The present application claims priority from Japanese application JP 2004-324679 filed on Nov. 9, 2004, the content of which is hereby incorporated by reference into this application.
The present invention relates to a distributed control system where a plurality of control units which execute a program for controlling a plurality of devices to be controlled are connected via a network and, in particular, to a distributed control system for application strictly requiring real-time processing, especially typified by vehicle control.
In electronic control units (ECUs) for motor vehicles or the like, a control circuit (CPU) generates a control signal, based on information input from sensors and the like and outputs the control signal to actuators and the actuators operate, based on the control signal. Lately, such electronic control units have been used increasingly in motor vehicles. The control units are interconnected for communication for cooperative operation or data sharing and build a network.
In a distributed control system where a plurality of control units are connected via a network, each individual control unit is configured to execute a unit-specific control program and, thus, a control unit with processing performance adequate to handle a peak load is selected as a system component. However, the processing capacity of the control unit is not used fully in situations where the device to be controlled is inactive or does not require complicated control. Consequently, a problem in which the overall operating efficiency is low is presented.
Meanwhile, in computing systems that are used for business applications, academic researches, and the like, attempts have been made to enable vast amounts of processing power with enhanced speed by load sharing across a plurality of computers without requiring each computer to have a high performance. For example, in patent document 1 (Japanese Patent Laid-Open No. H9(1997)-167141), a method allowing for load sharing of multiple types of services across a plurality of computers constituting a computer cluster is proposed. For an in-vehicle distributed control system, a technique of load sharing across a plurality of control units is proposed. For example, patent document 2 (Japanese Patent Laid-Open No. H7(1995)-9887) discloses a system where control units are connected by a communication line to execute control of separate sections of a motor vehicle, wherein at least one control unit can execute at least one of control tasks of another control unit under a high load; this system is designed to enable a backup across the control units and for processing load averaging across them.
In patent document 3 (Japanese Patent Laid-Open No. 2004-38766), tasks to be executed by control units connected to a network, are divided into fixed tasks that must be executed on a particular control unit and floating tasks that can be executed on any control unit and a program for executing the floating tasks is managed at a manager control unit connected to the network. The manager control unit identifies a floating task to be executed dynamically in accordance with vehicle running conditions or instructions from the driver and assigns the floating task to a control unit that is put under a low load and can execute the floating task.
In general, a control circuit and related sensors and actuators are connected by a dedicated path. Patent document 4 (Japanese Patent Laid-Open No. H7(1995)-078004) discloses a method in which control circuits, sensors and actuators are all connected via network in the control unit, dispensing with dedicated paths. The advantage of this method is that control processing for an actuator, based on sensor information, can be executed by any control circuit connected to the network, not limited to a particular control circuit, by using the network instead of dedicated paths. As a result, even if a control circuit fails, another control circuit can back up easily; this improves reliability. Although not disclosed in the above publication, in this method combined with an appropriate distribute control technique, distributed processing of control across a plurality of control circuits is considered easier than in a system using dedicated paths.
As disclosed in the publication, network duplication just in case a network fault occurs is well known.
[Patent document 1] Japanese Patent Laid-Open No. H9(1997)-167141
[Patent document 2] Japanese Patent Laid-Open No. H7(1995)-9887
[Patent document 3] Japanese Patent Laid-Open No. 2004-38766
[Patent document 4] Japanese Patent Laid-Open No. H7(1995)-078004
The technique disclosed in patent document 1 relates to a load sharing method in distributed computing environment mainly for business application and takes no consideration in respect of ensuring the performance of real-time processing of tasks. The technique disclosed in patent document 2 is a distributed control system for motor vehicle use wherein load sharing across a plurality of control units is performed, but takes no consideration in respect of ensuring the performance of real-time processing of tasks, which is especially important in vehicle control. In patent document 3, tasks are divided beforehand into tasks specific to each individual control unit and floating tasks that may be executed on any control unit and only the floating tasks that can be executed on any control unit can be processed by load sharing. In this case, it is needed to separate unit-specific tasks and floating tasks in advance when the system is built. In practical application, whether a task can be executed on another control unit changes, according to operating conditions. In vehicle control, generally, processing tasks to be processed by each individual control unit represent most of loads. If local tasks are not processed by load sharing, as suggested in patent document 3, few tasks remain to be processed by load sharing and, consequently, load sharing cannot be performed well.
