JP6306530B2 - Electronic control unit for automobile - Google Patents

Description

  The present invention relates to an automotive electronic control device.

  In an electronic control device mounted on an automobile, there is an increasing demand for compliance with the functional safety standard ISO26262 in order to ensure safety. According to the functional safety standard, in order to diagnose an abnormality in a memory such as a RAM (Random Access Memory), as described in Japanese Patent Application Laid-Open No. 2003-323353 (Patent Document 1), depending on the degree of influence on the safety of an automobile A technique has been proposed in which the storage area is divided and the interval for diagnosing each divided area is changed according to the degree of influence.

JP 2003-323353 A

  By the way, in the functional safety standard, it is necessary to consider a fault tolerant time interval (FTTI) from when a fault (individual component failure) occurs as a starting point until a dangerous event of the vehicle is considered to occur. For example, in an electronically controlled throttle system, FTTI is a time interval from when an abnormality occurs in a part of the system that controls the throttle valve until the opening of the throttle valve becomes abnormal and the vehicle becomes uncontrollable. is there.

  On the other hand, the capacity of the memory area of the electronic control device is increased due to the complexity of the control program, and the capacity of the divided area is increased accordingly. For this reason, a certain amount of time is required to diagnose the divided area, and there is a possibility that the scheduled job executed by the electronic control device every predetermined time may be affected. Therefore, it is difficult to diagnose in the FTTI a storage area that has a high influence on the safety of the automobile, and the functional safety standard cannot be complied with for the memory diagnosis.

  SUMMARY OF THE INVENTION An object of the present invention is to provide an automotive electronic control device that can comply with functional safety standards for memory diagnosis.

For this reason, the processor of the electronic control unit for automobiles rewrites the data stored in each divided area obtained by logically dividing a partial area of the memory at a predetermined time shorter than the fault tolerant time interval. Diagnose in order.

  According to the present invention, it is possible to comply with functional safety standards for memory diagnosis.

1 is a system diagram illustrating an example of an internal combustion engine for a vehicle. It is a block diagram which illustrates the outline of an electronic control unit. It is explanatory drawing which illustrates the logical control structure of an electronically controlled throttle chamber. It is explanatory drawing which illustrates the logical division | segmentation structure of RAM. It is explanatory drawing of the 1st method based on a functional safety standard. It is explanatory drawing of the 2nd method based on a functional safety standard. It is a flowchart which shows an example of a scheduled job.

Hereinafter, embodiments for carrying out the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 shows an example of an internal combustion engine for a vehicle.

  In the intake passage 110 of the internal combustion engine 100, an air cleaner 120 that filters dust in the air, an electronic control throttle chamber 130, and an intake valve 140 that is opened and closed by a valve mechanism (not shown) are arranged in this order along the intake flow direction. It is installed. An electronically controlled fuel injection valve 150 that injects fuel toward the umbrella portion of the intake valve 140 is attached to the intake passage 110 located between the electronically controlled throttle chamber 130 and the intake valve 140.

  The electronically controlled throttle chamber 130 includes a throttle valve 132 that adjusts the intake flow rate, an actuator 134 such as a stepping motor that rotates the throttle valve 132, and a throttle such as a potentiometer that detects the opening (throttle opening) of the throttle valve 132. Position sensor 136. The electronic control throttle chamber 130 opens and closes the throttle valve 132 by the actuator 134 in accordance with an opening signal from the outside.

  On the other hand, in the exhaust passage 160 of the internal combustion engine 100, the exhaust valve 170 and CO (carbon monoxide), HC (hydrocarbon), NOx (nitrogen oxide) in the exhaust gas are simultaneously reduced and purified along the exhaust flow direction. A three-way catalytic converter 180 and a muffler 190 for reducing exhaust noise are arranged in this order.

  An ignition plug 210 that sparks and ignites a mixture of fuel and air in response to the ignition current from the distributor 200 is attached to the cylinder head 102 of the internal combustion engine 100 so as to face the combustion chamber 104. . The distributor 200 distributes the ignition current to the ignition plugs 210 disposed in the respective cylinders of the internal combustion engine 100 at a timing according to the operation state.

  A rotational speed sensor 220 that detects the rotational speed of the internal combustion engine 100 and a load sensor 230 that detects the load of the internal combustion engine 100 are attached to predetermined locations of the internal combustion engine 100. Here, as the load of the internal combustion engine 100, for example, a state quantity closely related to the output torque of the internal combustion engine 100, such as an intake flow rate, an intake pressure, and a supercharging pressure, can be used.

  An accelerator sensor 250 that detects the amount of depression of the accelerator pedal 240 (accelerator operation amount) is provided together with the accelerator pedal 240 operated by the driver of the vehicle. Here, as the accelerator sensor 250, for example, a potentiometer can be used.

  The output signals of the throttle position sensor 136, the rotation speed sensor 220, the load sensor 230, and the accelerator sensor 250 are input to an electronic control device 260 that incorporates a microcomputer. As shown in FIG. 2, the electronic control unit 260 includes a CPU (Central Processing Unit) 262 that is an example of a processor, a RAM 264 that is an example of a volatile memory, and a ROM (Read that is an example of a nonvolatile memory. Only Memory) 266 and a bus 268 for connecting the CPU 262, RAM 264 and ROM 266 to each other. Here, as the ROM 266, for example, a flash ROM capable of electrically rewriting data can be used. Note that the RAM 264 is an example of a memory.

  The electronic control unit 260 executes a control program stored in the ROM 266, so that the electronic control throttle chamber 130, the fuel injection valve 150, and the distributor according to the throttle opening, rotational speed, load, accelerator operation amount, and the like. 200 is electronically controlled.

  That is, the electronic control unit 260 obtains the fuel injection amount and fuel injection timing according to the rotational speed and load of the internal combustion engine 100, and when the crank angle reaches the fuel injection timing, the fuel injection valve 150 sets the fuel injection amount. The corresponding operation signal is output. Further, the electronic control unit 260 obtains an ignition timing corresponding to the rotational speed and load of the internal combustion engine 100, and outputs an operation signal to the distributor 200 when the crank angle reaches the ignition timing. Further, the electronic control unit 260 obtains a target throttle opening degree according to the accelerator operation amount and the change amount thereof, and feeds back the actuator 134 of the electronic control throttle chamber 130 according to a deviation between the target throttle opening degree and the throttle opening degree. Control.

  In the control part of the electronic control unit 260, as shown in FIG. 3, a safety-related part (ASIL: Automotive Safety Integrity Level) to which the functional safety must be applied and a non-safety-related part to which the functional safety does not need to be applied ( QM (Quality Management) is mixed. Here, as the safety-related part, for example, control of the electronically controlled throttle chamber 130 that directly affects the safety of the vehicle is exemplified.

  Therefore, the RAM 264 of the electronic control unit 260 can be logically divided into an SM (Safety Mechanism) RAM area 264A corresponding to ASIL and a normal RAM area 264B corresponding to QM, as shown in FIG. . The RAM 264 of the electronic control device 260 can include a DMACRAM area where a direct memory access controller (DMAC) transfers data directly to the memory.

  In order to comply with the functional safety standard, the SMRAM area 264A is FTTI, whether or not the contents are rewritten by another element (another system such as a fuel injection system). ) Needs to be diagnosed. An example of the occurrence of RAM violation is, for example, accessing a memory area of another element due to a bug in a program.

  When the size of the SMRAM area 264A is large, it takes a certain amount of time to check all the data stored in the SMRAM area 264A, and a scheduled job that the electronic control unit 260 executes every predetermined time, for example, an electronic control throttle chamber There is a possibility that the opening degree control of 130 may be affected. The SMRAM area 264A is an example of an area in which data related to automobile safety is stored.

  Therefore, by applying the following method, it is possible to diagnose whether or not a RAM violation has occurred in the SMRAM area 264A in the FTTI while reducing the influence on the scheduled job. For the normal RAM area 264B, for example, RAM diagnosis can be performed by a known method such as so-called “Read / Write check” in which predetermined data is written and read byte by byte.

