WO2024219242A1 - Redundant ECU, program, and information processing method - Google Patents

Redundant ECU, program, and information processing method

Info

Publication number
WO2024219242A1
WO2024219242A1 PCT/JP2024/013877 JP2024013877W WO2024219242A1 WO 2024219242 A1 WO2024219242 A1 WO 2024219242A1 JP 2024013877 W JP2024013877 W JP 2024013877W WO 2024219242 A1 WO2024219242 A1 WO 2024219242A1
Authority
WO
WIPO (PCT)
Prior art keywords
ecu
vehicle
redundant
board
determined
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2024/013877
Inventor
元太 山根
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sumitomo Wiring Systems Ltd
AutoNetworks Technologies Ltd
Sumitomo Electric Industries Ltd
Original Assignee
Sumitomo Wiring Systems Ltd
AutoNetworks Technologies Ltd
Sumitomo Electric Industries Ltd
Application filed by Sumitomo Wiring Systems Ltd, AutoNetworks Technologies Ltd, Sumitomo Electric Industries Ltd
Priority to CN202480025616.6A (CN121014194A)
Publication of WO2024219242A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00: Arrangements for software engineering
    • G06F8/60: Software deployment
    • G06F8/61: Installation
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/40: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection

Definitions

  • the present disclosure relates to a redundant ECU, a program, and an information processing method.
  • This application claims priority based on Japanese Application No. 2023-067873 filed on April 18, 2023, and incorporates by reference all of the contents of the above-mentioned Japanese application.
  • A body ECU is an on-board ECU that controls body-related devices such as the wiper drive device, interior and exterior lighting devices, door lock devices, and power windows (see, for example, Patent Document 1).
  • the wiper drive device of Patent Document 1 includes an on-board ECU (body ECU) and is driven by a control program applied to the on-board ECU (electronic control unit).
  • a redundant system ECU is mounted on a vehicle and communicatively connected to a plurality of on-board ECUs, and includes a control unit that performs processing related to status management of the on-board ECUs.
  • the control unit acquires status data related to the status of the on-board ECU from the on-board ECU, and when it determines that the on-board ECU is not operating normally based on the acquired status data, it acquires software for replacing the on-board ECU determined to be not operating normally, and replaces the on-board ECU determined to be not operating normally by executing the acquired software.
  • FIG. 1 is a schematic diagram illustrating a system configuration of an in-vehicle system according to a first embodiment
  • FIG. 2 is a block diagram illustrating an example of an internal configuration of a redundant ECU
  • FIG. 11 is an explanatory diagram illustrating an example of a management list.
  • FIG. 4 is an explanatory diagram illustrating a relay table used by the integrated ECU
  • FIG. 2 is an explanatory diagram illustrating a process flow (sequence) of a redundant ECU, an integrated ECU, and the like
  • 4 is a flowchart illustrating a process of a control unit of a redundant ECU.
  • the on-board ECU installed in the vehicle of Patent Document 1 does not take into consideration the processing required to replace another on-board ECU when the other on-board ECU breaks down or ceases to operate normally.
  • the purpose of this disclosure is to provide a redundant ECU etc. that can efficiently perform processing related to replacing an on-board ECU when any of the on-board ECUs installed in a vehicle stops functioning normally.
  • a redundant system ECU is mounted on a vehicle and communicatively connected to a plurality of on-board ECUs, and includes a control unit that performs processing related to status management of the on-board ECUs.
  • the control unit acquires status data related to the status of the on-board ECU from the on-board ECU, and when it determines that the on-board ECU is not operating normally based on the acquired status data, it acquires software for replacing the on-board ECU determined to be not operating normally, and replaces the on-board ECU determined to be not operating normally by executing the acquired software.
  • the redundant system ECU is communicatively connected to a plurality of on-board ECUs via an on-board network mounted on the vehicle. These multiple on-board ECUs perform processing for executing various services or functions provided in the vehicle.
  • the on-board ECU may include not only the on-board ECU mounted at the time of production of the vehicle, but also an on-board ECU (spare ECU) mounted (retrofitted) after production of the vehicle.
  • the spare ECU may acquire a message output from an on-board ECU (sensor/actuator control ECU) to which a sensor or actuator is directly connected via a signal line, and perform processing for executing various services or functions using the acquired message.
  • the redundant system ECU may be configured by a spare ECU retrofitted to the vehicle in order to add a new service or function.
  • each of the multiple spare ECUs retrofitted may function as a redundant system ECU that replaces the other spare ECUs, thereby constituting a group of redundant system ECUs.
  • the control unit of the redundant system ECU may collect information (status information) on the status of the vehicle-mounted ECUs including the spare ECU and the sensor/actuator control ECU, i.e., whether the vehicle-mounted ECUs are in an operating state (wake-up state) or a stopped state (sleep state), and perform processing related to the current status management of the vehicle-mounted ECUs.
  • The status information of the vehicle-mounted ECUs may include management information on the functions (services) performed by each vehicle-mounted ECU and whether the vehicle-mounted ECUs are operating normally (normal or abnormal). Furthermore, the control unit of the redundant system ECU periodically, regularly, or constantly performs polling communication with the vehicle-mounted ECUs to acquire status data on the status of the vehicle-mounted ECUs. The control unit of the redundant system ECU may determine that the vehicle-mounted ECU is not operating normally, for example, when the status data cannot be acquired beyond the transmission period, when the acquired status data includes an abnormality code indicating an abnormality in the vehicle-mounted ECU that is the transmission source, or when the acquired status data is determined to be fraudulent data due to, for example, spoofing.
  • the case where the vehicle-mounted ECU is not operating normally includes, for example, a case where the vehicle-mounted ECU is broken or the vehicle-mounted ECU is removed from the vehicle.
  • the control unit of the redundant system ECU acquires software for substituting the vehicle-mounted ECU determined to be not operating normally.
  • the redundant system ECU is, for example, an in-vehicle ECU of the same type as the in-vehicle ECU determined to be not operating normally, or an in-vehicle ECU having compatibility, and by acquiring the software, it is possible to substitute the in-vehicle ECU determined to be not operating normally.
  • the redundant system ECU can provide various services or functions carried out by the in-vehicle ECU by executing software that is the same as or compatible with the software executed by the in-vehicle ECU determined to be not operating normally.
  • the redundant system ECU starts a process (substitution process) to substitute for the in-vehicle ECU determined to be not operating normally, and therefore the service or function performed by the in-vehicle ECU can be continued.
  • By having the redundant system ECU replace the on-board ECU that transmits and receives signals to and from the sensor/actuator control ECU, without duplicating the on-board ECU to which the sensor, etc. is connected, the number of signal lines, such as harnesses, required to connect the sensor, etc. can be reduced.
  • the status data acquired from the vehicle ECU includes setting information regarding the operational settings of the vehicle ECU at the time the status data is transmitted, and when the control unit executes the acquired software, it applies the setting information to replace the vehicle ECU that is determined not to be operating normally.
  • the status data output (transmitted) by the on-board ECU to the redundant system ECU periodically, regularly, or steadily includes setting information related to the operational settings of the on-board ECU at the time the status data is transmitted.
  • the on-board ECU provides services or functions by executing software, and the setting information corresponds to, for example, various setting information for providing the services or functions.
  • the setting information may include, for example, user information related to the driver driving the vehicle, and may further include setting information associated with each piece of user information (setting information for each driver).
  • the setting information may include history information such as the operations performed by the driver currently driving the vehicle (current user) when using a service, etc.
  • the control unit of the redundant system ECU acquires setting information related to the operational settings of the on-board ECU at the time the status data is transmitted from the on-board ECU, in addition to the software required to replace the on-board ECU.
  • the control unit of the redundant ECU can execute the software by reflecting (applying) the setting information, and can continue to provide services or functions by inheriting the operational settings of the on-board ECU to be substituted.
  • The control unit uses the acquired software and setting information to perform a self-diagnosis process to check the operation of the alternative function when replacing an on-board ECU that is determined to be malfunctioning.
  • When starting the process of replacing the in-vehicle ECU determined to be not operating normally, the control unit of the redundant system ECU performs a self-diagnosis process using the acquired software and setting information to confirm whether the software operates normally with the setting information applied.
  • the control unit of the redundant system ECU may, for example, execute emulation software stored in the storage unit to generate an emulation environment for performing the self-diagnosis process, and determine whether the software to which the setting information has been applied operates in the emulation environment.
  • The control unit of the redundant system ECU may, for example, input (transfer) the acquired software and setting information to a self-diagnosis program stored in the storage unit, execute the self-diagnosis program, and confirm whether the software operates normally by obtaining a determination result from the self-diagnosis program.
  • When the control unit of the redundant system ECU obtains (derives) a determination result indicating normal operation as a result of the self-diagnosis process, it starts the process of replacing the in-vehicle ECU determined to be not operating normally.
  • The control unit of the redundant ECU may execute the software in an initialized state or with a predetermined standard setting (initial parameters) without using the obtained setting information.
  • the self-diagnosis process is performed using the obtained software and setting information, and the replacement can be started after verifying the normal operation of the software and setting information.
  • If the self-diagnosis process does not yield a determination result indicating normal operation, that is, if a determination result indicating a malfunction is obtained (derived), it is assumed that there may be a problem with the setting information last obtained (received) from the in-vehicle ECU determined to be not operating normally.
  • the software can be executed in an initialized state or with a predetermined standard setting (initial parameters), and the software can be executed with the standard setting or the like to replace the in-vehicle ECU determined to be not operating normally.
  • a management list for identifying replaceable on-board ECUs among a plurality of on-board ECUs mounted on the vehicle is stored in a storage area accessible to the control unit, and the control unit identifies the replaceable on-board ECU by referring to the management list.
  • a management list for identifying a replaceable on-board ECU among a plurality of on-board ECUs mounted on a vehicle is stored in a storage area accessible by the control unit of the redundant system ECU, such as the storage unit of the redundant system ECU.
  • the management list includes information on the on-board ECUs that can be replaced by the redundant system ECU, i.e., the functions (services) performed by the on-board ECUs.
  • the management list may be defined by associating the ECU names (ECU-IDs) of the plurality of on-board ECUs mounted on a vehicle with the names of the functions (services) performed by each of the on-board ECUs.
  • the storage unit of the redundant system ECU stores the names of one or more functions (services) that can be replaced by the control unit of the redundant system ECU, and the control unit of the redundant system ECU may identify a replaceable on-board ECU based on the identity or compatibility of the functions (services) by comparing the names of the functions (services) performed by each of the on-board ECUs included in the management list with the names of the functions (services) that can be replaced by the redundant system ECU (itself).
  • The control unit requests the multiple vehicle ECUs to transmit information related to the services provided by the multiple vehicle ECUs, and generates or updates the management list based on the information related to the services received from each of the multiple vehicle ECUs.
  • the control unit of the redundant system ECU requests all in-vehicle ECUs connected to the in-vehicle network to transmit information related to the services provided by the in-vehicle ECUs.
  • the control unit of the redundant system ECU may request the spare ECU, etc. to transmit information related to the services.
  • the control unit of the redundant system ECU acquires (receives) information transmitted by the in-vehicle ECU in response to the request (the name of the service or function provided by the in-vehicle ECU), and generates a management list based on each piece of received information.
  • the control unit of the redundant system ECU may periodically, regularly, or constantly request the transmission of information related to services and receive the information from each of the vehicle-mounted ECUs even after generating the management list.
  • the control unit of the redundant system ECU updates the management list based on subsequently received information (the name of the service or function performed by the vehicle-mounted ECU).
  • the control unit of the redundant system ECU may delete the removed in-vehicle ECU from the management list.
  • the control unit of the redundant system ECU requests the transmission of information related to the services performed by the in-vehicle ECUs to the multiple in-vehicle ECUs connected to the in-vehicle network at a predetermined timing, such as when the spare ECU is connected to the in-vehicle network or when the IG switch is turned off and the vehicle transitions to a stopped state, or periodically.
  • the control unit of the redundant ECU generates or updates the management list based on information sent (returned) from the vehicle-mounted ECU (the name of the service or function performed by the vehicle-mounted ECU), and can constantly keep the management list up to date.
  • the control unit of the redundant ECU can efficiently identify vehicle-mounted ECUs that the redundant ECU (itself) can replace, that is, identify (pre-identify) the vehicle-mounted ECU before it fails (is determined not to be operating normally).
  • the vehicle is equipped with an on-board device having a communication function with the outside of the vehicle, and the control unit acquires software via the on-board device to replace an on-board ECU that is determined to be malfunctioning.
  • the vehicle is equipped with an on-board device having a communication function with the outside of the vehicle
  • the on-board device is an integrated ECU that is configured with a central control device such as a vehicle computer and performs overall control of the vehicle C.
  • the integrated ECU (on-board device) is communicatively connected to an external server, such as an OTA (Over The Air) server located outside the vehicle, for example, via an external communication device having a wireless function.
  • the control unit of the redundant system ECU can obtain the latest version of software from an external server, such as an OTA (Over The Air) server, via the integrated ECU (on-board device) to obtain software for replacing an on-board ECU that has been determined to be malfunctioning.
  • By obtaining (downloading) software from an external server via the integrated ECU (on-board device) in this way, the redundant system ECU does not need to hold (store) the software of the on-board ECU in advance when replacing one of the on-board ECUs, and this makes it possible to prevent the storage area of the redundant system ECU from becoming congested.
  • the vehicle-mounted device has a relay function for communication between the multiple vehicle-mounted ECUs, and the control unit transmits a preparation completion notification to the vehicle-mounted device indicating that preparations for replacing an in-vehicle ECU determined to be malfunctioning are complete, and by transmitting the preparation completion notification to the vehicle-mounted device, causes the vehicle-mounted device to change the relay table used when executing the relay function.
  • the integrated ECU has multiple in-vehicle communication units and relays communication data transmitted and received by the vehicle ECUs connected to each of the multiple in-vehicle communication units.
  • the integrated ECU has a relay function when multiple vehicle ECUs communicate with each other, and also functions as an Ethernet switch or a CAN gateway, for example.
  • a relay table used (referenced) for relay processing is stored in the memory unit of the integrated ECU (vehicle device).
  • When the control unit of the redundant ECU is ready to replace the vehicle ECU determined to be malfunctioning, it transmits a preparation completion notification (function handover completion) indicating that the preparation is complete to the integrated ECU (vehicle device).
  • the preparation completion notification includes, for example, an ECU name (ECU-ID) that identifies the vehicle ECU to be replaced (the vehicle ECU determined to be malfunctioning) and an ECU name (ECU-ID) of the redundant ECU that replaces the vehicle ECU to be replaced.
  • the integrated ECU receives a preparation completion notification (function takeover completion) transmitted from the redundant ECU, and changes (updates) the relay table in response to the received preparation completion notification (function takeover completion).
  • The relay table of the integrated ECU (vehicle-mounted device) having a relay function is changed (updated), so that communication data to be transmitted to the in-vehicle ECU to be substituted can be transmitted (relayed) to the redundant ECU. That is, by changing the transmission destination of communication data that is originally transmitted to the in-vehicle ECU to be substituted (the in-vehicle ECU determined not to be operating normally) to the redundant ECU, the redundant ECU can receive communication data necessary for executing substitution processing.
  • The control unit of the redundant ECU transmits a preparation completion notification (function takeover completion) to the integrated ECU (vehicle-mounted device) as a trigger for executing processing to change (update) the relay table, so that the timing of the change of the relay table by the integrated ECU (vehicle-mounted device) can be controlled. This ensures that changes to the relay table by the integrated ECU (on-board device) are made only after preparations for substitution by the redundant ECU (such as software installation) have been completed.
  • the control unit transmits a request notification to the in-vehicle device indicating a request to acquire software to replace an in-vehicle ECU determined to be malfunctioning, and by transmitting the request notification to the in-vehicle device, causes the in-vehicle device to accumulate communication data to the in-vehicle ECU to be replaced that is received between the request notification and the preparation completion notification, and transmits the communication data to the redundant ECU after the preparation completion notification is received.
  • the control unit of the redundant system ECU transmits a request notification to the integrated ECU (on-board device) indicating a request to acquire software to replace the on-board ECU determined to be malfunctioning.
  • the request notification corresponds to, for example, a fault notification regarding the on-board ECU determined to be malfunctioning, and is a notification requesting the acquisition of an ECU name (ECU-ID) that uniquely identifies the on-board ECU, and software to replace the on-board ECU.
  • the request notification may include the ECU name (ECU-ID) of the on-board ECU determined to be malfunctioning, and the name of the software to replace the on-board ECU (the software that the on-board ECU was executing).
  • the integrated ECU acquires (downloads) the software to be replaced from an external server, such as an OTA (Over The Air) server located outside the vehicle, via an external communication device.
  • the integrated ECU transmits the software acquired from the external server to the redundant system ECU.
  • the integrated ECU stores and holds communication data sent to the vehicle-mounted ECU determined not to be operating normally, without relaying it, during the period from when the integrated ECU (vehicle-mounted device) receives a request notification from the redundant ECU to when the integrated ECU (vehicle-mounted device) receives a preparation completion notification from the redundant ECU.
  • After receiving the preparation completion notification from the redundant ECU, the integrated ECU (vehicle-mounted device) relays the communication data it has held to the redundant ECU based on the changed relay table. From the time when the redundant ECU determines that the vehicle-mounted ECU to be replaced is not operating normally (the time when the request notification is sent) to the time when the redundant ECU completes preparation for replacement (the time when the preparation completion notification is sent), the function (service) of the vehicle-mounted ECU to be replaced is not normally executed (provided).
  • The integrated ECU (vehicle-mounted device) stores and holds in its memory, without relaying it, communication data addressed to the vehicle-mounted ECU to be replaced that is received during this period (the period from when the request notification is received to when the preparation completion notification is received). Then, after receiving the preparation completion notification from the redundant ECU, the integrated ECU (vehicle device) relays the communication data it has been holding to the redundant ECU, which has completed preparation for substitution and has begun substitution processing. This avoids leaving communication data unprocessed and enables the function (service) previously performed by the vehicle ECU to be substituted to be continued.
  • The integrated ECU may cut off the power supply to the vehicle ECU identified by the ECU name (ECU-ID) included in the request notification, i.e., the vehicle ECU that has been determined not to be operating normally.
  • The integrated ECU may be a PLB (Power LAN Box) that has a power distribution function for distributing power from a power supply device in addition to the relay function.
  • the integrated ECU turns off the power of the vehicle ECU that has been determined not to be operating normally, triggered by the request notification from the redundant ECU, thereby preventing the vehicle ECU from adversely affecting the vehicle network.
  • a program causes a computer communicatively connected to a plurality of vehicle ECUs to acquire status data relating to the status of the vehicle ECUs from the vehicle ECUs, and if it is determined based on the acquired status data that the vehicle ECU is not operating normally, to acquire software for replacing the vehicle ECU determined to be not operating normally, and to execute the acquired software to perform a process of replacing the vehicle ECU determined to be not operating normally.
  • a program can be provided that causes a computer to function as a redundant ECU that efficiently performs processing to replace an on-board ECU installed in a vehicle when the on-board ECU no longer operates normally.
  • An information processing method causes a computer communicatively connected to a plurality of vehicle ECUs to acquire status data relating to the status of the vehicle ECUs from the vehicle ECUs, and if it is determined based on the acquired status data that the vehicle ECU is not operating normally, acquire software for replacing the vehicle ECU determined to be not operating normally, and execute the acquired software to perform a process of replacing the vehicle ECU determined to be not operating normally.
  • Fig. 1 is a schematic diagram illustrating a system configuration of an in-vehicle system S according to the first embodiment.
  • Fig. 2 is a block diagram illustrating an internal configuration of a redundant ECU 32.
  • the in-vehicle system S is configured with an integrated ECU 2 (in-vehicle device) and a redundant ECU 32 mounted on a vehicle C as main devices, and the redundant ECU 32 is connected to a plurality of in-vehicle ECUs 3 including a spare ECU 31 via an in-vehicle network 4 so as to be able to communicate with each other.
  • the integrated ECU 2 (on-board device) includes a control unit, a storage unit, and an in-vehicle communication unit, similar to the redundant ECU 32 described below, and is configured with a central control unit such as a vehicle computer, and performs overall control of the vehicle C.
  • the integrated ECU 2 may have a relay function and may relay messages transmitted and received by each of the on-board ECUs 3.
  • A relay device such as a CAN gateway or an Ethernet switch may be connected under the integrated ECU 2, and the relay device may relay messages transmitted and received by each of the on-board ECUs 3.
  • the integrated ECU 2 is connected via the exterior communication device 1 so as to be able to communicate with an external server S1, such as an OTA (Over The Air) server connected to an exterior network such as the Internet.
  • the exterior communication device 1 includes an exterior communication unit and an input/output I/F (interface) for communicating with the integrated ECU 2.
  • The exterior communication unit is a communication device for wireless communication using a mobile communication protocol such as LTE, 4G, 5G, or Wi-Fi, and transmits and receives data to and from the external server S1 via an antenna 11 connected to the exterior communication unit.
  • the communication between the exterior communication device 1 and the external server S1 is performed via an external network such as a public line network or the Internet.
  • the on-board ECU 3 includes the on-board ECU 3 that is mounted during the production stage of the vehicle C (installed at the time of shipment), as well as a spare ECU 31 that is retrofitted (installed after the production and shipment of the vehicle C) when adding a new service or function to the vehicle C.
  • the spare ECU 31 may include a spare ECU 31 (redundant system ECU 32) that is a redundant spare and has the function of substituting for another on-board ECU 3 (spare ECU 31).
  • the on-board ECU 3 that is installed at the time of shipment includes an on-board ECU 3 (sensor/actuator control ECU) to which a sensor 301 or actuator 302 is directly connected via a signal line or the like, and an on-board ECU 3 that does not have such a sensor 301 etc. directly connected and outputs calculation results etc. obtained by processing information based on messages etc. obtained from the sensor/actuator control ECU.
  • the spare ECU 31 that is additionally connected (newly installed) may include a redundant system ECU 32 (substitute ECU) that has the function of substituting (replacing) the other in-vehicle ECU 3 by executing the same software as the other in-vehicle ECU 3.
  • With the redundant system ECU 32, even if the added spare ECU 31 or the in-vehicle ECU 3 installed at the time of shipment no longer operates normally, it is possible to substitute for the in-vehicle ECU 3 and continue or resume the provision of the services etc. that were provided by the in-vehicle ECU 3.
  • the redundant system ECU 32 includes a control unit 321, a storage unit 322, and an in-vehicle communication unit 323, and may be configured as a redundant system spare ECU 31 having a function of substituting for another on-vehicle ECU 3 (spare ECU 31) among the spare ECUs 31 that are retrofitted (installed after production and shipping of the vehicle C).
  • the redundant system ECU 32 requests the multiple on-vehicle ECUs 3 connected to the on-vehicle network 4 to transmit information related to the services performed by these on-vehicle ECUs, and by acquiring the information, generates and updates a management list including information that associates the on-vehicle ECUs with the names of the services or functions performed by the on-vehicle ECUs. Furthermore, the redundant system ECU 32 performs processing related to the status management of the on-vehicle ECUs 3 by acquiring and aggregating status data periodically transmitted from the multiple on-vehicle ECUs 3 connected to the on-vehicle network 4.
  • the control unit 321 is configured with a CPU (Central Processing Unit) or MPU (Micro Processing Unit), and performs various control processes and arithmetic processes by reading and executing a program P (program product) and data pre-stored in the memory unit 322.
  • the control unit 321 is not limited to only a software processing unit that performs software processing such as a CPU, but may also include a hardware processing unit that performs various control processes and arithmetic processes by hardware processing such as an FPGA, ASIC, or SOC.
  • the storage unit 322 is composed of a volatile memory element such as a RAM (Random Access Memory) or a non-volatile memory element such as a ROM (Read Only Memory), an EEPROM (Electrically Erasable Programmable ROM) or a flash memory, and stores in advance a program P (program product) and data to be referenced during processing.
  • the program P (program product) stored in the storage unit 322 may be a program P (program product) read from a recording medium M readable by the redundant ECU 32.
  • the program P (program product) may be downloaded from an external computer (not shown) connected to a communication network (not shown) and stored in the storage unit 322.
  • the storage unit 322 may further store a management list. Details of the management list will be described later.
  • the in-vehicle communication unit 323 is an input/output interface (CAN transceiver, Ethernet PHY) using a communication protocol such as CAN (Controller Area Network), CAN-FD, or Ethernet (registered trademark).
  • a communication line 41 such as a CAN bus or an Ethernet cable is connected to the in-vehicle communication unit 323 in accordance with the communication protocol.
  • the control unit 321 communicates with the in-vehicle ECUs 3 such as the spare ECU 31 connected to the in-vehicle network 4 and the integrated ECU 2 via the in-vehicle communication unit 323.
  • the on-board ECUs 3, such as the spare ECU 31, include a control unit, a storage unit, and an in-vehicle communication unit, similar to the redundant ECU 32. These on-board ECUs 3 and the integrated ECU 2 are connected by a power line, and the on-board ECU 3 may obtain (receive) power distributed from the integrated ECU 2.
  • FIG. 3 is an explanatory diagram illustrating an example of a management list.
  • the memory unit 322 of the redundant ECU 32 stores ECU management information, which consolidates information about the vehicle ECUs 3 based on information about services acquired from the spare ECU 31 and the sensor/actuator control ECU, and status data, for example in table or list format (management list).
  • the management list (ECU management information) includes management items (fields), such as ECU name (ECU-ID), function (service), type, status, and whether or not replacement is possible.
  • the management item for ECU name stores, for example, the ECU number, ECU name, and an identification number (ECU-ID) that uniquely identifies the vehicle ECU 3.
  • the function management item stores the name (function name) of a function or service that is realized or assumed by the in-vehicle ECU 3 (ECU name) stored in the same record by executing software.
  • the redundant system ECU 32 can identify other in-vehicle ECUs 3 that the redundant system ECU 32 can replace (in-vehicle ECUs 3 to be replaced) based on the function name.
  • the type management item stores the type of the in-vehicle ECU 3 (ECU name) stored in the same record.
  • the type includes, for example, spare, redundant spare, sensor connection, actuator connection, and installation.
  • the on-board ECU 3 of the spare type indicates a spare ECU 31, and is an on-board ECU 3 that can be retrofitted (installed after the production and shipment of the vehicle C) when, for example, adding a new service or function to the vehicle C.
  • the on-board ECU 3 of the redundant spare type indicates a redundant ECU 32, and is an on-board ECU 3 that can be substituted for another on-board ECU 3 among the spare ECUs 31 that can be retrofitted.
  • An on-board ECU 3 of the sensor connection type is an on-board ECU 3 to which a sensor 301 such as a LiDAR, infrared sensor, or CMOS camera is directly connected via a signal line or the like.
  • An on-board ECU 3 of the actuator connection type is an on-board ECU 3 to which an actuator 302 such as a switch, lamp, or drive motor is directly connected via a signal line or the like.
  • An on-board ECU 3 of the installed type is an on-board ECU 3 that is installed in vehicle C during the production stage of vehicle C (installed at the time of shipment).
  • the status management item stores the operating status of the in-vehicle ECU 3 (ECU name) stored in the same record.
  • the operating status includes, for example, In Operation, which indicates normal operation, Out of Order, which indicates abnormal operation, In Redundant Operation, which indicates replacement processing (redundant ECU 32 is replacing), and Standby, which indicates a sleep state, etc.
  • the replacement possibility management item stores a value (yes, no) or flag indicating whether the redundant ECU 32 can replace the on-board ECU 3 (ECU name) stored in the same record.
  • the memory unit 322 of the redundant ECU 32 stores the names of one or more functions (services) that can be replaced by the control unit 321 of the redundant ECU 32. An on-board ECU 3 (ECU name) that performs the same function (service) as one of these stored functions (services) is an on-board ECU 3 that can be replaced.
  • the control unit 321 of the redundant system ECU 32 requests all in-vehicle ECUs 3 connected to the in-vehicle network 4 to send information related to the services provided by the in-vehicle ECUs 3.
  • the control unit 321 of the redundant system ECU 32 acquires (receives) the information (the names of the services or functions provided by the in-vehicle ECUs 3) sent by the in-vehicle ECUs 3 in response to the request, generates a management list based on each piece of received information, and subsequently updates the management list to the latest state as appropriate. This makes it possible to manage the association between the in-vehicle ECUs 3 and the functions (services) provided by the in-vehicle ECUs 3.
  • the control unit 321 of the redundant system ECU 32 periodically performs polling communication (status inquiry) with all on-board ECUs 3, and updates the contents of the status management items included in the management list based on the status data acquired from these on-board ECUs 3.
  • the status data includes the operating status of the on-board ECU 3 that is the sender of the status data, and the operational settings, which are the setting information of the software being executed. Therefore, the control unit 321 of the redundant system ECU 32 can grasp the current operating status and operational settings (software setting information) of each on-board ECU 3, using the transmission cycle (reception cycle) of the status data as the processing unit time.
  • FIG. 4 is an explanatory diagram illustrating an example of a relay table used by the integrated ECU 2.
  • The integrated ECU 2 (vehicle-mounted device), which functions as a relay device, performs relay processing of messages transmitted and received between multiple vehicle-mounted ECUs 3 by referring to the relay table stored in the memory unit of the integrated ECU 2.
  • the relay table includes, as management items (fields), for example, a message ID and a relay destination ECU.
  • the message ID management item stores an identifier indicating the type of communication data to be relayed, such as a message, frame, or packet. For example, if the communication protocol is CAN or CAN-FD, the message ID may store a CAN-ID. If the communication protocol is TCP/IP, the message ID may store a TCP port number or a UDP port number.
  • the destination ECU management item stores the ECU name of the in-vehicle ECU 3 that is the destination for relaying communication data (messages, etc.) of the message ID stored in the same record.
  • When the redundant ECU 32 starts replacement processing (when the integrated ECU 2 receives a notification of completion of preparation from the redundant ECU 32), the integrated ECU 2 changes the relay table according to the redundant ECU 32. This makes it possible to reliably relay messages and the like required to execute a service or function to the redundant ECU 32 in place of the in-vehicle ECU 3 (the in-vehicle ECU 3 to be replaced) that has been determined to be not operating normally (has an abnormality).
  • FIG. 5 is an explanatory diagram illustrating the process flow (sequence) of the redundant ECU 32 and the integrated ECU 2.
  • the integrated ECU 2 (on-board device), the spare ECU 31, the redundant ECU 32, and the sensor/actuator control ECU included in the on-board system S are communicatively connected via the on-board network 4, and perform the following processes in association with each other.
  • the redundant system ECU 32 requests the multiple on-board ECUs 3 to transmit information related to the services provided by the on-board ECUs 3 (S01). For example, when the redundant system ECU 32 (itself) is connected to the on-board network 4, or when the IG switch of the vehicle C is turned off or on, the redundant system ECU 32 requests all on-board ECUs 3 connected to the on-board network 4 to transmit information related to the services provided by the on-board ECUs 3.
  • the redundant system ECU 32 generates a management list based on the information about the services received from each of the vehicle ECUs 3 (S03).
  • the information about the services received from each of the vehicle ECUs 3 includes an ECU name (ECU-ID) that uniquely identifies the vehicle ECU 3 that is the source of the information, and the name of the service or function that the vehicle ECU 3 performs, in association with each other.
  • When the redundant system ECU 32 (itself) is connected to the in-vehicle network 4, the redundant system ECU 32 generates a management list based on information about services received from each of the in-vehicle ECUs 3, and stores the management list in the memory unit 322 of the redundant system ECU 32. Even after generating the management list, the redundant system ECU 32 periodically or constantly requests the multiple in-vehicle ECUs 3 to send information about services, and updates the management list based on the information about services sent (returned) from each of the in-vehicle ECUs 3 in response to the request.
  • the memory unit 322 of the redundant system ECU 32 stores the names of one or more functions (services) that can be substituted by the control unit 321 of the redundant system ECU 32. Substitutability in the redundant system ECU 32 is determined based on product specifications including, for example, the hardware configuration of the redundant system ECU 32 and the installed OS or class library. Functions (services) corresponding to the names or types of executable software are stored (defined) in the memory unit 322 as substitutable functions (services).
  • the control unit 321 of the redundant system ECU 32 compares the names of the functions (services) performed by each of the on-board ECUs 3 included in the management list with the names of the functions (services) that the redundant system ECU 32 (itself) can replace, thereby identifying the on-board ECU 3 that can be replaced based on the identity or compatibility of the functions (services).
  • the control unit 321 of the redundant system ECU 32 may store (define) yes (replaceable) or no (not replaceable) in the replacement possibility management item of the management list based on the identification result of the on-board ECU 3 that can be replaced.
  • the redundant system ECU 32 detects the newly connected spare ECU 31 (S04).
  • the redundant system ECU 32 updates the management list in response to the detection of the newly connected or disconnected spare ECU 31 (S05).
  • the redundant system ECU 32 can recognize that the spare ECU 31 has been newly connected to the in-vehicle network 4, for example, by acquiring status data from the newly installed spare ECU 31.
  • When a new service or function is added to the vehicle C, it is assumed that the spare ECU 31 will be retrofitted (installed after the production and shipment of the vehicle C).
  • the redundant system ECU 32 can timely recognize that the spare ECU 31 has been newly installed.
  • the redundant system ECU 32 also requests the newly installed standby ECU 31 to send information about the service, and updates the management list based on the information about the service sent (returned) from the newly installed standby ECU 31 in response to the request.
  • the redundant system ECU 32 performs polling communication (status inquiry) with the spare ECU 31 (spare ECU1) and acquires status data (normal response, operation setting) related to the status of the spare ECU 31 (spare ECU1) (S06).
  • a plurality of on-board ECUs 3 including the integrated ECU 2, spare ECU 31, and redundant system ECU 32 are connected to the on-board network 4, and the redundant system ECU 32 continuously performs status inquiries with the on-board ECUs 3 by polling communication with the plurality of on-board ECUs 3.
  • the redundant ECU 32 can recognize whether the on-board ECU 3 is operating or stopped (removed from the on-board network 4) based on whether or not it has acquired status data transmitted periodically from the multiple on-board ECUs 3.
  • the status data output (transmitted) from the on-board ECU 3 includes information indicating whether the on-board ECU 3 is operating normally (operating normally) and information indicating that the on-board ECU 3 is not operating normally and is in an abnormal state (operating abnormally). Therefore, the spare ECU 31 can determine the operating state of the on-board ECU 3, i.e., whether or not it is operating normally (operating abnormally), based on the status data acquired from the on-board ECU 3.
  • the redundant system ECU 32 stores the status data acquired from the on-board ECU 3 in the storage unit 322 of the redundant system ECU 32.
  • the redundant system ECU 32 may update the management information (management list) of the on-board ECU 3 to the latest state by storing the operating status (normal or abnormal) and operation settings of the on-board ECU 3 contained in the status data acquired from the on-board ECU 3 in a management list.
  • the operational settings of the on-board ECU 3 correspond to various setting information (information related to the operational settings) of the software when the on-board ECU 3 executes the software to provide a service, etc.
  • the various setting information of the software may include, for example, user information related to the driver driving the vehicle C, and may further include setting information associated with each piece of user information (setting information for each driver).
  • the operational settings of the on-board ECU 3 may include history information such as the operations performed by the driver (current user) currently driving the vehicle C when using a service, etc.
  • the redundant system ECU 32 determines that the spare ECU 31 (spare ECU1) is abnormal based on whether or not status data has been acquired, or on the acquired abnormal response (S07). As described above, the redundant system ECU 32 performs polling communication (status inquiry) on all in-vehicle ECUs 3 connected to the in-vehicle network 4, and for example, acquires the latest operational settings of the spare ECU 31 (spare ECU1). If a problem occurs in the spare ECU 31 (spare ECU1), the redundant system ECU 32 determines that the spare ECU 31 (spare ECU1) is abnormal based on the presence or absence of status data from the spare ECU 31 (spare ECU1) or the contents of the status data.
  • If status data cannot be acquired from the spare ECU 31 (spare ECU1), the redundant system ECU 32 may determine that the spare ECU 31 (spare ECU1) has failed or has been removed from the in-vehicle network 4 and is not operating normally. If the status data received from the spare ECU 31 (spare ECU1) indicates an abnormal response, the redundant system ECU 32 may determine that the spare ECU 31 (spare ECU1) is not operating normally.
  • the redundant system ECU 32 transmits a request notification (fault notification) to the integrated ECU 2 requesting the acquisition of software (S08).
  • the redundant system ECU 32 refers to the management list to identify the function (service) performed by the spare ECU 31 (spare ECU1) that has been determined not to be operating normally.
  • the redundant system ECU 32 refers to the management list to determine whether the identified function (service) is substitutable, and if so, transmits a request notification to the integrated ECU 2 requesting software to substitute for (execute) the function (service).
  • the request notification may include the name and version of the requested software.
  • the redundant system ECU 32 may transmit a fault notification to the integrated ECU 2 together with the request notification, indicating that it has been determined that the spare ECU 31 (spare ECU1) is not operating normally.
  • the request notification for requesting software may include the ECU name (ECU-ID) of the spare ECU 31 (spare ECU 1) that has been determined to be malfunctioning, so that the request notification may include a notification function as a fault notification.
  • In response to a request notification (fault notification) from the redundant system ECU 32, the integrated ECU 2 cuts off the power supply to the on-board ECU 3 determined to be malfunctioning and suspends (puts on hold) the relaying of communication data to the on-board ECU 3 (S09).
  • the integrated ECU 2 can recognize the ECU name (ECU-ID) of the spare ECU 31 (spare ECU1) determined to be malfunctioning (abnormal), and the name of the software to replace the spare ECU 31.
  • the integrated ECU 2 can recognize the ECU name (ECU-ID) of the redundant system ECU 32 that is the sender of the request notification (fault notification).
  • The integrated ECU 2, triggered by receiving a request notification (fault notification) from the redundant system ECU 32, cuts off the power supply to the spare ECU 31 (spare ECU1) that is determined to be not operating normally (abnormal).
  • the integrated ECU 2 is composed of a PLB (Power Lan Box) that has, in addition to a relay function, a power distribution function that distributes power from a power supply device, and has a relay that starts or cuts off the power supply to each of the multiple on-board ECUs 3 connected via power lines.
  • the integrated ECU 2 cuts off the power supply to the spare ECU 31 (spare ECU1) by turning off the relay connected to the spare ECU 31 (spare ECU1) that is determined to be not operating normally (abnormal).
  • The integrated ECU 2, when triggered by receiving a request notification (fault notification) from the redundant ECU 32, temporarily suspends (puts on hold) relaying communication data whose destination is the spare ECU 31 (spare ECU1) that has been determined to be not operating normally (abnormal), and stores and holds the communication data in the memory unit of the integrated ECU 2.
  • the integrated ECU 2 acquires software for replacing the spare ECU 31 (spare ECU1) determined to be abnormal from the external server S1 (S10).
  • the integrated ECU 2 acquires software for replacing the spare ECU 31 (spare ECU1) determined to be abnormal from the external server S1 functioning as an OTA server, for example.
  • the integrated ECU 2 may acquire (download) the software from the external server S1 by transmitting a request signal including the name of the software to the external server S1.
  • the integrated ECU 2 outputs the software to the redundant system ECU 32 (redundant system standby ECU 3) (S11).
  • the integrated ECU 2 outputs the software acquired (downloaded) from the external server S1 to the redundant system ECU 32 (redundant system standby ECU 3).
  • the redundant system ECU 32 installs the software acquired from the integrated ECU 2 and applies the operational settings (S12).
  • the redundant system ECU 32 installs the software acquired from the integrated ECU 2. Furthermore, based on the status data last acquired from the spare ECU 31 (spare ECU1) that was determined to be not operating normally (abnormal), the redundant system ECU 32 applies the operational settings (software setting information) included in the status data. By using such operational settings (software setting information) included in the status data, it is possible to continue providing services or functions by inheriting the operational settings immediately before the spare ECU 31 (spare ECU1) was determined to be not operating normally.
  • the redundant system ECU 32 uses the software and the setting information to perform a self-diagnosis process to check whether the software operates normally (S13).
  • the redundant system ECU 32 generates an emulation environment for performing the self-diagnosis process, for example by executing emulation software, and determines whether the software to which the setting information has been applied operates in the emulation environment.
  • the redundant system ECU 32 transmits a preparation completion notification (function handover completion) to the integrated ECU 2 indicating that preparation for substitution is complete (S14). If the result of the self-diagnosis process is positive (determination result that the system will operate normally), the redundant system ECU 32 transmits a preparation completion notification (function handover completion) to the integrated ECU 2 indicating that preparation for substitution is complete, and notifies the integrated ECU 2 that the handover of the function (service) of the spare ECU 31 (spare ECU1) to be substituted is complete. If the result of the self-diagnosis process is negative (determination result that the system will not operate normally), the redundant system ECU 32 may interrupt the series of processes related to the substitution process.
  • the integrated ECU 2 changes (updates) the relay table (S15).
  • the integrated ECU 2 changes (updates) the relay table stored in the storage unit of the integrated ECU 2 when triggered by receiving a preparation completion notification (function takeover completion) from the redundant system ECU 32.
  • the integrated ECU 2 updates (changes) the relay table in accordance with the redundant system ECU 32 (redundant system standby ECU 3).
  • the integrated ECU 2 uses the relay table to relay messages (frames) transmitted and received between the on-board ECUs 3. For example, the integrated ECU 2 updates the relay table to change the relay destination for a specific message (frame) from the spare ECU 31 (spare ECU 1), which has been determined to be malfunctioning, to the redundant system ECU 32 (redundant system spare ECU 3). This causes messages (frames) required for the redundant system ECU 32 (redundant system spare ECU 3) to execute software to be relayed from the on-board ECU 3 that sent them via the integrated ECU 2.
  • the integrated ECU 2 transmits (resumes relaying) the communication data for which relaying has been stopped (put on hold) to the redundant system ECU 32 (S16). After changing (updating) the relay table, the integrated ECU 2 transmits (resumes relaying) the communication data for which relaying has been stopped (put on hold) to the redundant system ECU 32. During the period from when the integrated ECU 2 receives the request notification from the redundant system ECU 32 until when it receives the preparation completion notification, the integrated ECU 2 stores and holds the communication data sent to the on-board ECU 3 determined not to be operating normally in the memory unit of the integrated ECU 2 without relaying it.
  • the integrated ECU 2 receives a preparation completion notification from the redundant system ECU 32, changes (updates) the relay table, and then relays (sends) the communication data that it has held (suspended relaying) to the redundant system ECU 32 using the changed (updated) relay table. Thereafter, the integrated ECU 2 continues relaying all communication data by using the changed (updated) relay table, and as a result, communication data sent to the on-board ECU 3 that has been determined to be malfunctioning is also relayed to the redundant system ECU 32, which performs alternative processing.
  • the redundant system ECU 32 starts a process (alternative process) to substitute for the standby ECU 31 (standby ECU1) determined to be abnormal (S17).
  • the redundant system ECU 32 receives communication data transmitted (relayed) from the integrated ECU 2, etc., and starts (executes) the alternative process based on the communication data. This allows the function (service) performed by the vehicle ECU 3 determined to be malfunctioning (the vehicle ECU 3 to be substituted) to be continued. This ensures the availability of the vehicle system S including the standby ECU 31 and redundant system ECU 32.
  • the redundant system ECU 32 may update the management list to the latest state by storing in the management list information indicating that the redundant system ECU 32 (standby ECU3) is performing the alternative process and that the standby ECU 31 (standby ECU1) determined to be malfunctioning is malfunctioning.
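The integrated ECU 2 side of steps S09, S15 and S16, as an added example that is not part of the patent text: a relay table keyed by message ID, frames held while the handover is prepared, and the table rewritten and the held frames flushed on the preparation completion notification. The class and method names, the ECU name "body ECU", the bound on the hold buffer, and the rule that only the known redundant ECU may trigger a handover are assumptions made for this sketch.

```python
from collections import deque


class IntegratedEcu:
    """Relay side of the handover (hypothetical model, not the patent's code)."""

    HOLD_LIMIT = 64  # assumed bound so held frames cannot exhaust memory

    def __init__(self, relay_table, redundant_id):
        self.relay = dict(relay_table)      # message ID -> relay destination ECU
        self.redundant_id = redundant_id    # ECU-ID accepted as notification sender
        self.power = {ecu: True for ecu in set(relay_table.values())}
        self.pending = {}                   # faulty ECU -> deque of held frames
        self.delivered = []                 # (destination, message ID, payload)
        self.dropped = 0

    def on_request(self, sender, faulty):
        """S09: request (fault) notification -> cut power, start holding frames."""
        if sender != self.redundant_id or faulty not in self.power:
            return False                    # ignore unknown sender or unknown ECU
        self.power[faulty] = False          # turn off the relay feeding that ECU
        self.pending.setdefault(faulty, deque())
        return True

    def relay_frame(self, msg_id, payload):
        dest = self.relay.get(msg_id)
        if dest is None:
            return "no-route"
        if dest in self.pending:            # destination is being replaced: hold
            queue = self.pending[dest]
            if len(queue) >= self.HOLD_LIMIT:
                queue.popleft()             # drop the oldest held frame
                self.dropped += 1
            queue.append((msg_id, payload))
            return "held"
        self.delivered.append((dest, msg_id, payload))
        return "relayed"

    def on_ready(self, sender, faulty):
        """S15/S16: preparation completion -> rewrite table, flush held frames."""
        if sender != self.redundant_id or faulty not in self.pending:
            return 0
        for msg_id, dest in self.relay.items():
            if dest == faulty:
                self.relay[msg_id] = sender
        held = self.pending.pop(faulty)
        for msg_id, payload in held:
            self.delivered.append((sender, msg_id, payload))
        return len(held)


def demo():
    # Constructed relay table: two message IDs, two destinations.
    gw = IntegratedEcu({0x120: "spare ECU1", 0x300: "body ECU"},
                       redundant_id="spare ECU3")
    log = [gw.relay_frame(0x120, b"a")]
    log.append(gw.on_request("body ECU", "spare ECU1"))    # wrong sender
    log.append(gw.on_request("spare ECU3", "spare ECU1"))  # accepted
    log.append(gw.relay_frame(0x120, b"b"))                # held
    log.append(gw.relay_frame(0x300, b"c"))                # unaffected route
    log.append(gw.on_ready("spare ECU3", "spare ECU1"))    # flushes one frame
    log.append(gw.relay_frame(0x120, b"d"))                # now goes to ECU3
    return gw, log
```
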
  • FIG. 6 is a flowchart illustrating the processing of the control unit 321 of the redundant system ECU 32.
  • the control unit 321 of the redundant system ECU 32 steadily performs the following processing, for example, when the vehicle C is stopped (power switch or IG switch is off) or started (power switch or IG switch is on).
  • the control unit 321 of the redundant system ECU 32 periodically, regularly, or steadily performs polling communication with the on-board ECUs 3 including the spare ECU 31 and redundant system ECU 32 via the on-board network 4, and continues to acquire status data from these on-board ECUs 3. This allows the control unit 321 of the redundant system ECU 32 to recognize the spare ECU 31 that has been newly connected (installed) to the on-board network 4, and to recognize the on-board ECUs 3 (including the spare ECU 31) that have been removed (disconnected) from the on-board network 4.
  • the control unit 321 of the redundant system ECU 32 continuously performs processing to change (update) the management list stored in the storage unit 322 in response to the recognition of the installation or removal of these on-board ECUs 3. Then, in response to the determination of the operating state of these on-board ECUs 3, the redundant system ECU 32 performs processing (substitution processing) to substitute for on-board ECUs 3 that are determined not to be operating normally.
  • the control unit 321 of the redundant system ECU 32 acquires status data from the on-board ECU 3 via the on-board network 4 (S101).
  • the control unit 321 of the redundant system ECU 32 acquires status data from all on-board ECUs 3 connected to the on-board network 4 periodically, regularly, or steadily via the on-board network 4.
  • the status data includes information regarding the operating state (normal or abnormal) and operational settings (setting information for the running software, etc.) of the on-board ECU 3 that is the sender.
  • the control unit 321 of the redundant system ECU 32 may update the contents of the status management items included in the management list stored in the memory unit 322 based on the acquired status data.
  • the control unit 321 of the redundant system ECU 32 may use the information stored in the management list updated in this manner to generate screen data showing the status of each of the on-board ECUs 3 connected to the on-board network 4, and output the screen data to an HMI (Human Machine Interface) device such as a display. This makes it possible to notify the operator of the vehicle C of information regarding the status of each of the on-board ECUs 3.
  • the control unit 321 of the redundant system ECU 32 determines whether any of the on-board ECUs 3 is abnormal (S102). Based on the acquired status data, the control unit 321 of the redundant system ECU 32 determines whether the on-board ECU 3 that is the sender of the status data is abnormal, i.e., whether it is operating normally. For example, by referring to a management list, the control unit 321 of the redundant system ECU 32 determines the operating status of the on-board ECUs 3 of all ECU names included in the management list.
  • the control unit 321 of the redundant system ECU 32 determines that the on-board ECU 3 is abnormal, for example, when the status data cannot be acquired for a period exceeding the transmission period, when the acquired status data contains an abnormality code indicating an abnormality in the on-board ECU 3 that is the sender, or when the acquired status data is determined to be fraudulent data, for example, due to spoofing. Cases when the on-board ECU 3 is not operating normally (is abnormal) include, for example, when the on-board ECU 3 is broken or when the on-board ECU 3 is removed from the vehicle C.
  • If none of the on-board ECUs 3 is determined to be abnormal, the control unit 321 of the redundant system ECU 32 performs loop processing by executing S101 again. As a result, the control unit 321 of the redundant system ECU 32 continues the process of acquiring status data from all on-board ECUs 3 connected to the on-board network 4. Since the status data includes information regarding the current operational settings and processing load of each on-board ECU 3 (at the time the status data is transmitted), the control unit 321 of the redundant system ECU 32 can acquire the latest operational settings and processing load of each on-board ECU 3. The control unit 321 of the redundant system ECU 32 stores these acquired operational settings in the memory unit 322, for example by storing (updating) them in a management list.
  • the control unit 321 of the redundant system ECU 32 acquires software to replace the on-board ECU 3 determined to be abnormal (not operating normally) (S103).
  • the control unit 321 of the redundant system ECU 32 determines whether it is possible to replace the on-board ECU 3 determined to be abnormal (not operating normally), for example by referring to a management list. If it is possible to replace it, the control unit 321 of the redundant system ECU 32 identifies the function (service) performed by the on-board ECU 3, and transmits a request notification (fault notification) to the integrated ECU 2 requesting the acquisition of software to execute the function (service).
  • the request notification also serves as a fault notification, and may include the ECU name (ECU-ID) of the on-board ECU 3 determined to be not operating normally.
  • In response to a request notification (fault notification) from the redundant system ECU 32, the integrated ECU 2 acquires (downloads) from the external server S1 the functions performed or software executed by the on-board ECU 3 determined to be abnormal. The integrated ECU 2 outputs the acquired (downloaded) software to the redundant system ECU 32. Furthermore, the integrated ECU 2, triggered by receipt of a request notification (fault notification) from the redundant system ECU 32, cuts off the power supply to the on-board ECU 3 determined to be abnormal, suspends (puts on hold) the relaying of communication data to the on-board ECU 3, and stores and retains the communication data in the memory unit of the integrated ECU 2.
  • the control unit 321 of the redundant system ECU 32 installs the software acquired from the integrated ECU 2.
  • the redundant system ECU 32 further applies the operational settings (software setting information) included in the status data last acquired from the on-board ECU 3 that was determined to be not operating normally (abnormal).
  • the control unit 321 of the redundant system ECU 32 performs self-diagnosis processing using the acquired software and setting information to determine whether the alternative function operates normally (S104).
  • the control unit 321 of the redundant system ECU 32 determines whether the software to which the setting information is applied operates, for example, by executing emulation software. If it is determined that the alternative function does not operate normally (S104: NO), the control unit 321 of the redundant system ECU 32 stops executing the alternative processing (S1041).
  • the control unit 321 of the redundant system ECU 32 transmits a preparation completion notification to the integrated ECU 2 indicating that preparation for substitution is complete (S105). If the control unit 321 of the redundant system ECU 32 determines that the alternative function operates normally as a result of the self-diagnosis process, it transmits a preparation completion notification (function handover complete) to the integrated ECU 2 indicating that preparation for substitution is complete.
  • the integrated ECU 2 changes (updates) the relay table when it receives a notification of completion of preparation (completion of function takeover) from the redundant ECU 32. Furthermore, the integrated ECU 2 transmits (resumes relaying) the communication data for which relaying was stopped (put on hold). After that, the integrated ECU 2 performs relay processing for all communication data based on the changed relay table.
  • the control unit 321 of the redundant system ECU 32 starts the replacement process (S106).
  • the control unit 321 of the redundant system ECU 32 receives communication data transmitted (relayed) from the integrated ECU 2, etc., and starts (executes) the replacement process based on the communication data.
  • the control unit 321 of the redundant system ECU 32 installs software for replacing the on-board ECU 3 determined to be malfunctioning, and executes the software by applying the operation settings used by that on-board ECU 3. This allows the operation settings of the on-board ECU being replaced to be inherited, and the provision of the service or function to be continued (resumed).
  • the control unit 321 of the redundant system ECU 32 may update the management list to the latest state by storing (adding) in the management list information indicating that the on-board ECU 3 to be replaced is malfunctioning and that the redundant system ECU 32 (itself) is performing the replacement process.
  • the matters recited in the claims may be combined with each other regardless of the form of reference.
  • the claims may contain multiple dependent claims that depend on multiple claims. Multiple dependent claims that depend on multiple dependent claims may be contained. Even if a multiple dependent claim that depends on a multiple dependent claim is not contained, this does not limit the description of multiple dependent claims that depend on a multiple dependent claim.
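The handover in S101 to S106 above, modelled as an added Python example that is not part of the patent text: it shows the integrated ECU holding communication data from the fault notification until the preparation completion notification, then switching the relay table. Class and method names, the ECU-IDs, the `replaceable` field and the sample messages are constructed assumptions.

```python
class IntegratedECU:
    def __init__(self, relay_table):
        self.relay_table = dict(relay_table)  # service -> ECU-ID receiving its data
        self.held = {}                        # abnormal ECU-ID -> retained communication data
        self.delivered = []                   # (ECU-ID, data) pairs actually relayed

    def on_fault_notification(self, ecu_id):
        self.held[ecu_id] = []                # suspend relaying, retain data (power cut not modelled)
        return f"sw-for-{ecu_id}"             # constructed stand-in for the server S1 download

    def relay(self, service, data):
        dest = self.relay_table[service]
        if dest in self.held:
            self.held[dest].append(data)
        else:
            self.delivered.append((dest, data))

    def on_preparation_complete(self, failed_id, redundant_id):
        self.relay_table = {s: redundant_id if d == failed_id else d
                            for s, d in self.relay_table.items()}  # update relay table
        self.delivered += [(redundant_id, d) for d in self.held.pop(failed_id)]  # resume

class RedundantECU:
    def __init__(self, ecu_id, integrated):
        self.ecu_id, self.integrated = ecu_id, integrated
        self.management_list = {}             # ECU-ID -> last status data (S101)

    def begin_takeover(self, failed_id):      # S103
        entry = self.management_list.get(failed_id)
        if not entry or not entry["replaceable"]:
            return None
        return self.integrated.on_fault_notification(failed_id), entry["settings"]

    def finish_takeover(self, failed_id, diagnosis_ok):  # S104 to S106
        if not diagnosis_ok:
            return "stopped"                  # S1041; held data stays held in this model
        self.integrated.on_preparation_complete(failed_id, self.ecu_id)
        self.management_list[failed_id]["state"] = f"replaced by {self.ecu_id}"
        return "replacing"

def run_constructed_scenario(diagnosis_ok=True):
    hub = IntegratedECU({"door_lock": "ECU-A", "wiper": "ECU-B"})
    spare = RedundantECU("ECU-R", hub)
    spare.management_list["ECU-A"] = {"replaceable": True, "settings": {"mode": "auto"}}
    prepared = spare.begin_takeover("ECU-A")
    hub.relay("door_lock", "lock")            # arrives during the handover: held
    hub.relay("wiper", "on")                  # unaffected service keeps flowing
    state = spare.finish_takeover("ECU-A", diagnosis_ok)
    hub.relay("door_lock", "unlock")          # routed by whichever table is now in force
    return prepared, state, hub.delivered, hub.held
```

The text above does not say what happens to the retained data when self-diagnosis fails (S1041); in this model it simply remains held.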

PCT/JP2024/013877 2023-04-18 2024-04-04 Redundant system ECU, program, and information processing method Ceased WO2024219242A1 (ja)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202480025616.6A CN121014194A (zh) 2023-04-18 2024-04-04 Redundant system ECU, program, and information processing method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2023-067873 2023-04-18
JP2023067873A JP2024154179A (ja) 2023-04-18 2023-04-18 Redundant system ECU, program, and information processing method

Publications (1)

Publication Number Publication Date
WO2024219242A1 (ja) 2024-10-24

Family

ID=93152908

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2024/013877 Ceased WO2024219242A1 (ja) 2023-04-18 2024-04-04 Redundant system ECU, program, and information processing method

Country Status (3)

Country Publication
JP (1) JP2024154179A
CN (1) CN121014194A
WO (1) WO2024219242A1

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119734734A (zh) * 2025-03-05 2025-04-01 北京全路通信信号研究设计院集团有限公司 Redundancy control method, system, device, and medium for on-board operation control equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2020107355A (ja) * 2015-09-14 2020-07-09 Panasonic Intellectual Property Corporation of America Virtual machine monitor, software and firmware update method
JP2021034881A (ja) * 2019-08-23 2021-03-01 株式会社デンソー Monitoring device
JP2023041817A (ja) * 2019-03-11 2023-03-24 株式会社オートネットワーク技術研究所 Substitute device, substitute control program, and substitute method

Also Published As

Publication number Publication date
CN121014194A (zh) 2025-11-25
JP2024154179A (ja) 2024-10-30


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24792517

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 24792517

Country of ref document: EP

Kind code of ref document: A1