In a distributed control system where a plurality of control units are connected via a network, a first challenge of the present invention is to provide a load sharing method allowing for efficient operation of each control unit, while ensuring the performance of real-time processing.
A second challenge to be solved by the present invention is to achieve enhanced fault tolerance, while ensuring the performance of real-time processing. For conventional typical electronic control units in which a control circuit and related sensors and actuators are connected by a dedicated path and an individual control program is run on each individual control unit, sufficient performance of real-time processing can be ensured, but, in case a control unit should fail, its operation stops. In short, these control units are low fault-tolerant. A conceivable solution is duplicating all control units, but system cost increase is inevitable.
Meanwhile, according to patent document 4, a similar system is configured such that information for all sensors and actuators are communicated via the network. In this case, even if a control unit fails, its related sensor information and actuator control signal can be communicated via the network and continuous operation can be maintained. However, it is required for electronic control units for motor vehicles or the like to process a task in a few milliseconds to a few tens of milliseconds from obtaining sensor information until actuator control signal output. Thus, the above network not only has sufficient throughput, also must ensure fast response time. However, in a situation where a great number of control circuits, sensors, and actuators send and receive information simultaneously, it is hard to ensure fast response time for all accesses.
Moreover, a third challenge is to virtualize a plurality of control circuits and facilitate a sharing process. In other words, this is to realize system uniformity in view from a user program, thus eliminating the need to program caring about a combination of a particular control circuit and a particular sensor or actuator, so that the system can be treated as if it was a single high-performance control circuit.
A fourth challenge of the present invention is to minimize the circuit redundancy and accomplish enhanced fault tolerance and a simple sharing process, applicable to cost-sensitive systems like motor vehicles.
To achieve the foregoing first challenge, the present invention provides a distributed control system where a plurality of control units connected via a network execute a plurality of tasks, and each control unit is arranged such that information of a deadline or task run cycle period as time required until task completion is given for each task and a control unit on which a task will be executed is selected according to the deadline or task cycle period. Each control unit is arranged such that time required to complete task processing and sending and return communication latency information if a task is executed on another control unit other than the control unit where the task was invoked to run are given for each task, thereby allowing for determining per task whether real-time processing can be ensured when the task is executed on another control unit connected via the network and selecting a control unit on which the task should be executed.
In consideration of that communication latency is determined by how much data to be transferred during a communication, the amount of data to be accessed for task execution within storage of each control unit and the amount of data to be accessed, corresponding to an input signal from an input device of each control unit are also given and each control unit is provided with means for calculating communication latency, based on the above amount of data. Moreover, each control unit is provided with means for observing network traffic and communication latency is modified by the traffic.
If the control units have different task processing throughputs such as their computing capacity and storage configuration, each control unit is provided with means for modifying task processing time according to task processing throughput. Furthermore, each control unit is provided with means for updating task processing time and communication latency information by past task run time statistics. A control unit stores tasks waiting for being executed in a task management list, refers to the task management list when a request to run a new task occurs, checks whether the new task can be completed within its deadline, if execution within the deadline is impossible, selects at least one task that should be requested of and executed by another control unit from among the tasks listed in the task management list and the new task to run, and sends a request command to run the selected task to another control unit via the network.
When sending the request command, the control unit sends the task's deadline and processing time information together. One means for determining another control unit to which task execution is requested, before sending the request command to run the task, sends the task's deadline processing time, and communication latency information to at least one of other control units, thereby inquiring whether the task can be completed within the deadline, and selects a control unit to which to send the request command to run the task actually from among other control units from which it received an acceptance return.
Another means for determining another control unit to which task execution is requested, before sending the request command to run the task, inquires of at least one of other control units about load status until the task's deadline time, checks whether the task can be completed by another control unit within the deadline from the task's deadline, processing time, and communication latency information and the load status returned, and selects a control unit to which to send the request command to run the task actually from among other control units on which the task can be executed as the result of the check.
