WO2022201597A1 - Vehicle control device - Google Patents

Vehicle control device Download PDF

Info

Publication number
WO2022201597A1
WO2022201597A1 PCT/JP2021/035372 JP2021035372W WO2022201597A1 WO 2022201597 A1 WO2022201597 A1 WO 2022201597A1 JP 2021035372 W JP2021035372 W JP 2021035372W WO 2022201597 A1 WO2022201597 A1 WO 2022201597A1
Authority
WO
WIPO (PCT)
Prior art keywords
core
communication
data memory
shared data
vehicle control
Prior art date
Application number
PCT/JP2021/035372
Other languages
French (fr)
Japanese (ja)
Inventor
朋仁 蛯名
Original Assignee
日立Astemo株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日立Astemo株式会社 filed Critical 日立Astemo株式会社
Priority to DE112021005649.2T priority Critical patent/DE112021005649T5/en
Priority to JP2023508440A priority patent/JPWO2022201597A1/ja
Publication of WO2022201597A1 publication Critical patent/WO2022201597A1/en

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/02Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
    • B60W50/023Avoiding failures by using redundant parts
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/02Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
    • B60W50/0225Failure correction strategy
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W2050/0062Adapting control system settings
    • B60W2050/0075Automatic parameter input, automatic initialising or calibrating means
    • B60W2050/0082Automatic parameter input, automatic initialising or calibrating means for initialising the control system
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W2050/0062Adapting control system settings
    • B60W2050/0075Automatic parameter input, automatic initialising or calibrating means
    • B60W2050/0083Setting, resetting, calibration
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0706Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment
    • G06F11/0736Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment in functional embedded systems, i.e. in a data processing system designed as a combination of hardware and software dedicated to performing a certain function
    • G06F11/0739Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment in functional embedded systems, i.e. in a data processing system designed as a combination of hardware and software dedicated to performing a certain function in a data processing system embedded in automotive or aircraft systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3003Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3024Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a central processing unit [CPU]

