the abnormality judgment, and the end time of the execution task is the previous value of the deadline time.
  • Abnormality determination unit 841 that performs abnormality determination based on whether or not it is within the latest value, 5.
  • Execution time recording unit 861 that writes to the task execution log 881 of the ring buffer structure that stores the time when the processing of the execution task is completed based on the position information indicating the write destination in the ring buffer structure.
  • Execution time acquisition unit 845 that reads the task execution log 881 based on the position information indicating the read destination in the ring buffer structure.
  • the deadline table update unit 843 calculates the deadline time of the execution task 86 and generates the deadline table 831.
  • the abnormality determination unit 841 performs abnormality determination processing in order from the task indicated by the monitoring position 833 based on the deadline table 831.
  • the wake-up time setting unit 844 sets the latest time within the range in which the FTTI can be satisfied as the wake-up time of the next monitoring task 84 based on the deadline table 831.
  • the processing load in the monitoring function can be roughly divided into three types: (1) wake-up processing of the monitoring task 84, (2) determination processing of the task subject to abnormality determination, and (3) abnormality determination processing.
  • the task abnormality monitoring device since the latest wake-up time is calculated from the deadline time of the execution task 86 and the FTTI, the number of wake-up times of the monitoring task 84 can be minimized, and the number of wake-ups of the monitoring task 84 can be minimized.
  • the processing load can be reduced. Further, since the abnormality determination processing is performed in order according to the deadline table 831, the determination processing of the abnormality determination target task becomes unnecessary, and the processing load of (2) can be reduced.
  • the task wake-up time table 882 is updated only at the time of initialization and at the time of changing the task configuration.
  • the wake-up time of the execution task 86 gradually changes due to the accuracy of the timer 20 or the influence of the interrupt task. There is a possibility of deviation.
  • the abnormality determination target task has been described as a periodic task, but the abnormality determination process may be performed including the interrupt task.
  • the cycle is set to 0 when the task information update unit 872 updates the task table 883.
  • the deadline table update unit 843 adds only one deadline time to the deadline table 831 for the interrupt task, and the abnormality determination unit 841 deletes the interrupt task from the deadline table after the abnormality determination is completed.
  • Embodiment 2 In the first embodiment, an example of passing the task execution log 881, the task wake-up time table 882, the task table 883, and the task table update state 884 from the task execution unit 85 to the task monitoring unit 83 via the shared memory will be described. bottom.
  • the second embodiment is an example in which, among these data, the task wake-up time table 882 and the task table 883 related to the update information of the task configuration are passed by using the inter-task communication instead of the shared memory. In the second embodiment, only the points different from the first embodiment will be described, and the same points will be omitted.
  • FIG. 21 is a configuration diagram of the task abnormality monitoring device according to the second embodiment.
  • the second embodiment is different from the first embodiment in that the task control unit 87 has a task information transmission unit 873 for transmitting task information by inter-task communication, and the task monitoring unit 83 has a reception task 89.
  • the receiving task 89 includes a task information receiving unit 891 that receives task information by inter-task communication.
  • the reception task 89 includes the deadline table update unit 843 and the wake-up time setting unit 844 provided in the monitoring task 84 in the first embodiment.
  • the task information transmission unit 873 transmits task information including the execution task cycle, the wake-up time of the execution task, and the deadline time of the execution task by inter-task communication.
  • the task information receiving unit 891 receives the task information.
  • the task information transmission unit 873 is included in the task control unit 87, but a task dedicated to the transmission function may be prepared.
  • the task monitoring unit 83 stores the task wake-up time table 882a and the task table 883a in the data area 82.
  • the task execution unit 85 stores the task wake-up time table 882b and the task table 883b in the data area 82.
  • FIG. 22 shows an example of the deadline table 831 according to the second embodiment.
  • an item called a wake-up time is added on the deadline table 831, and the monitoring task 84 sets the sleep time in the timer 20 according to the wake-up time.
  • FIG. 23 is a flowchart of the task control unit 87 during normal operation.
  • the operations of steps S401 to S406 of FIG. 23 are the same as the operations of steps S401 to S406 in the flowchart shown in FIG. Therefore, only the newly added step S407 will be described here.
  • Step S407 When the task configuration is changed, the task information transmission unit 873 transmits the task table 883b and the task wake-up time table 882b to the monitoring task.
  • the task table 883b and the task wake-up time table 882b are stored in the local area instead of the shared unit, so that exclusive control is not required. Further, since the transmission of the task information means the change of the task configuration, the task information update unit 872 in the first embodiment is also unnecessary.
  • FIG. 24 is a flowchart at the time of receiving task information in the receiving task 89.
  • the receiving task 89 is a task that wakes up triggered by receiving task information from the task execution unit 85.
  • the task information receiving unit 891 stores the task information transmitted from the task execution unit 85 as the task table 883a and the task wake-up time table 882a.
  • Step S902 The deadline table update unit 843 updates the deadline table 831 based on the updated task information.
  • the procedure for updating the deadline table 831 is the same as that except for step S701 and step S710 in FIG.
  • the wake-up time setting unit 844 calculates the wake-up time based on the deadline table 831.
  • the procedure for calculating the wake-up time of the wake-up time setting unit 844 is the same as that in FIG. Set to 1.
  • 1 is set in the item of the wake-up time of the line whose deadline time is the wake-up time. Further, by calculating the wake-up time for the major cycle when updating the task configuration, it is not necessary to calculate the wake-up time of the monitoring task 84 by the wake-up time setting unit 844.
  • Step S904 The wake-up time setting unit 844 updates the wake-up position 834 at the wake-up time closest to the current time based on the deadline table 831.
  • Step S905 The wake-up time setting unit 844 sets the timer 20 with the time until the deadline time indicated by the wake-up position 834 as the dormant time.
  • FIG. 25 is a flowchart of the monitoring task 84 during normal operation.
  • Step S1001 The abnormality determination unit 841 and the abnormality treatment unit 842 perform the abnormality determination process based on the deadline table 831.
  • the operation procedure of the abnormality determination process is the same as that in FIG.
  • Step S1002 The monitoring task 84 updates the wake-up position 834 based on the wake-up time item in the deadline table 831. Specifically, the monitoring task 84 then updates the wake-up position 834 to the line where the wake-up time is set to 1.
  • Step S1003 The monitoring task 84 sets the time until the deadline time indicated by the wake-up position 834 as the dormant time in the timer 20.
  • the receiving task 89 may operate during the operation of the monitoring task 84. Therefore, in the second embodiment, the execution priority of step S1001 in the monitoring task 84 is set to the highest, then the execution priority of the receiving task 89 is set to the highest, and the execution priority of steps S1002 and S1003 in the monitoring task 84 is set. Set the degree to the lowest. By doing so, in the second embodiment, it is possible to always set the wake-up time of the monitoring task 84 according to the latest task configuration. In the monitoring task 84, it is possible to set different execution priorities for each process by adopting a multi-thread configuration.
  • the task abnormality monitoring device of this embodiment includes the following. 1.
  • Task information transmission unit 873 which transmits task information such as the cycle of additional tasks or deletion tasks, deadline time, and wake-up time by inter-task communication when the task configuration is updated.
  • Task information receiver 891 which receives task information by inter-task communication,
  • the monitoring task 84 confirms the update of the task configuration when it wakes up, but there is a possibility that the monitoring task 84 reaches the deadline time of the task added while it is dormant.
  • the second embodiment considers such a possibility.
  • the task monitoring unit 83 is immediately notified that the task information updating unit 872 has updated the task table 883. Therefore, in the second embodiment, it is possible to grasp the update of the task configuration in real time, and it is possible to wake up the monitoring task 84 at a time that surely satisfies the FTTI.

Abstract

A task abnormality monitoring device comprising: a deadline table (831) for storing a time at which the deadline of each execution task in a plurality of execution tasks is reached, as a deadline time, in association with each execution task; a wake-up time setting unit (844) for calculating a total period from the deadline time of each of the execution tasks and the abnormality handling period of each of the execution tasks, setting, as a next wake-up time of the monitoring task, a time that is the latest deadline time or later among the deadline times at which the total period is less than a permissible safety period reckoning from the wake-up time of a previous monitoring task and is less than the permissible safety period reckoning from the wake-up time of the previous monitoring task, and awakening the monitoring task at the wake-up time; and a task monitoring unit (83) for executing the monitoring task that has been awakened at the wake-up time.