A construction means for solving the second challenge connects a first control circuit and related sensors and actuators by a dedicated path on which fast response time is easy to ensure and connects another control circuit and related sensors and actuators via a network. When the first control circuit operates normally with sufficient throughput, the first control circuit is used for control; in case the first control circuit fails or if its throughput is insufficient, another control circuit is used.
Furthermore, the third challenge is solved such that task sharing is implemented by OS or middleware and a user program does not care that a particular task is executed exclusively by a particular control unit, and profit can be taken from the sharing process with simple user programming.
Furthermore, by provision of two paths, the dedicated path and network, the system is constructed such that, in case one control circuit fails, another control circuit can back up, without network duplication. Thus, duplication of each control circuit can be dispensed with, circuit redundancy can be suppressed, and the fourth challenge is solved.
Embodiment 1 of the present invention is described with
The task management list TL for Embodiment 1 is a table of information including, at least, task ID, deadline DL, processing time PT, and communication latency CL, which are managed for the tasks to be executed by the control unit. Other information not relevant to the following explanation is omitted herein. The deadline DL is time by which the task must be completed by request. Because most tasks are iterative in a cycle, the period of the cycle of a task may be treated as the deadline for the task.
Likewise, a control unit ECU2 is internally comprised of a communication device COM2 which is responsible for data communication, connecting to the network NW1, a control circuit CPU2 which processes tasks, and an input-output control circuit IO2 which sends and receives signals to/from a suite of sensors SN2 and a suite of actuators AC2, and has a task management list TL2 on a storage area.
Assume that a request to run a task T4 has now occurred when three tasks, T1, T2, and T3 waiting for being executed have been set and managed in the task management list TL1 on the control unit ECU1. In the task management list TL1, the deadline DL, processing time PT, and communication latency CL are expressed in units of a certain period of time; for example, a time of 100 clocks of the control circuit CPU1 can be used as one unit of time. The deadline DL is usually expressed by time allowed to pass until the deadline after the task was requested to run; however, in Embodiment 1, all deadline values are expressed in terms of the remaining time until the deadline after the present time taken as 0 in an easy-to-understand manner.
While some method allows for preemption, that is, suspending the on-going task to execute another task, non-preemptive scheduling in which no suspension of the on-going task takes place is assumed to be applied in Embodiment 1; however, the present invention is not limited to the non-preemptive scheduling.
Then, under the above situation, a request to run a new task T4 occurs at the control unit ECU1 and, consequently, the tasks including the task T4 are scheduled by the EDF method.
Meanwhile,
By checking the remaining tasks as to whether the task can be executed on another control unit in this manner, it turns out that only the task T3 can be done.
In Embodiment 2, each control unit executes a task whose deadline is less than the threshold time TH1 on the control unit where the task was requested to run. For a task whose deadline DL is equal to or more than the threshold time TH1, it is possible to send a request to execute the task to any other control unit than the control unit where the task was requested to run. That is, a task with a smaller deadline DL will be executed unconditionally on the control unit where the task was requested to run. For a task with a greater deadline DL, a request to execute the task will be sent to any other control unit than the control unit where the task was requested to run, if it is determined that its deadline DL cannot be met. In this way, according to the list example of
In practical operation, it may be determined that a task requested to be executed on another control unit is impossible to be executed on that unit. However, the advantage of this embodiment resides in a simple structure and a small overhead in determining a task that should be requested of and executed by another control unit.
The communication latency CL and task processing time PT may change with network loads and control circuit configuration and usage or because of inconstant execution flows and may be difficult to estimate exactly. In such cases, the threshold time TH1 may be set including some degree of margin; therefore, Embodiment 2 is easy to implement. The threshold time TH can be preset and used as the fixed threshold or allowed to dynamically change. For example, with the provision of means for observing communication traffic, when the communication latency increases with a large network load, the threshold time can be reset longer; conversely, when the communication latency decreases, the threshold time can be reset shorter.
