WO2023281766A1 - Automotive computer control method and vehicular electronic control device - Google Patents


Info

Publication number
WO2023281766A1
Authority
WO
WIPO (PCT)
Prior art keywords
thread
functional safety
abnormality
execution
interrupt
Application number
PCT/JP2021/045351
Other languages
French (fr)
Japanese (ja)
Inventor
宏治 今井
Original Assignee
株式会社デンソー
Application filed by 株式会社デンソー
Priority to JP2023533039A (JP7409567B2)
Publication of WO2023281766A1

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60R VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for: electric constitutive elements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/48 Program initiating; Program switching, e.g. by interrupt

Definitions

  • the present disclosure relates to a method of controlling a computer for a vehicle and an electronic control device for a vehicle.
  • Patent Document 1 discloses a vehicle electronic controller that determines whether or not an abnormality has occurred in a program being executed and, when an abnormality occurs, switches the processing order of the program from a normal control scheduling pattern to a safety control scheduling pattern.
  • in Patent Document 1, the safety monitoring program detects an abnormality in the program, including the normal control program, and after the abnormality is detected the schedule is switched to the safety control scheduling pattern.
  • the time-partitioned program from which execution proceeds after switching presumably includes the threads that monitor the control program, but not the threads that perform the original functions (for example, non-functional safety requirements).
  • as a result, all functions, including original functions in which no abnormality has occurred, are placed under degenerate control.
  • Patent Document 1 partitions non-functional safety requirement threads and functional safety requirement threads when an abnormality is detected by the safety monitoring program, and by focusing the functional safety design only on the functional safety threads it aims to reduce the cost of system design. On the other hand, nothing is said about the real-time behaviour of the non-functional safety threads after switching to the safety control scheduling pattern.
  • claim 1 of Patent Document 1 states that the normal control program is excluded from the time partition after shifting to the safety control scheduling pattern, which can also be interpreted as degenerate processing.
  • One aspect of the present disclosure is to provide a control method for an automobile computer that executes threads, or an electronic control device for a vehicle, in which all threads are likely to be executed within a specified time.
  • One aspect of the present disclosure is a control method for a vehicle computer, executed by a vehicle computer capable of executing a functional safety thread and at least one non-functional safety thread in parallel based on a pre-defined scheduler priority.
  • a functional safety thread is a thread that computes safety-related values for the vehicle.
  • a non-functional safety thread is any thread other than a functional safety thread.
  • the method detects an abnormality in the functional safety thread and, when an abnormality in the functional safety thread is detected, changes the scheduler so as to change the priority.
  • the priority of thread execution is changed only when an abnormality occurs in the functional safety thread. Even if the safety mechanism of the functional safety thread detects an abnormality while the thread that executes the abnormality treatment is waiting because another thread is running, the relative execution priority of the two threads is changed, which makes it easier to complete the treatment within the allowable time that ensures the safety of the system. In addition, the chances of degenerating the original functions of the non-functional safety threads are minimized.
  • FIG. 1 is a block diagram showing the configuration of a vehicle control system;
  • FIG. 3 is a functional block diagram of a control calculation unit;
  • FIG. 8 is a flowchart of thread execution control processing;
  • FIG. 10 is a flowchart of the first half of thread execution priority determination processing;
  • FIG. 11 is a flowchart of the second half of thread execution priority determination processing;
  • FIG. 4 is an explanatory diagram showing an example of priority rules;
  • FIG. 4 is a timing chart showing a first operation example;
  • FIG. 9 is a timing chart showing a second operation example;
  • FIG. 11 is a flowchart of the first half of normal scheduler execution processing;
  • FIG. 11 is a flowchart of the second half of normal scheduler execution processing;
  • FIG. 10 is a flowchart of the first half of the scheduler execution process in the event of an abnormality;
  • FIG. 10 is a flowchart of the second half of the scheduler execution process in the event of an abnormality;
  • FIG. 13 is a flowchart of the first half of the execution process of the scheduler AN[1] in abnormal conditions;
  • FIG. 13 is a flowchart of the second half of the abnormal scheduler AN[1] execution process;
  • FIG. 10 is a flowchart of the first half of the abnormal scheduler AN[2] execution process;
  • FIG. 13 is a flowchart of the second half of the abnormal scheduler AN[2] execution process;
  • safety goals are set for the case in which an abnormality occurs in a component (hereafter, element) that realizes a vehicle function (hereafter, item).
  • a safety mechanism is referred to as SM, and the Fault Tolerant Time Interval is referred to as FTTI.
  • a task schedule is designed in consideration of the worst execution time of each task and combinations of execution cycles.
  • Task schedule design includes, for example, priority setting, deadline monitoring, and the like.
  • the present disclosure provides an architecture that prioritizes the processing of the safety mechanism (SM) of functional safety in the event of an abnormality in the system, even when an unexpected event enters from the world connected to the vehicle after SOP (start of production).
  • unanticipated events include application additions that were not originally planned, application connections by end users that the product seller did not anticipate, and incidents that have occurred. They also include unexpected disturbances (for example, network anomalies or AI module deadlocks).
  • with the architecture of the present disclosure, it is possible to simplify design changes and verification of OTA-modified software programs.
  • by specifying the degeneracy control of the vehicle as a safety requirement specification for ensuring functional safety in the event of system failure, an improvement in marketability can be expected.
  • if a highly experienced designer establishes the architecture in the base development, subsequent software maintenance can be performed by a relatively inexperienced designer through highly reliable branch development. As a result, a more reusable and robust software lifecycle can be built with fewer man-hours.
  • the processing executed by the control calculation unit 11 corresponds to the control method of the automobile computer in the present disclosure.
  • the processes of S130, S150, and S170 correspond to the function of the abnormality detection unit in the present disclosure.
  • the processes of S10, S20, S30, and S180 correspond to the function of the order changing unit in the present disclosure.
  • a vehicle control system 1 shown in FIG. 1 is mounted in a vehicle such as a passenger car, for example, and includes an ECU 10.
  • the ECU 10 is an electronic control unit, particularly an electronic control unit for a vehicle in this embodiment.
  • the vehicle control system 1 may include sensors 21 and various actuators 22. Further, the vehicle control system 1 may be configured to communicate with the cloud server 23 outside the vehicle.
  • the ECU 10, the sensors 21, various actuators 22, and the cloud server 23 are configured to be able to communicate with each other via the communication bus 5, a wireless network (not shown), or the like.
  • the ECU 10 includes a power supply circuit and a watchdog timer 36, which will be described later.
  • the ECU 10 includes a control calculation unit 11, an input/output unit 12, and a memory 13.
  • the ECU 10 also includes a vehicle application function 16 as part of the functions executed by the control calculation unit 11.
  • in the program that implements the vehicle application function 16, related threads are partitioned according to non-functional safety requirements and functional safety requirements.
  • the control calculation unit 11 is configured as, for example, a CPU.
  • the control calculation unit 11 implements various functions such as the vehicle application function 16 by executing programs stored in the memory 13.
  • Various functions executed by the control calculation unit 11 include processing using the control method of the automobile computer.
  • the control calculation unit 11 performs pseudo-parallel processing on a plurality of threads in a time-sharing manner. A plurality of threads is hereinafter referred to as a thread group.
  • the control calculation unit 11 performs operations for various functions such as abnormality detection, abnormality treatment for ensuring safety in response to the detection, run-time error detection of the thread itself, and abnormality treatment for dealing with the detected run-time error.
  • the input/output unit 12 is configured, for example, as a communication module that performs communication using the communication bus 5 or the like, and controls the input/output of data to/from the ECU 10.
  • the vehicle application function 16 includes, as shown in FIG., an inter-core control thread control unit 32, a part that handles functional safety requirements 33 (hereinafter referred to as functional requirement part 33), and a part that handles non-functional safety requirements 34 (hereinafter referred to as non-functional requirement part 34).
  • the inter-core control thread control unit 32 has the following functions: (A1) a function of dispatching the core, the memory 13, the input/output unit 12, and the runtime, more specifically a function as a dynamic scheduler (for example, thread control may be performed in cooperation with the MMU/MPU); (A2) a function of arbitrating the threads executed by each core program (e.g., application), in particular core program startup, degeneration, ignoring, self-reset, and external reset; (A3) a function of outputting a watchdog signal to the power supply circuit and watchdog timer 36; and (A4) a function of instructing the functional requirement part 33 and the non-functional requirement part 34 to allocate resources and schedules.
  • Each function of the inter-core control thread control unit 32 is realized by the ECU 10 executing a program.
  • a functional safety thread represents a thread that calculates values related to vehicle safety (for example, values related to vehicle acceleration/deceleration, steering, etc.).
  • the functional requirement part 33 has the following functions: (B1) a function of dispatching the memory 13, the input/output unit 12, and the runtime, more specifically a function as a dynamic scheduler (for example, thread control may be performed in cooperation with the MMU/MPU); (B2) a function of changing the scheduler so as to relatively raise the execution priority of the thread in which the error occurred; and (B3) a function of transmitting to the inter-core control thread control unit 32 the information sources for controlling execution priority, such as core occupancy rate, safety mechanism requirements, FTTI, Automotive Safety Integrity Level (ASIL), and deadline information.
  • Each function of the functional requirement section 33 is realized by the ECU 10 executing a program.
  • the non-functional requirements part 34 handles non-functional safety threads, which are threads other than functional safety threads.
  • the non-functional requirement part 34 has the following functions: (C1) a function of dispatching the memory 13, the input/output unit 12, and the runtime, more specifically a function as a dynamic scheduler (for example, thread control may be performed in cooperation with the MMU/MPU); (C2) a function of changing the scheduler so as to interrupt a thread in execution and relatively lower the execution priority of a thread waiting to be executed; and (C3) a function of transmitting to the inter-core control thread control unit 32 an information source for controlling execution priority, such as the core occupancy rate.
  • Each function of the non-functional requirement part 34 is realized by the ECU 10 executing a program.
  • when an abnormality occurs such that continuing thread execution would violate the safety goal (SG) of functional safety, the inter-core control thread control unit 32, the functional requirement part 33, and the non-functional requirement part 34 send execution-continuation-impossible notifications, which are shared among them.
  • the thread execution control process is a process of obtaining the thread execution priority tables set in the functional requirement part 33 and the non-functional requirement part 34 and executing the processes in the order based on these tables.
  • the thread execution control process is performed, for example, at preset intervals.
  • the control calculation unit 11 takes in the thread execution priority table determined and rewritten by the functional requirement part 33.
  • the thread execution priority table is set according to the priority rules shown in FIG. Note that the priority rules will be described later.
  • the control calculation unit 11 takes in the thread execution priority table determined and rewritten by the non-functional requirement part 34. Subsequently, in S30, the control calculation unit 11 uses the function of the inter-core control thread control unit 32 to update the dispatch contents of the core of the thread to be executed and the dynamic scheduler, and arbitrates the threads executed by each core program (for example, an application).
  • the control calculation unit 11 reviews and updates the allocation of the hardware resources to be used (for example, the core, the memory 13, the input/output unit 12, and the runtime).
  • the inter-core control thread control unit 32 functions like a task manager in a general personal computer.
  • control calculation unit 11 effectively utilizes cores with low core operating rates.
  • control calculation unit 11 ensures non-interference so that the memory 13 and the input/output unit 12 shared by different programs of each core do not compete with each other.
  • control calculation unit 11 coordinates the memory 13, read/write attributes, runtime, etc. in cooperation with the dynamic scheduler of each core.
  • control calculation unit 11 performs processing such as core program activation, degeneracy, ignoring, self-resetting, and external resetting. After that, the thread execution control process of FIG. 3 ends.
  • the thread execution priority determination process uses the functions of the functional requirement part 33 and the non-functional requirement part 34 to select an appropriate schedule according to the presence or absence of an abnormality in the functional safety thread, and requests the inter-core control thread control unit 32 to use the selected schedule.
  • this process is performed, for example, at preset intervals. If the control calculation unit 11 has a plurality of cores, this processing is executed for each core. Further, this process is executed as the constant periodic interrupt of functional safety (hereinafter referred to as constant SM) shown in FIG.
  • the control calculation unit 11 determines whether or not there is a thread group waiting to be executed by a scheduler timer interrupt.
  • the scheduler timer interrupt includes the interrupt that takes place when an abnormality is detected in the functional safety thread.
  • an abnormality of the functional safety thread includes not only the detection of an abnormality in the function of the functional safety thread, but also events such as the functional safety thread failing to terminate normally within the specified time (i.e. its deadline) and the occurrence of execution errors.
  • if the control calculation unit 11 determines in S110 that no thread group of the scheduler timer interrupt is waiting for execution, it proceeds to S120, executes the interrupt timer process, and then ends the thread execution priority determination process of FIGS. 4A and 4B.
  • if the control calculation unit 11 determines in S110 that a thread group of the scheduler timer interrupt is waiting for execution, it proceeds to S130 and determines whether the abnormality of the functional safety thread is one that prevents the thread group from continuing execution, that is, whether the safety goal (hereinafter referred to as SG) of functional safety is violated. Whether an abnormality prevents the execution of the thread group from continuing is determined, for example, by checking whether the type of abnormality has been associated in advance with abnormalities that prevent continued execution.
  • if the control calculation unit 11 determines in S130 that the abnormality prevents the execution of the thread group from continuing, it proceeds to S140, requests the inter-core control thread control unit 32 to control the execution of the thread group, and enforces degenerate control of the system.
  • here, an interrupt thread prepared in advance, which is a functional safety thread executed under the interrupt control of the kernel, may be executed. After ensuring functional safety in this way, the thread execution priority determination process of FIGS. 4A and 4B ends.
  • if the control calculation unit 11 determines in S130 that the abnormality allows the execution of the thread group to continue, it proceeds to S150 and determines whether a thread group for an event interrupt to an IO port or the like is waiting for execution. Event interrupts here exclude forced interrupts in hardware.
  • if the control calculation unit 11 determines in S150 that an event interrupt thread group is waiting for execution, it proceeds to S160, performs software-maskable forced interrupt processing, and then proceeds to S170.
  • if the control calculation unit 11 determines in S150 that no event interrupt thread group is waiting for execution, it skips S160 and proceeds to S170. In S170, the control calculation unit 11 determines whether an abnormality in the functional safety requirements has been detected and whether an abnormality treatment is awaited.
  • abnormality treatment waiting means a state in which the treatment of the abnormality has not been completed after the abnormality was detected.
  • when the control calculation unit 11 determines in S170 that an abnormality in the functional safety requirements has been detected and an abnormality treatment is awaited, it proceeds to S180.
  • in S180, the execution priority schedule of the threads waiting for execution is changed depending on whether the safety mechanism requirement setting for functional safety prioritizes the remaining time until the FTTI or prioritizes the safety level. That is, one of the tables corresponding to an abnormality, namely abnormal time AN, FTTI priority rewrite AN[1], or ASIL priority rewrite AN[2], is selected from the execution priority tables described later.
  • this schedule change temporarily suspends the non-functional safety requirements and gives priority to the treatment of abnormalities in the functional safety requirements.
  • this is realized by requesting the inter-core control thread control unit 32 to control the execution of the thread group. The request causes the kernel's interrupt control to be enforced and the functional safety thread (i.e. the interrupt thread in this disclosure) to be executed early. After S180, the thread execution priority determination process of FIGS. 4A and 4B ends.
  • if the control calculation unit 11 determines in S170 that no abnormality of the functional safety requirements has been detected or that no abnormality treatment is awaited, the process proceeds to S190.
  • in S190, the schedule for the normal case is selected for the safety mechanism of functional safety, and the inter-core control thread control unit 32 is requested to execute control of the thread group.
  • that is, normal time N, which is the table corresponding to normal operation, is selected from the execution priority tables described later.
  • in S200, the control calculation unit 11 determines whether an abnormality in the non-functional safety requirements has been detected and whether an abnormality treatment is awaited. If it determines that no such abnormality has been detected or that no treatment is awaited, the process proceeds to S210.
  • then, the control calculation unit 11 requests the inter-core control thread control unit 32 to control the execution of the thread group for the processing of the non-functional safety requirements, and guarantees the continuation of the basic function (for example, the original function described above). Since the processing order is the same as when no abnormality in a functional safety thread is detected, there is no loss of marketability.
  • after that, the thread execution priority determination process of FIGS. 4A and 4B ends.
  • if the control calculation unit 11 detects an abnormality of the non-functional safety requirements in S200 and determines that an abnormality treatment is awaited, it proceeds to S220 and requests the inter-core control thread control unit 32 to execute control of the thread group for the abnormality treatment of the non-functional safety requirements. After that, the thread execution priority determination process of FIGS. 4A and 4B ends.
  • priority rules will be described with reference to FIG.
  • the priority rule indicates the correspondence between the plurality of schedules that can be selected by the functional requirement part 33 and the non-functional requirement part 34 in the thread execution priority determination process of FIGS. 4A and 4B and the execution priority of each thread under each schedule.
  • a schedule will hereinafter be referred to as a thread execution priority table, or simply as a table.
  • when no abnormality is detected in the functional safety thread, the table labeled "Normal N" is selected.
  • in Normal N, the priorities of the non-functional safety threads 01 and 02, with which the non-functional safety requirements of the application thread layer are associated, are set higher than the priorities of the functional safety threads m1, n1 and n2, with which the functional safety requirements are associated.
  • when an abnormality is detected in the functional safety thread, a table labeled "Abnormal AN" is selected.
  • in Abnormal AN, the priority of the functional safety threads m1, n1, n2 is set higher than the priority of the non-functional safety threads 01, 02.
  • FTTI priority rewriting AN[1] and ASIL priority rewriting AN[2] can be selected depending on the situation.
  • priority rules may be arbitrarily rewritable.
  • it is also possible to construct a program automatically from a formal design specification and implement it as executable code in flash memory, so that the parts that may change over the life cycle can be rewritten according to the functional specification. In particular, each table may be dynamically rewritten according to the FTTI of each thread waiting to be executed.
  • a first operation example in the configuration of this embodiment will be described with reference to FIG.
  • this operation example shows a thread execution procedure when an abnormality is simultaneously detected in thread m1 and thread n1, whose SM processes cannot all be completed within the execution cycle of thread 01, which has a higher priority than the functional safety SM.
  • the first operation example is a scheduling example in which the remaining execution time is compared with the FTTI, which is a functional safety requirement, and the priority of the thread that should be treated earlier from the functional safety point of view is raised.
  • the control calculation unit 11 changes the schedule so that, within the FTTI, the execution priority of the functional safety thread (that is, the interrupt thread) is relatively higher than the execution priority of the non-functional safety thread.
  • the limit waiting time is less than the FTTI.
  • the arrows indicate the timing at which the timer interrupts of the three threads are synchronized. Thus, when three threads are waiting for execution, the thread with the highest priority is executed first.
  • FTTI priority rewriting AN[1] is selected as the table described above. It should be noted that if the runtime of a thread exceeds its corresponding latency timer (that is, the limit waiting time in the present disclosure), degeneracy processing is executed.
  • after execution of thread 01, an abnormality is detected in thread m1 and thread n1. At this time, if the execution priority is not changed, threads 01, m1, and n1 are executed in this order, as indicated by the dotted line in FIG. If thread 01, which runs first, has been extended for some reason, and an abnormality treatment (that is, an interrupt thread) is performed for threads m1 and n1 with an FTTI set for each, then in this order thread n1 does not meet its FTTI requirement.
  • therefore, the scheduler lowers the execution priority of thread 01 below that of thread m1 and thread n1.
  • thread 01 is set to have a higher execution priority than thread m1 and thread n1 when the abnormality detection function (SM) of functional safety is normal.
  • as a result, thread n1 and thread m1 can be processed, in that order, before thread 01, and the execution of thread 01 is delayed until the specified error handling for thread n1 and thread m1 is completed. In other words, the execution of thread 01 is delayed until the error handling threads specified in the schedule are completed, and thread 01 is executed after the error handling within the predetermined schedule is completed. The execution of thread 01 is not necessarily delayed until all abnormality treatments are completed. Note that thread 01 is preferably scheduled so as not to exceed the normal deadline watchdog timer.
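The reprioritization in this first operation example, as an added C model that is not the patent's own code: three waiting threads are ordered once by the Normal N table and once by the FTTI priority rewrite AN[1] (with AN[2] also available), and each treatment's completion time is compared with its FTTI. Thread runtimes, FTTI values and ASIL levels are constructed assumptions, and the single-core, non-preemptive run is a simplification of the dispatcher the text describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Which thread execution priority table the scheduler runs from. */
enum table { TABLE_NORMAL_N, TABLE_ABNORMAL_AN1, TABLE_ABNORMAL_AN2 };

struct ecu_thread {
    const char *name;
    bool functional_safety; /* true for m1/n1/n2, false for 01/02 */
    int asil;               /* 0 = QM ... 4 = ASIL D, used by AN[2] */
    int runtime_ms;         /* worst-case runtime of the thread (or its SM treatment) */
    int ftti_ms;            /* FTTI of the treatment; 0 for non-functional safety threads */
    bool abnormal;          /* SM detected an abnormality and treatment is awaited */
    int detected_at_ms;     /* time at which the abnormality was detected */
};

/* S170/S180/S190: with an awaited treatment select AN[1] or AN[2] according to the
 * safety mechanism requirement setting (remaining FTTI vs. safety level), else Normal N. */
enum table select_table(const struct ecu_thread *t, size_t n, bool prefer_ftti)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].functional_safety && t[i].abnormal)
            return prefer_ftti ? TABLE_ABNORMAL_AN1 : TABLE_ABNORMAL_AN2;
    return TABLE_NORMAL_N;
}

/* Execution rank of one thread under the selected table; lower runs earlier. */
static int rank(const struct ecu_thread *th, enum table tbl, int now_ms)
{
    bool awaiting = th->functional_safety && th->abnormal;
    if (tbl == TABLE_NORMAL_N)                 /* Normal N: 01/02 ahead of m1/n1/n2 */
        return th->functional_safety ? 1000 : 0;
    if (awaiting && tbl == TABLE_ABNORMAL_AN1) /* AN[1]: least remaining FTTI first */
        return th->ftti_ms - (now_ms - th->detected_at_ms);
    if (awaiting)                              /* AN[2]: highest ASIL first */
        return 10 - th->asil;
    return th->functional_safety ? 1000 : 2000; /* AN: other FS threads, then 01/02 */
}

/* Run the waiting threads back to back on one core from now_ms in table order.
 * order[] receives the execution order as indices into t[]; the return value counts
 * treatments that finish after their FTTI expires (the degeneracy-processing case). */
int run_schedule(const struct ecu_thread *t, size_t n, enum table tbl, int now_ms, size_t *order)
{
    for (size_t i = 0; i < n; i++)
        order[i] = i;
    /* stable insertion sort, so equal ranks keep their table order */
    for (size_t i = 1; i < n; i++) {
        size_t cur = order[i], j = i;
        while (j > 0 && rank(&t[order[j - 1]], tbl, now_ms) > rank(&t[cur], tbl, now_ms)) {
            order[j] = order[j - 1];
            j--;
        }
        order[j] = cur;
    }
    int clock = now_ms, misses = 0;
    for (size_t i = 0; i < n; i++) {
        const struct ecu_thread *th = &t[order[i]];
        clock += th->runtime_ms;
        if (th->functional_safety && th->abnormal && clock > th->detected_at_ms + th->ftti_ms)
            misses++;
    }
    return misses;
}

/* Constructed scenario for the first operation example: thread 01 has been extended,
 * and the SM detects abnormalities in m1 and n1 at t = 0, n1 with the tighter FTTI. */
static const struct ecu_thread example_threads[] = {
    /* name  FS     ASIL run  FTTI abnormal detected */
    { "01",  false, 0,   12,  0,   false,   0 },
    { "m1",  true,  2,   5,   30,  true,    0 },
    { "n1",  true,  3,   5,   15,  true,    0 },
};
#define EXAMPLE_N (sizeof example_threads / sizeof example_threads[0])

/* change_priority=false keeps Normal N (the dotted-line order 01, m1, n1);
 * true applies S180 with the FTTI-priority setting, i.e. AN[1]. */
int simulate_first_example(bool change_priority, size_t *order)
{
    enum table tbl = change_priority ? select_table(example_threads, EXAMPLE_N, true)
                                     : TABLE_NORMAL_N;
    return run_schedule(example_threads, EXAMPLE_N, tbl, 0, order);
}

int main(void)
{
    size_t order[EXAMPLE_N];
    for (int change = 0; change <= 1; change++) {
        printf("%s: FTTI misses=%d, order:", change ? "AN[1]" : "Normal N",
               simulate_first_example(change, order));
        for (size_t i = 0; i < EXAMPLE_N; i++)
            printf(" %s", example_threads[order[i]].name);
        putchar('\n');
    }
    return 0;
}
```

Under Normal N the extended thread 01 pushes n1 past its FTTI; under AN[1] the order becomes n1, m1, 01 and both treatments finish in time.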
  • the inter-core control thread control unit 32 including the scheduler is desirably configured as the highest ASIL functional safety requirement.
  • this design structure ensures that non-functional safety requirements and functional safety requirements do not interfere. Therefore, a structure that appropriately dispatches multithread resources can be designed more easily, by focusing only on the difference in ASIL between threads within the functional safety requirements and on the priority of the FTTI runtime.
  • the memory 13, the schedule, and the input/output unit 12 correspond to multithread resources, for example.
  • the configuration of the second operation example is designed, for example, as follows.
  • the minimum interrupt cycle of the aggregated functional safety-related thread group is scheduled from the maximum allowable interrupt interval (that is, the interval at which the FTTI can be guaranteed even if the process is delayed the most). For example, when periodic threads of 2, 4, 8, and 16 ms are aggregated, 2 ms is designed as a timer interrupt independent from the general OS.
  • the interrupt-disabled time in threads related to non-functional safety requirements should be sufficiently shorter than 2 ms, with a margin, and the design should ensure 2 ms periodic interrupts.
  • the normal scheduler execution processing executed by the control calculation unit 11 will be described with reference to the flowcharts of FIGS. 8A and 8B.
  • the normal time scheduler execution process is a process that is executed according to the normal time N table under the condition that no abnormality has occurred in the functional safety thread.
  • the normal scheduler execution process is performed, for example, at each preset cycle.
  • in S310, the control calculation unit 11 determines whether the execution of an execution period interrupt, here (minimum time interval) × 2^0, is waiting. If the control calculation unit 11 determines in S310 that the execution of the execution cycle interrupt is not waiting, the process proceeds to S410.
  • if the control calculation unit 11 determines in S310 that the execution cycle interrupt (minimum time interval) × 2^0 is waiting for execution, it proceeds to S320 and determines whether the non-functional safety thread 01 is waiting for execution.
  • if the control calculation unit 11 determines in S320 that the non-functional safety thread 01 is waiting for execution, it proceeds to S330, dispatches the non-functional safety thread 01, and executes a kernel call to run this thread.
  • a thread currently being executed is temporarily interrupted (that is, preempted) to give priority to the execution of this thread.
  • after that, the normal time scheduler execution processing of FIGS. 8A and 8B ends.
  • the normal time scheduler execution processing of FIGS. 8A and 8B ends.
  • control calculation unit 11 determines in S320 that the non-functional safety thread 01 is not waiting for execution, it proceeds to S340 and determines whether or not the non-functional safety thread 02 is waiting for execution.
  • control operation unit 11 determines in S340 that the non-functional safety thread 02 is waiting for execution, it proceeds to S350, dispatches the non-functional safety thread 02, and executes a kernel call to execute this thread. do.
  • control calculation unit 11 determines in S340 that the non-functional safety thread 02 is not waiting for execution, the process proceeds to S410.
  • control calculation unit 11 determines whether or not execution of an execution period interrupt (minimum time interval) X (2 to the mth power) is waiting. If the control calculation unit 11 determines in S410 that the execution of the execution cycle interrupt is not waiting, the process proceeds to S510.
  • execution period interrupt minimum time interval
  • control calculation unit 11 determines in S410 that it is waiting for execution of the execution cycle interrupt, it proceeds to S420 and determines whether it is waiting for execution of the functional safety thread m1.
  • control calculation unit 11 determines in S420 that the functional safety thread m1 is waiting for execution, it proceeds to S430, dispatches the functional safety thread m1, and executes a kernel call to execute this thread. After that, the normal time scheduler execution processing of FIGS. 8A and 8B ends.
  • control calculation unit 11 determines in S420 that the functional safety thread m1 is not waiting for execution, it proceeds to S510.
  • the control calculation unit 11 determines in S510 whether or not execution of an execution cycle interrupt (minimum time interval) X (2 to the nth power) is waiting. If the control calculation unit 11 determines in S510 that the execution of the execution cycle interrupt is not waiting, it ends the normal scheduler execution processing of FIGS. 8A and 8B.
  • execution cycle interrupt minimum time interval
  • control calculation unit 11 determines in S510 that it is waiting for execution of the execution cycle interrupt, it proceeds to S520 and determines whether it is waiting for execution of the functional safety thread n1.
  • control calculation unit 11 determines in S520 that the functional safety thread n1 is waiting for execution, it proceeds to S530, dispatches the functional safety thread n1, and executes a kernel call to execute this thread. At this time, even if a thread with a lower priority than the current thread is running, the current thread is temporarily interrupted and given priority to the current thread. After that, the normal time scheduler execution processing of FIGS. 8A and 8B ends.
  • control calculation unit 11 determines in S520 that the functional safety thread n1 is not waiting for execution, it proceeds to S540 and determines whether or not the functional safety thread n2 is waiting for execution.
  • control calculation unit 11 determines in S540 that the functional safety thread n2 is waiting for execution, it proceeds to S550, dispatches the functional safety thread n2, and executes a kernel call to execute this thread. After that, the normal time scheduler execution processing of FIGS. 8A and 8B ends.
  • control calculation unit 11 determines in S540 that the functional safety thread n2 is not waiting for execution, it ends the normal scheduler execution processing in FIGS. 8A and 8B.
  • Next, the abnormal-time scheduler execution process executed by the control calculation unit 11 is described with reference to FIGS. 9A, 9B, 10A, 10B, 11A, and 11B (hereinafter referred to as FIGS. 9A to 11B).
  • In the abnormal-time scheduler execution process, the thread execution order is changed from that of the normal-time scheduler execution process according to the priority rule.
  • The execution process of the abnormal-time scheduler AN[1] shown in FIGS. 10A and 10B corresponds to the process performed when the FTTI priority rewrite AN[1] is selected.
  • The execution process of the abnormal-time scheduler AN[2] shown in FIGS. 11A and 11B corresponds to the process performed when the ASIL priority rewrite AN[2] is selected.
  • The abnormal-time scheduler AN[1] shown in FIGS. 10A and 10B and the abnormal-time scheduler AN[2] shown in FIGS. 11A and 11B respectively correspond to the "scheduler selection table" shown in FIG.
  • In the abnormal-time scheduler execution process, the processes of S410 to S550 are executed before the processes of S310 to S350.
  • In one of the abnormal-time scheduler execution processes, the process of S510 is performed first, and then the processes of S540 to S550, S520 to S530, S410 to S430, and S310 to S350 are performed in this order.
  • In the other, the processing is performed in the order of S510 to S550, S410 to S430, and S310 to S350.
  • One aspect of the present disclosure is a control method for an automotive computer that is executed on a vehicle computer (for example, the control calculation unit 11) capable of executing a functional safety thread and at least one non-functional safety thread in parallel processing based on priorities defined in advance by a scheduler.
  • Parallel processing can include scheduling with true parallel processing by multiple cores and quasi-parallel processing by time division on a single core.
  • A functional safety thread represents a thread that computes values related to vehicle safety.
  • A non-functional safety thread represents a thread other than a functional safety thread.
  • In the control method, an abnormality in the functional safety thread is detected, and when an abnormality in the functional safety thread is detected, the scheduler is changed so as to change the thread execution priorities.
  • According to such a control method, the thread execution priorities are changed only when an abnormality occurs in the functional safety thread. Therefore, while the functional safety thread makes a normal determination, the original functions of the vehicle can be scheduled with priority.
  • In the control method, the priority table of the scheduler is rewritten in relative terms. Therefore, even if the safety mechanism described above detects an error and the thread that executes the error action is waiting for execution because another thread is running, the relative execution priority of the two threads is changed and the processing can be completed reliably within the allowable time that secures functional safety. In addition, the occasions on which the original functions of non-functional safety threads must be degraded can be minimized.
  • When the functional safety thread detects an abnormality, the prescribed functional safety requirements are processed with the highest priority, and degradation of the original functions (non-functional safety requirements) that are not directly related to the cause of the abnormality can be avoided as far as possible.
  • The functional safety thread may, for example, realize the functional safety requirement specification. It is the minimum execution unit that defines the execution priority when the original function and the safety mechanism are made into software modules and implemented in semiconductor memory, and hardware resources are shared between such units by time division.
  • The functional safety requirement specification means a specification in which safety goals and safety mechanisms (for example, fail-safe mechanisms and the FTTI) are generally defined.
  • The TSR (Technical Safety Requirement) is a technical specification that requests what kind of safety protection function is necessary to ensure safety when an abnormality occurs in the system.
  • The TSC (Technical Safety Concept) is a technical specification that summarizes how the safety protection function is to be realized.
  • The estimated time from detection of an abnormality to the occurrence of a hazardous event in the vehicle is the FTTI (Fault Tolerant Time Interval). If an abnormality is detected, rescheduling is carried out within the FTTI so that the execution priority of the functional safety thread becomes relatively higher than the execution priority of the non-functional safety threads.
  • Non-functional safety threads can thus be temporarily suspended in consideration of the FTTI.
  • Kernel interrupt control is used to detect whether there is an abnormality in the functional safety thread, and if an abnormality is detected, the schedule is changed.
  • A functional safety mechanism that diagnoses whether an abnormality of the functional safety thread is detected is implemented as a thread; according to whether an abnormality is detected, it is determined whether the scheduler needs to be changed, and the scheduler is switched.
  • The determination of whether to switch the scheduler is preferably performed at a timing at which the scheduler can be switched in time.
  • For this purpose, a method of assigning the always-executed functional safety SM to every periodic interrupt (for example, assigning it to the shortest periodic interrupt) can be adopted.
  • At least the interrupt thread implemented by kernel interrupt control has a limit waiting time, which represents the upper bound on the time from receiving an instruction to execute until the thread is executed.
  • The limit waiting time of the interrupt thread is set to be shorter than the FTTI.
  • Therefore, the interrupt thread can be executed before the FTTI elapses, so the interrupt thread can be executed more safely.
  • Each of the interrupt thread, the functional safety thread, and the non-functional safety thread has a limit waiting time, which represents an upper bound on the time from when an instruction to execute is received until the thread is executed. If the limit waiting time (Twait_NSR) of a thread other than the interrupt thread is exceeded before the interrupt thread is executed (that is, before Twait_SR is exceeded), the system corresponding to that other thread is degraded. Degradation of the system may be implemented, for example, as a restriction mode that restricts part of the original functions, or as a shift-control mode that requires manual operation by the driver in the event of an automated driving system failure.
  • Abnormalities may be detected in a plurality of functional safety threads.
  • In that case, an interrupt thread is executed for each thread in which an abnormality is detected, and the contents of the scheduler are changed so that the execution priority of the interrupt threads is raised in ascending order of the time remaining with respect to the limit waiting time (that is, the less time remaining, the higher the priority).
  • When a plurality of interrupt threads are executed in response to detection of abnormalities in a plurality of functional safety threads, the interrupt threads can therefore be executed in ascending order of the remaining time with respect to the limit waiting time. This prevents any of the interrupt threads from failing to execute within its limit waiting time.
  • One aspect of the present disclosure is a vehicle electronic control device (in this disclosure, the control calculation unit 11).
  • The abnormality detection unit is configured to detect an abnormality in the functional safety thread.
  • The sequence changing unit changes the priorities by changing the scheduler when an abnormality is detected in the functional safety thread and abnormality handling is required.
  • According to such a device, the thread execution priorities are changed only when an abnormality occurs in the functional safety thread.
  • The vehicle electronic control device can form a system in which a plurality of cores are mounted and threads share hardware resources such as cores and memory in a time-sharing manner under a scheduler.
  • When the safety mechanism of the functional safety thread detects an error, the execution of other threads is temporarily suspended so that the error handling is completed within the system allowable time, or core and memory resources can be used preferentially.
  • As a result, a system can be constructed in which the execution time of the entire system becomes less critical; in other words, potential cases in which threads do not finish within the allowable time can be reduced.
  • In addition to the security of the entire system, it becomes easy to improve marketability by designing the system with a margin of execution time, which reduces the need for degraded design of system functions and secures the original functions of the system.
  • Each functional safety thread may be associated with an automotive safety integrity level (ASIL).
  • When an abnormality is detected in a plurality of functional safety threads, an interrupt thread is executed for each thread in which an abnormality is detected, and the execution priority of the interrupt threads is raised in descending order of ASIL.
  • The control calculation unit 11 may dynamically rewrite the abnormal-time scheduler AN[2] shown in FIG. 5 so that each thread is executed in descending order of ASIL.
  • Since the threads are executed in descending order of ASIL, the threads that should be executed with higher priority are executed first.
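As an added illustration of the scheduler switching described above (example code written for this page, not Denso's or the patent's own implementation), the following C code models the normal-time table order, the AN[1] rule (functional safety threads ordered by ascending time remaining against their limit waiting time), the AN[2] rule (descending ASIL), the Twait_SR < FTTI design check, and the degradation check for non-functional safety threads whose Twait_NSR expires; it generalizes the fixed step orders of the flowcharts to an arbitrary set of thread descriptors. The thread names, periods, ASIL values and limit waiting times are constructed for the example, and the descriptor and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Tables named as in the text: normal-time N, abnormal AN[1] (FTTI), AN[2] (ASIL). */
enum sched_mode { SCHED_N = 0, SCHED_AN1 = 1, SCHED_AN2 = 2 };

/* Hypothetical thread descriptor (not the patent's own data structure). */
typedef struct {
    const char *name;
    bool     functional_safety; /* true: functional safety thread, false: non-FS */
    int      asil;              /* 0 = QM, 1..4 = ASIL A..D */
    uint32_t period_ms;         /* execution cycle: minimum interval x 2^k */
    uint32_t limit_wait_ms;     /* Twait: upper bound from release to execution */
    uint32_t released_at_ms;    /* time the instruction to execute was received */
    bool     waiting;           /* waiting for execution */
} thread_t;

#define NTHREADS 5
thread_t threads[NTHREADS];

/* Constructed thread set. Table order is the normal-time order of the
 * flowchart: non-FS threads at the base cycle first, then m1, then n1 and n2. */
void init_threads(void) {
    const thread_t init[NTHREADS] = {
        {"NSR01", false, 0, 2, 20, 0, false},
        {"NSR02", false, 0, 2, 20, 0, false},
        {"SR_m1", true,  2, 4, 10, 0, false},   /* ASIL B */
        {"SR_n1", true,  4, 8, 12, 0, false},   /* ASIL D */
        {"SR_n2", true,  3, 8,  6, 0, false},   /* ASIL C, tightest limit */
    };
    memcpy(threads, init, sizeof init);
}

/* Execution-cycle interrupt at time now_ms: release every thread whose
 * cycle (minimum interval x 2^k) has elapsed. */
void release_periodic(uint32_t now_ms) {
    for (int i = 0; i < NTHREADS; i++) {
        if (now_ms % threads[i].period_ms == 0) {
            threads[i].waiting = true;
            threads[i].released_at_ms = now_ms;
        }
    }
}

/* Design check from the text: an interrupt thread's Twait_SR must be shorter than the FTTI. */
bool latency_limit_ok(const thread_t *t, uint32_t ftti_ms) {
    return t->limit_wait_ms < ftti_ms;
}

/* Time left before a waiting thread's limit waiting time expires. */
static int64_t remaining_ms(const thread_t *t, uint32_t now_ms) {
    return (int64_t)t->released_at_ms + t->limit_wait_ms - now_ms;
}

/* Abnormal-time priority rule: functional safety threads before non-FS
 * threads; among FS threads AN[1] orders by ascending remaining time,
 * AN[2] by descending ASIL. Returns true if a goes before b. */
static bool before(const thread_t *a, const thread_t *b,
                   enum sched_mode mode, uint32_t now_ms) {
    if (a->functional_safety != b->functional_safety)
        return a->functional_safety;
    if (!a->functional_safety)
        return false;                 /* non-FS threads keep table order */
    if (mode == SCHED_AN1)
        return remaining_ms(a, now_ms) < remaining_ms(b, now_ms);
    return a->asil > b->asil;
}

/* Select the thread to dispatch next; -1 if nothing is waiting.
 * In SCHED_N the first waiting entry in table order is taken. */
int select_next(enum sched_mode mode, uint32_t now_ms) {
    int best = -1;
    for (int i = 0; i < NTHREADS; i++) {
        if (!threads[i].waiting) continue;
        if (best < 0) { best = i; continue; }
        if (mode != SCHED_N && before(&threads[i], &threads[best], mode, now_ms))
            best = i;
    }
    return best;
}

/* The diagnosis by the functional safety SM decides the scheduler: the
 * normal-time table stays in force unless an abnormality needs handling. */
enum sched_mode choose_scheduler(bool abnormality, bool ftti_priority) {
    if (!abnormality) return SCHED_N;
    return ftti_priority ? SCHED_AN1 : SCHED_AN2;
}

/* Count non-FS threads still waiting after their Twait_NSR expired; the
 * text degrades the corresponding system (restriction mode and the like). */
int count_degraded(uint32_t now_ms) {
    int n = 0;
    for (int i = 0; i < NTHREADS; i++)
        if (!threads[i].functional_safety && threads[i].waiting &&
            remaining_ms(&threads[i], now_ms) < 0)
            n++;
    return n;
}
```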
  • Each function of the vehicle application function 16 shown in FIG. may be implemented on a plurality of SOCs. That is, the functions of the inter-core control thread control unit 32 and the functional requirement unit 33 may be implemented on one SOC on which the OS runs, and the functions of the non-functional requirement unit 34 may be implemented on an SOC different from that SOC.
  • The control calculation unit 11 and the techniques described in this disclosure may be implemented by a dedicated computer provided by configuring a processor and a memory programmed to perform one or more functions embodied by a computer program. Alternatively, the control calculation unit 11 and its techniques described in the present disclosure may be implemented by a dedicated computer provided by configuring a processor with one or more dedicated hardware logic circuits. Alternatively, the control calculation unit 11 and its techniques described in the present disclosure may be implemented by one or more dedicated computers configured by combining a processor and a memory programmed to perform one or more functions with a processor configured by one or more hardware logic circuits. The computer program may also be stored, as instructions executed by a computer, on a computer-readable non-transitory tangible storage medium. The method of realizing the function of each part included in the control calculation unit 11 does not necessarily need to include software, and all of the functions may be realized using one or more pieces of hardware.
  • A plurality of functions possessed by one component in the above embodiment may be realized by a plurality of components, or a function possessed by one component may be realized by a plurality of components. Also, a plurality of functions possessed by a plurality of components may be realized by a single component, or a function realized by a plurality of components may be realized by a single component. Also, part of the configuration of the above embodiment may be omitted. Moreover, at least part of the configuration of the above embodiment may be added to or replaced with the configuration of another embodiment described above.
  • In addition to the vehicle electronic control device described above, the present disclosure can also be implemented in various forms, such as a system including the device as a component (for example, the vehicle control system 1), a program for causing a computer to function as the device, a non-transitory tangible recording medium such as a semiconductor memory storing the program, and various methods including a control method for an automotive computer.

Abstract

This automotive computer control method is executed by a vehicular computer (11) that is capable of executing, using parallel processing based on priorities pre-defined by a scheduler, at least one functional safety thread, representing a thread for calculating a value related to vehicle safety, and at least one non-functional safety thread, representing a thread other than the functional safety thread. The method involves detecting an abnormality in a functional safety thread and, upon detection of the abnormality in the functional safety thread, changing the scheduler to alter the priorities.

Description

Automotive computer control method and vehicle electronic control device
Cross-reference to related applications
 This international application claims priority based on Japanese Patent Application No. 2021-114366 filed with the Japan Patent Office on July 9, 2021, and the entire contents of Japanese Patent Application No. 2021-114366 are incorporated by reference into this international application.
 The present disclosure relates to a control method for an automotive computer and a vehicle electronic control device.
 Patent Document 1 below discloses a vehicle electronic control device that determines whether an abnormality has occurred in a program being executed and, when an abnormality has occurred in the program, switches the processing order of the programs from a normal control scheduling pattern to a safety control scheduling pattern.
Japanese Patent No. 5446477
 In Patent Document 1, a safety monitoring program detects abnormalities in programs including the normal control program, and after an abnormality is detected the schedule is switched to the safety control scheduling pattern. However, the time-partitioned set of programs from which execution proceeds after the switch is presumed to include the thread that monitors the normal control program but not the threads that perform the original functions (for example, non-functional safety requirements). As a result, after switching to the safety control scheduling pattern, everything, including original functions in which no abnormality has occurred, is presumed to be placed under degraded control.
 As a result of the inventor's detailed study, it was found that although this configuration can execute safety control preferentially, it tends to adversely affect the threads given no priority under the safety control schedule, especially threads of non-functional safety requirements, for example by preventing them from completing for a long time.
 More specifically, the technique of Patent Document 1 partitions the threads of non-functional safety requirements from the threads of functional safety requirements when the safety monitoring program detects an abnormality, and aims to reduce the cost of system design by focusing the functional-safety design on the functional safety threads only. On the other hand, nothing is said about the real-time behaviour of the non-functional safety threads after the switch to the safety control scheduling pattern. Moreover, claim 1 of Patent Document 1 states that the normal control program is excluded from the time partition after the transition to the safety control scheduling pattern, so taken to its extreme it can be read as placing all threads of non-functional safety requirements under degraded processing.
 One aspect of the present disclosure is to provide a control method for an automotive computer, or a vehicle electronic control device, in which all threads are likely to be executed within the specified time.
 One aspect of the present disclosure is a control method for an automotive computer that is executed on a vehicle computer capable of executing a functional safety thread and at least one non-functional safety thread in parallel processing based on priorities defined in advance by a scheduler. A functional safety thread represents a thread that computes values related to vehicle safety. A non-functional safety thread represents a thread other than a functional safety thread.
 In the automotive computer control method, an abnormality in the functional safety thread is detected, and when an abnormality in the functional safety thread is detected, the scheduler is changed so as to change the priorities.
 According to such a control method, the thread execution priorities can be changed only when an abnormality occurs in a functional safety thread. Even if the safety mechanism of the functional safety thread detects an abnormality and the thread that executes the countermeasure is waiting for execution because another thread is running, the relative execution priority of the two threads is changed, so the processing can more easily be completed within the allowable time that secures functional safety. In addition, for non-functional safety threads, the occasions on which the original functions must be degraded can be reduced as much as possible.
 That is, when the scheduler is changed to switch to the schedule used on abnormality detection, execution of the prescribed processing of the non-functional safety requirements is permitted after the prescribed processing of the functional safety requirement threads has been executed, so scheduling that avoids unnecessary degradation of the non-functional safety requirements becomes possible. Therefore, a configuration in which all threads are likely to be executed within the specified time can be achieved.
車両制御システムの構成を示すブロック図である。1 is a block diagram showing the configuration of a vehicle control system; FIG. 制御演算部の機能ブロック図である。3 is a functional block diagram of a control calculation unit; FIG. スレッド実行制御処理のフローチャートである。8 is a flowchart of thread execution control processing; スレッド実行優先順位判定処理の前半部分のフローチャートである。FIG. 10 is a flowchart of the first half of thread execution priority determination processing; FIG. スレッド実行優先順位判定処理の後半部分のフローチャートである。FIG. 11 is a flowchart of the second half of thread execution priority determination processing; FIG. 優先順位ルールの一例を示す説明図である。FIG. 4 is an explanatory diagram showing an example of priority rules; 第1作動例を示すタイミングチャートである。4 is a timing chart showing a first operation example; 第2作動例を示すタイミングチャートである。9 is a timing chart showing a second operation example; 正常時スケジューラ実行処理の前半部分のフローチャートである。FIG. 11 is a flowchart of the first half of normal scheduler execution processing; FIG. 正常時スケジューラ実行処理の後半部分のフローチャートである。FIG. 11 is a flowchart of the second half of normal scheduler execution processing; FIG. 異常時スケジューラ実行処理の前半部分のフローチャートである。FIG. 10 is a flowchart of the first half of the scheduler execution process in the event of an abnormality; FIG. 異常時スケジューラ実行処理の後半部分のフローチャートである。FIG. 10 is a flowchart of the second half of the scheduler execution process in the event of an abnormality; FIG. 異常時スケジューラAN[1]実行処理の前半部分のフローチャートである。FIG. 13 is a flowchart of the first half of the execution process of the scheduler AN[1] in abnormal conditions; FIG. 異常時スケジューラAN[1]実行処理の後半部分のフローチャートである。FIG. 13 is a flowchart of the second half of the abnormal scheduler AN[1] execution process; FIG. 異常時スケジューラAN[2]実行処理の前半部分のフローチャートである。FIG. 10 is a flowchart of the first half of the abnormal scheduler AN[2] execution process; FIG. 異常時スケジューラAN[2]実行処理の後半部分のフローチャートである。FIG. 13 is a flowchart of the second half of the abnormal scheduler AN[2] execution process; FIG.
 [1.本開示の概要]
 [1-1.背景]
 CASE(Connected、Autonomous、Shared & Services、Electric)、Maas(Mobility as a Service)社会においては、機能安全、セキュリティ、SOTIF(Safety of the Intended Functionality)等の諸要件が三つ巴になったより複雑なシステムの中で、諸要件の相互作用や排他的制御を考慮する必要がある。その際、システムの機能安全を第1に、性能や利便やコストとのバランスを考え、商品性を向上するアーキテクチャを設計することが、システム・製品の差別化を考えるうえで有意義である。
[1. Overview of the present disclosure]
[1-1. background]
In the CASE (Connected, Autonomous, Shared & Services, Electric) and Maas (Mobility as a Service) societies, more complex systems with various requirements such as functional safety, security, and SOTIF (Safety of the Intended Functionality) become a triad. In doing so, it is necessary to consider the interaction of various requirements and exclusive control. In doing so, it is meaningful to think about the differentiation of systems and products by considering the balance between performance, convenience, and cost, and designing an architecture that improves marketability, with the functional safety of the system as the first priority.
 特に、OTA(Over The Air)や5G技術を活用した拡張性のある、つながるシステムが存在する。つながるシステムでは、車両に実装したソフトウェアがSOP(Start Of Production;量産の開始)時点と、SOP後のライフサイクルの間に、システムに搭載されるアプリケーションが逐次変化して行くことが予測される。その変化の都度、例えば当初実装されたソフトウェアに更新プログラムを充てる都度、プログラムの実行検証をベースからやり直すのは、非効率で経済的ではない。また、セキュリティインシデント対策を考慮したソフトウェアライフサイクルにおいては、この傾向がより顕著となることが予測される。 In particular, there are scalable and connected systems that utilize OTA (Over The Air) and 5G technology. In a connected system, it is expected that the applications installed in the system will change sequentially during the life cycle after the SOP (Start Of Production) of the software installed in the vehicle and after the SOP. It is inefficient and uneconomical to redo the execution verification of the program from the beginning each time the change occurs, for example, each time an update program is applied to the originally installed software. In addition, it is expected that this trend will become more pronounced in the software life cycle that considers security incident countermeasures.
 さらに、車両においても、今後は、非論理的と言われるAIも多く実装される。一旦、システム異常が発生した時の論理性と論証を重視される機能安全の担保は、システム異常や構成部品故障、セキュリティインシデント又は性能限界、或いは、ミスユースにおいてもロバスト性の高いシステムアーキテクチャを要求される。 In addition, many AIs that are said to be illogical will be implemented in vehicles in the future. Functional safety, which emphasizes logic and proof when a system malfunction occurs, requires a highly robust system architecture even in the event of system malfunction, component failure, security incident, performance limit, or misuse. be.
 [1-2.機能安全エレメント実装上の課題]
 今後も、車両に実装されるいろいろなアプリケーションでは、ドメイン化(例えば、分散化)と統合化とが車両のセグメント毎に最適化されるようにトライされると思われる。この際、統合化されたアプリケーションをプロセスに分割し、最終的には、CPUコア(以下、単にコアともいう)やメモリ或いは入出力群を共有化するスレッドを疑似並列的にスケジュール制御するニーズは不可欠である。この様子は、PCソフトウェアに実装されるOSのタスクマネージャの制御に類似している。
[1-2. Issues in implementing functional safety elements]
In the future, it is expected that various applications installed in vehicles will try to optimize domainization (for example, decentralization) and integration for each segment of the vehicle. In this case, there is a need to divide the integrated application into processes, and finally to schedule and control threads sharing a CPU core (hereinafter simply referred to as a core), memory, or an input/output group in a pseudo-parallel manner. It is essential. This situation is similar to the control of the OS task manager implemented in PC software.
 機能安全エレメントの実装の場合は、車両機能(以下、アイテム)に対して、その機能を実現するための構成要素(以下、エレメント)に異常が発生したとき、安全目標(SG:Safety Goal)を設定する。そして、安全機構(SM:Safety Mechanism)を付加し、許容された時間(FTTI:Fault Tolelant Time Interval)以内に安全目標を、機能安全以外のエレメントと無干渉になることを担保して実行させる。この手順は、セキュリティやSOTIFが要求されたシステムでも例外ではなく実施されうる。本開示では、機能安全のSMの実行を担保するため、CPUコアを共有する他のスレッドのコア処理が競合する場合においても、動的スケジューリングの設計手法を活用し、機能安全のSMの実行を担保する設計アーキテクチャを提供する。 In the case of implementing functional safety elements, safety goals (SG: Safety Goals) are set when an abnormality occurs in a component (hereafter, element) to realize a vehicle function (hereafter, item). set. Then, a safety mechanism (SM) is added, and the safety goal is executed within the allowable time (FTTI: Fault Tolerant Time Interval) while ensuring that there is no interference with elements other than functional safety. This procedure can be implemented without exception in systems requiring security or SOTIF. In the present disclosure, in order to ensure execution of functionally safe SM, even when core processing of other threads sharing the CPU core competes, a dynamic scheduling design method is utilized to execute functionally safe SM. Provide a collateral design architecture.
 [1-3.本開示でのアーキテクチャ採用の効果]
 一方、従来のソフトスケジューリングにおいては、タイムトリガ制御(例えば周期制御を含む)、或いは各スレッドをパーテションし、カーネル特権による割り込み制御が行われるのが一般的である。いずれの場合も機能安全の安全要求仕様(例えば、FTTI等)と直接的に関連付けられたスケジューリングをディスパッチするわけではない。
[1-3. Effect of adopting architecture in the present disclosure]
On the other hand, in conventional soft scheduling, it is common to perform time-trigger control (including periodic control, for example) or partition each thread and perform interrupt control with kernel privilege. Neither case dispatches scheduling that is directly associated with the safety requirement specification of functional safety (eg, FTTI, etc.).
 一般的な自動車用のソフトウェアのプロセスでは、想定されたアプリケーションの内部の動作状態がスレッドレベルまで、カバレッジされて検証し、有害なバグのない状態で、SOP時に実装されてリリースする。また、一般的な機能安全エレメントの組込実装では、ソフトウェアの継続に深刻なランタイムエラーが発生した時のみ冗長な他のデバイスからのリセット制御を期待する(例えば、ウォッチドッグリセット)。そして、その他のアプリケーションプログラムの機能上の診断異常(例えば、センサ、負荷、内部機能構成パーツのダイアグ診断)では、各タスクのワースト実行時間や実行周期の組合せを考慮したタスクスケジュール設計をする。タスクスケジュール設計には、例えば、プライオリティ設定、デッドライン監視等が含まれる。 In the general automotive software process, the internal operating state of the assumed application is covered and verified up to the thread level, and is implemented and released at the time of SOP without harmful bugs. Also, typical embedded implementations of functional safety elements expect redundant reset control from other devices only when serious runtime errors occur in software continuation (eg, watchdog reset). Then, for functional diagnosis abnormalities of other application programs (for example, diagnostic diagnosis of sensors, loads, and internal functional components), a task schedule is designed in consideration of the worst execution time of each task and combinations of execution cycles. Task schedule design includes, for example, priority setting, deadline monitoring, and the like.
In this case, as described above, after SOP it is checked at every specification change point whether an application connecting to a system that was not originally anticipated affects the originally designed time schedule. This can make it necessary to change the design of the architecture itself. Moreover, to avoid this possibility as far as possible, specifications biased toward the safe side are adopted for system abnormalities; as a result, there is a concern that the vehicle will fall back to degraded control excessively often and its marketability will decline.
The present disclosure therefore provides an architecture that gives priority to the processing of the functional safety mechanism (SM) when a system abnormality occurs, even in the unforeseen case where an event that was not anticipated enters, after SOP, from the world connected to the vehicle. Unanticipated events include the addition of applications that were not originally anticipated, application connections made by end users that the seller of the product did not anticipate, and the occurrence of incidents. They also include unexpected disturbances (for example, network abnormalities or a deadlock of an AI module).
According to the architecture of the present disclosure, design changes and verification of software programs modified over the air (OTA) can be simplified. In addition, because the vehicle's degraded control can be relaxed in the safety requirement specification that ensures functional safety at the time of a system abnormality, an improvement in marketability can be expected. Furthermore, once a highly experienced designer has established the architecture in the base development, subsequent software maintenance has the advantage that a relatively inexperienced designer can easily carry out reliable branch development. As a result, a more reusable and more robust software life cycle can be built with fewer man-hours.
[2. Correspondence between the configuration of the embodiment and the configuration of the present disclosure]
In the embodiment, the processing executed by the control calculation unit 11 corresponds to the automotive computer control method of the present disclosure. Among the processing executed by the control calculation unit 11, the processing of S130, S150, and S170 corresponds to the function of the abnormality detection unit of the present disclosure, and the processing of S10, S20, S30, and S180 corresponds to the function of the order changing unit of the present disclosure.
[3. Embodiment]
Embodiments of the present disclosure are described below with reference to the drawings.
[3-1. Configuration]
The vehicle control system 1 shown in FIG. 1 is mounted in a vehicle such as a passenger car and includes an ECU 10. The ECU 10 is an electronic control unit, and in this embodiment in particular a vehicular electronic control unit.
The vehicle control system 1 may include sensors 21 and various actuators 22. The vehicle control system 1 may also be configured to communicate with a cloud server 23 outside the vehicle. The ECU 10, the sensors 21, the various actuators 22, and the cloud server 23 are configured to communicate with one another via a communication bus 5, a wireless network (not shown), or the like. The ECU 10 includes a power supply circuit and watchdog timer 36, described later.
The ECU 10 includes a control calculation unit 11, an input/output unit 12, and a memory 13. The ECU 10 also has a vehicle application function 16 as part of the functions executed by the control calculation unit 11. Within the program that implements the vehicle application function 16, the related threads are partitioned according to non-functional-safety functional requirements and functional safety functional requirements.
The control calculation unit 11 is configured, for example, as a CPU. By executing programs stored in the memory 13, the control calculation unit 11 realizes various functions such as the vehicle application function 16. The functions executed by the control calculation unit 11 include processing that uses the automotive computer control method. The control calculation unit 11 executes a plurality of threads in a time-division manner as pseudo-parallel processing. A plurality of threads is referred to below as a thread group.
The control calculation unit 11 performs the calculations that realize each function, such as abnormality detection, abnormality handling that ensures safety in response to a detected abnormality, detection of runtime errors in the threads themselves, and abnormality handling in response to a detected runtime error.
The input/output unit 12 is configured, for example, as a communication module that communicates via the communication bus 5 or the like, and performs input/output control of the data entering and leaving the ECU 10.
As shown in FIG. 2, the vehicle application function 16 includes an inter-core control thread control unit 32, an intra-core control thread control unit (functional safety requirements) 33 (hereinafter, functional requirement unit 33), and an intra-core control thread control unit (non-functional safety requirements) 34 (hereinafter, non-functional requirement unit 34).
The inter-core control thread control unit 32 has the following functions:
(A1) a function of dispatching the cores, the memory 13, the input/output unit 12, and runtime, specifically a function as a dynamic scheduler (thread control may, for example, be performed in cooperation with the MMU/MPU);
(A2) a function of arbitrating the threads executed by each core program (for example, an application), including processing such as starting, degrading, ignoring, self-resetting, and externally resetting a core program;
(A3) a function of outputting a watchdog signal to the power supply circuit and watchdog timer 36;
(A4) a function of instructing the functional requirement unit 33 and the non-functional requirement unit 34 on the allocation of resources and schedules.
Each function of the inter-core control thread control unit 32 is realized by the ECU 10 executing a program.
Next, the functional requirement unit 33 handles threads related to functional safety requirements (hereinafter, functional safety threads). A functional safety thread is a thread that calculates values related to vehicle safety (for example, values related to the vehicle's acceleration/deceleration or steering).
The functional requirement unit 33 has the following functions:
(B1) a function of dispatching the memory 13, the input/output unit 12, and runtime, specifically a function as a dynamic scheduler (thread control may, for example, be performed in cooperation with the MMU/MPU);
(B2) a function of changing the scheduler so as to relatively raise the execution priority of a thread in which an abnormality has occurred;
(B3) a function of transmitting to the inter-core control thread control unit 32 the information sources that control execution priority, such as the core occupancy time rate, safety mechanism requirements, FTTI, Automotive Safety Integrity Level (hereinafter, ASIL), and deadline information.
Each function of the functional requirement unit 33 is realized by the ECU 10 executing a program.
Next, the non-functional requirement unit 34 handles non-functional safety threads, that is, threads other than functional safety threads. The non-functional requirement unit 34 has the following functions:
(C1) a function of dispatching the memory 13, the input/output unit 12, and runtime, specifically a function as a dynamic scheduler (thread control may, for example, be performed in cooperation with the MMU/MPU);
(C2) a function of changing the scheduler so as to suspend a thread in execution or relatively lower the execution priority of threads waiting for execution;
(C3) a function of transmitting to the inter-core control thread control unit 32 the information sources that control execution priority, such as the core occupancy time rate.
Each function of the non-functional requirement unit 34 is realized by the ECU 10 executing a program.
When an abnormality occurs such that continuing execution of a thread would lead to a violation of the functional safety goal (SG), the inter-core control thread control unit 32, the functional requirement unit 33, and the non-functional requirement unit 34 each transmit an execution-continuation-impossible notification, and that notification is shared among them.
[3-2. Processing]
[3-2-1. Thread execution control processing]
Next, the thread execution control processing executed by the control calculation unit 11, in particular by the inter-core control thread control unit 32, is described using the flowchart of FIG. 3. The thread execution control processing acquires the thread execution priority tables set by the functional requirement unit 33 and by the non-functional requirement unit 34, and causes processing to be executed in the order based on these tables. The thread execution control processing is performed, for example, at a preset period.
In the thread execution control processing, first, in S10, the control calculation unit 11 reads in the thread execution priority table determined and rewritten by the functional requirement unit 33. The thread execution priority table is set according to the priority rule shown in FIG. 5. The priority rule is described later.
Next, in S20, the control calculation unit 11 reads in the thread execution priority table determined and rewritten by the non-functional requirement unit 34. Then, in S30, using the function of the inter-core control thread control unit 32, the control calculation unit 11 updates the core on which each thread is to be executed and the dispatch contents of the dynamic scheduler, and arbitrates the threads executed by each core program (for example, an application).
In updating the dispatch contents, the control calculation unit 11 reviews, on the basis of the thread execution information of each core, the allocation of the hardware resources used (for example, cores, the memory 13, the input/output unit 12, and runtime) for the dynamic scheduler selected on each core. The function of the inter-core control thread control unit 32 plays a role similar to the task manager of a general personal computer.
In thread arbitration, the control calculation unit 11 makes effective use of cores with a low utilization rate, among other things. The control calculation unit 11 also ensures freedom from interference so that the memory 13 and the input/output unit 12 shared between different programs on the cores do not conflict. Specifically, the control calculation unit 11 arbitrates the memory 13, read/write attributes, runtime, and so on in cooperation with the dynamic scheduler of each core.
The control calculation unit 11 also performs processing such as starting, degrading, ignoring, self-resetting, and externally resetting a core program. The thread execution control processing of FIG. 3 then ends.
[3-2-2. Thread execution priority determination processing]
Next, the thread execution priority determination processing executed by the control calculation unit 11 is described using the flowcharts of FIGS. 4A and 4B. The thread execution priority determination processing uses the functions of the functional requirement unit 33 and the non-functional requirement unit 34 to select an appropriate schedule according to whether a functional safety thread has an abnormality, and requests the inter-core control thread control unit 32 to use the selected schedule. The thread execution priority determination processing is performed, for example, at a preset period. When the control calculation unit 11 has a plurality of cores, this processing is executed for each core. This processing is executed within the functional safety mechanism shown in FIG. 5 as the constant periodic interrupt (hereinafter, the constant SM).
In the thread execution priority determination processing, first, in S110, the control calculation unit 11 determines whether there is a thread group waiting to be executed by a scheduler timer interrupt. Scheduler timer interrupts include those raised when an abnormality is detected in a functional safety thread. An abnormality of a functional safety thread covers not only an abnormality detected in the thread's function but also, for example, the event that the functional safety thread does not terminate normally within its specified time (that is, its deadline) and the event that it produces an execution error.
If the control calculation unit 11 determines in S110 that no interrupt thread group is waiting for execution, it proceeds to S120, executes the interrupt timer processing, and then ends the thread execution priority determination processing of FIGS. 4A and 4B.
If, on the other hand, the control calculation unit 11 determines in S110 that a thread group of the scheduler timer interrupt is waiting for execution, it proceeds to S130 and determines whether the abnormality of the functional safety thread is one under which execution of the thread group cannot be continued, that is, whether it violates the functional safety goal (hereinafter, SG). Whether the abnormality prevents continued execution of the thread group is determined, for example, by whether the kind of abnormality has been associated in advance with the abnormalities that prevent continued execution of the thread group.
If the control calculation unit 11 determines in S130 that the abnormality prevents continued execution of the thread group, it proceeds to S140, requests the inter-core control thread control unit 32 to control execution of the thread group, and carries out degraded control of the system. Here, for example, an interrupt thread prepared in advance, which is a functional safety thread executed under the interrupt control of the kernel, may be executed. After functional safety has been ensured in this way, the thread execution priority determination processing of FIGS. 4A and 4B ends.
If, on the other hand, the control calculation unit 11 determines in S130 that the abnormality allows execution of the thread group to continue, it proceeds to S150 and determines whether a thread group for an event interrupt to an I/O port or the like is waiting for execution. Event interrupts here exclude forced interrupts in hardware.
If the control calculation unit 11 determines in S150 that an event interrupt thread group is waiting for execution, it proceeds to S160, performs software-maskable forced interrupt processing, and then proceeds to S170.
If, on the other hand, the control calculation unit 11 determines in S150 that no event interrupt thread group is waiting for execution, it skips S160 and proceeds to S170. In S170, the control calculation unit 11 determines whether an abnormality of the functional safety requirements has been detected and is awaiting abnormality handling. Awaiting abnormality handling means the state in which, after an abnormality has been detected, the handling of that abnormality has not yet been completed.
If the control calculation unit 11 determines in S170 that an abnormality of the functional safety requirements has been detected and is awaiting handling, it proceeds to S180. In S180, the execution priority schedule of the threads waiting for execution is changed according to whether the setting of the functional safety mechanism requirements gives priority to the remaining time against the FTTI or to the safety integrity level. That is, one of the tables for the abnormal case among the execution priority tables described later is selected: abnormal-time AN, FTTI-priority rewrite AN[1], or ASIL-priority rewrite AN[2].
This schedule change requests that the non-functional safety requirements be temporarily suspended and that the abnormality handling of the functional safety requirements be executed with priority. The request is realized by requesting the inter-core control thread control unit 32 to control execution of the thread group. The request causes interrupt control by the kernel to be carried out, so that the functional safety thread (that is, the interrupt thread of the present disclosure) is executed early. After S180, the thread execution priority determination processing of FIGS. 4A and 4B ends.
If, on the other hand, the control calculation unit 11 determines in S170 that no abnormality of the functional safety requirements has been detected, or that none is awaiting handling, it proceeds to S190. In S190, the schedule for the case where all functional safety mechanisms are judged normal is selected, and the inter-core control thread control unit 32 is requested to control execution of the thread group. That is, when no abnormality has occurred, or when the handling after an abnormality has been completed, normal-time N, the table for the normal case among the execution priority tables described later, is selected.
Next, in S200, the control calculation unit 11 determines whether an abnormality of the non-functional safety requirements has been detected and is awaiting handling. If the control calculation unit 11 determines in S200 that no abnormality of the non-functional safety requirements has been detected, or that none is awaiting handling, it proceeds to S210.
In S210, the control calculation unit 11 requests the inter-core control thread control unit 32 to control execution of the thread group for the processing of the non-functional safety requirements, and ensures that the processing of the basic functions (corresponding, for example, to the original functions described above) continues. Because the processing order here is the same as when no abnormality of a functional safety thread has been detected, there is no loss of marketability. After S210, the thread execution priority determination processing of FIGS. 4A and 4B ends.
If, on the other hand, the control calculation unit 11 determines in S200 that an abnormality of the non-functional safety requirements has been detected and is awaiting handling, it proceeds to S220 and requests the inter-core control thread control unit 32 to control execution of the thread group for the handling of that abnormality. The thread execution priority determination processing of FIGS. 4A and 4B then ends.
[3-2-3. Priority rule]
The priority rule is now described with reference to FIG. 5. The priority rule gives the correspondence between the plurality of schedules that the functional requirement unit 33 and the non-functional requirement unit 34 can select in the thread execution priority determination processing of FIGS. 4A and 4B and the execution priority of each thread under each schedule. A schedule is also referred to below as a thread execution priority table, or simply a table.
As the plurality of tables, for example, normal-time N, abnormal-time AN, FTTI-priority rewrite AN[1], and ASIL-priority rewrite AN[2] are prepared. These tables have in common that their execution priorities are written so that the initial diagnosis thread, the software-maskable hardware interrupt thread, and the execution-period interrupt thread are executed in that order. A plurality of threads is, however, associated with the execution-period interrupt thread, and the execution priority of each thread within the execution-period interrupt thread is set differently for each table.
For example, in the normal case where no functional safety thread has an abnormality, the table labelled "normal-time N" is selected. In this table, the priority of the non-functional safety threads 01 and 02, to which the non-functional safety requirements of the application thread layer are assigned, is set higher than the priority of the functional safety threads m1, n1, and n2, to which the functional safety requirements are assigned.
When a functional safety thread has an abnormality, the table labelled "abnormal-time AN", for example, is selected. In this table, the priority of the functional safety threads m1, n1, and n2 is set higher than the priority of the non-functional safety threads 01 and 02.
Otherwise, when a functional safety thread has an abnormality, FTTI-priority rewrite AN[1] or ASIL-priority rewrite AN[2] may be selected depending on the situation.
The priority rule may also be freely rewritable. For example, by generating executable code automatically from a formal design specification and installing it in flash memory, a mechanism can be built that rewrites, in accordance with the functional specification, those parts that may be subject to design change over the life cycle. In particular, each table may be rewritten dynamically according to the FTTI of each thread waiting for execution.
[3-2-4. First operation example]
A first operation example with the configuration of this embodiment is described with reference to FIG. 6. This operation example shows one thread execution procedure for the case where abnormalities are detected simultaneously in thread m1 and thread n1, whose SM processing cannot all be completed within the execution period of thread 01, a thread with higher priority than the functional safety SM. The first operation example is a scheduling example in which the remaining execution time against the FTTI, a functional safety requirement, is compared, and the thread that must be handled sooner from the functional safety standpoint is processed with raised priority.
That is, when an abnormality of a functional safety thread is detected, the control calculation unit 11 changes the schedule so that, within the FTTI, the execution priority of the functional safety threads is relatively higher than that of the non-functional safety threads. At this time, a table is selected such that the limit waiting time of the functional safety thread executed with priority (that is, the interrupt thread) is less than its FTTI.
In FIG. 6, the arrows show the timing at which the timer interrupts of the three threads coincide. When three threads are waiting for execution in this way, execution starts from the thread with the highest priority.
Of the tables described above, FTTI-priority rewrite AN[1] is selected. Each thread is set to execute degradation processing if its runtime exceeds its corresponding waiting-time timer (that is, the limit waiting time of the present disclosure).
After thread 01 has executed, abnormalities are detected in thread m1 and thread n1. If the execution priorities were left unchanged, the threads would run in the order 01, m1, n1, as shown by the dotted line in FIG. 6. Assuming that thread 01, which runs first, has for some reason run longer than expected, and that threads m1 and n1 carry out abnormality handling (that is, interrupt threads) with an FTTI set for each, thread n1 does not satisfy its FTTI requirement under this thread order.
Therefore, when thread m1 and thread n1 detect abnormalities, the scheduler lowers the execution priority of thread 01 below that of thread m1 and thread n1. Note that while the functional safety abnormality detection function (SM) is normal, thread 01 is set to a higher execution priority than thread m1 and thread n1.
 この結果、図6の実線にて示すように、スレッド01に対して、スレッドn1、スレッドm1の順に処理が可能となり、スレッド01の実行は、スレッドn1、スレッドm1の規定の異常処置が完了するまで遅延される。つまり、スレッド01の実行は、スケジュールで規定された異常処置のスレッドを完了するまで遅延され、所定のスケジュール内でのスレッドの異常処置が完了後、スレッド01の実行に移る。この際、必ずしも、全ての異常処置が完了するまでスレッド01の実行が遅延されるわけではない。なお、スレッド01は、通常のデッドライン監視タイマを超過しないようにスケジューリングされることが好ましい。 As a result, as shown by the solid line in FIG. 6, the thread n1 and the thread m1 can be processed in the order of the thread 01, and the execution of the thread 01 completes the specified error handling for the thread n1 and the thread m1. is delayed until In other words, the execution of the thread 01 is delayed until the error handling thread specified in the schedule is completed, and the thread 01 is executed after the error handling of the thread within the predetermined schedule is completed. At this time, the execution of the thread 01 is not necessarily delayed until all abnormal measures are completed. Note that thread 01 is preferably scheduled so as not to exceed the normal deadline watchdog timer.
[3-2-5. Second operation example]
The first operation example is described on the premise that the threads related to both the functional safety requirements and the non-functional safety requirements are controlled under the same scheduler. That is, the thread execution order is managed mainly by using the scheduler function of the inter-core control thread control unit 32. However, as shown in the second operation example of FIG. 7, the scheduler that controls threads related to non-functional safety requirements and the scheduler that controls threads related to functional safety requirements may be made independent. That is, the scheduler function of the functional requirement unit 33 and the scheduler function of the non-functional requirement unit 34 are each used, and the inter-core control thread control unit 32 arbitrates between them, thereby managing the thread execution order.
In this configuration, the threads related to all functional safety requirements can be aggregated under their own scheduler, so that the execution of the functional safety mechanisms is protected from any exclusive interference factor and safety is ensured. In this case, the inter-core control thread control unit 32, including its scheduler, is desirably configured as a functional safety requirement of the highest ASIL.
With such a configuration, freedom from interference between the non-functional safety requirements and the functional safety requirements is ensured by the design structure. This makes it easier to design a structure that appropriately dispatches the multithread resources by focusing only on the differences in ASIL between the threads within the functional safety requirements and on their runtime priority with respect to the FTTI.
In other words, the functional safety requirements and the non-functional safety requirements are reliably partitioned, which increases the reusability of the software. As a result, it is possible both to save the architecture changes and verification effort needed to conform to functional safety over the software life cycle and to improve the robustness of the implemented software. The multithread resources include, for example, the memory 13, the schedule, and the input/output unit 12.
The configuration of the second operation example is designed, for example, as follows.
To guarantee the FTTI of the various functional safety requirements, the minimum interrupt period of the aggregated group of functional-safety-related threads is scheduled from the maximum permissible interrupt interval (that is, the longest interval at which the FTTI can still be guaranteed even if processing is delayed as much as possible). For example, when periodic threads of 2, 4, 8, and 16 ms are aggregated, the 2 ms period is designed as a timer interrupt independent of the general-purpose OS.
The interrupt-disabled time within threads related to non-functional safety requirements is made sufficiently shorter than 2 ms, with a margin, so that the design guarantees the 2 ms periodic interrupt.
[3-2-6. Normal-time scheduler execution process]
The normal-time scheduler execution process executed by the control calculation unit 11 will be described with reference to the flowcharts of FIGS. 8A and 8B. The normal-time scheduler execution process is executed according to the normal-time N table in a situation where no abnormality of a functional safety thread has occurred. The normal-time scheduler execution process is performed, for example, at every preset period.
In the normal-time scheduler execution process, first, in S310, the control calculation unit 11 determines whether the execution period interrupt, here (minimum time interval) × 2^0, is waiting for execution. If the control calculation unit 11 determines in S310 that the execution period interrupt is not waiting for execution, the process proceeds to S410.
On the other hand, if the control calculation unit 11 determines in S310 that the execution period interrupt (minimum time interval) × 2^0 is waiting for execution, the process proceeds to S320, where it determines whether the non-functional safety thread 01 is waiting for execution.
For example, if the control calculation unit 11 determines in S320 that the non-functional safety thread 01 is waiting for execution, the process proceeds to S330, where it dispatches the non-functional safety thread 01 and executes a kernel call to run that thread. At this time, even if a thread with a lower priority than this thread is running, that thread is temporarily suspended (that is, preempted) and the execution of this thread is given priority. The normal-time scheduler execution process of FIGS. 8A and 8B then ends.
On the other hand, if the control calculation unit 11 determines in S320 that the non-functional safety thread 01 is not waiting for execution, the process proceeds to S340, where it determines whether the non-functional safety thread 02 is waiting for execution.
If the control calculation unit 11 determines in S340 that the non-functional safety thread 02 is waiting for execution, the process proceeds to S350, where it dispatches the non-functional safety thread 02 and executes a kernel call to run that thread. On the other hand, if the control calculation unit 11 determines in S340 that the non-functional safety thread 02 is not waiting for execution, the process proceeds to S410.
Next, in S410, the control calculation unit 11 determines whether the execution period interrupt (minimum time interval) × 2^m is waiting for execution. If the control calculation unit 11 determines in S410 that the execution period interrupt is not waiting for execution, the process proceeds to S510.
On the other hand, if the control calculation unit 11 determines in S410 that the execution period interrupt is waiting for execution, the process proceeds to S420, where it determines whether the functional safety thread m1 is waiting for execution.
If the control calculation unit 11 determines in S420 that the functional safety thread m1 is waiting for execution, the process proceeds to S430, where it dispatches the functional safety thread m1 and executes a kernel call to run that thread. The normal-time scheduler execution process of FIGS. 8A and 8B then ends.
On the other hand, if the control calculation unit 11 determines in S420 that the functional safety thread m1 is not waiting for execution, the process proceeds to S510.
In S510, the control calculation unit 11 determines whether the execution period interrupt (minimum time interval) × 2^n is waiting for execution. If the control calculation unit 11 determines in S510 that the execution period interrupt is not waiting for execution, the normal-time scheduler execution process of FIGS. 8A and 8B ends.
On the other hand, if the control calculation unit 11 determines in S510 that the execution period interrupt is waiting for execution, the process proceeds to S520, where it determines whether the functional safety thread n1 is waiting for execution.
If the control calculation unit 11 determines in S520 that the functional safety thread n1 is waiting for execution, the process proceeds to S530, where it dispatches the functional safety thread n1 and executes a kernel call to run that thread. At this time, even if a thread with a lower priority than this thread is running, it is temporarily suspended and the execution of this thread is given priority. The normal-time scheduler execution process of FIGS. 8A and 8B then ends.
On the other hand, if the control calculation unit 11 determines in S520 that the functional safety thread n1 is not waiting for execution, the process proceeds to S540, where it determines whether the functional safety thread n2 is waiting for execution.
If the control calculation unit 11 determines in S540 that the functional safety thread n2 is waiting for execution, the process proceeds to S550, where it dispatches the functional safety thread n2 and executes a kernel call to run that thread. The normal-time scheduler execution process of FIGS. 8A and 8B then ends.
On the other hand, if the control calculation unit 11 determines in S540 that the functional safety thread n2 is not waiting for execution, the normal-time scheduler execution process of FIGS. 8A and 8B ends.
[3-2-7. Abnormal-time scheduler execution process]
The abnormal-time scheduler execution process executed by the control calculation unit 11 will be described with reference to the flowcharts of FIGS. 9A, 9B, 10A, 10B, 11A, and 11B (hereinafter FIGS. 9A to 11B). In the abnormal-time scheduler execution processes shown in FIGS. 9A to 11B, the thread execution order is changed, in accordance with the priority rule, so as to differ from that of the normal-time scheduler execution process. The execution process of the abnormal-time scheduler AN[1] shown in FIGS. 10A and 10B corresponds to the process when FTTI priority rewrite AN[1] is selected. The execution process of the abnormal-time scheduler AN[2] shown in FIGS. 11A and 11B corresponds to the process when ASIL priority rewrite AN[2] is selected. In other words, the abnormal-time scheduler AN[1] shown in FIGS. 10A and 10B and the abnormal-time scheduler AN[2] shown in FIGS. 11A and 11B each correspond to an entry in the "scheduler selection table" shown in FIG. 5.
In the execution process of the abnormal-time scheduler AN shown in FIGS. 9A and 9B, the processing of S410 to S550 is executed before the processing of S310 to S350. In the execution process of the abnormal-time scheduler AN[1] shown in FIGS. 10A and 10B, the processing of S510 is performed first, followed by S540 to S550, S520 to S530, S410 to S430, and S310 to S350, in that order.
In the execution process of the abnormal-time scheduler AN[2] shown in FIGS. 11A and 11B, the processing is performed in the order S510 to S550, S410 to S430, and S310 to S350.
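The dispatch logic of sections 3-2-6 and 3-2-7 can be read as a single function that walks an ordered list of (execution period interrupt, thread) checks, the four tables N, AN, AN[1] and AN[2] differing only in the order of those checks. The C program below is an added example written for this page; it is not code from the patent or from 株式会社デンソー. The enum names, the `select_table` policy argument and the FIG. 6 ready state are assumptions constructed for the example; the four check orders are transcribed from the flowchart step numbers quoted above.

```c
/* Added example (not the patent's code): the normal-time table N and the
 * abnormal-time tables AN, AN[1], AN[2] as ordered lists of checks.
 * Each check is "is this execution period interrupt pending, and is this
 * thread waiting for execution?"; the first hit is dispatched. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum thread_id  { T_NONE = 0, T_01, T_02, T_M1, T_N1, T_N2, T_COUNT };
enum irq_level  { IRQ_2_POW_0 = 0, IRQ_2_POW_M, IRQ_2_POW_N, IRQ_COUNT };
enum table_sel  { SEL_N, SEL_AN, SEL_AN1, SEL_AN2 };
enum rewrite_policy { REWRITE_FTTI, REWRITE_ASIL };   /* assumption of this example */

struct sched_state {
    bool irq_pending[IRQ_COUNT];   /* (minimum time interval) x 2^0, 2^m, 2^n */
    bool thread_ready[T_COUNT];    /* indexed by enum thread_id */
};

struct check { enum irq_level irq; enum thread_id thread; };
#define TABLE_LEN(t) (sizeof(t) / sizeof((t)[0]))

/* N (FIGS. 8A/8B): S310-S350, then S410-S430, then S510-S550 */
static const struct check TABLE_N[] = {
    {IRQ_2_POW_0, T_01}, {IRQ_2_POW_0, T_02},
    {IRQ_2_POW_M, T_M1},
    {IRQ_2_POW_N, T_N1}, {IRQ_2_POW_N, T_N2},
};
/* AN (FIGS. 9A/9B): S410-S550 before S310-S350 */
static const struct check TABLE_AN[] = {
    {IRQ_2_POW_M, T_M1},
    {IRQ_2_POW_N, T_N1}, {IRQ_2_POW_N, T_N2},
    {IRQ_2_POW_0, T_01}, {IRQ_2_POW_0, T_02},
};
/* AN[1] FTTI priority rewrite (FIGS. 10A/10B): S510, S540-S550, S520-S530, S410-S430, S310-S350 */
static const struct check TABLE_AN1[] = {
    {IRQ_2_POW_N, T_N2}, {IRQ_2_POW_N, T_N1},
    {IRQ_2_POW_M, T_M1},
    {IRQ_2_POW_0, T_01}, {IRQ_2_POW_0, T_02},
};
/* AN[2] ASIL priority rewrite (FIGS. 11A/11B): S510-S550, S410-S430, S310-S350 */
static const struct check TABLE_AN2[] = {
    {IRQ_2_POW_N, T_N1}, {IRQ_2_POW_N, T_N2},
    {IRQ_2_POW_M, T_M1},
    {IRQ_2_POW_0, T_01}, {IRQ_2_POW_0, T_02},
};

/* One pass of the flowchart: the first (pending interrupt, waiting thread) wins. */
static enum thread_id dispatch(const struct check *table, size_t n,
                               const struct sched_state *s)
{
    for (size_t i = 0; i < n; i++)
        if (s->irq_pending[table[i].irq] && s->thread_ready[table[i].thread])
            return table[i].thread;
    return T_NONE;   /* nothing to dispatch: the process simply ends */
}

static enum thread_id run_scheduler(enum table_sel sel, const struct sched_state *s)
{
    switch (sel) {
    case SEL_N:   return dispatch(TABLE_N,   TABLE_LEN(TABLE_N),   s);
    case SEL_AN:  return dispatch(TABLE_AN,  TABLE_LEN(TABLE_AN),  s);
    case SEL_AN1: return dispatch(TABLE_AN1, TABLE_LEN(TABLE_AN1), s);
    case SEL_AN2: return dispatch(TABLE_AN2, TABLE_LEN(TABLE_AN2), s);
    }
    return T_NONE;
}

/* (3e): the SM verdict decides whether the scheduler is switched at all; which
 * abnormal-time table is taken is modelled here by a policy argument (assumption). */
static enum table_sel select_table(bool sm_abnormal, enum rewrite_policy p)
{
    if (!sm_abnormal) return SEL_N;
    return p == REWRITE_FTTI ? SEL_AN1 : SEL_AN2;
}

/* Run the selected table to exhaustion, removing each dispatched thread from
 * the ready set; this reproduces the execution orders drawn in FIG. 6. */
static size_t dispatch_sequence(enum table_sel sel, struct sched_state s,
                                enum thread_id *out, size_t max)
{
    size_t n = 0;
    while (n < max) {
        enum thread_id t = run_scheduler(sel, &s);
        if (t == T_NONE) break;
        out[n++] = t;
        s.thread_ready[t] = false;
    }
    return n;
}

/* k-th thread dispatched in that sequence, T_NONE if there is none. */
static enum thread_id nth_dispatched(enum table_sel sel, struct sched_state s, size_t k)
{
    enum thread_id seq[T_COUNT];
    size_t n = dispatch_sequence(sel, s, seq, T_COUNT);
    return k < n ? seq[k] : T_NONE;
}

/* Constructed FIG. 6 state: all three timer interrupts coincide and threads
 * 01, m1 and n1 are waiting for execution. */
static struct sched_state fig6_state(void)
{
    struct sched_state s = {0};
    s.irq_pending[IRQ_2_POW_0] = s.irq_pending[IRQ_2_POW_M] = s.irq_pending[IRQ_2_POW_N] = true;
    s.thread_ready[T_01] = s.thread_ready[T_M1] = s.thread_ready[T_N1] = true;
    return s;
}

static const char *NAME[T_COUNT] = {"-", "01", "02", "m1", "n1", "n2"};

int main(void)
{
    static const enum table_sel sels[] = {SEL_N, SEL_AN, SEL_AN1, SEL_AN2};
    static const char *labels[] = {"N", "AN", "AN[1]", "AN[2]"};
    for (size_t s = 0; s < 4; s++) {
        enum thread_id seq[T_COUNT];
        size_t n = dispatch_sequence(sels[s], fig6_state(), seq, T_COUNT);
        printf("%-6s:", labels[s]);
        for (size_t i = 0; i < n; i++) printf(" %s", NAME[seq[i]]);
        printf("\n");
    }
    return 0;
}
```

Under the N table the FIG. 6 state dispatches 01, m1, n1 (the dotted line); under AN[1] it dispatches n1, m1, 01 (the solid line), which is the whole effect of the rewrite: the checks are the same, only their order changes, so the normal-time and abnormal-time schedulers can share one dispatch routine and differ in data.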
[3-3. Effects]
According to the first embodiment described in detail above, the following effects are obtained.
(3a) One aspect of the present disclosure is a control method for an automotive computer, executed on a vehicle computer (for example, the control calculation unit 11) capable of executing a functional safety thread and at least one non-functional safety thread in parallel processing based on priorities defined in advance by a scheduler. Parallel processing may include scheduling that involves parallel processing by multiple cores, and pseudo-parallel processing by time division on a given core. A functional safety thread denotes a thread that computes a value related to the safety of the vehicle. A non-functional safety thread denotes any thread other than a functional safety thread.
In the automotive computer control method, an abnormality of the functional safety thread is detected, and when an abnormality of the functional safety thread is detected, the scheduler is changed so as to change the thread execution priority.
According to such a control method, the priority with which threads are executed can be changed only when an abnormality occurs in a functional safety thread. Therefore, while the functional safety thread is judging the state to be normal, scheduling that gives priority to the vehicle's original functions is possible.
In other words, because the situations in which the priority is changed are limited to cases where an abnormality occurs in a functional safety thread, it becomes easier to design a schedule in which all threads are likely to be executed within their limit waiting time.
More specifically, in the configuration that controls the execution priority of threads, the priority table of the scheduler is rewritten in relative terms. Therefore, even when the thread that executes the abnormality action after the safety mechanism described above detects an abnormality is waiting for execution because another thread is running, the relative execution priority of the two threads is changed so that processing can reliably be completed within the permissible time that ensures functional safety. At the same time, the occasions on which the original functions of the non-functional safety threads must be degraded can be reduced as much as possible.
That is, in the configuration of the present application, when a functional safety thread detects an abnormality, the prescribed functional safety requirements are processed with the highest priority, while degradation of the original functions (non-functional safety requirements) that are not directly related to the cause of the abnormality can be avoided as far as possible. A schedule design that ensures real-time performance can also be realized.
A functional safety thread may, for example, implement a functional safety requirement specification. In this case it is the minimum execution unit that defines the execution priority when the original functions and the safety mechanisms are made into software modules and implemented in semiconductor memory, and the scheduler generally binds hardware resources such as the cores, memory, and input/output to be used to it in a time-division manner. A functional safety requirement specification is one in which safety goals and safety mechanisms (for example, fail-safe mechanisms and FTTIs) are generally defined by technical safety requirements (TSR: Technical Safety Requirement) or a technical safety concept (TSC: Technical Safety Concept). A TSR is a technical specification stating what kind of safety protection function is required to ensure safety when an abnormality occurs in the system. A TSC is a technical specification summarizing how that safety protection function is to be realized.
(3b) In one aspect of the present disclosure, when an abnormality is detected, the execution of the non-functional safety thread is suspended until a preset abnormality action is completed. The execution of the non-functional safety thread is suspended until the execution of the functional safety thread to be executed, or of the interrupt thread executed at the time of the abnormality, is complete, where the kernel controls the priority of the related threads only during the period updated by the dynamic scheduler. The execution of the non-functional safety thread is not suspended until every abnormality action has completed.
According to such a method, because the execution of the non-functional safety thread is suspended until the abnormality action is completed, the prescribed abnormality action is executed with the highest priority, and after the prescribed abnormality action is complete, execution can return to the suspended non-functional safety thread.
(3c) In one aspect of the present disclosure, the estimated time from the detection of an abnormality until a hazardous event occurs in the vehicle is defined as the FTTI (Fault Tolerant Time Interval). When an abnormality is detected, the schedule is changed within the FTTI so that the execution priority of the functional safety threads is relatively higher than that of the non-functional safety threads.
According to such a method, the non-functional safety threads can be temporarily suspended taking the FTTI into account.
(3d) In one aspect of the present disclosure, the interrupt control of the kernel is used to detect whether a functional safety thread has an abnormality, and the schedule is changed when an abnormality is detected.
According to such a method, because kernel interrupt control is used, the abnormality can be dealt with promptly.
(3e) In one aspect of the present disclosure, a functional safety mechanism (SM) that diagnoses whether an abnormality of a functional safety thread has been detected is implemented as a thread; whether the scheduler needs to be changed is determined according to whether an abnormality has been detected, and the scheduler is switched accordingly.
According to such a method, whether the scheduler needs to be changed can be determined, and the scheduler can be switched when a change is necessary. The determination of whether to switch the scheduler is preferably performed at a timing appropriate for the switch to be made in time.
As the main control method for scheduler switching, as shown in FIG. 5, a method in which the always-on functional safety SM is placed in every periodic interrupt (for example, in the shortest periodic interrupt) can be adopted. Alternatively, a structure in which the functional safety SM is woken by the HW interrupt handler can be adopted.
(3f) In one aspect of the present disclosure, at least the interrupt thread executed by the interrupt control of the kernel has a limit waiting time, which represents the upper limit of the time from receipt of an instruction to execute until the thread is executed. The limit waiting time of the interrupt thread is set to be less than the FTTI.
According to such a method, the interrupt thread can be executed before the FTTI elapses, so the interrupt thread can be executed more safely.
(3g) In one aspect of the present disclosure, the interrupt thread, the functional safety threads, and the non-functional safety threads each have a limit waiting time, which represents the upper limit of the time from receipt of an instruction to execute until the thread is executed. If the limit waiting time (Twait_NSR) of a thread other than the interrupt thread is exceeded before the interrupt thread is executed (before Twait_SR is exceeded), the system corresponding to that other thread is degraded. System degradation may take the form of, for example, a restricted mode that limits part of the original functions or, in the case of an abnormality in an automated driving system, a handover control mode that requests manual driving by the driver.
According to such a method, when another thread such as a non-functional safety thread cannot be executed within its limit waiting time, the system corresponding to that thread is degraded, so the vehicle can be controlled with a better balance of safety and convenience.
(3h) In one aspect of the present disclosure, abnormalities may be detected in a plurality of functional safety threads. An interrupt thread is executed for each thread in which an abnormality was detected, and the contents of the scheduler are changed so that the execution priority of the interrupt threads is raised in ascending order of the time remaining until their limit waiting time (that is, the interrupt thread with the least remaining time is given the higher execution priority).
According to such a method, when a plurality of interrupt threads are executed because abnormalities were detected in a plurality of functional safety threads, the interrupt threads can be executed in ascending order of the time remaining until their limit waiting time. This suppresses the situation in which one of the interrupt threads is not executed within its limit waiting time.
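The first operation example (FIG. 6) and points (3g) and (3h) describe one mechanism from two sides: interrupt threads ordered by the time remaining until their limit waiting time keep their FTTI, and a non-functional safety thread whose Twait_NSR passes while it waits behind them is degraded. The C simulation below is an added example written for this page, not code from the patent or its applicant. The thread names follow FIG. 6, while the runtimes, limit waiting times and FTTI values (in ms) are constructed, and `ftti_priority_order`, `run_sequence` and `scenario` are names chosen for this example.

```c
/* Added example (not the patent's code): FIG. 6 with thread 01 extended and
 * threads m1 and n1 both needing an abnormality action, run under the
 * unchanged table order and under the FTTI priority rewrite of (3h), with
 * the degradation rule of (3g) applied to the NSR thread. Times are in ms
 * and all values are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_THREADS 8

struct thread {
    const char *name;
    bool is_interrupt;  /* abnormality-action (interrupt) thread, Twait_SR < FTTI */
    int  runtime_ms;
    int  twait_ms;      /* limit waiting time: latest permitted start after release */
    int  ftti_ms;       /* FTTI for interrupt threads; 0 (unused) for NSR threads */
};

struct outcome {
    int start_ms[MAX_THREADS];
    int finish_ms[MAX_THREADS];
    int missed_ftti;   /* interrupt threads whose action finished after their FTTI */
    int degraded;      /* NSR threads whose Twait_NSR passed while they waited (3g) */
};

/* Constructed FIG. 6 scenario: all three threads are released at t = 0 by the
 * coinciding timer interrupts; thread 01 (NSR) has been extended to 7 ms. */
static const struct thread FIG6[] = {
    /* name, interrupt?, runtime, twait, ftti */
    {"01", false, 7,  8,  0},
    {"m1", true,  3, 12, 20},
    {"n1", true,  2,  6, 10},
};

/* Unchanged table order: thread 01 keeps the highest priority (dotted line). */
static void table_order(int n, int *order)
{
    for (int i = 0; i < n; i++) order[i] = i;
}

/* (3h) FTTI priority rewrite: interrupt threads first, in ascending order of
 * the time remaining until their limit waiting time; the remaining threads
 * keep their table order behind them (solid line in FIG. 6). */
static void ftti_priority_order(const struct thread *t, int n, int now, int *order)
{
    int k = 0;
    for (int i = 0; i < n; i++)
        if (t[i].is_interrupt) order[k++] = i;
    for (int i = 1; i < k; i++) {          /* stable insertion sort by remaining time */
        int cur = order[i], j = i;
        while (j > 0 && t[order[j - 1]].twait_ms - now > t[cur].twait_ms - now) {
            order[j] = order[j - 1];
            j--;
        }
        order[j] = cur;
    }
    for (int i = 0; i < n; i++)
        if (!t[i].is_interrupt) order[k++] = i;
}

/* Run the threads back to back from t = 0 in the given order; check each NSR
 * start against its limit waiting time and each interrupt action against its FTTI. */
static struct outcome run_sequence(const struct thread *t, int n, const int *order)
{
    struct outcome o = {{0}, {0}, 0, 0};
    int now = 0;
    for (int p = 0; p < n; p++) {
        int i = order[p];
        o.start_ms[i]  = now;
        o.finish_ms[i] = now + t[i].runtime_ms;
        if (t[i].is_interrupt && o.finish_ms[i] > t[i].ftti_ms) o.missed_ftti++;
        if (!t[i].is_interrupt && o.start_ms[i] > t[i].twait_ms) o.degraded++;
        now = o.finish_ms[i];
    }
    return o;
}

/* The FIG. 6 scenario with a chosen Twait_NSR for thread 01. */
static struct outcome scenario(bool ftti_priority, int twait_01_ms)
{
    struct thread t[MAX_THREADS];
    int order[MAX_THREADS];
    int n = (int)(sizeof FIG6 / sizeof FIG6[0]);
    memcpy(t, FIG6, sizeof FIG6);
    t[0].twait_ms = twait_01_ms;
    if (ftti_priority) ftti_priority_order(t, n, 0, order);
    else               table_order(n, order);
    return run_sequence(t, n, order);
}

static int scenario_start_ms(bool p, int twait_01, int idx) { struct outcome o = scenario(p, twait_01); return o.start_ms[idx]; }
static int scenario_missed_ftti(bool p, int twait_01)       { struct outcome o = scenario(p, twait_01); return o.missed_ftti; }
static int scenario_degraded(bool p, int twait_01)          { struct outcome o = scenario(p, twait_01); return o.degraded; }

int main(void)
{
    for (int p = 0; p < 2; p++) {
        printf("%s order:", p ? "FTTI priority" : "table");
        for (int i = 0; i < 3; i++)
            printf(" %s@%dms", FIG6[i].name, scenario_start_ms(p != 0, 8, i));
        printf("  missed FTTI=%d degraded=%d\n",
               scenario_missed_ftti(p != 0, 8), scenario_degraded(p != 0, 8));
    }
    return 0;
}
```

With the table order, n1 only starts at 10 ms and finishes at 12 ms, after its 10 ms FTTI; with the rewrite, n1 (6 ms remaining) runs before m1 (12 ms remaining) and both actions complete in time, while 01 starts at 5 ms, still inside its 8 ms Twait_NSR. Calling `scenario(true, 4)` shows the (3g) case: the same rewrite lets thread 01's 4 ms limit waiting time pass, so its system is counted as degraded rather than the abnormality action being delayed.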
(3i) One aspect of the present disclosure is a vehicle electronic control device (the control calculation unit 11 in the present disclosure) capable of executing at least one functional safety thread and at least one non-functional safety thread in parallel processing based on priorities defined in advance by a scheduler.
The abnormality detection unit is configured to detect an abnormality of the functional safety thread. The order changing unit changes the scheduler, and thereby the priorities, when an abnormality is detected in the functional safety thread and an abnormality action becomes necessary.
With such a configuration, the priority with which threads are executed can be changed only when an abnormality occurs in a functional safety thread.
(3j) In particular, the vehicle electronic control device can be configured as a system in which a plurality of cores are mounted and the threads share hardware resources such as the cores and memory in a time-division manner under the scheduler. In such a system, when the safety mechanism of a functional safety thread detects an abnormality, the execution of other threads can be temporarily suspended so that the abnormality action is completed within the time permitted by the system, or cores and memory resources with spare time can be used preferentially.
With such a configuration, the potential cases in which the execution time becomes critical for the system as a whole, that is, in which threads frequently fail to finish within the permissible time, can be further reduced, and a highly robust system can be built. With regard to ensuring the safety of the whole system, a system design with a margin of execution time reduces the need for degraded designs of system functions and secures the system's original functions, which makes it easier to improve marketability.
 [4.他の実施形態]
 以上、本開示の実施形態について説明したが、本開示は前述の実施形態に限定されることなく、種々変形して実施することができる。
[4. Other embodiments]
Although the embodiments of the present disclosure have been described above, the present disclosure is not limited to the above-described embodiments, and can be implemented in various modifications.
 (4a)上記実施形態では、機能安全スレッド毎にFTTIが対応付けられたが、これに限定されるものではない。例えば、FTTIに換えて、或いはFTTIに加えて、機能安全スレッド毎に自動車安全水準レベル(ASIL:Automotive Safety Integrity Level)が対応付けられていてもよい。この場合、複数の機能安全スレッドにおいて異常を検知し、異常を検知したスレッド毎に、割込スレッドを実行し、この際、自動車安全水準レベルが高い順に、割込スレッドの実行優先順位を高する様にスケジューラの内容を変更してもよい。例えば、制御演算部11は、自動車安全水準レベルが高い順に各スレッドが実行されるように図5に示す異常時スケジューラAN[2]を動的に書き換えるとよい。 (4a) In the above embodiment, the FTTI is associated with each functional safety thread, but the present invention is not limited to this. For example, instead of or in addition to FTTI, each functional safety thread may be associated with an automotive safety integrity level (ASIL). In this case, an abnormality is detected in a plurality of functional safety threads, an interrupt thread is executed for each thread in which an abnormality is detected, and at this time, the execution priority of the interrupt thread is increased in descending order of vehicle safety level. You may change the contents of the scheduler in the same way. For example, the control calculation unit 11 may dynamically rewrite the abnormal scheduler AN[2] shown in FIG. 5 so that each thread is executed in descending order of vehicle safety standard level.
 このような方法によれば、自動車安全水準レベルが高い順に、スレッドを実行するので、より優先して実行すべきスレッドを優先して実行することができる。 According to this method, the threads are executed in the order of higher automobile safety level, so the threads that should be executed with higher priority can be executed with priority.
 (4b)上記実施形態では、ECU10を構成する各構成要素11,12,13,16の配置について言及していないが、例えば、各構成要素11,12,13,16の実際のデバイスは、1つ又は複数のSOC(System On Chip)で構成することができる。 (4b) In the above embodiment, no reference is made to the arrangement of the components 11, 12, 13, 16 that make up the ECU 10. For example, the actual devices of the components 11, 12, 13, 16 are one It can consist of one or more SOCs (System On Chips).
 また、例えば、図2に示す車両アプリケーション機能16の各機能は、破線部31内の機能がOSを実装する1つのSOCによって実現され、破線部31外の機能が前記SOCとは別のSOCによって実現されてもよい。すなわち、コア間制御スレッド制御部32、及び機能要件部33の機能がOSを実装する1つのSOCで実現され、非機能要件部34の機能が前記SOCとは別のSOCで実現されてもよい。 Also, for example, each function of the vehicle application function 16 shown in FIG. may be implemented. That is, the functions of the inter-core control thread control unit 32 and the functional requirement unit 33 may be implemented in one SOC that implements the OS, and the functions of the non-functional requirement unit 34 may be implemented in an SOC different from the SOC. .
 このような構成によれば、オーバーヘッドを減少させ、リアルタイム性を向上させることができる。 With such a configuration, it is possible to reduce overhead and improve real-time performance.
 (4c)本開示に記載の制御演算部11及びその手法は、コンピュータプログラムにより具体化された1つ乃至は複数の機能を実行するようにプログラムされたプロセッサ及びメモリを構成することによって提供された専用コンピュータにより、実現されてもよい。あるいは、本開示に記載の制御演算部11及びその手法は、1つ以上の専用ハードウェア論理回路によってプロセッサを構成することによって提供された専用コンピュータにより、実現されてもよい。もしくは、本開示に記載の制御演算部11及びその手法は、1つ乃至は複数の機能を実行するようにプログラムされたプロセッサ及びメモリと1つ以上のハードウェア論理回路によって構成されたプロセッサとの組み合わせにより構成された1つ以上の専用コンピュータにより、実現されてもよい。また、コンピュータプログラムは、コンピュータにより実行されるインストラクションとして、コンピュータ読み取り可能な非遷移有形記録媒体に記憶されてもよい。制御演算部11に含まれる各部の機能を実現する手法には、必ずしもソフトウェアが含まれている必要はなく、その全部の機能が、1つあるいは複数のハードウェアを用いて実現されてもよい。 (4c) The control computing unit 11 and techniques described in this disclosure were provided by configuring a processor and memory programmed to perform one or more functions embodied by a computer program. It may also be implemented by a dedicated computer. Alternatively, the control computation unit 11 and techniques thereof described in the present disclosure may be implemented by a dedicated computer provided by configuring a processor with one or more dedicated hardware logic circuits. Alternatively, the control computation unit 11 and techniques thereof described in the present disclosure are a combination of a processor and memory programmed to perform one or more functions and a processor configured by one or more hardware logic circuits. It may also be implemented by one or more dedicated computers configured in combination. Computer programs may also be stored as computer-executable instructions on a computer-readable non-transitional tangible storage medium. The method of realizing the function of each part included in the control calculation part 11 does not necessarily include software, and all the functions may be realized using one or a plurality of pieces of hardware.
 (4d) A plurality of functions of one component in the above embodiment may be realized by a plurality of components, and one function of one component may be realized by a plurality of components. Likewise, a plurality of functions of a plurality of components may be realized by one component, and one function realized by a plurality of components may be realized by one component. Part of the configuration of the above embodiment may be omitted. At least part of the configuration of the above embodiment may be added to, or substituted for, the configuration of another of the above embodiments.
 (4e) Besides the vehicle control system 1 described above, the present disclosure can also be realized in various forms: a device such as a vehicle control device that is a component of the vehicle control system 1, a program for causing a computer to function as that device, a non-transitory tangible storage medium such as a semiconductor memory on which the program is recorded, and various methods including a control method for an automotive computer.

Claims (10)

  1.  A control method for an automotive computer, executed on a vehicle computer (11) capable of executing, by parallel processing based on priorities defined in advance in a scheduler, at least one functional safety thread, being a thread that computes a value relating to the safety of the vehicle, and at least one non-functional safety thread, being a thread other than the functional safety thread, the method comprising:
     detecting an abnormality in the functional safety thread; and
     when an abnormality in the functional safety thread is detected, changing the scheduler so as to change the priorities.
  2.  The control method for an automotive computer according to claim 1, wherein,
     when the abnormality is detected, execution of the non-functional safety thread is suspended until a preset abnormality treatment is completed.
  3.  The control method for an automotive computer according to claim 1 or claim 2, wherein,
     taking the estimated time from detection of the abnormality until a hazardous event occurs in the vehicle as the FTTI (Fault Tolerant Time Interval), when the abnormality is detected, the schedule is changed within the FTTI so that the execution priority of the functional safety thread is made relatively higher than the execution priority of the non-functional safety thread.
  4.  The control method for an automotive computer according to claim 3, wherein
     the interrupt control of the kernel is used to detect whether or not there is an abnormality in the functional safety thread, and when the abnormality is detected, the schedule is changed.
  5.  The control method for an automotive computer according to claim 4, wherein
     a functional safety mechanism that diagnoses whether or not an abnormality in the functional safety thread has been detected is implemented as a thread, whether or not the scheduler needs to be changed is determined according to whether or not the abnormality has been detected, and the scheduler is switched accordingly.
  6.  The control method for an automotive computer according to claim 4 or claim 5, wherein
     at least an interrupt thread executed by the interrupt control of the kernel has a limit waiting time set for it, representing the upper limit of the time from receipt of an instruction to execute until the thread is executed, and
     the limit waiting time of the interrupt thread is set to be less than the FTTI.
  7.  The control method for an automotive computer according to claim 6, wherein
     the limit waiting time is set for the interrupt thread, the functional safety thread, and the non-functional safety thread, and
     when the time until the interrupt thread is executed exceeds the limit waiting time of a thread other than the interrupt thread, the system corresponding to that other thread is degraded.
  8.  The control method for an automotive computer according to claim 6 or claim 7, comprising:
     detecting abnormalities in a plurality of functional safety threads; and
     executing the interrupt thread for each thread in which an abnormality was detected, and in doing so changing the contents of the scheduler so that the execution priority of the interrupt threads is raised in ascending order of the remaining time until the limit waiting time.
  9.  The control method for an automotive computer according to any one of claims 6 to 8, wherein
     an automotive safety integrity level is associated with each interrupt thread, the method comprising:
     detecting abnormalities in a plurality of functional safety threads; and
     executing the interrupt thread for each thread in which an abnormality was detected, and in doing so changing the contents of the scheduler so that the execution priority of the interrupt threads is raised in descending order of the automotive safety integrity level.
  10.  A vehicular electronic control device (10) capable of executing, by parallel processing based on priorities defined in advance in a scheduler, at least one functional safety thread, being a thread that computes a value relating to the safety of the vehicle, and at least one non-functional safety thread, being a thread other than the functional safety thread, the device comprising:
     an abnormality detection unit (S130, S150, S170) configured to detect an abnormality in the functional safety thread; and
     an order change unit (S10, S20, S30, S180) that, when an abnormality in the functional safety thread is detected, changes the scheduler so as to change the priorities.
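The scheduler change the claims describe, as an added example in C that is not code from the patent or from DENSO: a detected abnormality in a functional safety thread suspends non-functional safety work until the preset treatment completes (claim 2); the faulted threads are ranked either by least remaining time against their limit waiting time (claim 8) or by highest automotive safety integrity level (claim 9) and boosted above every untouched thread (claim 3); the interrupt thread's limit waiting time is checked against the FTTI (claim 6); and a thread whose own limit waiting time is exceeded by the interrupt wait has the system it serves degraded (claim 7). All names, the priority scale, the millisecond values and the four sample threads are assumptions constructed for illustration; the kernel interrupt control of claim 4 is not modelled, the functions are called directly.

```c
/* Added example, not the patent's or DENSO's code: a minimal model of the
 * claimed scheduler switch. Names, the priority scale and the sample threads
 * are assumptions made for illustration. */
#include <stdbool.h>
#include <stdlib.h>

#define MAX_THREADS 8
#define BOOST_BASE  100   /* assumed: above every base priority in the table */
enum thread_kind { FUNCTIONAL_SAFETY, NON_FUNCTIONAL_SAFETY };

typedef struct {
    const char *name;
    enum thread_kind kind;
    int base_priority, priority;  /* pre-defined table value; effective value after a change */
    unsigned limit_wait_ms;       /* limit waiting time, request to execution (claim 6) */
    unsigned waited_ms;           /* time already spent waiting for its treatment */
    int asil;                     /* automotive safety integrity level, 0 (QM) .. 4 (D) */
    bool faulted, suspended, degraded;  /* claim 1 / claim 2 / claim 7 states */
} thread_t;

typedef struct {
    thread_t th[MAX_THREADS];
    int n;
    unsigned ftti_ms;             /* Fault Tolerant Time Interval (claim 3) */
    bool treatment_done;          /* preset abnormality treatment has completed */
} scheduler_t;

/* Time left before a thread's limit waiting time is exceeded (saturates at 0). */
static unsigned remaining_ms(const thread_t *t) {
    return t->waited_ms >= t->limit_wait_ms ? 0 : t->limit_wait_ms - t->waited_ms;
}
/* Claim 8 ordering: least remaining time first. */
static int cmp_remaining(const void *a, const void *b) {
    unsigned ra = remaining_ms(*(thread_t *const *)a), rb = remaining_ms(*(thread_t *const *)b);
    return (ra > rb) - (ra < rb);
}
/* Claim 9 ordering: highest ASIL first. */
static int cmp_asil(const void *a, const void *b) {
    int aa = (*(thread_t *const *)a)->asil, ab = (*(thread_t *const *)b)->asil;
    return (aa < ab) - (aa > ab);
}

/* Re-plan the scheduler after the abnormality check (claims 1, 2, 3, 8, 9).
 * Returns the number of faulted functional safety threads. */
int apply_fault_schedule(scheduler_t *s, bool order_by_asil) {
    thread_t *faulted[MAX_THREADS];
    int nf = 0;
    for (int i = 0; i < s->n; i++) {
        thread_t *t = &s->th[i];
        t->priority = t->base_priority;   /* start from the pre-defined table */
        t->suspended = false;
        if (t->kind == FUNCTIONAL_SAFETY && t->faulted) faulted[nf++] = t;
    }
    if (nf == 0) return 0;                /* no abnormality: table unchanged */
    for (int i = 0; i < s->n; i++)        /* claim 2: hold non-safety work */
        if (!s->treatment_done && s->th[i].kind == NON_FUNCTIONAL_SAFETY)
            s->th[i].suspended = true;
    /* Claims 8/9 rank the interrupt handling of the faulted threads; every
     * boosted priority lies above the untouched threads, as claim 3 requires. */
    qsort(faulted, nf, sizeof faulted[0], order_by_asil ? cmp_asil : cmp_remaining);
    for (int k = 0; k < nf; k++)
        faulted[k]->priority = BOOST_BASE + (nf - k);   /* first in order is highest */
    return nf;
}

/* Claim 6: the interrupt thread's limit waiting time must stay below the FTTI. */
bool interrupt_limit_valid(const scheduler_t *s, unsigned limit_ms) { return limit_ms < s->ftti_ms; }

/* Claim 7: if the time until the interrupt thread runs exceeds another thread's
 * limit waiting time, degrade the system that thread serves; returns the count. */
int degrade_overdue(scheduler_t *s, unsigned interrupt_wait_ms) {
    int count = 0;
    for (int i = 0; i < s->n; i++)
        if (interrupt_wait_ms > s->th[i].limit_wait_ms) { s->th[i].degraded = true; count++; }
    return count;
}

/* Constructed sample (two faulted safety threads, one healthy, one infotainment)
 * walked through the claims; returns how many of the 8 expectations held. */
int run_constructed_scenario(void) {
    scheduler_t s = { .n = 4, .ftti_ms = 50, .treatment_done = false };
    s.th[0] = (thread_t){ "brake_ctrl", FUNCTIONAL_SAFETY, 30, 30, 20, 5, 4, true, false, false };
    s.th[1] = (thread_t){ "steer_ctrl", FUNCTIONAL_SAFETY, 30, 30, 40, 35, 3, true, false, false };
    s.th[2] = (thread_t){ "lamp_ctrl", FUNCTIONAL_SAFETY, 20, 20, 40, 0, 1, false, false, false };
    s.th[3] = (thread_t){ "infotain", NON_FUNCTIONAL_SAFETY, 10, 10, 200, 0, 0, false, false, false };
    int ok = 0;
    ok += apply_fault_schedule(&s, false) == 2;
    ok += s.th[1].priority > s.th[0].priority;     /* claim 8: steer has 5 ms left, brake 15 */
    ok += s.th[3].suspended;                        /* claim 2: infotainment held */
    ok += apply_fault_schedule(&s, true) == 2 && s.th[0].priority > s.th[1].priority; /* claim 9 */
    s.treatment_done = true;
    apply_fault_schedule(&s, false);
    ok += !s.th[3].suspended;                       /* released once treatment completes */
    ok += interrupt_limit_valid(&s, 30) && !interrupt_limit_valid(&s, 50);   /* claim 6 */
    ok += degrade_overdue(&s, 25) == 1 && s.th[0].degraded;   /* claim 7: brake's 20 ms limit */
    s.th[0].faulted = s.th[1].faulted = false;
    ok += apply_fault_schedule(&s, false) == 0 && s.th[0].priority == 30;   /* table restored */
    return ok;
}
```

Two design points worth noting: remaining_ms saturates at zero, so a thread that has already overrun its limit waiting time sorts first under the claim 8 ordering rather than wrapping around; and apply_fault_schedule always rebuilds the effective priorities from the pre-defined table, so clearing the fault flags restores the original schedule without any separate undo path.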
PCT/JP2021/045351 2021-07-09 2021-12-09 Automotive computer control method and vehicular electronic control device WO2023281766A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2023533039A JP7409567B2 (en) 2021-07-09 2021-12-09 Automotive computer control method and vehicle electronic control device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2021114366 2021-07-09
JP2021-114366 2021-07-09

Publications (1)

Publication Number Publication Date
WO2023281766A1 true WO2023281766A1 (en) 2023-01-12

Family

ID=84800594

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/045351 WO2023281766A1 (en) 2021-07-09 2021-12-09 Automotive computer control method and vehicular electronic control device

Country Status (2)

Country Link
JP (1) JP7409567B2 (en)
WO (1) WO2023281766A1 (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008123439A (en) * 2006-11-15 2008-05-29 Denso Corp Operating system, program and mobile body manipulation support apparatus
JP2013003724A (en) * 2011-06-14 2013-01-07 Denso Corp In-vehicle electronic control unit
JP2014081847A (en) * 2012-10-17 2014-05-08 Renesas Electronics Corp Multi-thread processor
JP2014170477A (en) * 2013-03-05 2014-09-18 Mitsubishi Electric Corp High availability system
JP2016157247A (en) * 2015-02-24 2016-09-01 トヨタ自動車株式会社 Information processor
JP2016181868A (en) * 2015-03-25 2016-10-13 コニカミノルタ株式会社 Image formation apparatus, control method and control program
JP2017111662A (en) * 2015-12-17 2017-06-22 日立オートモティブシステムズ株式会社 Electronic controller
JP2017173947A (en) * 2016-03-22 2017-09-28 三菱電機株式会社 On-vehicle controller and rom for on-vehicle controller

Also Published As

Publication number Publication date
JP7409567B2 (en) 2024-01-09
JPWO2023281766A1 (en) 2023-01-12

Similar Documents

Publication Publication Date Title
US20120198464A1 (en) Safety controller and safety control method
KR100983061B1 (en) Interrupt control function adapted to control the execution of interrupt requests of differing criticality
US8756606B2 (en) Safety controller and safety control method in which time partitions are scheduled according to a scheduling pattern
Zhao et al. PT-AMC: Integrating preemption thresholds into mixed-criticality scheduling
JP4213572B2 (en) Electronic device and processor speed control method
CN114637598A (en) Vehicle controller and scheduling method of operating system thereof
WO2023281766A1 (en) Automotive computer control method and vehicular electronic control device
US20150205635A1 (en) Method and lightweight mechanism for mixed-critical applications
JP5699896B2 (en) Information processing apparatus and abnormality determination method
JP2011216004A (en) Microprocessor, electronic control unit, execution ratio switching method
JP6838234B2 (en) Vehicle control device
Kim et al. Reducing memory interference latency of safety-critical applications via memory request throttling and Linux Cgroup
JP2013152636A (en) Information processing device and task scheduling method
CN114633705A (en) Vehicle control device with synchronous drive program
CN115175413A (en) Enhanced service calling method and device for vehicle position lamp, vehicle and medium
JP5633501B2 (en) Control apparatus and control method
JP5906584B2 (en) Control apparatus and control method
JPWO2018211865A1 (en) Vehicle control device
Fuhrman et al. On designing software architectures for next-generation multi-core ECUs
CN115248724A (en) Real-time scheduling for heterogeneous multi-core systems
Waszniowski et al. Analysis of real time operating system based applications
WO2019188177A1 (en) Information processing device
JPH0926888A (en) Exclusive controller
JP7333251B2 (en) electronic controller
JP5703505B2 (en) Computer with bus partition structure

Legal Events

Date Code Title Description
ENP Entry into the national phase

Ref document number: 2023533039

Country of ref document: JP

Kind code of ref document: A

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21949398

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE