In vehicles, a network is configured with an ECU (Electronic Control Unit) as a component of a control system for controlling the engine, the motor, the brake, and the handle. The network is configured not only for the navigation system but also for information system units (such as a communication apparatus for a server outside the vehicle performing inter-vehicle/road-vehicle communication), with a communication path such as a CAN (Controller Area Network) or Ethernet (registered trademark, the same shall apply hereinafter). Further, to realize automatic traveling of vehicles, the control system network and the information system network are logically integrated into a single network. To protect these networks from a malicious attacker, a security function is necessarily formed, mainly using an encryption technique. On the other hand, vehicles also need to satisfy certain requirements based on functional safety.
Japanese Unexamined Patent Application Publication No. 2002-221075 discloses a fail-safe system for integrated control of vehicles. In this integrally controlled vehicle system, the navigation ECU, a plurality of information system ECUs (such as the air-conditioner ECU), the engine ECU, the transmission ECU, and the control system ECU (such as the traveling control ECU) are coupled to a single communication line. Upon detection of a failure in any of the ECUs included in the system, an ECU having predetermined performance is selected from the remaining ECUs without failure, in accordance with preset priorities. A basic program for the failed ECU is downloaded to and operated on the selected ECU, which thereby takes over for the failed ECU. As a result, the vehicle can at least travel, even when any of the ECUs fails.
Japanese Unexamined Patent Application Publication No. 2008-259124 discloses an on-vehicle communication system configured with two communication buses coupled to the ECUs, a gateway for coupling the two communication buses, and a third ECU. Upon detection of a malfunction in the gateway, the third ECU takes over for it. The third ECU includes means for detecting the malfunction of the gateway, means for replacing the function of the gateway, and process restriction means for stopping or restricting the processing of communication data. Upon detection of a malfunction in the gateway, the function of the gateway is replaced after the process restriction means stops or restricts processes with a low priority.