When a task start indicating signal St1 is input to the means for measuring task processing time CT1, an internal counter (not shown) of the means for measuring task processing time CT1 starts to count. When a task end indicating signal En1 is input to the above means, the counter stops. When a task is suspended by an interrupt or the like, a pause signal Pa and restart signal Re are input to halt the counter temporarily. The above means measures the number of net cycles consumed for the task execution as the task processing time PT, updates the task processing time PT registered in the task management list TL, and stores it into a storage area MEM. Thereby, the maximum processing time and an average processing time from the past statistics can be used as task information.
Thus, in Embodiment 4, means for measuring communication latency CT2 is provided to measure time from the input of a communication command until receiving the result, that is, from sending a request to execute a task through the communication device COM1 to another control unit until receiving the returned result of the task execution. When a signal St2 indicating the input of a communication command is input to the means for measuring communication latency CT2, an internal counter of the means for measuring communication latency CT2 starts to count. When a signal En2 indicating the reception of the returned result is input to the above means, the counter stops. Thereby, the above means measures the number of net cycles consumed for the task execution on another control unit through communication, obtains the communication latency CL by subtracting the task processing time from the thus measured time, updates the communication latency CL registered in the task management list TL, and stores it into a memory area MEM. Thereby, the maximum communication latency and average communication latency from the past statistics can be used as task information.
In Embodiment 5, the task management list TL is provided with information regarding the amount of memory data to be accessed MA and the amount of input data IA through an input device in addition to the data mentioned in
Means for measuring time to wait for communication CT3 starts its internal counter upon the input thereto of a signal St3 indicating the input of a communication request command from the communication device COM1 and stops the counter when a signal En3 indicating the start of the communication is input to it. The above means inputs the thus obtained time to wait for communication WT1 to means for calculating communication latency CCL1. At this input, the means for calculating communication latency CCL1 obtains the amount of data to be transferred by the request to run the task from the amount of memory data to be accessed MA and the amount of input data IA and calculates the time required to transfer this data amount. By adding the time to wait for communication WT1 to the thus calculated time, the means for calculating communication latency CCL1 calculates the communication latency and fills the communication latency CL field with this new value in the task management list TL4.
The time to wait for communication WT1 can be measured at all times or may be measured periodically. Thereby, the communication latency reflecting the time to wait for communication and the amount of data to be transferred can be used. While communication latency calculation is executed, taking account of both the amount of data to be accessed and the time to wait for communication in Embodiment 5, it may be preferable to apply only either of the above, if the either is significantly governing.
Next, an embodiment where the control units have different throughputs is discussed. Given that the control unit ECU2 operates at an operating frequency twice as high as the operating frequency of the control unit ECU1 in the situation of Embodiment 1,
In the case of Embodiment 6, the processing time of a task on the control unit ECU1 is reduced by half when the task is processed on the control unit ECU2. For example, when the control unit ECU1 that is the task requester determines to request the control unit ECU2 to execute the task, it may inform the control unit ECU2 that the task T3 will be processed in five units of time, which is half cut, according to the throughput ratio between the requested control unit and itself. Alternatively, the control unit ECU1 may inform the requested control unit ECU2 that the task is processed in ten units of time as is and the control unit ECU2 may regard the processing time for the task as half-cut five units of time, according to the throughput ratio between the requesting control unit and itself. In either case, the result is that the task T3 is processed in five units of time on the control unit ECU2, as scheduled in
When a request to run a task occurs (step P901) at the control unit ECU1, the ECU1 adds the new task to the task management list (step P902) and determines whether all tasks can be completed in compliance with their deadlines (step P903). If the tasks can be done, the ECU1 executes the tasks according to the task management list (step P900). If not, as determined at step P903, the ECU1 checks the tasks managed in the task management list as to whether there is a task that should be requested of and executed by another control unit ECU (step P904). Here, a task that can be executed on another control unit is selected in view of task processing time and communication latency as well as task deadline, as described in, e.g., Embodiment 1 and Embodiment 2. The selected task is deleted from the management list (step P905). If there is no task that can be executed on another control unit ECU, the ECU1 aborts a task (step P906). Aborting a task is done, for example, in such away that a task of lowest importance, according to predetermined task priorities, is deleted from the management list. In aborting a task, the task to abort is deleted from the management list.