Definitions

  • the present invention relates to a vehicle control device, and more particularly to a vehicle control device having a multi-core CPU.
  • ECUs Electronic Control Units, that is, vehicle control devices
  • engine control brake control
  • transmission control transmission control
  • door control air conditioner control
  • ECUs Electronic Control Units
  • the ECU may have a multi-core CPU with multiple cores.
  • a multi-core CPU generally, when an abnormality occurs in one of the cores, the entire multi-core CPU is reset in order to recover from the abnormal state.
  • the entire multi-core CPU is reset, there is a problem that communication is interrupted between reset release and completion of OS initialization. Also, due to the communication interruption, other ECUs will determine that there is an abnormality.
  • Patent Document 1 can shorten the time from reset release to completion of OS initialization, there is still room for improvement.
  • the present invention has been made to solve such technical problems, and an object of the present invention is to provide a vehicle control device that can prevent interruption of communication from reset release to completion of OS initialization.
  • a vehicle control device comprises a multi-core CPU having at least a first core and a second core, a shared data memory configured to be accessible by each core and storing at least communication parameters, and operations of the multi-core CPU.
  • a monitoring circuit for monitoring and outputting a reset signal to the multi-core CPU, wherein the second core accesses the shared data memory from reset release to completion of OS initialization by the first core. It is characterized in that the communication parameters are confirmed, and communication with the outside is performed based on the communication parameters stored in the shared data memory.
  • the second core accesses the shared data memory to confirm the communication parameters and saves them in the shared data memory after the reset is released until the OS initialization is completed by the first core. Since communication with the outside is performed based on the communication parameters, communication can be performed without waiting for the completion of OS initialization. As a result, it is possible to prevent interruption of communication from reset release to completion of OS initialization.
  • FIG. 1 is a configuration diagram showing a vehicle control system including a vehicle control device according to a first embodiment
  • FIG. FIG. 5 is a sequence diagram showing control after reset release of the vehicle control device according to the first embodiment
  • FIG. 9 is a sequence diagram showing control before and after resetting of the vehicle control device according to the second embodiment
  • FIG. 11 is a sequence diagram showing control before and after resetting of the vehicle control device according to the third embodiment
  • FIG. 1 is a configuration diagram showing a vehicle control system provided with a vehicle control device according to the first embodiment.
  • a vehicle control device 10 of the present embodiment is configured by an ECU, and forms a vehicle control system together with a plurality of other ECUs (ECU 20, ECU 30).
  • the vehicle control device 10 is in charge of engine control
  • the ECU 20 is in charge of brake control
  • the ECU 30 is in charge of transmission control.
  • the vehicle control device 10, the ECU 20, and the ECU 30 are connected by an in-vehicle network 15 such as a CAN (Controller Area Network), etc., and communicate with each other through the in-vehicle network 15 to realize safe driving of the vehicle.
  • CAN Controller Area Network
  • the vehicle control device 10 mainly includes a multi-core CPU 11 and a monitoring IC (Integrated Circuit) 12 that monitors the operation of the multi-core CPU 11 .
  • a monitoring IC Integrated Circuit
  • the multi-core CPU 11 includes a plurality of cores (first core 111-1, second core 111-2, . . . n-th core 111-n) and a program memory (program memory 112-1, program memory 112-2, . . . program memory 112-n) and data memory (data memory 113-1, data memory 113-2, .
  • Each program memory and each data memory store programs and data for performing the functions of the corresponding core.
  • n is a natural number of 2 or more.
  • the program memory 112-1 corresponding to the first core 111-1 contains an initialization program for initializing the OS (Operating System) to be executed after the reset is released, and an initialization program assigned to the first core 111-1.
  • Application software hereinafter simply referred to as "application” for performing the processing is stored.
  • a program memory 112-2 corresponding to the second core 111-2 stores a communication program relating to communication processing to be executed after reset release and an application for performing processing assigned to the second core 111-2.
  • the monitoring IC 12 corresponds to the "monitoring unit" described in the claims, and monitors whether the multi-core CPU 11 is operating normally based on the signal 13 output from the multi-core CPU 11. Further, when the signal 13 is interrupted, the monitor IC 12 can output the reset signal 14 to the multi-core CPU 11 assuming that the multi-core CPU 11 is abnormal, and reset the multi-core CPU 11 . Furthermore, immediately after power-on (in other words, power-on), the power supply voltage is low, so the monitoring IC 12 can output the reset signal 14 to the multi-core CPU 11 to reset the multi-core CPU 11 . After the power supply voltage is stabilized, the monitor IC 12 stops outputting the reset signal 14 . As a result, the reset of the multi-core CPU 11 is released, and the multi-core CPU 11 starts operating.
  • the multi-core CPU 11 further comprises a shared data memory 115 accessible by each core, and a communication device 114 connected to each core. Each core is respectively connected to communication device 114 and shared data memory 115 via bus 116 .
  • the shared data memory 115 stores data such as communication parameters shared between cores. Communication parameters include communication speed, data size, and transmission cycle.
  • the multi-core CPU 11 may be composed of one IC, or may be composed of a plurality of ICs. Also, the monitoring IC 12 does not necessarily have to be provided independently from the multi-core CPU 11 , and a monitoring function corresponding to the monitoring IC 12 may be incorporated into the multi-core CPU 11 .
  • the vehicle control device 10 configured as described above is equipped with an OS, and programs related to each control process operate under the control of the OS. Then, when the multi-core CPU 11 is reset due to an abnormality or the like, the OS performs an initialization process after canceling the reset. In the OS initialization process, the OS initializes devices and applications, and further executes applications.
  • initialization is performed by one core in order to maintain initialization consistency.
  • the program memory 112-1 corresponding to the first core 111-1 stores an initialization program for initializing the OS to be executed after the reset is released. performs OS initialization processing after reset release.
  • the second core 111-2 executes the communication processing after the reset is released. conduct. At that time, the second core 111-2 accesses the shared data memory 115 to confirm the communication parameters by the communication program executed after the reset is released, and furthermore, based on the communication parameters saved in the shared data memory 115, Communicate with the outside world.
  • the communication processing of the second core 111-2 is executed in parallel with the initialization processing of the OS by the first core 111-1.
  • the communication is switched. That is, the communication program of the second core 111-2 is stopped, and communication processing led by the first core 111-1 is started.
  • steps S211 to S214 are processes performed by the first core 111-1
  • steps S221 to S225 are processes performed by the second core 111-2.
  • the first core 111-1 first activates the OS (step S211), and then performs OS initialization processing (step S212). At this time, the second core 111-2 performs each process in parallel with the process of the first core 111-1.
  • the second core 111-2 first accesses the shared data memory 115 and confirms the communication parameters (step S221). Confirmation of the communication parameters in this step is confirmation of whether or not normal communication parameters are set in the shared data memory 115 . Since the values in the shared data memory 115 are indefinite immediately after the power is turned on (in other words, immediately after the reset is released), normal communication parameters are not set. Therefore, the second core 111-2 performs communication parameter initialization processing (step S222). Subsequently, the second core 111-2 starts communication with an external device (eg, the ECU 20 or the ECU 30) via the communication device 114 based on the initialized communication parameters (step S223).
  • an external device eg, the ECU 20 or the ECU 30
  • the first core 111-1 activates an application related to communication (step S213).
  • the second core 111-2 performs communication switching processing (step S224). Specifically, the communication program of the second core 111-2 is stopped, and communication processing led by the first core 111-1 is performed. Subsequently, the first core 111-1 and the second core 111-2 execute their respective applications (steps S214 and S225).
  • the second core 111-2 accesses the shared data memory 115 for communication during the period from reset cancellation by turning on the power to completion of OS initialization by the first core 111-1.
  • communication with the external device is performed based on the initialized communication parameters, so communication is possible without waiting for the completion of OS initialization.
  • interruption of communication from reset release to completion of OS initialization is possible to avoid an abnormality determination from another ECU due to a communication interruption.
  • a vehicle control device 10 according to the second embodiment has the same structure as that of the first embodiment, but differs from the first embodiment in the control contents of the vehicle control device 10 . Only the differences will be described below.
  • an abnormality When an abnormality occurs, there is a method of resolving it by software-initializing the function in which the anomaly occurred, but there is also a method of resolving the anomaly by hardware-resetting the entire multi-core CPU.
  • a method of resolving an abnormality by resetting the entire multi-core CPU in terms of hardware is adopted.
  • the communication parameters currently in use Prior to resetting the entire multi-core CPU 11, the communication parameters currently in use are saved in the shared data memory 115, and after the reset is released, communication is performed based on the saved communication parameters currently in use. Continuity of communication before and after can be maintained.
  • the abnormality referred to in this embodiment is an abnormality that can be detected via a sensor or the like attached to the vehicle. Resets resulting from such anomalies are therefore intended resets.
  • steps S311 to S315 are processes performed by the first core 111-1
  • steps S321 to S325 are processes performed by the second core 111-2.
  • the first core 111-1 detects an abnormality (step S311), it instructs the second core 111-2 to save the currently used communication parameters.
  • the second core 111-2 stores the currently used communication parameters based on the instruction from the first core 111-1 (step S321). At this time, the second core 111-2 stores the currently used communication parameters in the shared data memory 115 instead of the data memory 113-2 corresponding to the second core 111-2.
  • communication parameters stored in shared data memory 115 are assumed to be communication parameters 331 .
  • the first core 111-1 transmits an instruction to generate a reset to the monitoring IC 12 (step S312). Subsequently, the multicore CPU 11 is reset.
  • the first core 111-1 first starts up the OS (step S313), and then performs OS initialization processing (step S314). At this time, the second core 111-2 performs each process in parallel with the process of the first core 111-1.
  • the second core 111-2 accesses the shared data memory 115 and checks the communication parameters 331 stored in the shared data memory 115 (step S322).
  • the confirmation of the communication parameters in this step is confirmation that the values in the memory are not undefined immediately after the power is turned on.
  • the second core 111-2 refers to the communication parameter 331 and performs communication parameter restoration processing (step S323).
  • the second core 111-2 starts communication with an external device (for example, the ECU 20 or the ECU 30) via the communication device 114 based on the restored communication parameter (that is, the communication parameter 331) (step S324).
  • the first core 111-1 activates an application related to communication and the like (step S315), and the second core 111-1 111-2 performs communication switching processing (step S325). After that, each process described in the first embodiment is performed.
  • the vehicle control device 10 of this embodiment in addition to obtaining the same effects as those of the first embodiment, the following effects are obtained. That is, the communication parameters currently in use are stored in the shared data memory 115 before resetting, and the second core 111-2 is set to the shared data memory 115 after the reset is released until the OS initialization by the first core 111-1 is completed. Since communication is performed based on the currently used communication parameters saved in the , it is possible to maintain continuity of communication before and after the reset. In addition, in the technique described in Patent Document 1, only initial communication is performed after the reset is canceled, so it is considered that there is a problem in that the continuity of communication cannot be maintained before and after the reset. According to the vehicle control device 10 of the present embodiment, it is possible to solve the technical problem described in Patent Document 1 above.
  • each data related to the communication parameter is duplicated or a checksum or hash is added. etc., can be used.
  • a communication program may be further stored in the shared data memory 115 in addition to the communication parameters.
  • shared data memory 115 may store a program that interprets and executes a script, such as a communication program written in a script language. In this way, even complicated communication processing can be handled.
  • a vehicle control device 10 according to the third embodiment has the same structure as that of the first embodiment, but differs from the first embodiment in the processing contents of the vehicle control device 10 . Only the differences will be described below.
  • FIG. 4 is a sequence diagram showing control before and after resetting of the vehicle control device according to the third embodiment.
  • steps S411 to S414 are processes performed by the first core 111-1
  • steps S421 to S424 are processes performed by the second core 111-2.
  • the first core 111-1 first performs processing for saving default values of communication parameters (step S411).
  • the default value of the communication parameter is the value of the communication parameter that is used when resetting occurs due to an unexpected abnormality, and is set in advance. A communication pattern indicating that the reset is due to an unexpected abnormality is preliminarily incorporated in this default value.
  • Default values are stored in shared data memory 115 using the techniques described above to distinguish them from indeterminate values in memory.
  • the default values stored in shared data memory 115 are assumed to be communication parameters 431 .
  • the monitoring IC 12 outputs a reset signal 14 to the multi-core CPU 11.
  • the multi-core CPU 11 is thereby reset.
  • the first core 111-1 first starts up the OS (step S412), and then performs OS initialization processing (step S413). At this time, the second core 111-2 performs each process in parallel with the process of the first core 111-1.
  • the second core 111-2 accesses the shared data memory 115, confirms the communication parameter 431 stored in the shared data memory 115, and checks that it is not an undefined value in the memory (step S421). ), and acquires the communication parameter 431 (step S422). As a result, the default value set in step S411 is acquired.
  • the second core 111-2 starts communication with an external device (eg, the ECU 20 or the ECU 30) via the communication device 114 based on the obtained communication parameters 431 (step S423). Since the communication parameter 431 incorporates a communication pattern indicating a reset due to an unexpected abnormality, the other ECUs (ECU 20 and ECU 30) can grasp it with the vehicle control device 10.
  • an external device eg, the ECU 20 or the ECU 30
  • the first core 111-1 activates an application related to communication (step S414)
  • the core 111-2 performs communication switching processing (step S424). After that, each process described in the first embodiment is performed.
  • the first core 111-1 presets default values of communication parameters and stores them in the shared data memory 115.
  • FIG. 1 When resetting occurs due to an unexpected abnormality, the second core 111-2 performs communication based on the default value, thereby enabling communication without waiting for completion of OS initialization. As a result, it is possible to prevent interruption of communication from reset release to completion of OS initialization. In addition, as a result, it is possible to avoid an abnormality determination from another ECU due to the communication interruption.
  • the default values of the communication parameters are set by the first core 111-1 in step S411. For example, only the flag is set. may be transmitted to the second core 111-2.
  • the reset pattern due to power-on (first embodiment), the intended reset pattern (second embodiment), and the reset pattern due to an unexpected abnormality (third embodiment).
  • first embodiment the reset pattern due to power-on
  • second embodiment the intended reset pattern
  • third embodiment the reset pattern due to an unexpected abnormality
  • vehicle control device 11 multi-core CPU 12 monitoring IC (monitoring unit) 13 signal 14 reset signal 15 in-vehicle network 20, 30 ECU 111-1 1st core 111-2 2nd core 111-n nth core 112-1, 112-2, . . . 112-n program memory 113-1, 113-2, . shared data memory 116 bus