Description

[規則37.2に基づきISAが決定した発明の名称] タスク異常監視装置、方法及びプログラム[Name of invention determined by ISA based on Rule 37.2.] Task abnormality monitoring device, method and program
 この開示は、複数のタスクが動作するシステムにおいて、タスクに異常が発生したことを検出し、安全状態に移行させるためのタスク監視技術に関する。 This disclosure relates to a task monitoring technology for detecting an abnormality in a task and shifting it to a safe state in a system in which a plurality of tasks operate.
 複数の周期タスクを実行するような組み込み機器において、周期タスクは所定時間(デッドライン)以内に処理を完了させなければならない。また、周期タスクがデッドラインを超過してしまった場合は、タスクを停止・再起動させるといった処置を行う必要がある。そのために、周期タスクの処理状況を監視し、デッドラインを超過していないかどうかを監視する技術が検討されている。
 非特許文献1の方式は監視タスクを定周期で実行し、起床の度に周期タスクの挙動を確認するものである。従来の方式では周期タスクにて処理の開始時刻及び終了時刻を記録し、監視タスクは周期タスクの開始時刻及び終了時刻から算出した経過時間がデッドライン以内に収まっているかを判定する。また、監視タスクは毎周期判定処理を行うわけではなく、周期タスク毎に監視頻度を設定することが可能である。 In an embedded device that executes a plurality of periodic tasks, the periodic tasks must complete the processing within a predetermined time (deadline). In addition, when the periodic task exceeds the deadline, it is necessary to take measures such as stopping and restarting the task. Therefore, a technique for monitoring the processing status of periodic tasks and monitoring whether or not the deadline is exceeded is being studied.
The method of Non-Patent Document 1 executes a monitoring task at a fixed cycle and confirms the behavior of the periodic task each time it wakes up. In the conventional method, the start time and end time of the process are recorded in the periodic task, and the monitoring task determines whether the elapsed time calculated from the start time and end time of the periodic task is within the deadline. Further, the monitoring task does not perform the determination process every cycle, and the monitoring frequency can be set for each cycle task.
 周期が大きく異なるタスクが混在するようなシステムに対して従来の監視方式を適用する場合、監視タスクの起床周期を長くすると、処理負荷は低減できるものの異常発生から検知までに時間を要してしまう。一方、起床周期を短くすると異常発生を即座に検知できるものの処理負荷が増加する。
 本開示は、周期が異なる複数のタスクを監視する場合に安全上の制約を満たしつつ、処理負荷を抑えることが目的である。 When applying the conventional monitoring method to a system in which tasks with significantly different cycles are mixed, if the wake-up cycle of the monitoring task is lengthened, the processing load can be reduced, but it takes time from the occurrence of an abnormality to the detection. .. On the other hand, if the wake-up cycle is shortened, the occurrence of an abnormality can be detected immediately, but the processing load increases.
An object of the present disclosure is to reduce the processing load while satisfying safety constraints when monitoring a plurality of tasks having different cycles.
 本開示のタスク異常監視装置は、
 複数の実行タスクの各実行タスクのデッドラインに到達する時刻をデッドライン時刻として各実行タスクに対応させて、記憶するデッドラインテーブルと、
 前記各実行タスクの前記デッドライン時刻と前記各実行タスクの異常処置時間とから安全状態あることが保証されない合計時間を計算し、前記合計時間が前回の監視タスクの起床時刻から起算して安全許容時間未満であるデッドライン時刻のうち最も遅いデッドライン時刻以降であり前回の前記監視タスクの起床時刻から起算して安全許容時間未満となる時刻を前記監視タスクの次の起床時刻として設定し、前記起床時刻に前記監視タスクを起床させる起床時刻設定部と、
 前記起床時刻に起床した前記監視タスクを実行するタスク監視部と
を備える。 The task abnormality monitoring device of the present disclosure is
A deadline table that stores the time when the deadline of each execution task of multiple execution tasks is reached as the deadline time corresponding to each execution task,
The total time that is not guaranteed to be in a safe state is calculated from the deadline time of each execution task and the abnormal treatment time of each execution task, and the total time is calculated from the wake-up time of the previous monitoring task to allow safety. Among the deadline times that are less than the time, the time that is after the latest deadline time and is less than the safe allowable time calculated from the previous wake-up time of the monitoring task is set as the next wake-up time of the monitoring task. A wake-up time setting unit that wakes up the monitoring task at the wake-up time,
It is provided with a task monitoring unit that executes the monitoring task that wakes up at the wake-up time.
 本開示のタスク異常監視装置は、起床時刻設定部が安全許容時間未満で最も遅い時刻を次の監視タスクの起床時刻としてセットするので処理負荷の低減が可能である。 In the task abnormality monitoring device of the present disclosure, the processing load can be reduced because the wake-up time setting unit sets the latest time less than the safety allowable time as the wake-up time of the next monitoring task.
実施の形態1に係るタスク異常監視装置の構成図。The block diagram of the task abnormality monitoring apparatus which concerns on Embodiment 1. FIG. 実施の形態1に係るスケジューリングテーブル851の具体例1。Specific Example 1 of the scheduling table 851 according to the first embodiment. 実施の形態1に係るスケジューリングテーブル851の具体例2。Specific Example 2 of the scheduling table 851 according to the first embodiment. 実施の形態1に係るタスクテーブル883の具体例。A specific example of the task table 883 according to the first embodiment. 実施の形態1に係るタスクテーブル更新状態884の設定例。A setting example of the task table update state 884 according to the first embodiment. 実施の形態1に係るタスク起床時刻テーブル882の具体例。A specific example of the task wake-up time table 882 according to the first embodiment. 実施の形態1に係るタスク実行ログ881の具体例。A specific example of the task execution log 881 according to the first embodiment. 実施の形態1に係る監視ログ位置テーブル832と実行ログ位置テーブル852の具体例。Specific examples of the monitoring log position table 832 and the execution log position table 852 according to the first embodiment. 実施の形態1に係るデッドラインテーブル831の具体例。A specific example of the deadline table 831 according to the first embodiment. 実施の形態1に係る前回デッドライン時刻テーブル835の具体例。A specific example of the previous deadline timetable 835 according to the first embodiment. 実施の形態1に係る異常処置時間テーブル836の具体例。A specific example of the abnormality treatment time table 836 according to the first embodiment. 実施の形態1に係る探索テーブル837の具体例。A specific example of the search table 837 according to the first embodiment. 実施の形態1に係るタスク実行部85における初期化処理のフローチャート。The flowchart of the initialization processing in the task execution part 85 which concerns on Embodiment 1. FIG. 実施の形態1に係るタスク監視部83における初期化処理のフローチャート。The flowchart of the initialization processing in the task monitoring unit 83 which concerns on Embodiment 1. FIG. 実施の形態1に係る実行タスク86における通常動作時のフローチャート。The flowchart at the time of a normal operation in the execution task 86 which concerns on Embodiment 1. FIG. 実施の形態1に係るタスク制御部87における通常動作時のフローチャート。The flowchart of the task control unit 87 which concerns on Embodiment 1 at the time of a normal operation. 実施の形態1に係る監視タスク84における通常動作時のフローチャート。The flowchart at the time of a normal operation in the monitoring task 84 which concerns on Embodiment 1. FIG. 実施の形態1に係る異常判定部841と異常処置部842と実行時刻取得部845における通常動作時のフローチャート。FIG. 5 is a flowchart during normal operation of the abnormality determination unit 841, the abnormality treatment unit 842, and the execution time acquisition unit 845 according to the first embodiment. 実施の形態1に係るデッドラインテーブル更新部843における通常動作時のフローチャート。FIG. 5 is a flowchart during normal operation in the deadline table update unit 843 according to the first embodiment. 実施の形態1に係る起床時刻設定部844における通常動作時のフローチャート。The flowchart at the time of normal operation in the wake-up time setting unit 844 which concerns on Embodiment 1. FIG. 実施の形態2に係るタスク異常監視装置の構成図。The block diagram of the task abnormality monitoring apparatus which concerns on Embodiment 2. FIG. 実施の形態2に係るデッドラインテーブル831の具体例。A specific example of the deadline table 831 according to the second embodiment. 実施の形態2に係るタスク制御部87における通常動作時のフローチャート。The flowchart at the time of a normal operation in the task control unit 87 which concerns on Embodiment 2. FIG. 実施の形態2に係る受信タスク89におけるタスク情報受信時のフローチャート。The flowchart at the time of receiving the task information in the receiving task 89 which concerns on Embodiment 2. FIG. 実施の形態2に係る監視タスク84における通常動作時のフローチャート。The flowchart at the time of a normal operation in the monitoring task 84 which concerns on Embodiment 2. FIG.
 実施の形態1.
<構成の説明> Embodiment 1.
<Explanation of configuration>
 図1は、実施の形態1に係るタスク異常監視装置の構成図である。実施の形態1ではタスク異常監視装置が車両制御を行うECU(Electric Control Unit)100に搭載されている場合を例に説明する。タスク異常監視装置はH/W(Hardware)として、CPU(Central Processor Unit)10、タイマ20、二次記憶装置30、通信インタフェース40、入出力(Input Output)回路50、及び、メモリ80を備える。 FIG. 1 is a configuration diagram of a task abnormality monitoring device according to the first embodiment. In the first embodiment, a case where the task abnormality monitoring device is mounted on the ECU (Electronic Control Unit) 100 that controls the vehicle will be described as an example. The task abnormality monitoring device includes a CPU (Central Processor Unit) 10, a timer 20, a secondary storage device 30, a communication interface 40, an input / output (Output) circuit 50, and a memory 80 as H / W (Hardware).
 メモリ80内のプログラム領域81は、タスク異常監視プログラムとして、タスク実行部85の実行タスク86と、タスク制御部87と、タスク監視部83の監視タスク84とを有する。タスク実行部85では、タスク制御部87で複数の実行タスク86が動作する。タスク制御部87の好適な例は、RTOS(Real Time Operating System)である。各実行タスク86はECU100の機能を実現するためのタスクであり、車両制御処理を行うタスクである。また、各実行タスク86は一定周期で起床する周期タスクとする。
 タスク監視部83は、起床時刻に起床する監視タスク84を実行する。監視タスク84は起床する度に実行タスク86に対して異常判定処理を行うタスクである。タスク監視部83は、監視タスク84が実行タスク86に対する異常判定処理を行った後に、監視タスク84が次に起床すべき起床時刻を算出する。 The program area 81 in the memory 80 has an execution task 86 of the task execution unit 85, a task control unit 87, and a monitoring task 84 of the task monitoring unit 83 as a task abnormality monitoring program. In the task execution unit 85, a plurality of execution tasks 86 are operated by the task control unit 87. A preferred example of the task control unit 87 is an RTOS (Real Time Operating System). Each execution task 86 is a task for realizing the function of the ECU 100, and is a task for performing vehicle control processing. Further, each execution task 86 is a periodic task that wakes up at a fixed cycle.
The task monitoring unit 83 executes the monitoring task 84 that wakes up at the wake-up time. The monitoring task 84 is a task that performs an abnormality determination process for the execution task 86 each time the user wakes up. The task monitoring unit 83 calculates the wake-up time when the monitoring task 84 should wake up next after the monitoring task 84 performs the abnormality determination process for the execution task 86.
 実行タスク86は、処理時間をタスク実行ログ881に記録する実行時刻記録部861を備える。
 実行時刻記録部861は、リングバッファ構造のタスク実行ログ881に対して、リングバッファ構造における書き込み先を示す位置情報に基づいて実行タスクの処理が終了した時刻を記憶する。
 タスク制御部87は、実行タスク86のスケジューリングを管理するタスクスケジューリング部871を備える。
 タスク制御部87は、タスク構成の更新をタスク監視部83に通知するタスク情報更新部872を備える。
 タスク情報更新部872は、実行タスクの周期と、実行タスクの起床時刻と、実行タスクのデッドライン時間とを含むタスク情報を通知する。 The execution task 86 includes an execution time recording unit 861 that records the processing time in the task execution log 881.
The execution time recording unit 861 stores the time when the processing of the execution task is completed in the task execution log 881 of the ring buffer structure based on the position information indicating the write destination in the ring buffer structure.
The task control unit 87 includes a task scheduling unit 871 that manages the scheduling of the execution task 86.
The task control unit 87 includes a task information update unit 872 that notifies the task monitoring unit 83 of the update of the task configuration.
The task information update unit 872 notifies the task information including the cycle of the execution task, the wake-up time of the execution task, and the deadline time of the execution task.
 監視タスク84は、実行タスク86がデッドラインを超過しているか否かを判定する異常判定部841を備える。
 異常判定部841は、デッドラインテーブル831の前回起床時に異常判定を完了した実行タスクから起床時刻に設定されている実行タスクまでを異常判定対象タスクとし、異常判定対象タスクの終了時刻がデッドライン時刻の前回値とデッドライン時刻の最新値との間に収まっているか否かで異常判定を行う。
 異常判定対象タスクとは、デッドラインテーブル831に前記起床時刻より後のデッドライン時刻が設定されている実行タスクである。
 監視タスク84は、異常が発生した実行タスク86の処置を行う異常処置部842を備える。
 異常処置部842は、異常が発生した実行タスク86に対して処置を実行し、車両を安全な状態に復帰させる。
 監視タスク84は、異常判定と起床時刻の算出とに利用するデッドラインテーブル831を生成するデッドラインテーブル更新部843を備える。
 デッドラインテーブル更新部843は、タスク情報に基づいて、デッドライン時刻を算出し、デッドラインテーブル831を更新する。
 デッドラインテーブル831は、複数の実行タスクの各実行タスクのデッドラインに到達する時刻をデッドライン時刻として各実行タスクに対応させて記憶する。
 デッドラインテーブル831は、複数の実行タスク86をデッドライン時刻順に並べて記憶している。
 監視タスク84は、監視タスク84の次回起床時刻を設定する起床時刻設定部844を備える。
 起床時刻設定部844は、各実行タスクのデッドライン時刻と異常処置時間とに基づいて、各実行タスクの安全許容時間未満で最も遅い時刻を監視タスクの次の起床時刻として設定し、起床時刻に監視タスクを起床させる。
 監視タスク84は、タスク実行ログ881から実行タスク86の処理時間を取得する実行時刻取得部845を備える。
 実行時刻取得部845は、タスク実行ログ881に対して、リングバッファ構造における読み込み先を示す位置情報に基づいて実行タスクの処理が終了した時刻の読み込みを行う。 The monitoring task 84 includes an abnormality determination unit 841 that determines whether or not the execution task 86 exceeds the deadline.
The abnormality determination unit 841 sets the execution task for which the abnormality determination was completed at the time of the previous wake-up of the deadline table 831 to the execution task set at the wake-up time as the abnormality determination target task, and the end time of the abnormality determination target task is the deadline time. Abnormality judgment is performed based on whether or not the value falls between the previous value of and the latest value of the deadline time.
The abnormality determination target task is an execution task in which a deadline time after the wake-up time is set in the deadline table 831.
The monitoring task 84 includes an abnormality handling unit 842 that takes action on the execution task 86 in which an abnormality has occurred.
The abnormality handling unit 842 executes a treatment for the execution task 86 in which the abnormality has occurred, and returns the vehicle to a safe state.
The monitoring task 84 includes a deadline table update unit 843 that generates a deadline table 831 used for determining an abnormality and calculating a wake-up time.
The deadline table update unit 843 calculates the deadline time based on the task information and updates the deadline table 831.
The deadline table 831 stores the time when the deadline of each execution task of the plurality of execution tasks is reached as the deadline time corresponding to each execution task.
The deadline table 831 stores a plurality of execution tasks 86 arranged in order of deadline time.
The monitoring task 84 includes a wake-up time setting unit 844 that sets the next wake-up time of the monitoring task 84.
The wake-up time setting unit 844 sets the latest time less than the safe allowable time of each execution task as the next wake-up time of the monitoring task based on the deadline time of each execution task and the abnormality treatment time, and sets the wake-up time as the wake-up time. Wake up a monitoring task.
The monitoring task 84 includes an execution time acquisition unit 845 that acquires the processing time of the execution task 86 from the task execution log 881.
The execution time acquisition unit 845 reads the task execution log 881 at the time when the processing of the execution task is completed based on the position information indicating the read destination in the ring buffer structure.
 CPU10はシングルコアであってもマルチコアのどちらでもよいが、マルチコアであればタスク実行部85とタスク監視部83は別々のコアに割り当てることが考えられる。 The CPU 10 may be either single core or multi-core, but if it is multi-core, the task execution unit 85 and the task monitoring unit 83 may be assigned to different cores.
 メモリ80内のデータ領域82には、以下を記憶する。
 タスク実行部85のスケジューリングテーブル851、
 タスク実行部85の実行ログ位置テーブル852、
 タスク監視部83のデッドラインテーブル831、
 タスク監視部83の監視ログ位置テーブル832、
 タスク監視部83の監視位置833、
 タスク監視部83の起床位置834、
 タスク監視部83の前回デッドライン時刻テーブル835、
 タスク監視部83の異常処置時間テーブル836、
 タスク監視部83の探索テーブル837、
 タスク監視部83の探索位置838、
 共有部88のタスク実行ログ881、
 共有部88のタスク起床時刻テーブル882、
 共有部88のタスクテーブル883、
 共有部88のタスクテーブル更新状態884。 The following is stored in the data area 82 in the memory 80.
Scheduling table 851 of the task execution unit 85,
Execution log position table 852 of the task execution unit 85,
Deadline table 831, task monitoring unit 83,
Monitoring log position table 832 of task monitoring unit 83,
Monitoring position 833 of task monitoring unit 83,
Wake-up position 834 of task monitoring unit 83,
Last deadline timetable 835 of task monitoring unit 83,
Abnormal action time table 836 of task monitoring unit 83,
Search table 837 of task monitoring unit 83,
Search position 838 of task monitoring unit 83,
Task execution log 881 of the shared unit 88,
Task wake-up timetable 882 of common unit 88,
Task table 883 of the shared unit 88,
Task table update status 884 of the shared unit 88.
 なお、共有部88に記憶するデータは、タスク実行部85とタスク監視部83のどちらからもアクセスすることが可能である。 The data stored in the shared unit 88 can be accessed from either the task execution unit 85 or the task monitoring unit 83.
 CPU10は、プロセッサである。プロセッサは、演算処理を行うIC(Integrated Circuit)である。プロセッサは、タスク異常監視装置で動作するタスク異常監視プログラムを実行する装置である。タスク異常監視プログラムは、タスク実行部85とタスク監視部83の機能を実現するプログラムである。
 タスクは、コンピュータであるタスク異常監視装置における実行単位であり、タスクの好適な具体例は、プロセッサにより実行されるプログラムである。 The CPU 10 is a processor. The processor is an IC (Integrated Circuit) that performs arithmetic processing. The processor is a device that executes a task abnormality monitoring program that operates in the task abnormality monitoring device. The task abnormality monitoring program is a program that realizes the functions of the task execution unit 85 and the task monitoring unit 83.
A task is an execution unit in a task abnormality monitoring device that is a computer, and a preferred specific example of the task is a program executed by a processor.
 メモリ80は、記憶装置である。メモリ80の具体例は、SRAM(Static Random AcceSS Memory)、DRAM(Dynamic Random AcceSS Memory)である。メモリ80は、プロセッサの演算結果を保持する。 The memory 80 is a storage device. Specific examples of the memory 80 are SRAM (Static Random Access SS Memory) and DRAM (Dynamic Random Access SS Memory). The memory 80 holds the calculation result of the processor.
 二次記憶装置30は、データを不揮発的に保管する記憶装置である。二次記憶装置30の具体例は、HDD(Hard DiSk Drive)である。また、二次記憶装置30は、メモリカード、NANDフラッシュ、フレキシブルディスク、光ディスク、コンパクトディスク、DVD(Digital VerSatile DiSk)といった可搬記録媒体であってもよい。
 二次記憶装置30は、コンピュータが読み取り可能な記録媒体であり、メモリ80のプログラム領域81とデータ領域82の情報を記憶してもよい。 The secondary storage device 30 is a storage device that stores data in a non-volatile manner. A specific example of the secondary storage device 30 is an HDD (Hard Disk Drive). Further, the secondary storage device 30 may be a portable recording medium such as a memory card, a NAND flash, a flexible disk, an optical disk, a compact disk, or a DVD (Digital VerSail Disc).
The secondary storage device 30 is a computer-readable recording medium, and may store information in the program area 81 and the data area 82 of the memory 80.
 入出力回路50は、装置が接続されるポートを有し、各装置からデータが入出力される。入出力回路50には、ECU100の機能を実現するために必要なセンサ60、アクチュエータ70が接続される。 The input / output circuit 50 has a port to which devices are connected, and data is input / output from each device. A sensor 60 and an actuator 70 necessary for realizing the function of the ECU 100 are connected to the input / output circuit 50.
 通信インタフェース40は、プロセッサが他の装置と通信するための通信ポートを有する。 The communication interface 40 has a communication port for the processor to communicate with another device.
 プロセッサは、メモリ80からタスク異常監視プログラムを読み込み実行する。メモリ80には、タスク異常監視プログラムだけでなく、OS(Operating SyStem)も記憶されている。プロセッサは、OSを実行しながら、タスク異常監視プログラムを実行する。タスク異常監視装置は、プロセッサを代替する複数のプロセッサを備えていてもよい。これら複数のプロセッサは、タスク異常監視プログラムの実行を分担する。それぞれのプロセッサは、プロセッサと同じように、タスク異常監視プログラムを実行する装置である。タスク異常監視プログラムにより利用、処理又は出力されるデータ、情報、信号値及び変数値は、メモリ80、二次記憶装置30、又は、プロセッサ内のレジスタあるいはキャッシュメモリに記憶される。 The processor reads and executes the task abnormality monitoring program from the memory 80. In the memory 80, not only the task abnormality monitoring program but also the OS (Operating System) is stored. The processor executes the task abnormality monitoring program while executing the OS. The task abnormality monitoring device may include a plurality of processors that replace the processors. These plurality of processors share the execution of the task abnormality monitoring program. Each processor, like the processor, is a device that executes a task abnormality monitoring program. Data, information, signal values and variable values used, processed or output by the task abnormality monitoring program are stored in the memory 80, the secondary storage device 30, or a register or cache memory in the processor.
 タスク異常監視プログラムは、タスク実行部85とタスク監視部83の「部」を「処理」、「手順」あるいは「工程」に読み替えた各処理、各手順あるいは各工程をコンピュータに実行させるプログラムである。 The task abnormality monitoring program is a program that causes a computer to execute each process, each procedure, or each process by replacing "department" of the task execution unit 85 and the task monitoring unit 83 with "process", "procedure", or "process". ..
 また、タスク異常監視方法は、コンピュータであるタスク異常監視装置がタスク異常監視プログラムを実行することにより行われる方法である。タスク異常監視プログラムはコンピュータ読取可能な記録媒体に格納されて提供されてもよいし、プログラムプロダクトとして提供されてもよい。 The task abnormality monitoring method is a method performed by the task abnormality monitoring device, which is a computer, executing the task abnormality monitoring program. The task abnormality monitoring program may be provided by being stored in a computer-readable recording medium, or may be provided as a program product.