Next, the ECU1 determines whether all the remaining tasks in the updated management list can be completed in compliance with their deadlines (step P907). If not, returning to step P904, the ECU1 again selects a task that should be requested of and executed by another control unit ECU; this step is repeated until it is determined that the tasks can be done at step P907. If “Yes” as determined at step P907, the ECU1 executes the tasks according to the task management list (step P900) and performs the following steps for the task selected as the one that should be requested of and executed by another control unit ECU.
The ECU1 inquires of other control units ECUs whether the control unit can execute the task within its deadline (step P908). This inquiry may be sent by either of the following two optional ways: sending an inquiry message to each of other control units ECUs one by one in predetermined order; and sending broadcast messages of inquiry to all other control units at a time. In Embodiment 7, the inquiry is broadcasted to other control units ECUs by a broadcast BC 91 denoted by a bold arrow in
Having received this inquiry, a control unit ECU determines whether it can execute the requested task within its deadline, referring to the deadline and processing time information and its own task management list (step P1001). If the ECU cannot execute the task, it sends back nothing and returns to its normal processing (step P1002). If the ECU can execute the task, as determined at step P1001, it returns a message that it can do. However, because the inquiry was broadcasted to all other control units ECUs in Embodiment 7, if a plurality of control units ECUs can execute the task at the same time, there is a probability of a plurality of returns being sent from the ECUs at the same time. Here, by way of example, this problem is addressed by using a Control Area Network (commonly known as CAN), which is explained below. In the CAN protocol, a communication path is allocated in accordance with node priorities so that simultaneous transmissions do not collide with each other. When a low-priority node detects a transmission from another higher-priority node, it suspends its transmission and waits until the communication path can be allocated to it. Then, the ECU determines whether an acceptance return message from another control unit occurs (step P1003). If an acceptance return message from another control unit ECU occurs, the ECU receives it and returns to its normal processing (step P1004). Only if the ECU does not receive such message, it sends an acceptance broadcast BC92 to all other control units ECUs (step P1005). When the control unit ECU waits for the release of the communication path to send the acceptance return, if receiving an acceptance broadcast BC92 sent from another control unit ECU, it quits waiting for communication and returns to its normal processing (steps P1003, P1004).
After sending the acceptance return, the ECU determines whether it has received a request to execute the task within a given time (step P1006). When having received the request to execute the task, the ECU executes the task (step P1007); if not, it returns to its normal processing (step P1008). After executing the requested task, the ECU sends a message MS92 having the result of the execution to the control unit ECU1 (step P1009) and returns to its normal processing (step P1010).
The control unit ECU1 determines whether it has received an acceptance broadcast BC92 within a predetermined time (step P909). When having received the broadcast BC92 within the predetermined time, the ECU1 sends a request message MS91 to execute the task to the control unit from which it received the acceptance return (step P910). When receiving a return message MS 92 having the result data from the requested ECU, the ECU1 performs processing of the return data such as storing the data into the memory or using the data as an output signal for actuator control (step P912). Otherwise, when the ECU1 has not received the broadcast BC92 within the predetermined time, the ECU1 aborts a task (step P911).
Included in the process at the control unit ECU1, a series of steps, inquiring of other control units ECUs whether it can execute the task (step 908), determining whether it has received a return (step P909), sending a request to execute the task (step P911), aborting a task (step P911), and processing of return data (step P912) are performed for all tasks selected as those that should be requested of and executed by another control unit ECU.
While the inquiry of other ECUs whether it can execute the task within its deadline is broadcasted to the ECUs in Embodiment 7, a message MS93 inquiring each control unit ECU about load status during the time until the deadline of the requested task is sent to each individual ECU (step 913) in Embodiment 8; in this respect, there is a difference from Embodiment 7. For example, this message inquires of each control unit ECU about idle time until a certain point of time. Referring to the example of
Alternatively, it is possible to attach a storage unit accessible for all control units ECUs to the network NW1 and set up a database in which each control unit will store their load status periodically at predetermined intervals. If such database is available, the control unit ECU1 can access the database and obtain information by which it can determine what ECU to which task processing can be requested. Consequently, it will become unnecessary to inquire of other control units ECUs whether it can execute the task, as involved in Embodiment 7, and inquired of other control units ECUs about their load status, as involved in Embodiment 8.