Landscapes

  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Human Computer Interaction (AREA)
  • Transportation (AREA)
  • Mechanical Engineering (AREA)
  • Debugging And Monitoring (AREA)
  • Hardware Redundancy (AREA)

Abstract

A vehicle control device 10 comprising a multicore CPU 11 having at least a first core 111-1 and a second core 111-2, a shared data memory 115 configured to be accessible by each core and storing at least a communication parameter, and a monitoring IC 12 that monitors operation of the multicore CPU 11 and outputs a reset signal to the multicore CPU 11. The second core 111-2 accesses the shared data memory 115 to check the communication parameter and communicates with the outside on the basis of the communication parameter stored in the shared data memory 115 within a period from cancellation of resetting until completion of OS initialization by the first core 111-1.

Description

車両制御装置vehicle controller
 本発明は、車両制御装置に関し、特にマルチコアCPUを備える車両制御装置に関する。
 本願は、2021年3月22日に出願された日本国特願2021-046953号に基づき優先権を主張し、その内容をここに援用する。 The present invention relates to a vehicle control device, and more particularly to a vehicle control device having a multi-core CPU.
This application claims priority based on Japanese Patent Application No. 2021-046953 filed on March 22, 2021, the contents of which are incorporated herein.
 近年、自動車等の車両において、エンジン制御、ブレーキ制御、トランスミッション制御、ドア制御、エアコン制御等を行うために複数のECU(Electronic Control Unit、すなわち車両制御装置)が搭載されている。これらのECUは、車載ネットワークを介して互いに通信し協働することにより、車両の安全走行等を実現している。 In recent years, vehicles such as automobiles are equipped with a plurality of ECUs (Electronic Control Units, that is, vehicle control devices) for performing engine control, brake control, transmission control, door control, air conditioner control, etc. These ECUs communicate and cooperate with each other via an in-vehicle network to realize safe driving of the vehicle.
 ECUは、複数のコアを有するマルチコアCPUを備える場合がある。マルチコアCPUでは、一般的に、いずれかのコアに異常が生じた場合、異常状態から回復させるべくマルチコアCPU全体のリセットが行われる。しかし、マルチコアCPU全体がリセットされると、リセット解除からOS初期化完了までの間に通信が途絶する問題がある。また、通信途絶によって、他のECUからは異常であると判定されてしまう。 The ECU may have a multi-core CPU with multiple cores. In a multi-core CPU, generally, when an abnormality occurs in one of the cores, the entire multi-core CPU is reset in order to recover from the abnormal state. However, when the entire multi-core CPU is reset, there is a problem that communication is interrupted between reset release and completion of OS initialization. Also, due to the communication interruption, other ECUs will determine that there is an abnormality.
 このような問題を解決するため、例えば下記特許文献1に記載のように、FPGA(Field Programmable Gate Array)を使用してリセット解除からOS初期化完了までの時間を短縮する技術が検討されている。 In order to solve such problems, for example, as described in Patent Document 1 below, a technology is being studied that uses an FPGA (Field Programmable Gate Array) to shorten the time from reset release to completion of OS initialization. .
特開2013-246495号公報JP 2013-246495 A
 しかし、上記特許文献1に記載の技術では、リセット解除からOS初期化完了までの時間を短縮できるが、改善余地があった。 However, although the technology described in Patent Document 1 can shorten the time from reset release to completion of OS initialization, there is still room for improvement.
 本発明は、このような技術課題を解決するためになされたものであって、リセット解除からOS初期化完了までの間の通信の途絶を防止できる車両制御装置を提供することを目的とする。 The present invention has been made to solve such technical problems, and an object of the present invention is to provide a vehicle control device that can prevent interruption of communication from reset release to completion of OS initialization.
 本発明に係る車両制御装置は、第1コアと第2コアとを少なくとも有するマルチコアCPUと、各コアがアクセス可能に構成され、少なくとも通信パラメータを保存する共有データメモリと、前記マルチコアCPUの動作を監視するとともに前記マルチコアCPUにリセット信号を出力する監視回路と、を備え、前記第2コアは、リセット解除から前記第1コアによるOS初期化完了までの間に、前記共有データメモリにアクセスして通信パラメータの確認を行い、前記共有データメモリに保存される通信パラメータに基づいて外部との通信を行うことを特徴としている。 A vehicle control device according to the present invention comprises a multi-core CPU having at least a first core and a second core, a shared data memory configured to be accessible by each core and storing at least communication parameters, and operations of the multi-core CPU. a monitoring circuit for monitoring and outputting a reset signal to the multi-core CPU, wherein the second core accesses the shared data memory from reset release to completion of OS initialization by the first core. It is characterized in that the communication parameters are confirmed, and communication with the outside is performed based on the communication parameters stored in the shared data memory.
 本発明に係る車両制御装置では、第2コアは、リセット解除から第1コアによるOS初期化完了までの間に、共有データメモリにアクセスして通信パラメータの確認を行い、共有データメモリに保存される通信パラメータに基づいて外部との通信を行うので、OS初期化の完了を待たずに通信が可能となる。その結果、リセット解除からOS初期化完了までの間の通信の途絶を防止することができる。 In the vehicle control device according to the present invention, the second core accesses the shared data memory to confirm the communication parameters and saves them in the shared data memory after the reset is released until the OS initialization is completed by the first core. Since communication with the outside is performed based on the communication parameters, communication can be performed without waiting for the completion of OS initialization. As a result, it is possible to prevent interruption of communication from reset release to completion of OS initialization.
 本発明によれば、リセット解除からOS初期化完了までの間の通信の途絶を防止することができる。 According to the present invention, it is possible to prevent disruption of communication during the period from reset release to completion of OS initialization.
第1実施形態に係る車両制御装置を備えた車両制御システムを示す構成図である。1 is a configuration diagram showing a vehicle control system including a vehicle control device according to a first embodiment; FIG. 第1実施形態に係る車両制御装置のリセット解除後の制御を示すシーケンス図である。FIG. 5 is a sequence diagram showing control after reset release of the vehicle control device according to the first embodiment; 第2実施形態に係る車両制御装置のリセット前後の制御を示すシーケンス図である。FIG. 9 is a sequence diagram showing control before and after resetting of the vehicle control device according to the second embodiment; 第3実施形態に係る車両制御装置のリセット前後の制御を示すシーケンス図である。FIG. 11 is a sequence diagram showing control before and after resetting of the vehicle control device according to the third embodiment;
 以下、図面を参照して本発明に係る車両制御装置の実施形態について説明する。 An embodiment of a vehicle control device according to the present invention will be described below with reference to the drawings.
[第1実施形態]
 図1は第1実施形態に係る車両制御装置を備えた車両制御システムを示す構成図である。本実施形態の車両制御装置10は、ECUにより構成され、他の複数のECU(ECU20、ECU30)とともに車両制御システムを形成する。ここでは、例えば車両制御装置10はエンジン制御を担当し、ECU20はブレーキ制御を担当し、ECU30はトランスミッション制御を担当する。そして、車両制御装置10、ECU20及びECU30は、CAN(Controller Area Network)等の車載ネットワーク15により接続され、該車載ネットワーク15で通信を行い協働することで、車両の安全走行等を実現している。 [First Embodiment]
FIG. 1 is a configuration diagram showing a vehicle control system provided with a vehicle control device according to the first embodiment. A vehicle control device 10 of the present embodiment is configured by an ECU, and forms a vehicle control system together with a plurality of other ECUs (ECU 20, ECU 30). Here, for example, the vehicle control device 10 is in charge of engine control, the ECU 20 is in charge of brake control, and the ECU 30 is in charge of transmission control. The vehicle control device 10, the ECU 20, and the ECU 30 are connected by an in-vehicle network 15 such as a CAN (Controller Area Network), etc., and communicate with each other through the in-vehicle network 15 to realize safe driving of the vehicle. there is
 図1に示すように、車両制御装置10は主に、マルチコアCPU11と、マルチコアCPU11の動作を監視する監視IC(Integrated Circuit)12とを備えている。 As shown in FIG. 1, the vehicle control device 10 mainly includes a multi-core CPU 11 and a monitoring IC (Integrated Circuit) 12 that monitors the operation of the multi-core CPU 11 .
 マルチコアCPU11は、複数のコア(第1コア111-1,第2コア111-2,…第nコア111-n)と、複数のコアに対して1対1に設けられたプログラムメモリ(プログラムメモリ112-1,プログラムメモリ112-2,…プログラムメモリ112-n)及びデータメモリ(データメモリ113-1,データメモリ113-2,…データメモリ113-n)とを有する。各プログラムメモリ及び各データメモリは、対応するコアの機能を果たすためのプログラム及びデータを保存する。なお、nは2以上の自然数である。 The multi-core CPU 11 includes a plurality of cores (first core 111-1, second core 111-2, . . . n-th core 111-n) and a program memory (program memory 112-1, program memory 112-2, . . . program memory 112-n) and data memory (data memory 113-1, data memory 113-2, . Each program memory and each data memory store programs and data for performing the functions of the corresponding core. Note that n is a natural number of 2 or more.
