1. Field of the Invention
The present invention relates to a vehicle control system in which a series of processes is allocated to and executed by a plurality of electronic control units (ECUs) and the series of processes is repeatedly executed to control a vehicle.
2. Description of Related Art
A conventional vehicle distributed control system has been proposed in which various functions of a vehicle such as antilock braking of an antilock brake system (ABS), engine fuel injection, ignition, reading of throttle sensor value, throttle motor driving and the like are realized by use of a plurality of ECUs. This system is, for example, disclosed in Published Japanese Patent First Publication No. 2000-339001. For communication, protocols, e.g. TTP/C (time-triggered protocol, SAE Class C), Flex-Ray and the like, have been proposed to perform time division multiplex communication among ECUs. The term “time division multiplex communication” means that one ECU communicates with another ECU at a predetermined timing which is allocated in advance to the former ECU (see, for example, Published Japanese Patent First Publication No. H07-089398).
In a vehicle distributed control system using such a time division multiplex communication as mentioned above, a series of processes that is repeatedly executed for the control of a vehicle is allocated to and executed by a plurality of functional blocks of the ECUs to divide the series of processes into a plurality of separate processes. The functional blocks are configured and arranged to repeatedly execute the series of processes to control a vehicle. Each functional block executing a corresponding separate process delivers a signal indicating a result of the separate process to another functional block by using the time division multiplex communication. Then, each functional block receiving the signal from the preceding functional block executes a corresponding separate process according to the received signal. The signals of the functional blocks are delivered in a predetermined order.
As a typical example, a vehicle control system for executing a series of processes for vehicle control in functional blocks of two ECUs is described with reference to FIG. 19 and FIG. 20. In this system, one functional block of one ECU receives a value outputted from a given sensor, and a functional block of another ECU controls a given actuator according to the value received from the former ECU.
FIG. 19 is an explanatory view showing separate processes executed in this vehicle control system. Two ECUs 161 and 162 can communicate with each other through an in-vehicle LAN (local area network) line 163 by using time division multiplex communication based on a protocol such as TTP/C, Flex-Ray or the like. A series of processes is executed in the vehicle control system according to the procedure of processes (1) to (6).
(1) A sensor 164 connected to the ECU 161 detects a predetermined physical state (including, for example, an engine speed, a vehicle speed, a position of an accelerator, an outside temperature or the like) of a vehicle, and outputs a signal indicating the detected state to the ECU 161.(2) The ECU 161 calculates a target value of a predetermined state (for example, torque, braking or the like) of the vehicle according to the signal received from the sensor 164, and writes the calculated target value in a memory (RAM) 165 of the ECU 161. A signal flow in the processes (1) and (2) is shown in FIG. 19 by an arrow indicated by a circled numeral “1”.(3) The ECU 161 renews the target value stored in the memory 165 according to another physical state of the vehicle. A signal flow in the process (3) is shown in FIG. 19 by an arrow of a circled numeral “2”.(4) The ECU 161 transmits a signal indicating the renewed target value stored in the memory 165 to the ECU 162 through the inner-LAN line 163 at a predetermined timing allocated to the ECU 161.(5) The ECU 162 receives the signal from the ECU 161, and writes the received target value in a memory 166. A signal flow in the processes (4) and (5) is shown in FIG. 19 by an arrow of a circled numeral “3”.(6) The ECU 162 calculates a degree of driving power and a timing of driving in an actuator 167 according to the target value written in the memory 166, and drives the actuator 167. A signal flow in the process (6) is shown in FIG. 19 by an arrow of a circled numeral “4”.
This series of processes (1) to (6) can be divided into a phase (hereinafter, called phase A) of a separate process executed by the ECU 161, a phase (hereinafter, called phase B) of delivering a result of the separate process of the ECU 161 in the communication, and a phase (hereinafter, called phase C) of a separate process executed by the ECU 162. The phase A includes the processes (1), (2) and (3), the phase B includes the processes (4) and (5), and the phase C includes the process (6). Each of the phases is performed at a predetermined timing in the order of phase A, phase B and phase C.
This series of processes for controlling the vehicle is allocated to and executed by a functional block of the ECU 161 corresponding to the phase A and a functional block of the ECU 162 corresponding to the phase C. The functional block of the ECU 161 delivers a signal indicating a result of the processes of the phase A to the functional block of the ECU 162 in a predetermined order in the phase B, and the functional block of the ECU 162 executes the process of the phase C according to the signal outputted from the functional block of the ECU 161.
FIG. 20 is a timing chart showing timings at which the phase A, the phase B and the phase C for the series of processes are repeatedly performed. In FIG. 20, time passes along the right direction, and each of rectangles 181 to 191 indicates one phase. A position of each rectangle indicates a processing timing of the corresponding phase, and a width of each rectangle indicates an execution time of the process(es) of the corresponding phase. One series of processes is executed in each of a first cycle, a second cycle, a third cycle and a fourth cycle to repeatedly execute the series of processes in the cycles. In each of the first and second cycles, the series of processes are normally executed. That is, the phase B is started after completion of the processes of the phase A, and the phase C is started after completion of the processes of the phase B.
However, in the third cycle, the processes of the phase A (corresponding to the rectangle 187) are excessively loaded on the ECU 161 for some reason, and the execution time of the processes of the phase A becomes longer than that in normal operations. Therefore, a signal indicating a result of the processes of the phase A is outputted from the ECU 161 at a time later than a predetermined timing. In the fourth cycle, a signal indicating a result of the processes of the phase A is not outputted from the ECU 161 because the ECU 161 is not normally operated. In these cases, data of the memory 165 stored in the phase A (corresponding to the result of the processes outputted in the phase of the rectangle 184 or 187) is undesirably read out and transmitted to the ECU 162 in the phase B (corresponding to the phase B of the rectangle 188 or 190) Therefore, the ECU 162 works to drive the actuator 167 according to the target value not correctly set.
As described above, in the normal operation of the vehicle control system, one series of processes is allocated to a plurality of functional blocks and is repeatedly executed by the functional blocks to control a vehicle, each functional block of a current stage delivers a signal indicating a result of a separate process to another functional block of a succeeding stage in a predetermined order, and each functional block receiving the signal from another functional block of a preceding stage executes a process according to the signal. In this system, an abnormality may sometimes occur during one series of processes, and the deliveries of the signals among the functional blocks in the series of processes are not performed within given periods and performed out of a predetermined order. That is, the series of processes is not correctly executed. This abnormality is called a sequence error.
In the conventional vehicle control system, a problem arises in that the occurrence of the sequence error cannot be detected.
Published Japanese Patent First Publication No. H10-214208 teaches a technique for checking whether a plurality of applications are normally executed in a computer (for example, corresponding to a processing unit of one ECU). More particularly, a flag or counter is prepared for each application, and a monitoring unit monitors the renewal of the flag or counter for each application. Therefore, the monitoring unit can check whether or not each of the applications in the computer is normally started and completed.
However, in this technique, although the monitoring unit can check whether or not the applications in one computer are correctly executed individually, the monitoring unit cannot check whether or not a plurality of applications in a plurality of ECUs are correctly executed according to a control sequence. That is, the sequence error is not checked or detected according to this prior-art technique.