 本実施の形態では、タスク実行部85とタスク監視部83の機能がソフトウェアにより実現されるが、変形例として、タスク実行部85とタスク監視部83の機能がソフトウェアとハードウェアとの組み合わせにより実現されてもよい。すなわち、タスク実行部85とタスク監視部83の機能の一部が専用の電子回路により実現され、残りがソフトウェアにより実現されてもよい。 In the present embodiment, the functions of the task execution unit 85 and the task monitoring unit 83 are realized by software, but as a modification, the functions of the task execution unit 85 and the task monitoring unit 83 are realized by a combination of software and hardware. May be done. That is, a part of the functions of the task execution unit 85 and the task monitoring unit 83 may be realized by a dedicated electronic circuit, and the rest may be realized by software.
 専用の電子回路は、具体的には、単一回路、複合回路、プログラム化したプロセッサ、並列プログラム化したプロセッサ、ロジックIC、GA、FPGA、又は、ASICである。「GA」は、Gate Arrayの略語である。「FPGA」は、Field-Programmable Gate Arrayの略語である。「ASIC」は、Application Specific Integrated Circuitの略語である。 Specifically, the dedicated electronic circuit is a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, a logic IC, a GA, an FPGA, or an ASIC. "GA" is an abbreviation for Gate Array. "FPGA" is an abbreviation for Field-Programmable Gate Array. "ASIC" is an abbreviation for Application Special Integrated Circuit.
 プロセッサ、メモリ、及び、専用の電子回路を、総称して「プロセッシングサーキットリ」という。つまり、タスク実行部85とタスク監視部83の機能は、ソフトウェアにより実現されるか、ソフトウェアとハードウェアとの組み合わせにより実現されるかに関わらず、プロセッシングサーキットリにより実現される。 The processor, memory, and dedicated electronic circuit are collectively called "processing circuit". That is, the functions of the task execution unit 85 and the task monitoring unit 83 are realized by the processing circuit regardless of whether they are realized by software or a combination of software and hardware.
 図2に、スケジューリングテーブル851の一例を示す。タスクスケジューリング部871はスケジューリングテーブル851に従ってタスクをスケジューリングする。ここでの周期とは実行タスク86の起床周期であり、デッドライン時間とは実行タスク86が起床されてから処理を完了させるまでの許容時間である。スケジューリングテーブル851における各項目の値はプログラム生成前に静的に設定されるものである。また、各項目は1つのテーブルにまとめられている必要はなく、別々に管理されていてもよい。図2のスケジューリングテーブル851の場合、3つのタスクを同時に起床(レディ・キューに登録)し、優先度の高いタスクから順に実行する。また、実行中のタスクよりも高優先度タスクが起床時刻に到達した場合、タスクスケジューリング部871は高優先度タスクに切り替えて処理を実行する。 FIG. 2 shows an example of the scheduling table 851. The task scheduling unit 871 schedules tasks according to the scheduling table 851. The cycle here is the wake-up cycle of the execution task 86, and the deadline time is the permissible time from the wake-up of the execution task 86 to the completion of the process. The value of each item in the scheduling table 851 is statically set before the program is generated. Further, each item does not have to be collected in one table and may be managed separately. In the case of the scheduling table 851 of FIG. 2, three tasks are woken up (registered in the ready queue) at the same time, and the tasks with the highest priority are executed in order. When a task with a higher priority than the task being executed reaches the wake-up time, the task scheduling unit 871 switches to the task with a higher priority and executes the process.
 図3に、図2とは異なるデータ構造のスケジューリングテーブル851の例を示す。図3は周期毎に異なる起床時刻が設定されたものであり、意図的に起床時刻をずらすことによりタスクの切り替え回数を低減させることが可能である。スケジューリングテーブル851は図3のような構造であってもよい。 FIG. 3 shows an example of a scheduling table 851 having a data structure different from that of FIG. In FIG. 3, different wake-up times are set for each cycle, and it is possible to reduce the number of task switchings by intentionally shifting the wake-up time. The scheduling table 851 may have a structure as shown in FIG.
 図4に、タスクテーブル883の一例を示す。タスクテーブル883は、タスク実行部85からタスク監視部83にタスク構成を通知するために利用する。タスクテーブル883は、スケジューリングテーブル851のデータを全て含んだうえで、タスク更新種別という項目を追加したものである。タスク更新種別には「追加」か「削除」のいずれかを設定する。 FIG. 4 shows an example of the task table 883. The task table 883 is used for notifying the task configuration from the task execution unit 85 to the task monitoring unit 83. The task table 883 includes all the data of the scheduling table 851, and an item called a task update type is added. Set either "Add" or "Delete" for the task update type.
 図5に、タスクテーブル更新状態884の設定例を示す。タスクテーブル更新状態884は、タスク実行部85からタスク監視部83にタスクテーブルの状態を通知するために利用する。タスクテーブル更新状態884は図5に示す4パターンの内、いずれかの状態を設定可能である。タスクテーブル更新状態884の初期値は「未初期化(タスクテーブル状態=0)」とする。 FIG. 5 shows a setting example of the task table update state 884. The task table update status 884 is used for notifying the task monitoring unit 83 of the task table status from the task execution unit 85. The task table update state 884 can be set to any of the four patterns shown in FIG. The initial value of the task table update state 884 is "uninitialized (task table state = 0)".
 図6に、タスク起床時刻テーブル882の一例を示す。タスク起床時刻テーブル882は、タスク実行部85からタスク監視部83に各実行タスク86の起床時刻を通知するために利用する。起床時刻とは、実行タスク86の起床タイミングを示す時刻である。タスク起床時刻テーブル882は、タスク毎の起床時刻を集約したものである。起床時刻は毎周期更新するものではなく、初期化時とタスクの再起動時などタスクを追加した時点でのみ更新する。また、タスク起床時刻テーブル882では最新値のみを記憶する。
 図6では、実行タスク1,2,3の起床時刻を1000,1002,1012としているが、実行タスク1,2,3の起床時刻をすべて同じ時刻、例えば1000にしてもよい。 FIG. 6 shows an example of the task wake-up time table 882. The task wake-up time table 882 is used by the task execution unit 85 to notify the task monitoring unit 83 of the wake-up time of each execution task 86. The wake-up time is a time indicating the wake-up timing of the execution task 86. The task wake-up time table 882 is a collection of wake-up times for each task. The wake-up time is not updated every cycle, but is updated only when a task is added, such as when the task is initialized and when the task is restarted. Further, only the latest value is stored in the task wake-up time table 882.
In FIG. 6, the wake-up times of the execution tasks 1, 2, and 3 are set to 1000, 1002, 1012, but the wake-up times of the execution tasks 1, 2, and 3 may all be the same time, for example, 1000.
 図7に、タスク実行ログ881の一例を示す。タスク実行ログ881は、実行タスク86の処理終了時刻を記録したテーブルである。タスク実行ログ881は、タスク実行部85からタスク監視部83に各実行タスク86の処理終了時刻を通知するために利用する。タスク実行ログ881はタスク毎に複数回分の終了時刻を記録可能であり、図7は過去5回分を記録する場合の例である。また、タスク実行ログ881はリングバッファ構造であり、図7においてはlまで記録した後は、lに記録する。 FIG. 7 shows an example of the task execution log 881. The task execution log 881 is a table in which the processing end time of the execution task 86 is recorded. The task execution log 881 is used by the task execution unit 85 to notify the task monitoring unit 83 of the processing end time of each execution task 86. The task execution log 881 can record the end times of a plurality of times for each task, and FIG. 7 shows an example of recording the past five times. The task execution log 881 is a ring buffer structure, in FIG. 7 after recording up to l 4 is recorded in l 0.
 図8に、タスク実行部85の実行ログ位置テーブル852とタスク監視部83の監視ログ位置テーブル832の一例を示す。実行ログ位置859と監視ログ位置839は、タスク実行ログ881におけるタスク毎の最新位置を示すものである。タスク実行部85からは、実行ログ位置859に従って、次に書き込む位置を決定する。また、タスク監視部83からは、監視ログ位置839に従って、次に読み出す位置を決定する。タスク実行部85とタスク監視部83は非同期に動作するため、それぞれのローカル領域にログ位置を記憶する。実行ログ位置859と監視ログ位置839の初期値は0とする。
 実行ログ位置859と監視ログ位置839とは、リングバッファ構造における書き込み先と読み込み先とを示す位置情報である。 FIG. 8 shows an example of the execution log position table 852 of the task execution unit 85 and the monitoring log position table 832 of the task monitoring unit 83. The execution log position 859 and the monitoring log position 839 indicate the latest positions for each task in the task execution log 881. The task execution unit 85 determines the next writing position according to the execution log position 859. Further, the task monitoring unit 83 determines the position to be read next according to the monitoring log position 839. Since the task execution unit 85 and the task monitoring unit 83 operate asynchronously, the log positions are stored in their respective local areas. The initial values of the execution log position 859 and the monitoring log position 839 are set to 0.
The execution log position 859 and the monitoring log position 839 are position information indicating a write destination and a read destination in the ring buffer structure.
 図9に、デッドラインテーブル831の一例を示す。デッドラインテーブル831は、実行タスク86のデッドライン時刻を1つのテーブルに集約したものであり、異常判定対象タスクの決定と監視タスク84の次回起床時刻の設定のために利用する。デッドライン時刻とは、各タスクがデッドラインに到達する際の絶対時刻である。 FIG. 9 shows an example of the deadline table 831. The deadline table 831 aggregates the deadline times of the execution task 86 into one table, and is used for determining the task to be determined for abnormality and setting the next wake-up time of the monitoring task 84. The deadline time is the absolute time when each task reaches the deadline.
 図9は、実行タスク1,2,3の起床時刻をすべて1000とした場合の例であり、初回のデッドライン時刻は1000に図2に示した各実行タスクのデッドライン時間8,16,24を加算することで算出可能である。2回目起床以降のデッドライン時刻は初回のデッドライン時刻に周期10,20,30を加算することで算出可能である。
 ただし、図3のように周期毎に起床時刻が異なるスケジューリングテーブル851からデッドラインテーブル831を生成する場合は、周期の代わりに初回のデッドライン時刻に各起床予定オフセット(t)を加算することで2回目起床以降のデッドライン時刻が算出可能である。 FIG. 9 shows an example in which the wake-up times of the execution tasks 1, 2 and 3 are all 1000, and the initial deadline time is 1000. The deadline times of each execution task shown in FIG. 2 are 8, 16, and 24. Can be calculated by adding. The deadline time after the second wake-up can be calculated by adding the cycles 10, 20, and 30 to the first deadline time.
However, when the deadline table 831 is generated from the scheduling table 851 whose wake-up time is different for each cycle as shown in FIG. 3, each wake-up schedule offset (t n ) is added to the first deadline time instead of the cycle. The deadline time after the second wake-up can be calculated with.
 また、デッドライン時刻は複数の実行タスクの複数の周期の最小公倍数(メジャーサイクル)毎に同じパターンが繰り返されるため、メジャーサイクル1周期分のみ作成すればよい。デッドラインテーブル831に設定される実行タスクが図4に示すタスク1,2,3のみ場合、各周期は10,20,30であるから、周期の最小公倍数は60となる。したがって、メジャーサイクルは60となる。図9は、メジャーサイクルが60のデッドラインテーブル831を示している。 Also, since the same pattern is repeated for each least common multiple (major cycle) of multiple cycles of multiple execution tasks, the deadline time need only be created for one major cycle. When the execution tasks set in the deadline table 831 are only tasks 1, 2, and 3 shown in FIG. 4, each cycle is 10, 20, and 30, so the least common multiple of the cycle is 60. Therefore, the major cycle is 60. FIG. 9 shows a deadline table 831 with a major cycle of 60.
 図9の左のデッドラインテーブル831は、初期化時のデッドラインテーブル831である。デッドラインテーブル831は、初期化時において図9の左に示すようにデッドライン時刻が早い順にソートされている。デッドラインテーブル831のデッドライン時刻は実行タスクの実行後に、サイクリックに上書きされる。図9の右のデッドラインテーブル831は、第1周期目途中のデッドラインテーブル831であり、上2行のデッドライン時刻が更新されたデッドラインテーブル831である。
 デッドラインテーブル831の構成は、初期化時とタスク構成の更新時に更新される。 The deadline table 831 on the left side of FIG. 9 is the deadline table 831 at the time of initialization. The deadline table 831 is sorted in order of earliest deadline time as shown on the left side of FIG. 9 at the time of initialization. The deadline time in the deadline table 831 is cyclically overwritten after the execution task is executed. The deadline table 831 on the right side of FIG. 9 is a deadline table 831 in the middle of the first cycle, and is a deadline table 831 in which the deadline times of the upper two rows are updated.
The configuration of the deadline table 831 is updated at the time of initialization and at the time of updating the task configuration.
 監視位置833は、異常判定対象とするタスクの位置を示すものであり、監視位置833には、デッドラインテーブル831上の行番号を設定する。監視位置833の初期値は1とする。
 起床位置834は、監視タスク84の起床時刻となるデッドライン時刻の位置を示すものであり、起床位置834には、デッドラインテーブル831の行番号を設定する。起床位置834の初期値は1とする。
 探索位置838は、起床時刻候補とするデッドライン時刻の位置を示すものであり、探索位置838には、デッドラインテーブル831の行番号を設定する。探索位置838の初期値は1とする。 The monitoring position 833 indicates the position of the task to be determined as an abnormality, and the line number on the deadline table 831 is set in the monitoring position 833. The initial value of the monitoring position 833 is 1.
The wake-up position 834 indicates the position of the deadline time that is the wake-up time of the monitoring task 84, and the line number of the deadline table 831 is set in the wake-up position 834. The initial value of the wake-up position 834 is 1.
The search position 838 indicates the position of the deadline time as a wake-up time candidate, and the line number of the deadline table 831 is set at the search position 838. The initial value of the search position 838 is 1.
 図10に、前回デッドライン時刻テーブル835の一例を示す。前回デッドライン時刻とは1周期前に到達したデッドライン時刻のことであり、前回デッドライン時刻テーブル835はタスク毎に前回デッドライン時刻の最新値を集約したものである。前回デッドライン時刻テーブル835は、実行タスク86の異常判定処理に利用し、異常判定処理が1回完了する度に更新する。前回デッドライン時刻の初期値は0とする。 FIG. 10 shows an example of the previous deadline timetable 835. The previous deadline time is the deadline time that arrived one cycle before, and the previous deadline time table 835 is a collection of the latest values of the previous deadline time for each task. The previous deadline timetable 835 is used for the abnormality determination process of the execution task 86, and is updated every time the abnormality determination process is completed once. The initial value of the previous deadline time is set to 0.
 図11に、異常処置時間テーブル836の一例を示す。異常処置時間テーブル836はタスク毎の異常処置に要する異常処置時間を集約したものである。異常処置時間とは、異常を検知してから安全状態への移行が完了するまでの時間である。図11は、異常が発生したタスク毎に処置内容が異なる場合の例である。もし全てのタスクで処置内容が同じ場合は異常処置時間を1つだけ定義すればよい。異常処置時間テーブル836の値は、プログラム生成前に静的に設定されるものである。 FIG. 11 shows an example of the abnormal treatment time table 836. The abnormal treatment time table 836 summarizes the abnormal treatment time required for the abnormal treatment for each task. The abnormality treatment time is the time from the detection of an abnormality to the completion of the transition to the safe state. FIG. 11 shows an example in which the treatment content differs for each task in which an abnormality has occurred. If the treatment content is the same for all tasks, only one abnormal treatment time needs to be defined. The values in the anomaly treatment time table 836 are statically set before the program is generated.
 図12に、探索テーブル837の一例を示す。探索テーブル837は起床時刻候補であるデッドライン時刻と、各デッドライン時刻に対する無検知時間を管理するためのものであり、探索位置が更新されるたびに追加していく。各実行タスクの無検知時間とは、各実行タスクの各デッドライン時刻から起床時刻候補までの時間である。無検知時間は最新の探索位置が示す起床時刻候補であるデッドライン時刻から各実行タスクの各デッドライン時刻を減算することで算出可能である。無検知時間は、監視タスク84が実行されない時間であり、実行タスクの異常検知がされない時間を示している。 FIG. 12 shows an example of the search table 837. The search table 837 is for managing the deadline time which is a wake-up time candidate and the non-detection time for each deadline time, and is added every time the search position is updated. The undetected time of each execution task is the time from each deadline time of each execution task to the wake-up time candidate. The undetected time can be calculated by subtracting each deadline time of each execution task from the deadline time which is a wake-up time candidate indicated by the latest search position. The non-detection time is the time during which the monitoring task 84 is not executed, and indicates the time during which the abnormality of the execution task is not detected.
<動作の説明>
 以降より、実施の形態1に係る動作について説明する。 <Explanation of operation>
Hereinafter, the operation according to the first embodiment will be described.
<初期化処理手順>
 まず、タスク実行部85とタスク監視部83における初期化処理手順を説明する。 <Initialization procedure>
First, the initialization processing procedure in the task execution unit 85 and the task monitoring unit 83 will be described.
 図13は、タスク実行部85における初期化処理のフローチャートである。 FIG. 13 is a flowchart of the initialization process in the task execution unit 85.
 (ステップS101)
 タスクスケジューリング部871は、スケジューリングテーブル851に従ってタスクのスケジューリングを開始する。 (Step S101)
The task scheduling unit 871 starts task scheduling according to the scheduling table 851.
 (ステップS102)
 タスク情報更新部872は、共有部88のタスクテーブル883を更新する。更新方法としては、基本的にスケジューリングテーブル851の内容を流用し、タスク更新種別は全て「追加」とする。 (Step S102)
The task information update unit 872 updates the task table 883 of the shared unit 88. As the update method, basically, the contents of the scheduling table 851 are diverted, and all task update types are set to "addition".
 (ステップS103)
 タスク情報更新部872は、共有部88のタスク起床時刻テーブル882を更新する。時刻を取得する好適な方法としては、タイマ20から読み出す方法がある。時刻は現在時刻でもよいし、システムが起動してからの経過時間でもよい。ただし、取得する時間の精度は全ての実行タスクのデッドライン時間の中の最短のデッドライン時間以下でなければならない。 (Step S103)
The task information update unit 872 updates the task wake-up time table 882 of the shared unit 88. A preferred method for acquiring the time is a method of reading from the timer 20. The time may be the current time or the elapsed time since the system booted. However, the accuracy of the acquired time must be less than or equal to the shortest deadline time among the deadline times of all execution tasks.
 (ステップS104)
 タスク情報更新部872は、タスクテーブル更新状態884を「初期化済み(タスクテーブル状態=1)」に更新して、タスク実行部85の初期化処理を終了する。 (Step S104)
The task information update unit 872 updates the task table update state 884 to "initialized (task table state = 1)", and ends the initialization process of the task execution unit 85.
 図14は、タスク監視部83における初期化処理のフローチャートである。なお、タスク監視部83の初期化処理はタスク実行部85の初期化処理が完了後に開始されるものとする。 FIG. 14 is a flowchart of the initialization process in the task monitoring unit 83. It is assumed that the initialization process of the task monitoring unit 83 is started after the initialization process of the task execution unit 85 is completed.
 (ステップS201)
 デッドラインテーブル更新部843は、共有部88からタスク情報を取得する。具体的には、タスクテーブル883とタスク起床時刻テーブル882である。 (Step S201)
The deadline table update unit 843 acquires task information from the shared unit 88. Specifically, it is a task table 883 and a task wake-up time table 882.
 (ステップS202)
 デッドラインテーブル更新部843は、初期化時に追加されたタスク情報の取得が完了したことを示すために、タスクテーブル更新状態884を「タスク更新無(タスクテーブル状態=2)」に更新する。 (Step S202)
The deadline table update unit 843 updates the task table update state 884 to "no task update (task table state = 2)" in order to indicate that the acquisition of the task information added at the time of initialization is completed.
 (ステップS203)
 デッドラインテーブル更新部843は、共有部88から取得したタスクテーブル883とタスク起床時刻テーブル882に基づいて、デッドラインテーブル831を生成する。デッドラインテーブル831の生成方法は前述したとおりである。 (Step S203)
The deadline table update unit 843 generates the deadline table 831 based on the task table 883 and the task wake-up time table 882 acquired from the shared unit 88. The method of generating the deadline table 831 is as described above.
 (ステップS204)
 起床時刻設定部844は、監視タスク84の初回の起床時刻を設定する。起床時刻を算出するためのフローチャートは図20に示す。具体的な算出方法は通常動作時と同様であるため、詳細は後述する。また、初期化処理に時間を要する場合、最初の数回は毎デッドライン時刻を起床時刻にセットし、デッドラインテーブル831の生成と起床時刻の算出処理を複数回の起床に分けて実行してもよい。また、起床時刻の好適な設定方法としては、次回起床するまでの時間をタイマ20にセットした後に監視タスクを休眠させ、タイマ割り込みによって起床させるといった方法が考えられる。 (Step S204)
The wake-up time setting unit 844 sets the first wake-up time of the monitoring task 84. A flowchart for calculating the wake-up time is shown in FIG. Since the specific calculation method is the same as during normal operation, the details will be described later. If the initialization process takes time, the deadline time is set to the wake-up time for the first few times, and the deadline table 831 is generated and the wake-up time is calculated by dividing it into a plurality of wake-up times. May be good. Further, as a preferable setting method of the wake-up time, a method of putting the monitoring task to sleep after setting the time until the next wake-up in the timer 20 and waking up by the timer interrupt can be considered.
<通常動作手順>
 次に、タスク実行部85とタスク監視部83における通常動作手順を説明する。 <Normal operation procedure>
Next, the normal operation procedure in the task execution unit 85 and the task monitoring unit 83 will be described.
 図15は実行タスク86における通常動作時のフローチャートである。 FIG. 15 is a flowchart of the execution task 86 during normal operation.
 (ステップS301)
 実行タスク86は、メイン処理を実行する。ここでのメイン処理とは監視機能とは関係のない、ECU100としての機能を実現するための処理である。 (Step S301)
Execution task 86 executes the main process. The main process here is a process for realizing the function as the ECU 100, which has nothing to do with the monitoring function.
 (ステップS302)
 実行時刻記録部861は、メイン処理の終了時刻をタスク実行ログ881に記録する。終了時刻はタイマ20を利用して取得する。また、ここで取得する値は初回の起床時刻と同種(現在時刻、又は、起動開始からの経過時間など)の内容でなければならない。実行時刻記録部861は、メイン処理を実行した実行タスク86の実行ログ位置859が示す位置に終了時刻を書き込む。 (Step S302)
The execution time recording unit 861 records the end time of the main process in the task execution log 881. The end time is acquired by using the timer 20. In addition, the value acquired here must be of the same type as the first wake-up time (current time, elapsed time from the start of startup, etc.). The execution time recording unit 861 writes the end time at the position indicated by the execution log position 859 of the execution task 86 that has executed the main process.
 (ステップS303)
 実行時刻記録部861は、タスク実行ログ881を更新したため、実行ログ位置859も併せて更新する。具体的には、現在のログ位置に1を加算した値をリングバッファのサイズで除算した時の剰余に更新すればよい。 (Step S303)
Since the execution time recording unit 861 has updated the task execution log 881, the execution log position 859 is also updated. Specifically, the value obtained by adding 1 to the current log position may be updated to the remainder when divided by the size of the ring buffer.