This embodiment and Embodiment 7 illustrate an instance where, whether all tasks to be processed can be completed in compliance with their deadline is determined; if not as determined, a task is selected to be executed on another control unit. Not only for the case of deadline noncompliance, the present invention is also carried out for the purpose of load leveling across the control units. In the flowcharts of
An electronic control unit ECU4 is comprised of an input-output control circuit IO4, a suite of sensors SN4, and a suite of actuators AC4. Senor information is input from the suite of sensors SN4 to the input-output control circuit IO4 and actuator control information is output from the input-output control circuit IO4 to the suite of actuators AC4. Besides, the input-output control circuit IO4 is connected to the network NW1. The electronic control unit ECU4 in Embodiment 9 does not have a control circuit independent of the sensor suite and the actuator suite, unlike other electronic control units ECU1, ECU2, and ECU3.
A control circuit CPU4 is an independent control circuit that is not connected by a direct signal line to any input-output control circuit connected to the network NW1.
Then, typical operation of Embodiment 9 is described. A process of generating actuator control information based on sensor information will be referred to as a control task. Generally, there are a great number of tasks to which the sensor suite SN1 and the actuator suite AC1 relate. In the electronic control unit ECU1, normally, the input-output control circuit IO1 sends sensor information received from the sensor suite SN1 to the control circuit CPU1 via the direct signal line DC1. The control circuit CPU1 executes a control task, based on the received sensor information, and sends generated actuator control information to the input-output control circuit IO1 via the direct signal line DC1. The input-output control circuit IO1 sends the received control information to the actuator site AC1. The actuator suite AC1 operates, based on the received control information. Alternatively, if the input-output control circuit IO1 has the capability of control task processing in addition to normal input-output control, it may process a control task that does not require the aid of the control circuit CPU1. In this case, the input-output control circuit IO1 executes the control task, based on sensor information received from the sensor suite SN1, and sends generated actuate control information to the actuator suite AC1. The actuator suite AC1 operates, based on the received control information.
Conventionally, all of such a great number of tasks need to be processed by the electronic control unit ECU1 and the electronic control unit ECU1 is provided with the capability required for the processing. In Embodiment 9, if the electronic control unit ECU1 cannot process all control tasks, the input-output control circuit IO1 sends sensor information received from the sensor suite SN1 to any other electronic control unit ECU2, ECU3, ECU4, or the control circuit CPU4 via the network NW1. The receiving unit or circuit generates actuator control information, based on the sensor information, and sends the control information to the input-output control circuit IO1 via the network NW1. The input-output control circuit IO1 sends the received control information to the actuator suite AC1. The actuator suite AC1 operates, based on the received control information.
The electronic control units ECU2 and ECU3 also operate in the same way as for the electronic control unit ECU1. On the other hand, in the electronic control unit ECU4, the input-output control circuit IO4 executes a control task, based on sensor information received from the sensor suite SN4, and sends generated actuator control information to the actuator suite AC4. The actuator suite AC4 operates, based on the received control information. If the input-output control circuit IO4 is lacking in the control task processing capability or the capability is insufficient, it uses any other electronic control unit ECU1, ECU2, ECU3, ECU4, or the control circuit CPU4 via the network NW1 to have a control task processed by the unit or circuit, in the same manner as for other electronic control units ECU1, ECU2, and ECU3.
