In recent years, in the field of automobiles, the functionality of vehicles has been improving more and more. With this improvement, a variety of devices are now mounted in vehicles, and a large number of controllers for controlling these in-vehicle devices, or so-called ECUs (Electronic Control Units) are also mounted. For example, various ECUs are mounted in vehicles, including a body ECU for performing control for turning on and off a compartment light or a headlight, sounding an alarm, and locking/unlocking doors, in accordance with switch operations or the like performed by a passenger, a meter ECU for controlling operations of meters and the like installed near a driver seat, and a navigation ECU for performing control of a car navigation device or the like.
An ECU is constituted by a processing unit such as a microcomputer, and control of in-vehicle devices is realized as a result of the ECU reading and executing a control program stored in a ROM (Read Only Memory). In general, a control program to be executed by a single ECU is constituted by a plurality of application programs for controlling a plurality of in-vehicle devices connected to an input-output interface included in the ECU. An ECU cooperates with other ECUs through an in-vehicle LAN, and an application program for controlling an in-vehicle device connected to an input-output interface included in another ECU is included in the control program in some cases.
The control program constituted by a plurality of application programs transmits control signals to an actuator for operating an in-vehicle device and operates the in-vehicle device in a predetermined sequence, based on information from various sensors mounted in the vehicle, switch operation signals provided by a passenger, and the like. Here, processing for acquiring various kinds of sensor information, processing for acquiring the switch operation signals, and processing for controlling the in-vehicle device are realized by a plurality of processes based on a program created for each processing unit being combined and sequentially executed.
An ECU makes a plan of an execution sequence of a plurality of processes for operating an in-vehicle device based on various kinds of sensor information, the switch operation signals, and control signals from other ECUs, and executes the processes based on the plan. For example, in the control for smart keyless entry, the body ECU, upon receiving a first communication signal serving as a trigger from a portable key approaching the vehicle, needs to execute a plurality of processes in a prescribed sequence conforming to an engine start procedure and a communication protocol between the portable key and an in-vehicle communication unit. Usually, the ECU advances the processes in accordance with the procedure planned in conformity with prescribed rules. However, if an unexpected phenomenon occurs, such as a communication error between the portable key and the in-vehicle communication unit or an instantaneous power interruption, and the ECU deviates from the planned procedure, a malfunction of the in-vehicle device will be caused.
As described above, in the control program including a plurality of application programs for controlling a plurality of in-vehicle devices, the execution sequence of processes is prescribed for each application program in some cases. In such cases, the ECU needs to monitor whether or not the processes are proceeding in the prescribed execution sequences in multiple series of processes, and if a deviation from the execution sequences occurs, the ECU needs to be able to promptly restore the execution sequence.
JP 2010-009296A describes a monitoring device including an ID register, a log register group, a control unit, and a watchdog timer. The ID register stores identification information assigned to processing tasks to be executed. The identification information of a first processing task contains an ID of the first processing task and an ID of a second processing task that is to be executed before the first processing task (hereinafter referred to as a “preceding processing task ID”). The control unit holds the identification information of each processing task to be executed and the identification information of the previously executed processing task in the register, and monitors whether or not the execution sequence of the tasks is normal, based on the preceding processing task ID in the identification information of the processing task to be executed and the previously executed processing task ID. The log register group stores the identification information and monitoring result information as log information in time series. If a failure occurs in a program execution state and time-out of the watchdog timer is detected, the log information stored in the log register group is saved in a storage device, and the cause of the failure occurrence can thereby be promptly investigated based on the saved log information.
However, with the monitoring device described in JP 2010-009296A, although monitoring can be performed in conformity with the prescribed execution sequence of a single series of processes by holding the identification information of each processing task to be executed and the identification information of the previously executed processing task in the register and performing the monitoring, a problem arises in that procedures of processes in multiple series cannot be monitored.
Moreover, with the monitoring device described in JP 2010-009296A since the identification information assigned to each process contains the ID of this processing task and the ID of the preceding processing task, the data length of the identification information is long, which requires an extra storage area in a ROM or the like for storing each processing program. Since the identification information assigned to each process contains the ID of this processing task and the ID of the preceding processing task, the ID of each processing task and the ID of the preceding processing task needs to be extracted individually from the identification information during the monitoring, and the processing time becomes longer due to the time taken for this extraction processing.
In addition, in the monitoring device described in JP 2010-009296A the identification information assigned to the previously executed process is held in the register. The preceding processing task ID in the identification information assigned to the previously executed processing is held even though it is not necessary for the monitoring, and an extra register is required. Furthermore, the preceding processing task ID in the identification information assigned to the previously executed processing is unnecessary for the monitoring, and if processing for deleting this unnecessary portion is added, the register can be minimized, but the processing time becomes longer due to the deleting processing.