 図16はタスク制御部87における通常動作時のフローチャートである。 FIG. 16 is a flowchart of the task control unit 87 during normal operation.
 (ステップS401)
 タスクスケジューリング部871は、スケジューリングテーブル851に従ってタスクのスケジューリングを行う。 (Step S401)
The task scheduling unit 871 schedules tasks according to the scheduling table 851.
 (ステップS402)
 タスク情報更新部872は、タスク構成が更新されているか確認する。前提として、本タスク異常監視装置では、タスクの追加要求又は削除要求に応じてタスク制御部87がスケジューリングテーブル851の内容を更新するような環境を想定している。そのため、タスク情報更新部872はスケジューリングテーブル851を参照して追加タスク又は削除タスクの有無を確認可能である。タスク構成が更新されていなければ、何もせず終了する。 (Step S402)
The task information update unit 872 confirms whether the task configuration has been updated. As a premise, the task abnormality monitoring device assumes an environment in which the task control unit 87 updates the contents of the scheduling table 851 in response to a task addition request or a task deletion request. Therefore, the task information update unit 872 can confirm the presence / absence of the additional task or the deletion task by referring to the scheduling table 851. If the task configuration has not been updated, it ends without doing anything.
 (ステップS403)
 タスク情報更新部872は、タスク構成が更新されていれば共有部88のタスクテーブル883を更新する。この時、タスクテーブル883を更新する前にタスクテーブル更新状態884を確認する。タスクテーブル更新状態884が「タスク更新有(タスクテーブル状態=3)」であれば、監視タスク84がタスクテーブル883の情報をまだ確認できていないことを意味するため、既存の情報は残しつつ、更新タスク情報を追加する。一方、タスクテーブル更新状態884が「タスク更新無(タスクテーブル状態=2)」であれば、監視タスク84は全ての更新情報を確認済みであるため、既存の情報をクリアしたうえで更新タスク情報を追加する。 (Step S403)
The task information update unit 872 updates the task table 883 of the shared unit 88 if the task configuration is updated. At this time, the task table update status 884 is confirmed before updating the task table 883. If the task table update status 884 is "task update available (task table status = 3)", it means that the monitoring task 84 has not yet confirmed the information of the task table 883, so that the existing information is retained while leaving the existing information. Add update task information. On the other hand, if the task table update status 884 is "no task update (task table status = 2)", the monitoring task 84 has confirmed all the update information, so the update task information is cleared after clearing the existing information. To add.
 (ステップS404)
 タスク情報更新部872は、更新タスク種別が「追加」であるか確認する。これは、追加タスクの場合、タスク起床時刻テーブル882をタスク監視部83に通知する必要があるためである。 (Step S404)
The task information update unit 872 confirms whether the update task type is "addition". This is because, in the case of an additional task, it is necessary to notify the task monitoring unit 83 of the task wake-up time table 882.
 (ステップS405)
 タスク情報更新部872は、更新タスク種別が「追加」であれば、共有部88のタスク起床時刻テーブル882を更新する。起床時刻の取得方法は初期化時と同じである。 (Step S405)
If the update task type is "addition", the task information update unit 872 updates the task wake-up time table 882 of the shared unit 88. The method of acquiring the wake-up time is the same as that at the time of initialization.
 (ステップS406)
 タスク情報更新部872は、タスク構成が更新されたことをタスク監視部83に通知するために、共有部88のタスクテーブル更新状態884を「タスク更新有(タスクテーブル状態=3)」に更新する。最後にタスクテーブル更新状態884を更新することで、タスク起床時刻テーブル882又はタスクテーブル883を更新中にタスク監視部83からアクセスされることを防止することが可能である。 (Step S406)
The task information update unit 872 updates the task table update status 884 of the shared unit 88 to "task update available (task table status = 3)" in order to notify the task monitoring unit 83 that the task configuration has been updated. .. Finally, by updating the task table update state 884, it is possible to prevent the task monitoring unit 83 from accessing the task wake-up time table 882 or the task table 883 during the update.
 図17は監視タスク84における通常動作時のフローチャートである。 FIG. 17 is a flowchart of the monitoring task 84 during normal operation.
 (ステップS501)
 異常判定部841は、タスク実行ログ881とデッドラインテーブル831を利用して、実行タスクがデッドラインを超過したか否かを判定する。異常判定部841の詳細な処理手順は後述する。 (Step S501)
The abnormality determination unit 841 uses the task execution log 881 and the deadline table 831 to determine whether or not the execution task has exceeded the deadline. The detailed processing procedure of the abnormality determination unit 841 will be described later.
 (ステップS502)
 デッドラインテーブル更新部843は、タスク構成が更新された場合にデッドラインテーブル831を更新する。デッドラインテーブル831を更新する必要が無い場合、本ステップでは何もしない。また、動作中にタスク構成が更新されないような環境においては、本ステップ自体不要である。 (Step S502)
The deadline table update unit 843 updates the deadline table 831 when the task configuration is updated. If there is no need to update the deadline table 831, nothing is done in this step. Further, in an environment where the task configuration is not updated during operation, this step itself is unnecessary.
 (ステップS503)
 起床時刻設定部844は、デッドラインテーブル831を利用して、監視タスク84の次回起床時刻を算出し、タイマ20にセットする。
 ただし、動作中にタスク構成が更新されないような環境においては、監視タスク84の起床時刻はメジャーサイクル毎に一意に決定できる。この場合、監視タスク84の起床時刻は初期化時に一度のみ算出すればよく、本ステップでは、起床時刻設定部844は、監視タスク84の次回起床時刻を算出することはせず、タイマ20へのセットのみ行う。なお、そのような環境においては、図22に示すように、デッドラインテーブル831に起床時刻の項目を追加すればよい。図22では、デッドラインテーブル831に起床時刻の項目を追加しており、起床時刻の項目に、デッドライン時刻が起床時刻であれば1、起床時刻でなければ0と設定する。詳細は、後述する。 (Step S503)
The wake-up time setting unit 844 uses the deadline table 831 to calculate the next wake-up time of the monitoring task 84 and sets it in the timer 20.
However, in an environment where the task configuration is not updated during operation, the wake-up time of the monitoring task 84 can be uniquely determined for each major cycle. In this case, the wake-up time of the monitoring task 84 needs to be calculated only once at the time of initialization, and in this step, the wake-up time setting unit 844 does not calculate the next wake-up time of the monitoring task 84, and the timer 20 is set. Only set. In such an environment, as shown in FIG. 22, an item of wake-up time may be added to the deadline table 831. In FIG. 22, the item of the wake-up time is added to the deadline table 831, and the item of the wake-up time is set to 1 if the deadline time is the wake-up time and 0 if the deadline time is not the wake-up time. Details will be described later.
 図17における各ステップの詳細な動作について、順に説明する。 The detailed operation of each step in FIG. 17 will be described in order.
 図18は、異常判定部841及び異常処置部842における通常動作時(ステップS501)のフローチャートである。 FIG. 18 is a flowchart of the abnormality determination unit 841 and the abnormality treatment unit 842 during normal operation (step S501).
 (ステップS601)
 まず、異常判定部841は、デッドラインテーブル831内の監視位置833が示す実行タスクを異常判定対象タスクと判断する。実行時刻取得部845は、異常判定対象タスクの終了時刻をタスク実行ログ881から取得する。この時、当該タスクの監視ログ位置839が示す終了時刻を取得する。 (Step S601)
First, the abnormality determination unit 841 determines that the execution task indicated by the monitoring position 833 in the deadline table 831 is the abnormality determination target task. The execution time acquisition unit 845 acquires the end time of the task subject to abnormality determination from the task execution log 881. At this time, the end time indicated by the monitoring log position 839 of the task is acquired.
 (ステップS602)
 異常判定部841は、デッドラインテーブル831の監視位置833が示す実行タスクを異常判定対象タスクとし、この異常判定対象タスクのデッドライン時刻を最新デッドライン時刻として取得する。 (Step S602)
The abnormality determination unit 841 sets the execution task indicated by the monitoring position 833 of the deadline table 831 as the abnormality determination target task, and acquires the deadline time of the abnormality determination target task as the latest deadline time.
 (ステップS603)
 異常判定部841は、前回デッドライン時刻テーブル835から異常判定対象タスクの前回デッドライン時刻を取得する。 (Step S603)
The abnormality determination unit 841 acquires the previous deadline time of the task subject to abnormality determination from the previous deadline time table 835.
 (ステップS604)
 異常判定部841は、実行タスク86がデッドライン時間以内に終了したか否かを判定する。判定方法としては、タスク実行ログ881から取得した終了時刻が前回デッドライン時刻と最新デッドライン時刻の間に収まっているか否かで判断する。
 「前回デッドライン時刻<終了時刻<最新デッドライン時刻」
 実行タスク86の起床に失敗した場合は、終了時刻が前回デッドライン時刻よりも前の時間になるため、この判定方法であればデッドラインの超過だけでなく起床失敗も検知可能である。 (Step S604)
The abnormality determination unit 841 determines whether or not the execution task 86 has been completed within the deadline time. As a determination method, it is determined whether or not the end time acquired from the task execution log 881 is within the interval between the previous deadline time and the latest deadline time.
"Last deadline time <end time <latest deadline time"
If the wake-up of the execution task 86 fails, the end time becomes a time before the previous deadline time. Therefore, with this determination method, not only the deadline is exceeded but also the wake-up failure can be detected.
 (ステップS605)
 異常処置部842は、異常と判定されたタスクに対して処置を行う。処置内容としては、ログの保存、タスクの停止・再起動、システム全体の再起動などが考えられる。なお、異常処置内容はタスク毎に個別に設定してもよいし、全てのタスクで同じ内容としてもよい。 (Step S605)
The abnormality treatment unit 842 takes measures for the task determined to be abnormal. Possible actions include saving logs, stopping / restarting tasks, and restarting the entire system. The content of the abnormal treatment may be set individually for each task, or may be the same for all tasks.
 (ステップS606)
 異常判定部841は、次周期の異常判定のために前回デッドライン時刻テーブル835の前回デッドライン時刻を最新デッドライン時刻で更新する。 (Step S606)
The abnormality determination unit 841 updates the previous deadline time of the previous deadline time table 835 with the latest deadline time for the abnormality determination of the next cycle.
 (ステップS607)
 異常判定部841は、異常判定対象を次のタスクに移すため、監視位置833を更新する。更新方法としては、現在の値に1を加算し、デッドラインテーブル831の最終行を超える値になれば0にクリアする。 (Step S607)
The abnormality determination unit 841 updates the monitoring position 833 in order to move the abnormality determination target to the next task. As an update method, 1 is added to the current value, and if the value exceeds the last row of the deadline table 831, it is cleared to 0.
 (ステップS608)
 異常判定部841は、デッドラインテーブル831内の監視が終了したデッドライン時刻を更新する。これは、デッドラインテーブル831を1周した場合に備えるためであり、周期の最小公倍数を加算することで、次のメジャーサイクルにおける時刻に更新することが可能である。 (Step S608)
The abnormality determination unit 841 updates the deadline time in the deadline table 831 when the monitoring is completed. This is to prepare for the case where the deadline table 831 makes one round, and it is possible to update the time in the next major cycle by adding the least common multiple of the cycle.
 (ステップS609)
 異常判定部841は、次周期の判定のために監視ログ位置839を更新する。ログ位置の更新方法としては、実行ログ位置859と同様に図15のステップS303の方法とする。 (Step S609)
The abnormality determination unit 841 updates the monitoring log position 839 for the determination of the next cycle. The log position is updated by the method of step S303 in FIG. 15 as in the execution log position 859.
 (ステップS610)
 異常判定部841は、更新した監視位置833と起床位置834を比較し、監視位置833が起床位置834よりも大きい値になれば、今回の起床時に実施すべき異常判定処理は全て完了したと判断し、処理を終了する。一方、監視位置が起床位置以下であれば、未判定のタスクがまだ存在しているため、ステップS601に戻り、次のタスクの異常判定処理に進む。 (Step S610)
The abnormality determination unit 841 compares the updated monitoring position 833 with the wake-up position 834, and if the monitoring position 833 becomes a value larger than the wake-up position 834, it is determined that all the abnormality determination processes to be performed at the time of this wake-up have been completed. And end the process. On the other hand, if the monitoring position is equal to or lower than the wake-up position, the undetermined task still exists, so the process returns to step S601 and proceeds to the abnormality determination process of the next task.
 図19は、デッドラインテーブル更新部843における通常動作時(ステップS502)のフローチャートである。 FIG. 19 is a flowchart of the deadline table update unit 843 during normal operation (step S502).
 (ステップS701)
 デッドラインテーブル更新部843は、タスクテーブル更新状態884が「タスク更新有(タスクテーブル状態=2)」であるか否か判定し、タスク構成の更新を確認する。タスクテーブル更新状態884が「タスク更新有(タスクテーブル状態=2)」以外であれば、タスク構成は更新されていないため、デッドラインテーブル831の更新は不要であり、デッドラインテーブル更新部843は、何もせずに終了する。タスク構成が動作中に更新される場合のユースケースとしては、例えば、タスクに異常が発生した場合に当該タスクを再起動するために、一旦当該タスクをスケジューリング対象から削除し、当該タスクの再起動完了後に再び当該タスクをスケジューリング対象に追加する場合等が考えられる。 (Step S701)
The deadline table update unit 843 determines whether or not the task table update state 884 is "task update available (task table state = 2)", and confirms the update of the task configuration. If the task table update status 884 is other than "task update available (task table status = 2)", the task configuration has not been updated, so it is not necessary to update the deadline table 831, and the deadline table update unit 843 , Finish without doing anything. As a use case when the task configuration is updated during operation, for example, in order to restart the task when an abnormality occurs in the task, the task is temporarily deleted from the scheduling target and the task is restarted. It is conceivable that the task is added to the scheduling target again after completion.
 (ステップS702)
 デッドラインテーブル更新部843は、タスク構成が更新されていれば、タスクテーブル883から更新内容(タスク更新種別、更新されたタスクの識別子、周期、優先度、デッドライン時間など)を取得する。タスク更新種別が「追加」であれば、タスク起床時刻テーブル882も取得する。 (Step S702)
If the task configuration is updated, the deadline table update unit 843 acquires the update contents (task update type, updated task identifier, cycle, priority, deadline time, etc.) from the task table 883. If the task update type is "addition", the task wake-up time table 882 is also acquired.
 (ステップS703)
 デッドラインテーブル更新部843は、タスク更新種別が「追加」であるかを確認する。 (Step S703)
The deadline table update unit 843 confirms whether the task update type is "addition".
 (ステップS704)
 デッドラインテーブル更新部843は、タスク更新種別が「追加」であった場合、デッドラインテーブル831に追加タスクのデッドライン時刻を追加する。この時、タスク追加前のメジャーサイクル分だけデッドライン時刻を追加する。 (Step S704)
The deadline table update unit 843 adds the deadline time of the additional task to the deadline table 831 when the task update type is "addition". At this time, the deadline time is added for the major cycle before the task is added.
 (ステップS705)
 デッドラインテーブル更新部843は、タスク更新種別が「削除」であるかを確認する。タスク更新種別が「追加」でも「削除」でもなかった場合は、タスクテーブル更新状態884が誤っていると判断し、デッドラインテーブル831は更新せずに終了する。 (Step S705)
The deadline table update unit 843 confirms whether the task update type is "delete". If the task update type is neither "add" nor "delete", it is determined that the task table update status 884 is incorrect, and the deadline table 831 ends without updating.
 (ステップS706)
 デッドラインテーブル更新部843は、タスク更新種別が「削除」であった場合、デッドラインテーブル831から該当タスクのデッドライン時刻を全て削除する。 (Step S706)
When the task update type is "delete", the deadline table update unit 843 deletes all the deadline times of the corresponding task from the deadline table 831.
 (ステップS707)
 デッドラインテーブル更新部843は、タスクテーブル883を参照し次の更新内容があるかを確認する。次の更新内容があれば、ステップS701に戻る。タスクテーブル883の最後まで更新内容を確認した場合は、次のステップに進む。 (Step S707)
The deadline table update unit 843 refers to the task table 883 and confirms whether or not there is the next update content. If there is the next update content, the process returns to step S701. When the updated contents are confirmed up to the end of the task table 883, the process proceeds to the next step.
 (ステップS708)
 デッドラインテーブル更新部843は、タスク構成の更新によってメジャーサイクルの変更が必要か否かを確認する。これは、メジャーサイクルが変更となる場合、デッドラインテーブルに登録するデッドライン時刻の範囲を変更する必要があるためである。 (Step S708)
The deadline table update unit 843 confirms whether or not the major cycle needs to be changed by updating the task configuration. This is because when the major cycle changes, it is necessary to change the range of deadline time registered in the deadline table.
 (ステップS709)
 デッドラインテーブル更新部843は、メジャーサイクルの変更に応じてデッドライン時刻を更新する。メジャーサイクルが長くなる場合は、不足範囲のデッドライン時刻を追加する。一方、メジャーサイクルが短くなる場合は、不要なデッドライン時刻を削除する。 (Step S709)
The deadline table update unit 843 updates the deadline time according to the change in the major cycle. If the major cycle is long, add the deadline time in the shortage range. On the other hand, if the major cycle becomes shorter, the unnecessary deadline time is deleted.
 (ステップS710)
 デッドラインテーブル更新部843は、デッドラインテーブル831の更新完了後にタスクテーブル更新状態884を「タスク更新無(タスクテーブル状態=2)」に更新する。
 デッドラインテーブル831の更新に必要なタスクテーブル883、タスク起床時刻テーブル882、及び、タスクテーブル更新状態884はタスク実行部85から更新されるデータである。このため、タスクテーブル883を参照する必要がある場合、デッドラインテーブル更新部843は排他制御によって、タスクテーブル更新状態884を更新するまでの間、タスク実行部85からの更新を禁止する。 (Step S710)
The deadline table update unit 843 updates the task table update state 884 to "no task update (task table state = 2)" after the update of the deadline table 831 is completed.
The task table 883, the task wake-up time table 882, and the task table update state 884 required for updating the deadline table 831 are data updated from the task execution unit 85. Therefore, when it is necessary to refer to the task table 883, the deadline table update unit 843 prohibits the update from the task execution unit 85 until the task table update state 884 is updated by exclusive control.
 図20は、起床時刻設定部844における通常動作時(ステップS503)のフローチャートである。 FIG. 20 is a flowchart of the wake-up time setting unit 844 during normal operation (step S503).
<1回目の探索>
 (ステップS801)
 起床時刻設定部844は、デッドラインテーブル831内から監視タスク84の次の起床時刻を探索する。探索は現在の起床位置834の次から開始するため、最初の探索位置838は起床位置834+1にセットする。デッドラインテーブル831は時刻の早い順にソートされているため、現在時刻から最も近いデッドライン時刻が最初の起床候補となる。
 図12は、図9のデッドラインテーブル831の起床位置834が行番号9の場合の探索テーブル837を示している。起床時刻設定部844は、探索テーブル837の1行目に、最初の探索位置838として「行番号9+1=行番号10」をセットする。 <First search>
(Step S801)
The wake-up time setting unit 844 searches the deadline table 831 for the next wake-up time of the monitoring task 84. Since the search starts after the current wake-up position 834, the first search position 838 is set to the wake-up position 834 + 1. Since the deadline table 831 is sorted in the order of earliest time, the deadline time closest to the current time is the first wake-up candidate.
FIG. 12 shows the search table 837 when the wake-up position 834 of the deadline table 831 of FIG. 9 is the row number 9. The wake-up time setting unit 844 sets "line number 9 + 1 = line number 10" as the first search position 838 in the first row of the search table 837.
 (ステップS802)
 起床時刻設定部844は、デッドラインテーブル831から探索位置838が示すデッドライン時刻を取得する。ここで、取得したデッドライン時刻は起床時刻が決定するまで利用するため、探索テーブル837に登録する。これはタスク毎に異常処置時間が異なるため、必ずしも最初の探索位置838が示す行が異常検知から異常処置完了までに最も時間を要するとは限らないためである。
 図12では、起床時刻設定部844は、デッドラインテーブル831から探索位置838が示すタスク2のデッドライン時刻1056を取得し、探索テーブル837の1行目に登録する。 (Step S802)
The wake-up time setting unit 844 acquires the deadline time indicated by the search position 838 from the deadline table 831. Here, since the acquired deadline time is used until the wake-up time is determined, it is registered in the search table 837. This is because the abnormality treatment time differs for each task, so that the line indicated by the first search position 838 does not always take the longest time from the abnormality detection to the completion of the abnormality treatment.
In FIG. 12, the wake-up time setting unit 844 acquires the deadline time 1056 of the task 2 indicated by the search position 838 from the deadline table 831 and registers it in the first row of the search table 837.
 (ステップS803)
 起床時刻設定部844は、異常処置時間テーブル836から探索位置838が示すタスクの異常処置時間を取得する。起床時刻設定部844は、異常処置時間テーブル836から探索位置838が示すタスク2の異常処置時間8を取得する。 (Step S803)
The wake-up time setting unit 844 acquires the abnormal treatment time of the task indicated by the search position 838 from the abnormal treatment time table 836. The wake-up time setting unit 844 acquires the abnormal treatment time 8 of the task 2 indicated by the search position 838 from the abnormal treatment time table 836.
 (ステップS804)
 起床時刻設定部844は、ステップS802で取得したデッドライン時刻と探索テーブル837内の各デッドライン時刻との差分を算出する。このデッドライン時刻の差分がデッドラインテーブル831の各行に対する無検知時間となる。なお、最新の探索位置838におけるデッドライン時刻の差分は当然0である。ここで算出した各デッドライン時刻の差分は無検知時間として探索テーブル837に登録する。
 図12の探索テーブル837の1行目は、最初で最新の探索位置838なのでデッドライン時刻の差分は0である。
 探索テーブル837の1行目:1056-1056=0 (Step S804)
The wake-up time setting unit 844 calculates the difference between the deadline time acquired in step S802 and each deadline time in the search table 837. The difference between the deadline times is the undetected time for each row in the deadline table 831. The difference in deadline time at the latest search position 838 is naturally 0. The difference between the deadline times calculated here is registered in the search table 837 as the non-detection time.
Since the first row of the search table 837 in FIG. 12 is the first and latest search position 838, the difference in deadline time is 0.
First row of search table 837: 1056-1056 = 0
 (ステップS805)
 起床時刻設定部844は、ステップS804で算出したデッドライン時刻の差分(無検知時間)に当該タスクの異常処置時間を加算した合計時間GがシステムのFTTI(Fault Tolerant Time Interval)未満であるか判定する。
 無検知時間は、監視タスクを実行しない時間であり、異常検知をしない時間であり、かつ、異常検知を開始するまでの待ち時間である。
 異常処置時間は、異常処置部842が動作する時間であり、異常検知から安全状態に復帰するまでの時間である。図11に示すように、異常処置時間は、実行タスクごとに異なる時間で構わない。 (Step S805)
The wake-up time setting unit 844 determines whether the total time G obtained by adding the abnormal treatment time of the task to the difference (non-detection time) of the deadline time calculated in step S804 is less than the FTTI (Fault Tolerant Time Interval) of the system. do.