In the case where the electronic control unit ECU1 cannot process all control tasks, the ECU1 must determine what control task to be allocated to any other electronic control unit ECU2, ECU3, ECU4, or the control circuit CPU4 via the network NW1. Generally, the control circuit assigns priorities to control tasks and processes the tasks in order of highest to lowest priorities. If two or more tasks have the same priority, a task earliest received is first processed. Thus, high-priority tasks can be processed by the control circuit CPU1 within its processing capacity limit and the remaining low-priority tasks can be allocated to other electronic control units ECU2, ECU3, ECU4, or the control circuit CPU4; in this way, control tasks can be allocated. Response time of a control task from receiving sensor information until completion of the control task is limited to control the actuator suite at appropriate timing. This response time limit varies from one control task to another. Communicating information via the network takes longer than transmission by a direct signal line. Therefore, according to the response time limits, control tasks for which the time to complete is coming earlier should be processed by the control circuit CPU1 and the remaining tasks for which the time to complete is relatively late allocated to other electronic control units ECU2, ECU3, ECU4, or the control circuit CPU4; this manner facilitates compliance with the response time limits. Based on this concept, by applying the load sharing method of Embodiments 1 to 9, load sharing with ensured performance of real-time processing can be implemented.
In Embodiment 9, a communication packet for requesting another control unit for task execution according to the packet example shown in
For control units for motor vehicles or the like, control tasks to be processed are determined before the units are productized. However, timing at which each control task is executed and the processing load per task changes, according to circumstances. Therefore, optimization is carried out before productizing to prevent a control burst under all possible conditions. It is thus possible to determine optimum load sharing rules in advance, according to situations. Alternatively, general-purpose load sharing rules independent of products may be created and incorporated into an OS or implemented in middleware; this eliminates the need of manual optimization of load sharing in the optimization before productizing. As a result, system designers can write a control program without caring that a control task is executed by which control circuit. After productizing, there is a possibility of system configuration change for function enhancement or because of part failure. With the capability of automatic optimization of load sharing rules adaptive to system reconfiguration, optimum load sharing can be maintained. Because a great number of control tasks change, according to circumstances, by appropriately applying on-demand load sharing by load sharing rules and automatic optimization of load sharing rules adaptive to circumstantial change, more optimum load sharing can be achieved.
Next, fault tolerance of Embodiment 9 is described. In Embodiment 9, since the actuator suite AC1, sensor suite SN1, and input-output control circuit IO1 are essential for tasks for controlling the actuator suite AC1, in case they break down so as to affect control task processing, it becomes impossible to execute the tasks for controlling the actuator suite AC1. Therefore, measures for enhancing fault tolerance at the component level such as duplication are taken for these components, according to the fault tolerance requirement level. If the input-output control circuit IO1 is incapable of processing a control task, normally, the direct signal line DC1 and control circuit CPU1 are still used. In case of the direct signal line DC1 fault, processing can be continued by connecting the input-output control circuit IO1 and control circuit CPU1 via the network NW1. Alternatively, in case of the direct signal line DC1 fault or control circuit CPU1 fault, control can be continued by having control tasks executed on other electronic control units ECU2, ECU3, ECU4, or the control circuit CPU4 via the network NW1 in Embodiment 9, in the same way as in the foregoing case where the electronic control unit ECU1 cannot process all control tasks.
At this time, the load of the network NW1 and the load of the electronic control units ECU2, ECU3, ECU4 or the control circuit CPU4 increase. However, in a system where a great number of electronic control units are connected, a relative load increase can be suppressed within the permissible extent. By provision of an allowance for the whole system capacity, the same processing as before the fault can be continued. For example, if one control circuit fault results in a 10% decrease in the capacity, the capacity should be preset 10% higher. Even if the capacity allowance is cut to a minimum with priority given to efficiency, the processing load in case of the fault can be decreased by lowering degradation-tolerable facilities in an emergency in terms of comfort, mileage, cleaning exhaust gas, etc. and processing can be continued. For control systems for motor vehicles or the like, the reliability of components is sufficiently high and it is generally considered unnecessary to suppose that two ore more components fail at the same time. For example, the probability that two components which may fail once for one hundred thousand hours both fail within one hour is once for ten billion hours.
In conventional systems, the control circuit CPU1 and input-output control circuit IO1 are united or they are separate, but the input-output control circuit IO1 is connected to the network NW1 via the control circuit CPU1, and multiplexing including the direct signal line DC1 and control circuit CPU1 is required to improve fault tolerance. Likewise, fault tolerance can be achieved in other electronic control units ECU2, ECU3. The electronic control unit ECU4 consists entirely of the actuator suite AC4, sensor suite SN4, and input-output control circuit IO4 which require fault tolerance and, therefore, measures for enhancing fault tolerance such as duplication must be taken.