 本実施形態において、第1コア111-1に対応するプログラムメモリ112-1には、リセット解除後に実行するOS(Operating System)の初期化に関する初期化プログラムと、第1コア111-1に割り当てられた処理を行うためのアプリケーションソフトウェア(以下では、単に「アプリケーション」という)とが保存されている。第2コア111-2に対応するプログラムメモリ112-2には、リセット解除後に実行する通信処理に関する通信プログラムと、第2コア111-2に割り当てられた処理を行うためのアプリケーションとが保存されている。 In this embodiment, the program memory 112-1 corresponding to the first core 111-1 contains an initialization program for initializing the OS (Operating System) to be executed after the reset is released, and an initialization program assigned to the first core 111-1. Application software (hereinafter simply referred to as "application") for performing the processing is stored. A program memory 112-2 corresponding to the second core 111-2 stores a communication program relating to communication processing to be executed after reset release and an application for performing processing assigned to the second core 111-2. there is
 監視IC12は、特許請求の範囲に記載の「監視部」に相当するものであり、マルチコアCPU11から出力される信号13に基づいて、マルチコアCPU11が正常に動作しているか否かを監視する。また、監視IC12は、信号13が途絶した場合、マルチコアCPU11に異常が発生しているものとしてリセット信号14をマルチコアCPU11に出力し、マルチコアCPU11をリセットさせることができる。更に、電源投入(言い換えれば、電源ON)直後の場合、電源電圧が低電圧であるため、監視IC12はリセット信号14をマルチコアCPU11に出力し、マルチコアCPU11をリセットさせることができる。そして、電源電圧が安定した後、監視IC12はリセット信号14の出力を停止する。これによって、マルチコアCPU11のリセットが解除され、マルチコアCPU11が動作を開始する。 The monitoring IC 12 corresponds to the "monitoring unit" described in the claims, and monitors whether the multi-core CPU 11 is operating normally based on the signal 13 output from the multi-core CPU 11. Further, when the signal 13 is interrupted, the monitor IC 12 can output the reset signal 14 to the multi-core CPU 11 assuming that the multi-core CPU 11 is abnormal, and reset the multi-core CPU 11 . Furthermore, immediately after power-on (in other words, power-on), the power supply voltage is low, so the monitoring IC 12 can output the reset signal 14 to the multi-core CPU 11 to reset the multi-core CPU 11 . After the power supply voltage is stabilized, the monitor IC 12 stops outputting the reset signal 14 . As a result, the reset of the multi-core CPU 11 is released, and the multi-core CPU 11 starts operating.
 マルチコアCPU11は、各コアがアクセスできる共有データメモリ115と、各コアと接続される通信デバイス114とを更に備えている。各コアは、バス116を介して通信デバイス114及び共有データメモリ115とそれぞれ接続されている。共有データメモリ115には、コア間で共有する通信パラメータ等のデータが保存されている。通信パラメータとしては、通信速度、データサイズ及び送信周期等が挙げられる。 The multi-core CPU 11 further comprises a shared data memory 115 accessible by each core, and a communication device 114 connected to each core. Each core is respectively connected to communication device 114 and shared data memory 115 via bus 116 . The shared data memory 115 stores data such as communication parameters shared between cores. Communication parameters include communication speed, data size, and transmission cycle.
 マルチコアCPU11は、一つのICで構成されても良く、複数のICで構成されても良い。また、監視IC12は、必ずしもマルチコアCPU11から独立して設ける必要がなく、該監視IC12に相当する監視機能をマルチコアCPU11に組み込むようにしても良い。 The multi-core CPU 11 may be composed of one IC, or may be composed of a plurality of ICs. Also, the monitoring IC 12 does not necessarily have to be provided independently from the multi-core CPU 11 , and a monitoring function corresponding to the monitoring IC 12 may be incorporated into the multi-core CPU 11 .
 このように構成された車両制御装置10では、OSを搭載しており、各制御処理に関するプログラムはOSの管理下で動作する。そして、異常等の原因でマルチコアCPU11がリセットされた場合、OSは、リセット解除後に初期化処理を行う。OSの初期化処理では、OSはデバイスの初期化及びアプリケーションの初期化を行い、更にアプリケーションの実行を行う。 The vehicle control device 10 configured as described above is equipped with an OS, and programs related to each control process operate under the control of the OS. Then, when the multi-core CPU 11 is reset due to an abnormality or the like, the OS performs an initialization process after canceling the reset. In the OS initialization process, the OS initializes devices and applications, and further executes applications.
 そして、複数のコアを有するマルチコアCPU11では、初期化の一貫性を保つために、1つのコアにより初期化を実行するようになっている。上述したように、第1コア111-1に対応するプログラムメモリ112-1には、リセット解除後に実行するOSの初期化に関する初期化プログラムが保存されているので、従って、第1コア111-1はリセット解除後のOS初期化処理を行う。 In addition, in the multi-core CPU 11 having multiple cores, initialization is performed by one core in order to maintain initialization consistency. As described above, the program memory 112-1 corresponding to the first core 111-1 stores an initialization program for initializing the OS to be executed after the reset is released. performs OS initialization processing after reset release.
 一方、第2コア111-2に対応するプログラムメモリ112-2には、リセット解除後に実行する通信処理に関する通信プログラムが保存されているので、第2コア111-2はリセット解除後の通信処理を行う。その際に、第2コア111-2は、リセット解除後に実行する通信プログラムによって、共有データメモリ115にアクセスして通信パラメータの確認を行い、更に共有データメモリ115に保存される通信パラメータに基づいて外部との通信を行う。なお、第2コア111-2の通信処理は、第1コア111-1によるOSの初期化処理と並行して実行される。 On the other hand, since the program memory 112-2 corresponding to the second core 111-2 stores a communication program related to communication processing to be executed after the reset is released, the second core 111-2 executes the communication processing after the reset is released. conduct. At that time, the second core 111-2 accesses the shared data memory 115 to confirm the communication parameters by the communication program executed after the reset is released, and furthermore, based on the communication parameters saved in the shared data memory 115, Communicate with the outside world. The communication processing of the second core 111-2 is executed in parallel with the initialization processing of the OS by the first core 111-1.
 そして、第1コア111-1によるOS初期化処理が完了し、第1コア111-1におけるアプリケーションの起動した時点で、通信の切り替えが行われる。すなわち、第2コア111-2の通信プログラムが停止し、第1コア111-1が主導する通信処理を開始する。 Then, when the OS initialization process by the first core 111-1 is completed and the application in the first core 111-1 is activated, the communication is switched. That is, the communication program of the second core 111-2 is stopped, and communication processing led by the first core 111-1 is started.
 以下、図2を基に車両制御装置10におけるリセット解除後の制御を説明する。ここでは、電源ONによるリセットの解除から、OSの初期化、通信、アプリケーション実行といった一連の処理の例を挙げて説明する。なお、図2において、ステップS211~S214は第1コア111-1により行われる処理であり、ステップS221~S225は第2コア111-2により行われる処理である。 The control after reset cancellation in the vehicle control device 10 will be described below based on FIG. Here, an example of a series of processes from reset release by power-on to OS initialization, communication, and application execution will be described. In FIG. 2, steps S211 to S214 are processes performed by the first core 111-1, and steps S221 to S225 are processes performed by the second core 111-2.
 図2に示すように、電源ONによるリセット解除後、第1コア111-1は、まずOSを起動し(ステップS211)、次にOSの初期化処理を行う(ステップS212)。このとき、第2コア111-2は、第1コア111-1の処理と並行して各処理を行う。 As shown in FIG. 2, after the reset is released by turning on the power, the first core 111-1 first activates the OS (step S211), and then performs OS initialization processing (step S212). At this time, the second core 111-2 performs each process in parallel with the process of the first core 111-1.
 具体的には、第2コア111-2は、まず共有データメモリ115にアクセスし、通信パラメータの確認を行う(ステップS221)。本ステップにおける通信パラメータの確認は、共有データメモリ115に正常な通信パラメータが設定されているか否かの確認である。電源ON直後(言い換えれば、リセット解除直後)は、共有データメモリ115の値は不定値であるので、正常な通信パラメータは設定されていない。このため、第2コア111-2は通信パラメータ初期化の処理を行う(ステップS222)。続いて、第2コア111-2は、初期化した通信パラメータに基づき、通信デバイス114を介して外部装置(例えばECU20やECU30)との通信を開始する(ステップS223)。 Specifically, the second core 111-2 first accesses the shared data memory 115 and confirms the communication parameters (step S221). Confirmation of the communication parameters in this step is confirmation of whether or not normal communication parameters are set in the shared data memory 115 . Since the values in the shared data memory 115 are indefinite immediately after the power is turned on (in other words, immediately after the reset is released), normal communication parameters are not set. Therefore, the second core 111-2 performs communication parameter initialization processing (step S222). Subsequently, the second core 111-2 starts communication with an external device (eg, the ECU 20 or the ECU 30) via the communication device 114 based on the initialized communication parameters (step S223).