The non-detection time is a time during which the monitoring task is not executed, a time during which the abnormality is not detected, and a waiting time until the abnormality detection is started.
The abnormal treatment time is the time during which the abnormal treatment unit 842 operates, and is the time from the detection of the abnormality to the return to the safe state. As shown in FIG. 11, the abnormality treatment time may be different for each execution task.
 したがって、合計時間Gは、異常発生から異常処置完了までの時間であり、安全状態あることが保証されない時間を示している。
 無検知時間=探索位置のデッドライン時刻-探索テーブル内の各デッドライン時刻
 合計時間G=無検知時間+異常処置時間
 監視タスク84の監視実行時間は無検知時間と異常処置時間と比較して無視できるものとしている。 Therefore, the total time G is the time from the occurrence of the abnormality to the completion of the abnormal treatment, and indicates the time during which the safe state is not guaranteed.
Undetected time = Deadline time of search position-Total time of each deadline in the search table G = Undetected time + Abnormal treatment time The monitoring execution time of monitoring task 84 is ignored compared to the undetected time and abnormal treatment time. It is supposed to be possible.
 監視タスク84の監視実行時間が無検知時間と異常処置時間と比較して無視できない場合、合計時間Gは、以下のようになる。
 合計時間G=無検知時間+監視実行時間+異常処置時間
 FTTIとは故障発生から安全状態に移行するまでの許容時間であり、車載機器向けの機能安全規格ISO26262で定義されている。合計時間GがFTTI未満であることを満たすことで、故障要因の他機能への波及を防止することが可能である。
 なお、FTTIはシステム毎に定義される値である。
 ここで比較する時間としては、異常発生から異常処置完了までの許容時間であれば、FTTIに限らない。 When the monitoring execution time of the monitoring task 84 cannot be ignored as compared with the no-detection time and the abnormality treatment time, the total time G is as follows.
Total time G = non-detection time + monitoring execution time + abnormal treatment time FTTI is the permissible time from the occurrence of a failure to the transition to a safe state, and is defined in the functional safety standard ISO26262 for in-vehicle devices. By satisfying that the total time G is less than FTTI, it is possible to prevent the failure factor from spreading to other functions.
FTTI is a value defined for each system.
The time to be compared here is not limited to FTTI as long as it is the allowable time from the occurrence of the abnormality to the completion of the abnormal treatment.
 図12の探索テーブル837の1行目では、以下のようになる。
 探索テーブル837の1行目:無検知時間=1056-1056=0
 探索テーブル837の1行目:合計時間G=0+8=8 The first row of the search table 837 in FIG. 12 is as follows.
First row of search table 837: No detection time = 1056-1056 = 0
First row of search table 837: Total time G = 0 + 8 = 8
 (ステップS806)
 起床時刻設定部844は、合計時間GがFTTI未満であれば、監視タスク84を実行するにはまだ時間的猶予があると考え、探索位置に1を加算し、デッドラインテーブル内の次の行に判定を進める。
 図12の探索テーブル837の1行目では、FTTIを25とすると、FTTI>合計時間Gとなるので、探索位置に1を加算し、デッドラインテーブル内の次の行に判定を進める。
 探索テーブル837の1行目:FTTI=25>合計時間G=8 (Step S806)
The wake-up time setting unit 844 considers that if the total time G is less than FTTI, there is still time to execute the monitoring task 84, adds 1 to the search position, and the next row in the deadline table. Proceed with the judgment.
In the first row of the search table 837 in FIG. 12, assuming that FTTI is 25, FTTI> total time G, so 1 is added to the search position and the determination proceeds to the next row in the deadline table.
First row of search table 837: FTTI = 25> total time G = 8
 FTTI>合計時間Gであれば、以下のように、ステップS801からステップS806が繰り返される。 If FTTI> total time G, steps S801 to S806 are repeated as follows.
<2回目の探索>
 (ステップS801)
 起床時刻設定部844は、探索テーブル837の2行目に、探索位置838として「行番号10+1=行番号11」をセットする。 <Second search>
(Step S801)
The wake-up time setting unit 844 sets "line number 10 + 1 = line number 11" as the search position 838 in the second row of the search table 837.
 (ステップS802)
 起床時刻設定部844は、デッドラインテーブル831から探索位置838が示すタスク1のデッドライン時刻1058を取得し、探索テーブル837の2行目に登録する。 (Step S802)
The wake-up time setting unit 844 acquires the deadline time 1058 of task 1 indicated by the search position 838 from the deadline table 831 and registers it in the second row of the search table 837.
 (ステップS803)
 起床時刻設定部844は、異常処置時間テーブル836から探索位置838が示すタスク1の異常処置時間1を取得する。 (Step S803)
The wake-up time setting unit 844 acquires the abnormal treatment time 1 of the task 1 indicated by the search position 838 from the abnormal treatment time table 836.
 (ステップS804)
 起床時刻設定部844は、ステップS802で取得したデッドライン時刻と探索テーブル837内の各デッドライン時刻との差分を算出し探索テーブル837に登録する。 (Step S804)
The wake-up time setting unit 844 calculates the difference between the deadline time acquired in step S802 and each deadline time in the search table 837 and registers it in the search table 837.
 (ステップS805)
 探索テーブル837の1行目:無検知時間=1058-1056=2
 探索テーブル837の1行目:合計時間G=2+8=10
 探索テーブル837の2行目:無検知時間=1058-1058=0
 探索テーブル837の2行目:合計時間G=0+1=1 (Step S805)
First row of search table 837: No detection time = 1058-1056 = 2
First row of search table 837: Total time G = 2 + 8 = 10
Second row of search table 837: No detection time = 1058-1058 = 0
Second row of search table 837: Total time G = 0 + 1 = 1
 (ステップS806)
 探索テーブル837の1行目:FTTI=25>合計時間G=10
 探索テーブル837の2行目:FTTI=25>合計時間G=1
 いずれもFTTI>合計時間Gとなるので、探索位置に1を加算し、デッドラインテーブル内の次の行に判定を進める。 (Step S806)
First row of search table 837: FTTI = 25> total time G = 10
Second row of search table 837: FTTI = 25> total time G = 1
Since FTTI> total time G in each case, 1 is added to the search position, and the judgment is advanced to the next row in the deadline table.
<3回目の探索>
 (ステップS801)
 探索位置838は「行番号11+1=行番号12」となるが、デッドラインテーブルが11行しかないので、起床時刻設定部844は、探索テーブル837の3行目に、探索位置838として「行番号1」をセットする。 <Third search>
(Step S801)
The search position 838 is "line number 11 + 1 = line number 12", but since there are only 11 rows in the deadline table, the wake-up time setting unit 844 sets the search position 838 as the "line number" in the third row of the search table 837. 1 ”is set.
 (ステップS802)
 起床時刻設定部844は、デッドラインテーブル831から探索位置838が示すタスク1のデッドライン時刻1068を取得し、探索テーブル837の3行目に登録する。 (Step S802)
The wake-up time setting unit 844 acquires the deadline time 1068 of task 1 indicated by the search position 838 from the deadline table 831 and registers it in the third row of the search table 837.
 (ステップS803)
 起床時刻設定部844は、異常処置時間テーブル836から探索位置838が示すタスク1の異常処置時間1を取得する。 (Step S803)
The wake-up time setting unit 844 acquires the abnormal treatment time 1 of the task 1 indicated by the search position 838 from the abnormal treatment time table 836.
 (ステップS804)
 起床時刻設定部844は、ステップS802で取得したデッドライン時刻と探索テーブル837内の各デッドライン時刻との差分を算出し探索テーブル837に登録する。 (Step S804)
The wake-up time setting unit 844 calculates the difference between the deadline time acquired in step S802 and each deadline time in the search table 837 and registers it in the search table 837.
 (ステップS805)
 探索テーブル837の1行目:無検知時間=1068-1056=12
 探索テーブル837の1行目:合計時間G=12+8=20
 探索テーブル837の2行目:無検知時間=1068-1058=10
 探索テーブル837の2行目:合計時間G=10+1=11
 探索テーブル837の3行目:無検知時間=1068-1068=0
 探索テーブル837の3行目:合計時間G=0+1=1 (Step S805)
First row of search table 837: No detection time = 1068-1056 = 12
First row of search table 837: Total time G = 12 + 8 = 20
Second row of search table 837: No detection time = 1068-1058 = 10
Second row of search table 837: total time G = 10 + 1 = 11
Third row of search table 837: No detection time = 1068-1068 = 0
3rd row of search table 837: Total time G = 0 + 1 = 1
 (ステップS806)
 探索テーブル837の1行目:FTTI=25>合計時間G=20
 探索テーブル837の2行目:FTTI=25>合計時間G=11
 探索テーブル837の3行目:FTTI=25>合計時間G=1
 いずれもFTTI>合計時間Gとなるので、探索位置に1を加算し、デッドラインテーブル内の次の行に判定を進める。 (Step S806)
First row of search table 837: FTTI = 25> total time G = 20
Second row of search table 837: FTTI = 25> total time G = 11
3rd row of search table 837: FTTI = 25> total time G = 1
Since FTTI> total time G in each case, 1 is added to the search position, and the judgment is advanced to the next row in the deadline table.
 <4回目の探索>
(ステップS801)
 起床時刻設定部844は、探索テーブル837の4行目に、探索位置838として「行番号1+1=行番号2」をセットする。 <Fourth search>
(Step S801)
The wake-up time setting unit 844 sets "line number 1 + 1 = line number 2" as the search position 838 in the fourth row of the search table 837.
 (ステップS802)
 起床時刻設定部844は、デッドラインテーブル831から探索位置838が示すタスク2のデッドライン時刻1076を取得し、探索テーブル837の4行目に登録する。 (Step S802)
The wake-up time setting unit 844 acquires the deadline time 1076 of the task 2 indicated by the search position 838 from the deadline table 831 and registers it in the fourth row of the search table 837.
 (ステップS803)
 起床時刻設定部844は、異常処置時間テーブル836から探索位置838が示すタスク2の異常処置時間8を取得する。 (Step S803)
The wake-up time setting unit 844 acquires the abnormal treatment time 8 of the task 2 indicated by the search position 838 from the abnormal treatment time table 836.
 (ステップS804)
 起床時刻設定部844は、ステップS802で取得したデッドライン時刻と探索テーブル837内の各デッドライン時刻との差分を算出し探索テーブル837に登録する。 (Step S804)
The wake-up time setting unit 844 calculates the difference between the deadline time acquired in step S802 and each deadline time in the search table 837 and registers it in the search table 837.
 (ステップS805)
 探索テーブル837の1行目:無検知時間=1076-1056=20
 探索テーブル837の1行目:合計時間G=20+8=28
 探索テーブル837の2行目:無検知時間=1076-1058=18
 探索テーブル837の2行目:合計時間G=18+1=19
 探索テーブル837の3行目:無検知時間=1076-1068=8
 探索テーブル837の3行目:合計時間G=8+1=9
 探索テーブル837の4行目:無検知時間=1076-1068=0
 探索テーブル837の4行目:合計時間G=0+8=8 (Step S805)
First row of search table 837: No detection time = 1076-1056 = 20
First row of search table 837: Total time G = 20 + 8 = 28
Second row of search table 837: No detection time = 1076-1058 = 18
Second row of search table 837: total time G = 18 + 1 = 19
Third row of search table 837: No detection time = 1076-1068 = 8
3rd row of search table 837: Total time G = 8 + 1 = 9
4th row of search table 837: No detection time = 1076-1068 = 0
Fourth row of search table 837: Total time G = 0 + 8 = 8
 (ステップS806)
 探索テーブル837の1行目:FTTI=25<合計時間G=28
 探索テーブル837の2行目:FTTI=25>合計時間G=19
 探索テーブル837の3行目:FTTI=25>合計時間G=9
 探索テーブル837の4行目:FTTI=25>合計時間G=8
 探索テーブル837の1行目において、FTTI=25<合計時間G=28となるので、ステップS807に進む。 (Step S806)
First row of search table 837: FTTI = 25 <total time G = 28
Second row of search table 837: FTTI = 25> total time G = 19
3rd row of search table 837: FTTI = 25> total time G = 9
4th row of search table 837: FTTI = 25> total time G = 8
In the first row of the search table 837, FTTI = 25 <total time G = 28, so the process proceeds to step S807.
 (ステップS807)
 起床位置834の設定例1
 起床時刻設定部844は、合計時間GがFTTIを超過した場合、探索位置-1の行番号を起床位置834に設定する。これは、ステップS805の判断の結果より、最新の探索位置838では異常処置の完了がFTTIに間に合わないため、1つ手前の探索位置838を次の起床位置834として設定するためである。
 起床位置834:探索位置-1
 探索位置-1のデッドライン時刻は、各実行タスクのデッドライン時刻と各実行タスクの異常処置時間とから計算した合計時間Gが安全許容時間未満であるデッドライン時刻のうち最も遅いデッドライン時刻である。この探索位置-1を起床位置834に設定することは、FTTI未満で最も遅いデッドライン時刻が監視タスク84の次回の起床時刻として設定されることを意味する。
 図12の場合、以下のようになる。
 起床位置834:探索位置-1=行番号1 (Step S807)
Setting example of wake-up position 834 1
When the total time G exceeds the FTTI, the wake-up time setting unit 844 sets the line number of the search position -1 to the wake-up position 834. This is because, from the result of the determination in step S805, the completion of the abnormal treatment is not in time for FTTI at the latest search position 838, so the search position 838 immediately before is set as the next wake-up position 834.
Wake-up position 834: Search position-1
The deadline time of the search position-1 is the latest deadline time among the deadline times in which the total time G calculated from the deadline time of each execution task and the abnormal treatment time of each execution task is less than the safe allowable time. be. Setting this search position -1 to the wake-up position 834 means that the latest deadline time less than FTTI is set as the next wake-up time of the monitoring task 84.
In the case of FIG. 12, it is as follows.
Wake-up position 834: Search position-1 = Line number 1
 以上のように、設定例1では、起床時刻設定部844は、デッドラインテーブル831から、以下の条件を満足する実行タスクを探索する。
1.デッドライン時刻が前回の起床時刻以後の実行タスクであること、
2.実行タスクの最新デッドライン時刻と実行タスクの前回デッドライン時刻との差分に実行タスクの異常処置時間を加算した合計時間Gが安全許容時間未満であること、
3.合計時間Gが安全許容時間未満である実行タスクのうち合計時間Gが最大となる実行タスクであること。
 起床時刻設定部844は、探索した実行タスクのうち合計時間Gが最大となる実行タスクのデッドライン時刻を監視タスク84の次回の起床時刻とする。 As described above, in the setting example 1, the wake-up time setting unit 844 searches the deadline table 831 for an execution task that satisfies the following conditions.
1. 1. The deadline time is an execution task since the last wake-up time,
2. The total time G, which is the difference between the latest deadline time of the execution task and the previous deadline time of the execution task plus the abnormal treatment time of the execution task, is less than the safe allowable time.
3. 3. Among the execution tasks whose total time G is less than the allowable safety time, the execution task has the maximum total time G.
The wake-up time setting unit 844 sets the deadline time of the execution task that maximizes the total time G among the searched execution tasks as the next wake-up time of the monitoring task 84.
 起床位置834の設定例2
 探索位置-1の行番号を起床位置834に設定するとともに、以下のように、探索位置のデッドライン時刻からFTTIを超過した時間Eを差し引いた時刻T1を設定してもよい。超過した時間Eとは、異常発生から異常処置完了までの時間(合計時間G)がFTTIを超過した時間である。時刻T1とは、探索位置のデッドライン時刻から時間Eを差し引いた時刻である。
 超過した時間E=合計時間G-FTTI
 時刻T1=探索位置のデッドライン時刻-超過した時間E
 ただし、時刻T1が探索位置-1のデッドライン時刻よりも前の場合は、設定例1のほうが監視タスク84の実行が遅くなるので設定例1を採用する。
 起床位置834:探索位置-1、さらに、時刻T1
 (ただし、時刻T1>探索位置-1のデッドライン時刻)
 この場合は、探索位置-1の行番号とともに、FTTI未満で最も遅い時刻T1が起床位置834に設定される。すなわち、起床位置834には、これ以上遅い場合はFTTIが守れない時刻T1が設定される。 Setting example 2 of wake-up position 834
The line number of the search position-1 may be set to the wake-up position 834, and the time T1 may be set as follows, which is obtained by subtracting the time E exceeding the FTTI from the deadline time of the search position. The excess time E is the time during which the time from the occurrence of the abnormality to the completion of the abnormal treatment (total time G) exceeds the FTTI. The time T1 is the time obtained by subtracting the time E from the deadline time of the search position.
Exceeded time E = total time G-FTTI
Time T1 = Deadline time of search position-Exceeded time E
However, when the time T1 is earlier than the deadline time of the search position-1, the setting example 1 adopts the setting example 1 because the execution of the monitoring task 84 is slower.
Wake-up position 834: Search position-1, and time T1
(However, the deadline time of time T1> search position-1)
In this case, the latest time T1 less than FTTI is set at the wake-up position 834 together with the line number of the search position-1. That is, the wake-up position 834 is set to the time T1 at which the FTTI cannot be observed if it is later than this.
 図12の場合は、以下のようになる。
 超過した時間E=合計時間G-FTTI=28-25=3
 起床時刻
 =探索位置のデッドライン時刻-超過した時間E
 =1076-3
 =1073
 =時刻T1
 (時刻T1=1073>探索位置-1のデッドライン時刻=1068)
 起床位置834には、行番号1と、起床時刻となる時刻T1=1703とを設定する。
 起床位置834:探索位置-1=行番号1、及び、時刻T1=1703 In the case of FIG. 12, it is as follows.
Exceeded time E = total time G-FTTI = 28-25 = 3
Wake-up time = Deadline time of search position-Exceeded time E
= 1076-3
= 1073
= Time T1
(Time T1 = 1073> Deadline time of search position-1 = 1068)
At the wake-up position 834, the line number 1 and the time T1 = 1703, which is the wake-up time, are set.
Wake-up position 834: Search position-1 = line number 1, and time T1 = 1703
 起床位置834の設定例3
 探索位置-1の行番号とともに、前述した設定例1と設定例2との間の時刻T2を起床位置834に設定する。
 図12の場合は、時刻T2は1068と1073の間であればよい。
 具体例として設定例1と設定例2との中間の時刻を起床位置834に設定する場合、以下のようになる。ただし、時刻T2が探索位置-1のデッドライン時刻よりも前の場合は、設定例1のほうが監視タスク84の実行が遅くなるので設定例1を採用する。
 起床時刻=(設定例1の時刻+設定例2の時刻)÷2=T2
 (ただし、T2>探索位置-1のデッドライン時刻) Setting example 3 of wake-up position 834
Along with the line number of the search position-1, the time T2 between the setting example 1 and the setting example 2 described above is set at the wake-up position 834.
In the case of FIG. 12, the time T2 may be between 1068 and 1073.
As a specific example, when the time between the setting example 1 and the setting example 2 is set to the wake-up position 834, the time is as follows. However, when the time T2 is earlier than the deadline time of the search position-1, the setting example 1 adopts the setting example 1 because the execution of the monitoring task 84 is slower.
Wake-up time = (time of setting example 1 + time of setting example 2) ÷ 2 = T2
(However, the deadline time of T2> search position-1)
 図12の場合は、以下のようになる。
 起床時刻
 =(1068+1073)÷2
 =1070.5
 =時刻T2
 (時刻T2=1070.5>探索位置-1のデッドライン時刻=1068)
 起床位置834には、行番号1と、起床時刻となる時刻T2=1070.5とを設定する。
 起床位置834:探索位置-1=行番号1、及び、時刻T1=1070.5 In the case of FIG. 12, it is as follows.
Wake-up time = (1068 + 1073) / 2
= 1070.5
= Time T2
(Time T2 = 1070.5> Deadline time of search position-1 = 1068)
At the wake-up position 834, the line number 1 and the time T2 = 1070.5, which is the wake-up time, are set.
Wake-up position 834: Search position-1 = line number 1, and time T1 = 1070.5
 起床位置834の設定例4
 異常処置部842が、異常処置を全てのタスクで共通の異常処置とする場合、異常処置時間は全てのタスクで同じである。このため、探索テーブル837は不要になり、最初の探索位置838における合計時間Gのみを利用して判定すればよい。
 具体的には、起床時刻設定部844は、探索位置に1を加算するたびに、最初の探索位置838の無検知時間に異常処置時間を加算した合計時間GがFTTI未満であるかを判定する。
 起床時刻設定部844は、最初の探索位置838により計算された合計時間GがFTTIを超過した場合、設定例1と同様に、探索位置-1を起床位置834に設定する。
 起床位置834=探索位置-1 Setting example 4 of wake-up position 834
When the abnormal treatment unit 842 sets the abnormal treatment as a common abnormal treatment for all tasks, the abnormal treatment time is the same for all tasks. Therefore, the search table 837 is no longer necessary, and the determination may be made using only the total time G at the first search position 838.
Specifically, each time 1 is added to the search position, the wake-up time setting unit 844 determines whether the total time G obtained by adding the abnormal treatment time to the non-detection time of the first search position 838 is less than FTTI. ..
When the total time G calculated by the first search position 838 exceeds the FTTI, the wake-up time setting unit 844 sets the search position -1 to the wake-up position 834 as in the setting example 1.
Wake-up position 834 = Search position-1
 図12において、異常処置時間は全てのタスクで同じであり異常処置時間=11とすると、ステップS805において、最初の探索位置838により計算された合計時間Gは以下のように計算される。
 1回目の探索:合計時間G=最初の探索位置838の無検知時間0+8=8
 2回目の探索:合計時間G=最初の探索位置838の無検知時間2+8=10
 3回目の探索:合計時間G=最初の探索位置838の無検知時間12+8=20
 4回目の探索:合計時間G=最初の探索位置838の無検知時間20+8=28
 起床時刻設定部844は、4回目の探索で、最初の探索位置838により計算された合計時間GがFTTIを超過するので、設定例1と同様に、探索位置-1の行番号1を起床位置834に設定する。 In FIG. 12, assuming that the abnormal treatment time is the same for all tasks and the abnormal treatment time = 11, the total time G calculated by the first search position 838 in step S805 is calculated as follows.
First search: Total time G = Undetected time of first search position 838 0 + 8 = 8
Second search: Total time G = No detection time at first search position 838 2 + 8 = 10
Third search: Total time G = Undetected time of first search position 838 12 + 8 = 20
Fourth search: Total time G = Undetected time of first search position 838 20 + 8 = 28
In the fourth search, the wake-up time setting unit 844 sets the line number 1 of the search position -1 to the wake-up position because the total time G calculated by the first search position 838 exceeds the FTTI. Set to 834.
 実行タスク毎に異常処置時間が異なり、仮に、図11のタスク1の異常処置時間が16である場合、3回目の探索で以下のようになる。 The abnormal treatment time differs for each execution task, and if the abnormal treatment time of task 1 in FIG. 11 is 16, the third search will result in the following.
 (ステップS805)
 探索テーブル837の1行目:無検知時間=1068-1056=12
 探索テーブル837の1行目:合計時間G=12+8=20
 探索テーブル837の2行目:無検知時間=1068-1058=10
 探索テーブル837の2行目:合計時間G=10+16=26
 探索テーブル837の3行目:無検知時間=1068-1068=0
 探索テーブル837の3行目:合計時間G=0+16=16 (Step S805)
First row of search table 837: No detection time = 1068-1056 = 12
First row of search table 837: Total time G = 12 + 8 = 20
Second row of search table 837: No detection time = 1068-1058 = 10
Second row of search table 837: total time G = 10 + 16 = 26
Third row of search table 837: No detection time = 1068-1068 = 0
Third row of search table 837: Total time G = 0 + 16 = 16
 (ステップS806)
 探索テーブル837の1行目:FTTI=25>合計時間G=20
 探索テーブル837の2行目:FTTI=25<合計時間G=26
 探索テーブル837の3行目:FTTI=25>合計時間G=16 (Step S806)
First row of search table 837: FTTI = 25> total time G = 20
Second row of search table 837: FTTI = 25 <total time G = 26
3rd row of search table 837: FTTI = 25> total time G = 16
 探索テーブル837の2行目において、FTTI=25<合計時間G=26となる。2番目の探索位置838により計算された合計時間Gにより探索が終了する。
 このように、実行タスク毎に異常処置時間が異なる場合は、最初の探索位置838により計算された合計時間Gのみを用いて判断することができない。 In the second row of the search table 837, FTTI = 25 <total time G = 26. The search ends with the total time G calculated by the second search position 838.
As described above, when the abnormal treatment time is different for each execution task, it cannot be determined using only the total time G calculated by the first search position 838.