[First method]
As shown in FIG. 5, the SMRAM area 264A, which is a partial area of the RAM 264, is divided into divided areas 1 to n that are logically divided by a predetermined number n (n is an integer of 1 or more). Then, the CPU 262 of the electronic control device 260 diagnoses the presence / absence of the RAM infringement using, for example, an abnormality detection value such as a SUM value, an inverted value thereof, and a hash value every predetermined time (for example, 10 ms) shorter than FTTI. . Here, the predetermined number n for dividing the SMRAM area 264A is, for example, the importance of data, the CPU 262 under the constraint that the time required to complete the diagnosis of RAM infringement of all the divided areas 1 to n is less than FTTI. It can be determined appropriately in consideration of the processing capacity of the system. Note that each of the divided regions 1 to n is not limited to the same size, and may have different sizes (the same applies hereinafter).

  When the electronic control unit 260 includes one CPU 262, the divided areas 1 to n of the SMRAM area 264A can diagnose RAM infringement by a scheduled job executed at intervals of 10 ms, for example. In this case, the CPU 262 of the electronic control device 260 can obtain the abnormality detection value in the background with a small processing load in order to reduce the processing load.

  When the electronic control unit 260 has two CPUs 262, the divided areas 1 to n of the SMRAM area 264A diagnose RAM infringement by a scheduled job executed by one CPU 262, and the other CPU 262 obtains an abnormality detection value. it can. In addition, in order to improve the diagnosis accuracy of RAM infringement, the diagnosis of RAM infringement can be multiplexed while the two CPUs 262 are synchronized. Note that the electronic control device 260 can use a multi-core CPU in which a plurality of cores are built in one chip instead of the two CPUs 262.

  In this way, when executing the scheduled job, the CPU 262 of the electronic control device 260 can diagnose RAM infringement in order for one of the divided areas 1 to n of the SMRAM area 264A. In this case, the predetermined number n that divides the SMRAM area 264A is determined as appropriate in consideration of the processing capability of the CPU 262 and the like, so it is difficult to affect the scheduled job that is executed every predetermined time. Further, since the SMRAM area 264A is a partial area of the RAM 264, the diagnosis of the RAM infringement can be completed in a shorter time than the diagnosis of the RAM infringement for the entire area. Therefore, all the divided areas 1 to n of the SMRAM area 264A can be subjected to the diagnosis of RAM infringement within the FTTI and comply with the functional safety standard.

[Second method]
As shown in FIG. 6, the SMRAM area 264A, which is a partial area of the RAM 264, is divided into divided areas 1 to 3, which are logically divided by a predetermined number n (here, n = 3). In each of the divided areas 1, 2 and 3, areas for storing the abnormality determination values of the other divided areas, that is, the abnormality determination values of the divided areas 3, 1 and 2 are secured. Then, the CPU 262 of the electronic control device 260 obtains the abnormality determination values for all the divided regions 1 to 3 when the electronic control device 260 is activated, and stores them in the divided regions 1 to 3. Note that the predetermined number n dividing the SMRAM area 264A is not limited to 3, but may be 2 or 4 or more depending on the importance of data, the processing capability of the CPU 262, and the like.

  When the CPU 262 of the electronic control device 260 executes a scheduled job for the first time, it diagnoses a RAM infringement using the abnormality determination value for the divided area 1 and executes a predetermined process, and then stores the abnormality determination value in the divided area 2. To do. Next, when executing the scheduled job, the CPU 262 of the electronic control unit 260 diagnoses the RAM infringement using the abnormality determination value for the divided area 2 and executes a predetermined process, and then sets the abnormality determination value to the divided area 3. Store. Next, when executing the scheduled job, the CPU 262 of the electronic control device 260 diagnoses the RAM infringement using the abnormality determination value for the divided area 3 and executes a predetermined process. To store. In this way, the CPU 262 of the electronic control unit 260 diagnoses the RAM infringement in order for the divided areas 1 to 3 every predetermined time, and stores the abnormality determination value used for the diagnosis of the RAM infringement in the other divided areas.