 そして、第1コア111-1によるOSの初期化処理が完了すると、第1コア111-1は、通信等に関するアプリケーションを起動する(ステップS213)。このとき、第2コア111-2は、通信切り替えの処理を行う(ステップS224)。具体的には、第2コア111-2の通信プログラムが停止し、第1コア111-1が主導する通信処理が行われる。続いて、第1コア111-1と第2コア111-2は、それぞれのアプリケーションを実行する(ステップS214とステップS225)。 Then, when the OS initialization process by the first core 111-1 is completed, the first core 111-1 activates an application related to communication (step S213). At this time, the second core 111-2 performs communication switching processing (step S224). Specifically, the communication program of the second core 111-2 is stopped, and communication processing led by the first core 111-1 is performed. Subsequently, the first core 111-1 and the second core 111-2 execute their respective applications (steps S214 and S225).
 本実施形態の車両制御装置10によれば、電源ONによるリセット解除から第1コア111-1によるOS初期化完了までの間に、第2コア111-2は共有データメモリ115にアクセスして通信パラメータの確認を行い、通信パラメータの初期化処理を行った後に、初期化した通信パラメータに基づいて外部装置との通信を行うので、OS初期化の完了を待たずに通信が可能となる。その結果、リセット解除からOS初期化完了までの間の通信の途絶を防止することができる。更に、これによって、通信途絶に起因する他のECUからの異常判定を回避することができる。 According to the vehicle control device 10 of the present embodiment, the second core 111-2 accesses the shared data memory 115 for communication during the period from reset cancellation by turning on the power to completion of OS initialization by the first core 111-1. After the parameters are confirmed and the communication parameters are initialized, communication with the external device is performed based on the initialized communication parameters, so communication is possible without waiting for the completion of OS initialization. As a result, it is possible to prevent interruption of communication from reset release to completion of OS initialization. Furthermore, this makes it possible to avoid an abnormality determination from another ECU due to a communication interruption.
[第2実施形態]
 第2実施形態に係る車両制御装置10は、上記第1実施形態と同様な構造を有するが、車両制御装置10の制御内容において上記第1実施形態と相違している。以下では、その相違点のみを説明する。 [Second embodiment]
A vehicle control device 10 according to the second embodiment has the same structure as that of the first embodiment, but differs from the first embodiment in the control contents of the vehicle control device 10 . Only the differences will be described below.
 従来では、例えばエンジン制御とモータ制御のような異なる機能について、別々のECUを設けてそれぞれの制御を行っていた。近年、装置のコンパクト化やコスト削減等を図るために、異なる機能を持つECUを統合することが進められている。そして、統合ECUにおいては、ある機能に異常が発生しても、他の機能の動作を継続することが求められている。 In the past, different functions such as engine control and motor control were controlled by separate ECUs. In recent years, integration of ECUs having different functions has been promoted in order to make devices more compact and to reduce costs. Further, in the integrated ECU, even if an abnormality occurs in a certain function, it is required to continue the operation of other functions.
 異常が発生した場合は、該異常が発生した機能をソフトウェア的に初期化することにより解消する手法があるが、マルチコアCPU全体をハードウェア的にリセットすることで異常を解消する手法も考えられる。本実施形態では、マルチコアCPU全体をハードウェア的にリセットすることで異常を解消する手法が採用されている。そして、マルチコアCPU11全体のリセットに先立ち、現在使用中の通信パラメータを共有データメモリ115に保存しておき、リセット解除後に上記保存された現在使用中の通信パラメータに基づいて通信を行うことにより、リセット前後における通信の連続性を維持することができる。なお、本実施形態でいう異常は、車両に取り付けられたセンサ等を介して検出できる異常である。従って、このような異常に起因するリセットは、意図したリセットである。 When an abnormality occurs, there is a method of resolving it by software-initializing the function in which the anomaly occurred, but there is also a method of resolving the anomaly by hardware-resetting the entire multi-core CPU. In the present embodiment, a method of resolving an abnormality by resetting the entire multi-core CPU in terms of hardware is adopted. Prior to resetting the entire multi-core CPU 11, the communication parameters currently in use are saved in the shared data memory 115, and after the reset is released, communication is performed based on the saved communication parameters currently in use. Continuity of communication before and after can be maintained. The abnormality referred to in this embodiment is an abnormality that can be detected via a sensor or the like attached to the vehicle. Resets resulting from such anomalies are therefore intended resets.
 以下、図3を基に本実施形態に係る車両制御装置のリセット前後の制御を説明する。図3において、ステップS311~S315は第1コア111-1により行われる処理であり、ステップS321~S325は第2コア111-2により行われる処理である。 The control before and after resetting of the vehicle control device according to this embodiment will be described below based on FIG. In FIG. 3, steps S311 to S315 are processes performed by the first core 111-1, and steps S321 to S325 are processes performed by the second core 111-2.
 図3に示すように、第1コア111-1は、異常を検出すると(ステップS311)、現在使用中の通信パラメータを保存するように第2コア111-2に指示する。第2コア111-2は、第1コア111-1からの指示に基づき、現在使用中の通信パラメータを保存する(ステップS321)。このとき、第2コア111-2は、現在使用中の通信パラメータを該第2コア111-2に対応するデータメモリ113-2ではなく、共有データメモリ115に保存させる。ここで、共有データメモリ115に保存される通信パラメータを通信パラメータ331とする。 As shown in FIG. 3, when the first core 111-1 detects an abnormality (step S311), it instructs the second core 111-2 to save the currently used communication parameters. The second core 111-2 stores the currently used communication parameters based on the instruction from the first core 111-1 (step S321). At this time, the second core 111-2 stores the currently used communication parameters in the shared data memory 115 instead of the data memory 113-2 corresponding to the second core 111-2. Here, communication parameters stored in shared data memory 115 are assumed to be communication parameters 331 .
 続いて、第1コア111-1は、監視IC12に対し、リセット発生する指示を送信する(ステップS312)。続いて、マルチコアCPU11はリセットされる。 Subsequently, the first core 111-1 transmits an instruction to generate a reset to the monitoring IC 12 (step S312). Subsequently, the multicore CPU 11 is reset.
 リセット解除後、第1コア111-1は、まずOSを起動し(ステップS313)、次にOS初期化の処理を行う(ステップS314)。このとき、第2コア111-2は、第1コア111-1の処理と並行して各処理を行う。 After the reset is released, the first core 111-1 first starts up the OS (step S313), and then performs OS initialization processing (step S314). At this time, the second core 111-2 performs each process in parallel with the process of the first core 111-1.
 具体的には、第2コア111-2は、共有データメモリ115にアクセスし、共有データメモリ115に保存されている通信パラメータ331の確認を行う(ステップS322)。本ステップにおける通信パラメータの確認は、電源ON直後のメモリの不定値ではないことの確認である。続いて、第2コア111-2は、通信パラメータ331を参照し、通信パラメータの復帰処理を行う(ステップS323)。続いて、第2コア111-2は、復帰した通信パラメータ(すなわち、通信パラメータ331)に基づき、通信デバイス114を介して外部装置(例えばECU20やECU30)との通信を開始する(ステップS324)。 Specifically, the second core 111-2 accesses the shared data memory 115 and checks the communication parameters 331 stored in the shared data memory 115 (step S322). The confirmation of the communication parameters in this step is confirmation that the values in the memory are not undefined immediately after the power is turned on. Subsequently, the second core 111-2 refers to the communication parameter 331 and performs communication parameter restoration processing (step S323). Subsequently, the second core 111-2 starts communication with an external device (for example, the ECU 20 or the ECU 30) via the communication device 114 based on the restored communication parameter (that is, the communication parameter 331) (step S324).
 そして、第1コア111-1によるOSの初期化処理が完了すると、第1実施形態で述べたように、第1コア111-1は通信等に関するアプリケーションを起動し(ステップS315)、第2コア111-2は通信切り替えの処理を行う(ステップS325)。その後、第1実施形態で述べた各処理はそれぞれ行われる。 When the OS initialization process by the first core 111-1 is completed, the first core 111-1 activates an application related to communication and the like (step S315), and the second core 111-1 111-2 performs communication switching processing (step S325). After that, each process described in the first embodiment is performed.
 本実施形態の車両制御装置10によれば、上述第1実施形態と同様な作用効果を得られるほか、更に以下の作用効果を奏する。すなわち、リセット前に現在使用中の通信パラメータを共有データメモリ115に保存し、リセット解除から第1コア111-1によるOS初期化完了までの間に、第2コア111-2は共有データメモリ115に保存される現在使用中の通信パラメータに基づいて通信を行うので、リセット前後における通信の連続性を維持することができる。なお、上記特許文献1に記載の技術では、リセット解除後に初期通信のみを行うので、リセット前後における通信の連続性を維持できない問題が生じると考えられる。本実施形態の車両制御装置10によれば、上記特許文献1に記載の技術の問題を解決することができる。 According to the vehicle control device 10 of this embodiment, in addition to obtaining the same effects as those of the first embodiment, the following effects are obtained. That is, the communication parameters currently in use are stored in the shared data memory 115 before resetting, and the second core 111-2 is set to the shared data memory 115 after the reset is released until the OS initialization by the first core 111-1 is completed. Since communication is performed based on the currently used communication parameters saved in the , it is possible to maintain continuity of communication before and after the reset. In addition, in the technique described in Patent Document 1, only initial communication is performed after the reset is canceled, so it is considered that there is a problem in that the continuity of communication cannot be maintained before and after the reset. According to the vehicle control device 10 of the present embodiment, it is possible to solve the technical problem described in Patent Document 1 above.