In Embodiment 9, the network NW1 is not multiplexed. In the event of the network NW1 failure, each electronic control unit ECU1 to ECU4 must execute control tasks without relying on load sharing via the network NW1. If a system is run such that load sharing via the network NW1 is not performed during normal operation and, in case of a fault, processing is continued by load sharing via the network NW1, the system can deal with faults other than a multi-fault with an extremely low probability like the fault in which the network NW1 and an electronic control unit fail simultaneously. If the capacity allowance is cut to a minimum with priority given to efficiency, in case of a fault, the processing load can be decreased by lowering degradation-tolerable facilities in an emergency and processing can be continued, so that tasks can be executed with lower performance for reliance on load sharing via the network NW1.
With the advancement of control systems, high performance and high functionality of the control circuits CPU1 to CPU4 are required. Capability to accomplish fault tolerance without multiplexing these CPUs and the direct signal lines DC1 to DC4 and the network NW1 for connecting the CPUs greatly contributes to system efficiency enhancement.
In Embodiment 9, control of load sharing of tasks for controlling the actuator suite AC1 is performed by the control circuit CPU1 or input-output control circuit IO1 during normal operation. Since the input-output control circuit IO1 requires duplication or the like for improving fault tolerance, it is desirable to make this circuit as small as possible with a limited capacity. If the load sharing control is performed by the control circuit CPU1, this contributes downsizing of the input-output control circuit IO1. In this case, load sharing in case of the control circuit CPU1 fault must be performed by any other electronic control unit ECU2 to ECU4. Therefore, the input-output control circuit IO1 should be provided with a capability to detect the control circuit CPU1 fault. In case the control circuit CPU fault occurs, the input-output control circuit IO1 sends a task control process request to any other electronic control unit ECU2 to ECU4, selected by predetermined rules. The electronic control unit that received the request adds the control task process to the control tasks that it manages. This transfer of the load sharing control may be performed in a way that the control is entirely transferred to one of other electronic control units ECU2 to ECU4 or in a way that the control load is distributed to other units. It is desirable that the control is transferred to a control circuit that will first execute a control task, according to load sharing rules. Otherwise, if the load sharing control is performed by the input-output control circuit IO1, the size of the input-output control circuit IO1 increases, but it is unnecessary to transfer the load sharing control to any other electronic control unit ECU2 to ECU4 in case of the control circuit CPU1 fault.
In case of the direct signal line DC1 fault or control circuit CPU1 fault, the paths via the DC1 line and the CPU1 are disabled, but backing up of the control circuit CPU1 can be performed, through other paths, by the control circuits CPU2 to CPU4 or the input-output control circuits IO2 to IO4. In case of the network NW2 fault, the input-output control circuit IO1 can be connected to the network NW1 via the direct signal line DC1 and the control circuit CPU1. Conversely, in case of the network NW1 fault, the control circuit CPU1 can be connected to the network NW2 via the direct signal line DC1 and the input-output control circuit IO1. Since a bypass via the direct signal line DC1 is simpler and faster than a bypass via the plural networks, it is sufficient as a backup circuit in case of failure. For other electronic control units ECU2 to ECU4, load sharing and backup can be accomplished in the same way as above.
The physical wiring of the networks in the foregoing embodiments can be constructed with transmission lines through which electrical signals are transmitted or optical transmission lines. Moreover, a wireless network can be constructed.
According to the present invention, ensured performance of real-time processing, improved fault tolerance, or virtualizing a plurality of control circuits can be accomplished.
This invention relates to a distributed control system where a plurality of control units which execute a program for controlling a plurality of devices to be controlled are connected via a network and accomplishes distributed control to reduce system costs and improve fault tolerance, while ensuring the performance of real-time processing in applications strictly requiring real-time processing such as motor vehicle control, robot control, and controlling manufacturing equipment at factories.
Number | Date | Country | Kind |
---|---|---|---|
2004-324679 | Nov 2004 | JP | national |