  In this way, in addition to the operation and effect of the first method, the abnormality determination value can also be a diagnosis target of RAM infringement, and the diagnostic accuracy can be improved. For the operation and effect of the second method, refer to the description of the first method.

  As described below, the first method and the second method can be realized, for example, by being incorporated into a scheduled job.

  FIG. 7 shows an example of a scheduled job that is executed by the CPU 262 at the time of activation and every predetermined time when the electronic control device 260 is activated. Here, every time the scheduled job is executed, the CPU 262 of the electronic control unit 260 diagnoses RAM infringement in order for each of the divided areas 1 to n obtained by dividing the SMRAM area 264A by a predetermined number n. In short, when a scheduled job is executed, the divided areas to be diagnosed for RAM violation are sequentially changed. In the following example, a diagnosis of RAM infringement is incorporated in a scheduled job, but a RAM infringement can also be diagnosed as another scheduled job.

  In step 1 (abbreviated as “S1” in the figure, the same applies hereinafter), the CPU 262 of the electronic control unit 260 uses the abnormality determination value such as the SUM value, its inverted value, and hash value to determine the divided region to be diagnosed. Diagnose RAM violation. Specifically, the CPU 262 of the electronic control unit 260 reads the abnormality determination value stored in the divided area to be diagnosed, and performs a predetermined calculation on the data stored in the divided area to be diagnosed to perform an abnormality. Obtain the judgment value. Then, the CPU 262 of the electronic control device 260 compares the abnormality determination value read from the divided area with the abnormality determination value obtained from the data of the divided area to determine whether or not the data of the divided area is rewritten. Diagnose whether a RAM violation has occurred.

  In step 2, the CPU 262 of the electronic control unit 260 determines whether or not a RAM infringement has occurred in the divided area to be diagnosed, according to the diagnosis result in step 1. If the CPU 262 of the electronic control unit 260 determines that no RAM infringement has occurred (Yes), the process proceeds to step 3. On the other hand, if the CPU 262 of the electronic control unit 260 determines that the RAM infringement has occurred (No), the process proceeds to step 5.

  In step 3, the CPU 262 of the electronic control unit 260 executes normal processing in which no RAM infringement has occurred, for example, throttle opening control based on the accelerator operation amount and its change amount.

  In step 4, the CPU 262 of the electronic control unit 260 performs a predetermined calculation on the data stored in the divided area in consideration of the possibility that the data of the divided area to be diagnosed has been rewritten by normal processing. Obtain the judgment value. Note that the abnormality determination value obtained here is stored in the divided area and used for later diagnosis of RAM infringement.

  In step 5, since the RAM infringement has occurred in the divided area to be diagnosed, the CPU 262 of the electronic control unit 260 shifts the normal scheduled job to the process at the time of abnormality. Examples of the processing at the time of abnormality include fail-safe processing that limits the output of the internal combustion engine 100.

  In this way, when the RAM infringement occurs in the SMRAM area 264A, the process at the time of abnormality is executed instead of the regular scheduled job, and therefore, for example, the vehicle becomes uncontrollable due to an abnormality in the electronic control throttle chamber 130. It is possible to ensure the safety of the vehicle. In addition, since the RAM infringement diagnosis function in the SMRAM area 264A is realized by software, for example, various electronic control devices with different OS (Operating System) can be easily implemented.

  In the above embodiment, the electronically controlled throttle chamber 130 is exemplified as an application target of the functional safety standard. However, for example, a system that should ensure the safety of the automobile, such as a brake control system, a steering system, and an automatic driving system. can do.

260 Electronic control unit 262 CPU (processor)
H.264 RAM (memory)
H.264A SMRAM area

Claims (3)

In an automotive electronic control device comprising a memory and a processor,
For each divided area obtained by logically dividing a partial area of the memory, the processor sequentially diagnoses whether or not the data stored therein is rewritten at a predetermined time shorter than the fault tolerant time interval. To
An electronic control device for an automobile. The number of divisions of the partial area of the memory is set according to the processing capability of the processor.
The automotive electronic control device according to claim 1. The partial area of the memory is an area in which data related to automobile safety is stored.
The automobile electronic control device according to claim 1 or 2, wherein