 なお、本実施形態において、通信パラメータが正常な値か、電源ON直後のメモリの不定値かを区別するためには、通信パラメータに関する各データを二重化したり、チェックサムやハッシュを付加したりする等、既知の手法を用いることができる。 In this embodiment, in order to distinguish whether the communication parameter is a normal value or the undefined value in the memory immediately after the power is turned on, each data related to the communication parameter is duplicated or a checksum or hash is added. etc., can be used.
 また、本実施形態において、通信パラメータに加えて通信プログラムを更に共有データメモリ115に保存するようにしても良い。このようにすれば、複雑な通信処理にも対応できるので、例えば可変値を含む通信も可能となる。更に、共有データメモリ115には、スクリプトを解釈して実行するプログラムが保存されても良く、例えばスクリプト言語で記述された通信プログラムが保存される。このようにすれば、複雑な通信処理にも対応できる。 Also, in this embodiment, a communication program may be further stored in the shared data memory 115 in addition to the communication parameters. In this way, complicated communication processing can be dealt with, so communication including variable values, for example, is also possible. Further, shared data memory 115 may store a program that interprets and executes a script, such as a communication program written in a script language. In this way, even complicated communication processing can be handled.
[第3実施形態]
 第3実施形態に係る車両制御装置10は、上記第1実施形態と同様な構造を有するが、車両制御装置10の処理内容において上記第1実施形態と相違している。以下では、その相違点のみを説明する。 [Third Embodiment]
A vehicle control device 10 according to the third embodiment has the same structure as that of the first embodiment, but differs from the first embodiment in the processing contents of the vehicle control device 10 . Only the differences will be described below.
 図4は第3実施形態に係る車両制御装置のリセット前後の制御を示すシーケンス図である。図4において、ステップS411~S414は第1コア111-1により行われる処理であり、ステップS421~S424は第2コア111-2により行われる処理である。 FIG. 4 is a sequence diagram showing control before and after resetting of the vehicle control device according to the third embodiment. In FIG. 4, steps S411 to S414 are processes performed by the first core 111-1, and steps S421 to S424 are processes performed by the second core 111-2.
 図4に示すように、第1コア111-1は、まず通信パラメータのデフォルト値の保存処理を行う(ステップS411)。通信パラメータのデフォルト値は、予期せぬ異常によってリセットが起きた場合に使用される通信パラメータの値であって、予め設定されたものである。このデフォルト値には、予期せぬ異常によるリセットであることを示す通信パターンが予め組み込まれている。デフォルト値は、上述したメモリの不定値と区別するための手法を用いて共有データメモリ115に保存されている。ここで、共有データメモリ115に保存されるデフォルト値を通信パラメータ431とする。 As shown in FIG. 4, the first core 111-1 first performs processing for saving default values of communication parameters (step S411). The default value of the communication parameter is the value of the communication parameter that is used when resetting occurs due to an unexpected abnormality, and is set in advance. A communication pattern indicating that the reset is due to an unexpected abnormality is preliminarily incorporated in this default value. Default values are stored in shared data memory 115 using the techniques described above to distinguish them from indeterminate values in memory. Here, the default values stored in shared data memory 115 are assumed to be communication parameters 431 .
 そして、マルチコアCPU11に予期せぬ異常が発生した場合、監視IC12は、リセット信号14をマルチコアCPU11に出力する。これによって、マルチコアCPU11はリセットされる。 Then, when an unexpected abnormality occurs in the multi-core CPU 11, the monitoring IC 12 outputs a reset signal 14 to the multi-core CPU 11. The multi-core CPU 11 is thereby reset.
 リセット解除後、第1コア111-1は、まずOSを起動し(ステップS412)、次にOS初期化の処理を行う(ステップS413)。このとき、第2コア111-2は、第1コア111-1の処理と並行して各処理を行う。 After the reset is released, the first core 111-1 first starts up the OS (step S412), and then performs OS initialization processing (step S413). At this time, the second core 111-2 performs each process in parallel with the process of the first core 111-1.
 具体的には、第2コア111-2は、共有データメモリ115にアクセスし、共有データメモリ115に保存されている通信パラメータ431を確認し、メモリの不定値ではないことをチェックし(ステップS421)、通信パラメータ431を取得する(ステップS422)。これによって、ステップS411で設定されたデフォルト値が取得される。 Specifically, the second core 111-2 accesses the shared data memory 115, confirms the communication parameter 431 stored in the shared data memory 115, and checks that it is not an undefined value in the memory (step S421). ), and acquires the communication parameter 431 (step S422). As a result, the default value set in step S411 is acquired.
 続いて、第2コア111-2は、取得した通信パラメータ431に基づき、通信デバイス114を介して外部装置(例えばECU20やECU30)との通信を開始する(ステップS423)。そして、通信パラメータ431には予期せぬ異常によるリセットのことを示す通信パターンが組み込まれているため、他のECU(ECU20及びECU30)は車両制御装置10でそれを把握できる。 Subsequently, the second core 111-2 starts communication with an external device (eg, the ECU 20 or the ECU 30) via the communication device 114 based on the obtained communication parameters 431 (step S423). Since the communication parameter 431 incorporates a communication pattern indicating a reset due to an unexpected abnormality, the other ECUs (ECU 20 and ECU 30) can grasp it with the vehicle control device 10. FIG.
 そして、第1コア111-1によるOSの初期化処理が完了すると、第1実施形態で述べたように、第1コア111-1は、通信等に関するアプリケーションを起動し(ステップS414)、第2コア111-2は、通信切り替え処理を行う(ステップS424)。その後、第1実施形態で述べた各処理がそれぞれ行われる。 Then, when the OS initialization process by the first core 111-1 is completed, as described in the first embodiment, the first core 111-1 activates an application related to communication (step S414), The core 111-2 performs communication switching processing (step S424). After that, each process described in the first embodiment is performed.
 本実施形態の車両制御装置10では、第1コア111-1は通信パラメータのデフォルト値を予め設定し、共有データメモリ115に保存しておく。そして、予期せぬ異常によってリセットが生じた場合、第2コア111-2は該デフォルト値に基づいて通信を行うことで、OS初期化の完了を待たずに通信が可能となる。その結果、リセット解除からOS初期化完了までの間の通信の途絶を防止することができる。また、これによって、通信途絶に起因する他のECUからの異常判定を回避することができる。 In the vehicle control device 10 of the present embodiment, the first core 111-1 presets default values of communication parameters and stores them in the shared data memory 115. FIG. When resetting occurs due to an unexpected abnormality, the second core 111-2 performs communication based on the default value, thereby enabling communication without waiting for completion of OS initialization. As a result, it is possible to prevent interruption of communication from reset release to completion of OS initialization. In addition, as a result, it is possible to avoid an abnormality determination from another ECU due to the communication interruption.
 なお、本実施形態において、通信パラメータのデフォルト値はステップS411で第1コア111-1により設定されるが、例えばフラグのみを設定し、ステップS421では、フラグが検知されると、固定の通信パラメータを第2コア111-2に送信するようにしても良い。 In this embodiment, the default values of the communication parameters are set by the first core 111-1 in step S411. For example, only the flag is set. may be transmitted to the second core 111-2.
 また、上記3つの実施形態において、電源ONによるリセットのパターン(第1実施形態)、意図したリセットのパターン(第2実施形態)、及び、予期せぬ異常によるリセットのパターン(第3実施形態)をそれぞれ説明した。例えば他のECUへの通信データに上記3つのパターンをそれぞれ識別できる識別番号等を付した状態で送信すれば、他のECUに車両制御装置10が正常か異常かを明確に伝えることができる。 Further, in the above three embodiments, the reset pattern due to power-on (first embodiment), the intended reset pattern (second embodiment), and the reset pattern due to an unexpected abnormality (third embodiment). explained each. For example, if communication data to other ECUs is sent with an identification number or the like for identifying each of the above three patterns, it is possible to clearly inform the other ECUs whether the vehicle control device 10 is normal or abnormal.
 以上、本発明の実施形態について詳述したが、本発明は、上述の実施形態に限定されるものではなく、特許請求の範囲に記載された本発明の精神を逸脱しない範囲で、種々の設計変更を行うことができるものである。 Although the embodiments of the present invention have been described in detail above, the present invention is not limited to the above-described embodiments, and various designs can be made without departing from the spirit of the invention described in the claims. Changes can be made.
10  車両制御装置
11  マルチコアCPU
12  監視IC(監視部)
13  信号
14  リセット信号
15  車載ネットワーク
20,30  ECU
111-1  第1コア
111-2  第2コア
111-n  第nコア
112-1,112-2,…112-n  プログラムメモリ
113-1,113-2,…113-n  データメモリ
114  通信デバイス
115  共有データメモリ
116  バス 10 vehicle control device 11 multi-core CPU
12 monitoring IC (monitoring unit)
13 signal 14 reset signal 15 in- vehicle network 20, 30 ECU
111-1 1st core 111-2 2nd core 111-n nth core 112-1, 112-2, . . . 112-n program memory 113-1, 113-2, . shared data memory 116 bus