 このように、起床時刻設定部844は、前記各実行タスクの前記デッドライン時刻と前記各実行タスクの異常処置時間とから合計時間を計算し、前記合計時間が前回の監視タスクの起床時刻から起算して安全許容時間未満であるデッドライン時刻のうち最も遅いデッドライン時刻以降であり前回の監視タスクの起床時刻から起算して安全許容時間未満となる時刻を監視タスクの次の起床時刻として設定し、前記起床時刻に監視タスクを起床させる。 In this way, the wake-up time setting unit 844 calculates the total time from the deadline time of each execution task and the abnormal treatment time of each execution task, and the total time is calculated from the wake-up time of the previous monitoring task. Then, the time that is after the latest deadline time that is less than the allowable safety time and is less than the allowable safety time calculated from the wake-up time of the previous monitoring task is set as the next wake-up time of the monitoring task. , The monitoring task is woken up at the wake-up time.
 (ステップS808)
 起床時刻設定部844は、探索テーブル837の内容を初期化する。探索テーブル837は、監視タスク84が起床する度に作成するものであり、探索テーブル837の値は次の周期に繰り越す必要はないためである。 (Step S808)
The wake-up time setting unit 844 initializes the contents of the search table 837. This is because the search table 837 is created every time the monitoring task 84 wakes up, and the value of the search table 837 does not need to be carried over to the next cycle.
 (ステップS809)
 起床時刻設定部844は、起床位置834に起床時刻(時刻T1又は時刻T2)が設定されていない場合、起床位置834の行番号を取得し、デッドラインテーブル831の行番号に設定されているデッドライン時刻を起床時刻として取得する。
 起床時刻設定部844は、起床位置834に起床時刻(時刻T1又は時刻T2)が設定されている場合、起床位置834に設定されている起床時刻を取得する。
 起床時刻設定部844は、起床時刻と現在時刻の差分を算出し、監視タスク84の休眠時間としてタイマ20にセットする。 (Step S809)
When the wake-up time (time T1 or time T2) is not set at the wake-up position 834, the wake-up time setting unit 844 acquires the line number of the wake-up position 834 and sets the dead line number in the deadline table 831. Get the line time as the wake-up time.
When the wake-up time (time T1 or time T2) is set at the wake-up position 834, the wake-up time setting unit 844 acquires the wake-up time set at the wake-up position 834.
The wake-up time setting unit 844 calculates the difference between the wake-up time and the current time, and sets the timer 20 as the dormant time of the monitoring task 84.
<実施の形態の特徴>
 この実施の形態のタスク異常監視装置は、以下を備える。
1.実行タスクの周期、起床時刻、デッドライン時間を監視タスクに通知するタスク情報更新部872、
2.タスク情報から算出した実行タスクがデッドラインに到達する時刻を記憶したデッドラインテーブル831を生成するデッドラインテーブル更新部843、
3.デッドラインテーブル831と実行タスク毎の異常処置時間に基づいてFTTIを満たす範囲で最も遅い時刻を次の起床時刻として設定する起床時刻設定部844、
4.デッドラインテーブル831において、前回起床時に異常判定を完了したタスクから今回起床時刻に設定されているデッドライン時刻のタスクまでを異常判定対象タスクとし、実行タスクの終了時刻がデッドライン時刻の前回値と最新値の間に収まっているか否かで異常判定を行う異常判定部841、
5.実行タスクの処理が終了した時刻を記憶するリングバッファ構造のタスク実行ログ881に対して、リングバッファ構造における書き込み先を示す位置情報に基づいて書き込みを行う実行時刻記録部861、
6.リングバッファ構造における読み込み先を示す位置情報に基づいてタスク実行ログ881の読み込みを行う実行時刻取得部845 <Characteristics of the embodiment>
The task abnormality monitoring device of this embodiment includes the following.
1. 1. Task information update unit 872, which notifies the monitoring task of the execution task cycle, wake-up time, and deadline time.
2. Deadline table update unit 843, which generates a deadline table 831 that stores the time when the execution task calculated from the task information reaches the deadline.
3. 3. Wake-up time setting unit 844, which sets the latest time within the range that satisfies FTTI as the next wake-up time based on the deadline table 831 and the abnormal treatment time for each execution task.
4. In the deadline table 831, the tasks from the task that completed the abnormality judgment at the time of the previous wakeup to the task at the deadline time set at the wakeup time this time are set as the tasks subject to the abnormality judgment, and the end time of the execution task is the previous value of the deadline time. Abnormality determination unit 841 that performs abnormality determination based on whether or not it is within the latest value,
5. Execution time recording unit 861 that writes to the task execution log 881 of the ring buffer structure that stores the time when the processing of the execution task is completed based on the position information indicating the write destination in the ring buffer structure.
6. Execution time acquisition unit 845 that reads the task execution log 881 based on the position information indicating the read destination in the ring buffer structure.
<実施の形態における効果>
 以上のように、実施の形態1に係るタスク異常監視装置において、デッドラインテーブル更新部843は実行タスク86のデッドライン時刻を算出し、デッドラインテーブル831を生成する。異常判定部841はデッドラインテーブル831に基づいて、監視位置833が示すタスクから順に異常判定処理を行う。また、起床時刻設定部844はデッドラインテーブル831に基づいて、FTTIを満たせる範囲で最も遅い時刻を次の監視タスク84の起床時刻としてセットする。 <Effect in the embodiment>
As described above, in the task abnormality monitoring device according to the first embodiment, the deadline table update unit 843 calculates the deadline time of the execution task 86 and generates the deadline table 831. The abnormality determination unit 841 performs abnormality determination processing in order from the task indicated by the monitoring position 833 based on the deadline table 831. Further, the wake-up time setting unit 844 sets the latest time within the range in which the FTTI can be satisfied as the wake-up time of the next monitoring task 84 based on the deadline table 831.
 監視機能における処理負荷としては、(1)監視タスク84の起床処理、(2)異常判定対象タスクの決定処理、(3)異常判定処理の3つに大別できる。実施の形態1に係るタスク異常監視装置では、実行タスク86のデッドライン時刻とFTTIから最も遅い起床時刻を算出するため、監視タスク84の起床回数を最低限に抑えることができ、(1)の処理負荷を低減可能である。また、デッドラインテーブル831に従って順に異常判定処理を行うため、異常判定対象タスクの決定処理が不要になり、(2)の処理負荷も低減可能である。 The processing load in the monitoring function can be roughly divided into three types: (1) wake-up processing of the monitoring task 84, (2) determination processing of the task subject to abnormality determination, and (3) abnormality determination processing. In the task abnormality monitoring device according to the first embodiment, since the latest wake-up time is calculated from the deadline time of the execution task 86 and the FTTI, the number of wake-up times of the monitoring task 84 can be minimized, and the number of wake-ups of the monitoring task 84 can be minimized. The processing load can be reduced. Further, since the abnormality determination processing is performed in order according to the deadline table 831, the determination processing of the abnormality determination target task becomes unnecessary, and the processing load of (2) can be reduced.
<変形例1>
 実施の形態1ではタスク起床時刻テーブル882の更新は、初期化時とタスク構成の変更時のみと説明したが、タイマ20の精度又は割り込みタスクなどの影響により、実行タスク86の起床時刻が徐々にずれる可能性がある。そういった場合に備え、タスク情報更新部872が定期的(10回に1回など)にタスク起床時刻テーブル882を更新し、デッドラインテーブル更新部843にてずれを補正するような動作手順としてもよい。また、その場合はタスクテーブル更新状態884に起床時刻更新(タスクテーブル状態=4)を追加する。 <Modification example 1>
In the first embodiment, the task wake-up time table 882 is updated only at the time of initialization and at the time of changing the task configuration. However, the wake-up time of the execution task 86 gradually changes due to the accuracy of the timer 20 or the influence of the interrupt task. There is a possibility of deviation. In preparation for such a case, the task information update unit 872 may periodically update the task wake-up time table 882 (such as once in 10 times), and the deadline table update unit 843 may perform an operation procedure for correcting the deviation. .. In that case, the wake-up time update (task table state = 4) is added to the task table update state 884.
<変形例2>
 実施の形態1では、異常判定対象タスクは周期タスクとして説明したが、割り込みタスクも含めて異常判定処理を行ってもよい。割り込みタスクを異常判定対象タスクに含める場合、タスク情報更新部872がタスクテーブル883を更新する際に、周期を0に設定する。さらに、デッドラインテーブル更新部843は、割り込みタスクについてデッドラインテーブル831に1回分のデッドライン時刻だけを追加し、異常判定完了後に異常判定部841が割り込みタスクをデッドラインテーブルから削除する。このような動作手順とすることで周期タスクと同様に割り込みタスクの異常判定処理も行うことが可能である。 <Modification 2>
In the first embodiment, the abnormality determination target task has been described as a periodic task, but the abnormality determination process may be performed including the interrupt task. When the interrupt task is included in the task subject to abnormality determination, the cycle is set to 0 when the task information update unit 872 updates the task table 883. Further, the deadline table update unit 843 adds only one deadline time to the deadline table 831 for the interrupt task, and the abnormality determination unit 841 deletes the interrupt task from the deadline table after the abnormality determination is completed. By adopting such an operation procedure, it is possible to perform the abnormality determination process of the interrupt task as well as the periodic task.
 実施の形態2.
 実施の形態1では、タスク実行部85から共有メモリを介して、タスク実行ログ881、タスク起床時刻テーブル882、タスクテーブル883、及び、タスクテーブル更新状態884をタスク監視部83へ受け渡す例を説明した。実施の形態2は、これらデータの内、タスク構成の更新情報に関するタスク起床時刻テーブル882とタスクテーブル883とを共有メモリではなくタスク間通信を利用して受け渡しする場合の例である。実施の形態2では、実施の形態1と異なる点のみを説明し、同一の点については説明を省略する。 Embodiment 2.
In the first embodiment, an example of passing the task execution log 881, the task wake-up time table 882, the task table 883, and the task table update state 884 from the task execution unit 85 to the task monitoring unit 83 via the shared memory will be described. bottom. The second embodiment is an example in which, among these data, the task wake-up time table 882 and the task table 883 related to the update information of the task configuration are passed by using the inter-task communication instead of the shared memory. In the second embodiment, only the points different from the first embodiment will be described, and the same points will be omitted.
<構成の説明>
 図21は、実施の形態2に係るタスク異常監視装置の構成図である。実施の形態2は、タスク制御部87がタスク間通信によってタスク情報を送信するタスク情報送信部873を有し、タスク監視部83が受信タスク89を有する点が、実施の形態1とは異なる。
 受信タスク89は、タスク間通信によってタスク情報を受信するタスク情報受信部891を備える。また、実施の形態2では、実施の形態1において監視タスク84に備わっていたデッドラインテーブル更新部843と起床時刻設定部844が受信タスク89に備わっている。
 タスク情報送信部873は、実行タスクの構成が更新された時点で、実行タスクの周期と、実行タスクの起床時刻と、実行タスクのデッドライン時間とを含むタスク情報をタスク間通信によって送信する。
 タスク情報受信部891は、タスク情報を受信する。 <Explanation of configuration>
FIG. 21 is a configuration diagram of the task abnormality monitoring device according to the second embodiment. The second embodiment is different from the first embodiment in that the task control unit 87 has a task information transmission unit 873 for transmitting task information by inter-task communication, and the task monitoring unit 83 has a reception task 89.
The receiving task 89 includes a task information receiving unit 891 that receives task information by inter-task communication. Further, in the second embodiment, the reception task 89 includes the deadline table update unit 843 and the wake-up time setting unit 844 provided in the monitoring task 84 in the first embodiment.
When the configuration of the execution task is updated, the task information transmission unit 873 transmits task information including the execution task cycle, the wake-up time of the execution task, and the deadline time of the execution task by inter-task communication.
The task information receiving unit 891 receives the task information.
 図21において、タスク情報送信部873はタスク制御部87に含まれる構成であるが、送信機能専用のタスクを用意してもよい。
 タスク監視部83はデータ領域82に、タスク起床時刻テーブル882aと、タスクテーブル883aとを記憶する。タスク実行部85はデータ領域82に、タスク起床時刻テーブル882bとタスクテーブル883bとを記憶する。 In FIG. 21, the task information transmission unit 873 is included in the task control unit 87, but a task dedicated to the transmission function may be prepared.
The task monitoring unit 83 stores the task wake-up time table 882a and the task table 883a in the data area 82. The task execution unit 85 stores the task wake-up time table 882b and the task table 883b in the data area 82.
 図22に、実施の形態2に係るデッドラインテーブル831の一例を示す。実施の形態2では、デッドラインテーブル831上に起床時刻という項目を追加しており、監視タスク84はこの起床時刻に従って休眠時間をタイマ20にセットする。 FIG. 22 shows an example of the deadline table 831 according to the second embodiment. In the second embodiment, an item called a wake-up time is added on the deadline table 831, and the monitoring task 84 sets the sleep time in the timer 20 according to the wake-up time.
<動作の説明> <Explanation of operation>
 図23は、タスク制御部87における通常動作時のフローチャートである。図23のステップS401~ステップS406の動作は、図16に示したフローチャートにおけるステップS401~ステップS406と同じ動作である。そのため、ここでは新たに追加したステップS407についてのみ説明する。 FIG. 23 is a flowchart of the task control unit 87 during normal operation. The operations of steps S401 to S406 of FIG. 23 are the same as the operations of steps S401 to S406 in the flowchart shown in FIG. Therefore, only the newly added step S407 will be described here.
 (ステップS407)
 タスク情報送信部873は、タスク構成に変更があった場合、タスクテーブル883bとタスク起床時刻テーブル882bとを監視タスクに送信する。好適な送信方法としては、キューを利用した通信又はソケット通信などが考えられる。タスクテーブル883bとタスク起床時刻テーブル882bとは実施の形態1とは異なり、共有部ではなくローカル領域に記憶されるため、排他制御は不要なる。また、タスク情報の送信がタスク構成の変更を意味するため、実施の形態1におけるタスク情報更新部872も不要になる。 (Step S407)
When the task configuration is changed, the task information transmission unit 873 transmits the task table 883b and the task wake-up time table 882b to the monitoring task. As a preferable transmission method, communication using a queue, socket communication, or the like can be considered. Unlike the first embodiment, the task table 883b and the task wake-up time table 882b are stored in the local area instead of the shared unit, so that exclusive control is not required. Further, since the transmission of the task information means the change of the task configuration, the task information update unit 872 in the first embodiment is also unnecessary.
 図24は、受信タスク89におけるタスク情報受信時のフローチャートである。受信タスク89はタスク実行部85からタスク情報を受信したことをトリガとして起床するタスクである。 FIG. 24 is a flowchart at the time of receiving task information in the receiving task 89. The receiving task 89 is a task that wakes up triggered by receiving task information from the task execution unit 85.
 (ステップS901)
 タスク情報受信部891は、タスク実行部85から送信されてきたタスク情報をタスクテーブル883a及びタスク起床時刻テーブル882aとして保存する。 (Step S901)
The task information receiving unit 891 stores the task information transmitted from the task execution unit 85 as the task table 883a and the task wake-up time table 882a.
 (ステップS902)
 デッドラインテーブル更新部843は、更新されたタスク情報に基づいてデッドラインテーブル831を更新する。デッドラインテーブル831の更新手順は、図19におけるステップS701と、ステップS710を除いたものと同様である。 (Step S902)
The deadline table update unit 843 updates the deadline table 831 based on the updated task information. The procedure for updating the deadline table 831 is the same as that except for step S701 and step S710 in FIG.
 (ステップS903)
 起床時刻設定部844は、デッドラインテーブル831に基づいて起床時刻を算出する。起床時刻設定部844の起床時刻の算出手順は図20と同様であるが、起床時刻設定部844は、ステップS809ではタイマ20に休眠時間をセットせず、デッドラインテーブル831の起床時刻の項目に1を設定する。ここで、デッドライン時刻が起床時刻である行の起床時刻の項目に1を設定する。また、タスク構成の更新時に、メジャーサイクル分の起床時刻を算出することで、起床時刻設定部844による監視タスク84の起床時刻の算出が不要になる。 (Step S903)
The wake-up time setting unit 844 calculates the wake-up time based on the deadline table 831. The procedure for calculating the wake-up time of the wake-up time setting unit 844 is the same as that in FIG. Set to 1. Here, 1 is set in the item of the wake-up time of the line whose deadline time is the wake-up time. Further, by calculating the wake-up time for the major cycle when updating the task configuration, it is not necessary to calculate the wake-up time of the monitoring task 84 by the wake-up time setting unit 844.
 (ステップS904)
 起床時刻設定部844は、デッドラインテーブル831に基づいて現在時刻から最も近い起床時刻に起床位置834を更新する。 (Step S904)
The wake-up time setting unit 844 updates the wake-up position 834 at the wake-up time closest to the current time based on the deadline table 831.
 (ステップS905)
 起床時刻設定部844は、起床位置834が示すデッドライン時刻までの時間を休眠時間として、タイマ20にセットする。 (Step S905)
The wake-up time setting unit 844 sets the timer 20 with the time until the deadline time indicated by the wake-up position 834 as the dormant time.
 図25は、監視タスク84における通常動作時のフローチャートである。 FIG. 25 is a flowchart of the monitoring task 84 during normal operation.
 (ステップS1001)
 異常判定部841及び異常処置部842は、デッドラインテーブル831に基づいて異常判定処理を行う。異常判定処理の動作手順は、図18と同様である。 (Step S1001)
The abnormality determination unit 841 and the abnormality treatment unit 842 perform the abnormality determination process based on the deadline table 831. The operation procedure of the abnormality determination process is the same as that in FIG.
 (ステップS1002)
 監視タスク84は、デッドラインテーブル831の起床時刻の項目に基づいて、起床位置834を更新する。具体的には、監視タスク84は、次に起床時刻が1に設定されている行に起床位置834を更新する。 (Step S1002)
The monitoring task 84 updates the wake-up position 834 based on the wake-up time item in the deadline table 831. Specifically, the monitoring task 84 then updates the wake-up position 834 to the line where the wake-up time is set to 1.
 (ステップS1003)
 監視タスク84は、起床位置834が示すデッドライン時刻までの時間を休眠時間として、タイマ20にセットする。
 実施の形態2では、監視タスク84の動作中に受信タスク89が動作する可能性がある。そこで、実施の形態2では、監視タスク84におけるステップS1001の実行優先度を最も高く設定し、その次に受信タスク89の実行優先度を高く設定し、監視タスク84におけるステップS1002、S1003の実行優先度を最も低く設定する。こうすることで、実施の形態2では、常に最新のタスク構成に応じて監視タスク84の起床時刻を設定することが可能である。監視タスク84において、マルチスレッド構成とすることで、処理毎に異なる実行優先度を設定することが可能である。 (Step S1003)
The monitoring task 84 sets the time until the deadline time indicated by the wake-up position 834 as the dormant time in the timer 20.
In the second embodiment, the receiving task 89 may operate during the operation of the monitoring task 84. Therefore, in the second embodiment, the execution priority of step S1001 in the monitoring task 84 is set to the highest, then the execution priority of the receiving task 89 is set to the highest, and the execution priority of steps S1002 and S1003 in the monitoring task 84 is set. Set the degree to the lowest. By doing so, in the second embodiment, it is possible to always set the wake-up time of the monitoring task 84 according to the latest task configuration. In the monitoring task 84, it is possible to set different execution priorities for each process by adopting a multi-thread configuration.
<実施の形態の特徴>
 この実施の形態のタスク異常監視装置は、以下を備える。
1.タスクの構成が更新された時点で追加タスク又は削除タスクの周期、デッドライン時間、起床時刻といったタスク情報をタスク間通信によって送信するタスク情報送信部873、
2.タスク間通信によってタスク情報を受信するタスク情報受信部891、 <Characteristics of the embodiment>
The task abnormality monitoring device of this embodiment includes the following.
1. 1. Task information transmission unit 873, which transmits task information such as the cycle of additional tasks or deletion tasks, deadline time, and wake-up time by inter-task communication when the task configuration is updated.
2. Task information receiver 891, which receives task information by inter-task communication,
<実施の形態における効果>
 実施の形態1では、監視タスク84は起床した時にタスク構成の更新を確認すると説明したが、監視タスク84が休眠中に追加されたタスクのデッドライン時刻に到達する可能性もある。実施の形態2は、そういった可能性を考慮したものである。実施の形態2では、タスク情報更新部872がタスクテーブル883を更新したことが即座にタスク監視部83に通知される。このため、実施の形態2では、リアルタイムにタスク構成の更新を把握することができ、確実にFTTIを満たすような時刻に監視タスク84を起床させることが可能である。 <Effect in the embodiment>
In the first embodiment, it has been explained that the monitoring task 84 confirms the update of the task configuration when it wakes up, but there is a possibility that the monitoring task 84 reaches the deadline time of the task added while it is dormant. The second embodiment considers such a possibility. In the second embodiment, the task monitoring unit 83 is immediately notified that the task information updating unit 872 has updated the task table 883. Therefore, in the second embodiment, it is possible to grasp the update of the task configuration in real time, and it is possible to wake up the monitoring task 84 at a time that surely satisfies the FTTI.
 100 ECU、10 CPU、20 タイマ、30 二次記憶装置、40 通信インタフェース、50 入出力回路、60 センサ、70 アクチュエータ、80 メモリ、81 プログラム領域、82 データ領域、83 タスク監視部、84 監視タスク、841 異常判定部、842 異常処置部、843 デッドラインテーブル更新部、844 起床時刻設定部、845 実行時刻取得部、831 デッドラインテーブル、832 監視ログ位置テーブル、833 監視位置、834 起床位置、835 前回デッドライン時刻テーブル、836 異常処置時間テーブル、837 探索テーブル、838 探索位置、839 監視ログ位置、85 タスク実行部、86 実行タスク、861 実行時刻記録部、87 タスク制御部、871 タスクスケジューリング部、872 タスク情報更新部、873 タスク情報送信部、851 スケジューリングテーブル、852 実行ログ位置テーブル、859 実行ログ位置、88 共有部、881 タスク実行ログ、882,882a,882b タスク起床時刻テーブル、883,883a,883b タスクテーブル、884 タスクテーブル更新状態、89 受信タスク、891 タスク情報受信部。 100 ECU, 10 CPU, 20 timer, 30 secondary storage device, 40 communication interface, 50 input / output circuit, 60 sensor, 70 actuator, 80 memory, 81 program area, 82 data area, 83 task monitoring unit, 84 monitoring task, 841 abnormality judgment unit, 842 abnormality treatment unit, 843 deadline table update unit, 844 wake-up time setting unit, 845 execution time acquisition unit, 831 deadline table, 832 monitoring log position table, 833 monitoring position, 834 wake-up position, 835 last time Deadline time table, 836 Abnormal treatment time table, 837 search table, 838 search position, 839 monitoring log position, 85 task execution unit, 86 execution task, 861 execution time recording unit, 87 task control unit, 871 task scheduling unit, 872 Task information update unit, 873 task information transmission unit, 851 scheduling table, 852 execution log position table, 859 execution log position, 88 shared unit, 881 task execution log, 882,882a, 882b task wake-up time table, 883,883a, 883b Task table, 884 task table update status, 89 received task, 891 task information receiver.