Claims (5)

  1.  第1コアと第2コアとを少なくとも有するマルチコアCPUと、
     各コアがアクセス可能に構成され、少なくとも通信パラメータを保存する共有データメモリと、
     前記マルチコアCPUの動作を監視するとともに前記マルチコアCPUにリセット信号を出力する監視部と、
    を備え、
     前記第2コアは、リセット解除から前記第1コアによるOS初期化完了までの間に、前記共有データメモリにアクセスして通信パラメータの確認を行い、前記共有データメモリに保存される通信パラメータに基づいて外部との通信を行うことを特徴とする車両制御装置。     a multi-core CPU having at least a first core and a second core;
    a shared data memory configured to be accessible by each core and storing at least communication parameters;
    a monitoring unit that monitors the operation of the multi-core CPU and outputs a reset signal to the multi-core CPU;
    with
    The second core accesses the shared data memory to confirm communication parameters during a period from reset release to completion of OS initialization by the first core, and based on the communication parameters saved in the shared data memory. A vehicle control device, characterized in that it communicates with the outside through a
  2.  前記共有データメモリには、リセット前の現在使用中の通信パラメータが保存され、
     前記第2コアは、前記共有データメモリに保存される現在使用中の通信パラメータに基づいて外部との通信を行う請求項1に記載の車両制御装置。     The shared data memory stores currently used communication parameters before resetting,
    2. The vehicle control device according to claim 1, wherein the second core communicates with the outside based on currently used communication parameters stored in the shared data memory.
  3.  前記共有データメモリには、通信を行うプログラムが更に保存されている請求項1又は2に記載の車両制御装置。 The vehicle control device according to claim 1 or 2, wherein the shared data memory further stores a program for communication.
  4.  前記共有データメモリには、スクリプトを解釈して実行するプログラムが更に保存されている請求項1又は2に記載の車両制御装置。 The vehicle control device according to claim 1 or 2, wherein the shared data memory further stores a program for interpreting and executing a script.
  5.  前記共有データメモリには、通信パラメータのデフォルト値が更に保存され、
     予期せぬ異常によってリセットされた場合に、前記第2コアは前記デフォルト値に基づいて外部との通信を行う請求項1~4のいずれか一項に記載の車両制御装置。     the shared data memory further stores default values for communication parameters;
    The vehicle control device according to any one of claims 1 to 4, wherein when reset due to an unexpected abnormality, said second core communicates with the outside based on said default value.
PCT/JP2021/035372 2021-03-22 2021-09-27 Vehicle control device WO2022201597A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
DE112021005649.2T DE112021005649T5 (en) 2021-03-22 2021-09-27 VEHICLE CONTROL DEVICE
JP2023508440A JPWO2022201597A1 (en) 2021-03-22 2021-09-27