Claims (8)

  1.  複数の実行タスクの各実行タスクのデッドラインに到達する時刻をデッドライン時刻として各実行タスクに対応させて記憶するデッドラインテーブルと、
     前記各実行タスクの前記デッドライン時刻と前記各実行タスクの異常処置時間とから安全状態あることが保証されない合計時間を計算し、前記合計時間が前回の監視タスクの起床時刻から起算して安全許容時間未満であるデッドライン時刻のうち最も遅いデッドライン時刻以降であり前回の前記監視タスクの起床時刻から起算して安全許容時間未満となる時刻を前記監視タスクの次の起床時刻として設定し、前記起床時刻に前記監視タスクを起床させる起床時刻設定部と、
     前記起床時刻に起床した前記監視タスクを実行するタスク監視部と
    を備えるタスク異常監視装置。     A deadline table that stores the time when the deadline of each execution task of multiple execution tasks is reached as the deadline time corresponding to each execution task,
    The total time that is not guaranteed to be in a safe state is calculated from the deadline time of each execution task and the abnormal treatment time of each execution task, and the total time is calculated from the wake-up time of the previous monitoring task to allow safety. Among the deadline times that are less than the time, the time that is after the latest deadline time and is less than the safe allowable time calculated from the previous wake-up time of the monitoring task is set as the next wake-up time of the monitoring task. A wake-up time setting unit that wakes up the monitoring task at the wake-up time,
    A task abnormality monitoring device including a task monitoring unit that executes the monitoring task that wakes up at the wake-up time.
  2.  前記デッドラインテーブルは、前記複数の実行タスクを前記デッドライン時刻順に記憶しており、
     前記タスク監視部は、
     前記起床時刻より後のデッドライン時刻が設定されている実行タスクを異常判定対象タスクとし、前記異常判定対象タスクの終了時刻がデッドライン時刻の前回値とデッドライン時刻の最新値との間に収まっているか否かで異常判定を行う異常判定部を備える請求項1に記載のタスク異常監視装置。     The deadline table stores the plurality of execution tasks in the order of the deadline time.
    The task monitoring unit
    An execution task for which a deadline time after the wake-up time is set is set as an abnormality determination target task, and the end time of the abnormality determination target task falls between the previous value of the deadline time and the latest value of the deadline time. The task abnormality monitoring device according to claim 1, further comprising an abnormality determination unit that determines an abnormality based on whether or not the task is abnormal.
  3.  リングバッファ構造のタスク実行ログに対して、前記リングバッファ構造における書き込み先を示す位置情報に基づいて実行タスクの処理が終了した時刻を記憶する実行時刻記録部と、
     前記タスク実行ログに対して、リングバッファ構造における読み込み先を示す位置情報に基づいて実行タスクの処理が終了した時刻の読み込みを行う実行時刻取得部と
    を備える請求項1又は請求項2に記載のタスク異常監視装置。     An execution time recording unit that stores the time when the processing of the execution task is completed based on the position information indicating the write destination in the ring buffer structure for the task execution log of the ring buffer structure.
    The first or second aspect of the task execution log is provided with an execution time acquisition unit that reads the time when the processing of the execution task is completed based on the position information indicating the read destination in the ring buffer structure. Task error monitoring device.
  4.  実行タスクの周期と、実行タスクの起床時刻と、実行タスクのデッドライン時間とを含むタスク情報を通知するタスク情報更新部と、
     前記タスク情報に基づいて、前記デッドライン時刻を算出し、前記デッドラインテーブルを更新するデッドラインテーブル更新部と
    を備える請求項1から3のいずれか1項に記載のタスク異常監視装置。     A task information update unit that notifies task information including the execution task cycle, the wake-up time of the execution task, and the deadline time of the execution task.
    The task abnormality monitoring device according to any one of claims 1 to 3, further comprising a deadline table update unit that calculates the deadline time based on the task information and updates the deadline table.
  5.  実行タスクの構成が更新された時点で、実行タスクの周期と、実行タスクの起床時刻と、実行タスクのデッドライン時間とを含むタスク情報をタスク間通信によって送信するタスク情報送信部と、
     前記タスク情報を受信するタスク情報受信部と
    を備える請求項1から3のいずれか1項に記載のタスク異常監視装置。     When the configuration of the execution task is updated, the task information transmission unit that transmits task information including the execution task cycle, the wake-up time of the execution task, and the deadline time of the execution task by inter-task communication,
    The task abnormality monitoring device according to any one of claims 1 to 3, further comprising a task information receiving unit that receives the task information.
  6.  前記起床時刻設定部は、前記デッドラインテーブルから、前記デッドライン時刻が前回の起床時刻より後の実行タスクであって、前記実行タスクの前記デッドライン時刻と前記実行タスクの前回デッドライン時刻との差分に前記実行タスクの異常処置時間を加算した合計時間が前記安全許容時間未満である実行タスクを探索し、探索した実行タスクのうち前記合計時間が最大となる実行タスクのデッドライン時刻を前記起床時刻に設定する請求項1から5のいずれか1項に記載のタスク異常監視装置。 From the deadline table, the wake-up time setting unit determines that the deadline time is an execution task after the previous wake-up time, and the deadline time of the execution task and the previous deadline time of the execution task are The execution task whose total time obtained by adding the abnormal treatment time of the execution task to the difference is less than the safety allowable time is searched, and the deadline time of the execution task having the maximum total time among the searched execution tasks is set as the wake-up time. The task abnormality monitoring device according to any one of claims 1 to 5, which is set at a time.
  7.  デッドラインテーブルが、複数の実行タスクの各実行タスクのデッドラインに到達する時刻をデッドライン時刻として各実行タスクに対応させて記憶し、
     起床時刻設定部が、前記各実行タスクの前記デッドライン時刻と前記各実行タスクの異常処置時間とから安全状態あることが保証されない合計時間を計算し、前記合計時間が前回の監視タスクの起床時刻から起算して安全許容時間未満であるデッドライン時刻のうち最も遅いデッドライン時刻以降であり前回の前記監視タスクの起床時刻から起算して安全許容時間未満となる時刻を前記監視タスクの次の起床時刻として設定し、前記起床時刻に前記監視タスクを起床させ、
     タスク監視部が、前記起床時刻に起床した前記監視タスクを実行するタスク異常監視方法。     The deadline table stores the time when the deadline of each execution task of multiple execution tasks is reached as the deadline time corresponding to each execution task.
    The wake-up time setting unit calculates the total time that is not guaranteed to be in a safe state from the deadline time of each execution task and the abnormal treatment time of each execution task, and the total time is the wake-up time of the previous monitoring task. The time after the latest deadline time, which is less than the allowable safety time calculated from, and less than the allowable safety time calculated from the previous wake-up time of the monitoring task, is the next wake-up time of the monitoring task. Set as a time, wake up the monitoring task at the wake-up time,
    A task abnormality monitoring method in which the task monitoring unit executes the monitoring task that wakes up at the wake-up time.
  8.  デッドラインテーブルに複数の実行タスクの各実行タスクのデッドラインに到達する時刻をデッドライン時刻として各実行タスクに対応させて記憶させる処理と、
     前記各実行タスクの前記デッドライン時刻と前記各実行タスクの異常処置時間とから安全状態あることが保証されない合計時間を計算し、前記合計時間が前回の監視タスクの起床時刻から起算して安全許容時間未満であるデッドライン時刻のうち最も遅いデッドライン時刻以降であり前回の前記監視タスクの起床時刻から起算して安全許容時間未満となる時刻を前記監視タスクの次の起床時刻として設定し、前記起床時刻に前記監視タスクを起床させる起床時刻設定処理と、
     前記起床時刻に起床した前記監視タスクを実行するタスク監視処理と
    をコンピュータに実行させるタスク異常監視プログラム。     The process of storing the time when the deadline of each execution task of multiple execution tasks is reached in the deadline table as the deadline time corresponding to each execution task,
    The total time that is not guaranteed to be in a safe state is calculated from the deadline time of each execution task and the abnormal treatment time of each execution task, and the total time is calculated from the wake-up time of the previous monitoring task to allow safety. Among the deadline times that are less than the time, the time that is after the latest deadline time and is less than the safe allowable time calculated from the previous wake-up time of the monitoring task is set as the next wake-up time of the monitoring task. The wake-up time setting process that wakes up the monitoring task at the wake-up time,
    A task abnormality monitoring program that causes a computer to execute a task monitoring process that executes the monitoring task that wakes up at the wake-up time.
PCT/JP2020/006466 2020-02-19 2020-02-19 Task abnormality monitoring device, method, and program WO2021166108A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2020/006466 WO2021166108A1 (en) 2020-02-19 2020-02-19 Task abnormality monitoring device, method, and program
JP2021564624A JP7026870B2 (en) 2020-02-19 2020-02-19 Task anomaly monitoring device, method and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2020/006466 WO2021166108A1 (en) 2020-02-19 2020-02-19 Task abnormality monitoring device, method, and program