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2021046953 2021-03-22
JP2021-046953 2021-03-22

Publications (1)

Publication Number Publication Date
WO2022201597A1 true WO2022201597A1 (en) 2022-09-29

Family

ID=83395502

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/035372 WO2022201597A1 (en) 2021-03-22 2021-09-27 Vehicle control device

Country Status (3)

Country Link
JP (1) JPWO2022201597A1 (en)
DE (1) DE112021005649T5 (en)
WO (1) WO2022201597A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008305317A (en) * 2007-06-11 2008-12-18 Toyota Motor Corp Multiprocessor system and control method thereof
JP2013054434A (en) * 2011-09-01 2013-03-21 Fujitsu Ltd I/o controller and i/o control method
WO2017022364A1 (en) * 2015-08-04 2017-02-09 オリンパス株式会社 Fault monitoring method and fault monitoring device
JP2018092571A (en) * 2016-04-20 2018-06-14 株式会社リコー Electronic equipment, reactivation method, and program

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2013246495A (en) 2012-05-23 2013-12-09 Hitachi Kokusai Electric Inc Communication device
JP7360285B2 (en) 2019-09-17 2023-10-12 東芝キヤリア株式会社 air conditioner

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008305317A (en) * 2007-06-11 2008-12-18 Toyota Motor Corp Multiprocessor system and control method thereof
JP2013054434A (en) * 2011-09-01 2013-03-21 Fujitsu Ltd I/o controller and i/o control method
WO2017022364A1 (en) * 2015-08-04 2017-02-09 オリンパス株式会社 Fault monitoring method and fault monitoring device
JP2018092571A (en) * 2016-04-20 2018-06-14 株式会社リコー Electronic equipment, reactivation method, and program

Also Published As

Publication number Publication date
JPWO2022201597A1 (en) 2022-09-29
DE112021005649T5 (en) 2023-10-05

Similar Documents

Publication Publication Date Title
EP2641176B1 (en) Microprocessorsystem with fault tolerant architecture
US10102045B2 (en) Control device, control method and program
US10698463B2 (en) Controller, control method, and program for power cut state restoration
EP3249534B1 (en) Vehicle control device
KR20160110203A (en) Method and device for handling safety critical errors
US11846923B2 (en) Automation system for monitoring a safety-critical process
CN110663006A (en) Resilient failover for industrial programmable logic controllers
CN105653306A (en) Method and device for displaying start Setup interface
CN115408371B (en) Dynamic redundancy deployment method and device for redis database
JP2003115847A (en) Control system and redundant signal processor
WO2022201597A1 (en) Vehicle control device
KR20090000008A (en) Anticollision system among diagnosis terminals and method thereof
CA2106899A1 (en) Central unit for a process control system
US11982984B2 (en) Automation system for monitoring a safety-critical process
JP4793589B2 (en) Safety remote I / O terminal
US11385977B2 (en) Reconfiguration control device
JP2004221904A (en) Method for controlling communication speed of field bus system, and master unit
KR102275869B1 (en) Apparatus and method of vehicle control
WO2022209458A1 (en) Display control device and display control method
JPH03219333A (en) Stand-by duplex system device
CN110103858B (en) Automobile electronic ECU and sensor connection system and method
JP2018151717A (en) Automobile electronic control device
GB2146810A (en) Achieving redundancy in a distributed process control system
JPH06161974A (en) Diagnosing method for multi-cpu board
CN117687338A (en) High-security multistage watchdog architecture control system, method and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21933196

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 112021005649

Country of ref document: DE

WWE Wipo information: entry into national phase

Ref document number: 2023508440

Country of ref document: JP

122 Ep: pct application non-entry in european phase

Ref document number: 21933196

Country of ref document: EP

Kind code of ref document: A1