Publications (1)

Publication Number Publication Date
WO2021166108A1 true WO2021166108A1 (en) 2021-08-26

Family

ID=77390776

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2020/006466 WO2021166108A1 (en) 2020-02-19 2020-02-19 Task abnormality monitoring device, method, and program

Country Status (2)

Country Link
JP (1) JP7026870B2 (en)
WO (1) WO2021166108A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014136302A1 (en) * 2013-03-04 2014-09-12 日本電気株式会社 Task management device and task management method

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014136302A1 (en) * 2013-03-04 2014-09-12 日本電気株式会社 Task management device and task management method

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
TAKAHIRO FUJITANI; YUTAKA MATSUBARA; SHINPEI KATO; HIROAKI TAKADA: "Schedulability Evaluation of FIFO-Method Preemptive Synchronization Protocols for Multicore", IPSJ SIG NOTES, vol. 2013-OS-124, no. 3, 15 April 2013 (2013-04-15), pages 1 - 8, XP009530599, ISSN: 2186-2583 *
TSUNAMICHI TSUKIDATE; FUMIO NARISAWA; KOTA ASAKURA; TOMOHITO EBINA: "Efficient Timing Protection for Automotive System compliant with IS0 26262", 17 March 2016 (2016-03-17), JP, pages 1 - 5, XP009530598, ISSN: 2188-868X, Retrieved from the Internet <URL:http://id.nii.ac.jp/1001/00158279/> [retrieved on 20200407] *
YUMI MIZUNO; HIDEKI TAKASE; KAZUYOSHI TAKAGI; NAOFUMI TAKAGI: "Dynamic Voltage Frequency Control in Weak-Hardware Real-Time Systems under (m, k)-firm Constraints", IPSG SIG TECHNICAL REPORT, vol. 2018-ARC-230, no. 29, 28 February 2018 (2018-02-28), JP, pages 1 - 6, XP009530601, ISSN: 2188-8574 *

Also Published As

Publication number Publication date
JP7026870B2 (en) 2022-02-28
JPWO2021166108A1 (en) 2021-08-26

Similar Documents

Publication Publication Date Title
US9058195B2 (en) Virtual machines failover
US10248322B2 (en) Memory system
US7823008B2 (en) Maintaining consistency in a remote copy data storage system
CN101946235A (en) Method and apparatus for moving threads in a shared processor partitioning environment
US9423847B2 (en) Method and apparatus for transitioning a system to an active disconnect state
JP6123626B2 (en) Process resumption method, process resumption program, and information processing system
US20080126650A1 (en) Methods and apparatus for parallel processing in system management mode
US11455251B2 (en) Enhanced durability for systems on chip (SOCs)
JP2009238159A (en) Storage system
US10146483B2 (en) Memory system
JP6123388B2 (en) Fault tolerant server
JP2008299695A (en) Database management system for controlling power consumption of storage system
US8543803B2 (en) Apparatus, system, and method for accurate automated scheduling of computer suspend and resume
US7461299B2 (en) Monitoring writes to cache as part of system error handling
WO2021166108A1 (en) Task abnormality monitoring device, method, and program
CN113934571A (en) Method and apparatus for page cache management
JP5672521B2 (en) Computer system and checkpoint restart method thereof
US9952941B2 (en) Elastic virtual multipath resource access using sequestered partitions
JP6677021B2 (en) Information processing apparatus, information processing method, and program
KR20190024576A (en) Method and system for preventing execution of a dirty virtual machine on an undesirable host server in a virtualization cluster environment
WO2023206693A1 (en) System sleep method and apparatus and system wake-up method and apparatus
US11663098B2 (en) Maintaining durability of a data object using unplanned delta components during transient failures
EP4068096A1 (en) Data processing program, information processing system, and data processing method
KR20220138324A (en) Method of supporting persistence and computing device
JP2003131893A (en) Arithmetic processing system, task control method in a computer system and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20920550

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2021564624

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20920550

Country of ref document: EP

Kind code of ref document: A1