JP6716429B2 - Electronic control device and diagnostic method thereof - Google Patents

Description

The present invention relates to an electronic control device for a vehicle and a diagnosis method thereof.

Conventionally, a failure detection device for an electronic control system for a vehicle such as an automobile has been known (see Patent Document 1). According to this failure detection device, the first microcomputer and the second microcomputer having a monitoring function for monitoring the presence/absence of a failure of the first microcomputer are provided. Further, the first microcomputer determines whether the monitoring function of the second microcomputer is operating properly. Specifically, the first microcomputer intentionally sends an erroneous diagnostic signal to the monitoring function (for example, a monitoring circuit) of the second microcomputer, and the monitoring function sends a failure detection signal. A diagnostic means for determining whether or not to output is provided.

By the way, conventionally, an international standard of functional safety (for example, functional safety standard for automobiles (ISO 26262)) is known. Therefore, for example, it is conceivable to apply the above-mentioned diagnostic means to a functional safety measure such as a latent failure (latent fault).

JP-A-2002-99321

However, the above-mentioned diagnosis means is executed during the shutdown until the power is cut off after the key-off operation by the driver, for example, and the diagnosis of the monitoring function is switched at every key-off operation, so that the diagnosis is performed once. Only one monitoring function can be diagnosed by shutdown. Therefore, when there are multiple monitoring functions, it is a problem to deal with functional safety measures such as latent failure.

Therefore, in view of the above problems, the present invention is a technique capable of coping with functional safety measures such as a latent failure when the second microcomputer has a plurality of monitoring functions for monitoring each function of the first microcomputer. The purpose is to provide.

In the vehicle electronic control device according to the present invention, the second microcomputer monitors the presence or absence of a failure of the first microcomputer, and the first microcomputer diagnoses the monitoring state of the second microcomputer. An electronic control device for an automobile, wherein the second microcomputer includes a plurality of monitoring units that monitor the presence or absence of the failure for each function of the first microcomputer, and the first microcomputer includes: The diagnostic unit includes a diagnostic unit that diagnoses whether the plurality of monitoring units are operating normally, and the diagnostic unit detects an abnormality in any one of the monitoring units at a timing of shifting to shutdown by a key-off operation. Then, the first condition for resetting the first microcomputer is switched to the second condition for sequentially diagnosing whether or not the plurality of monitoring units are operating normally.

Further, in the method for diagnosing an electronic control device for an automobile according to the present invention, the second microcomputer monitors whether or not the first microcomputer has a failure, and the first microcomputer is the second microcomputer. A method of diagnosing a monitoring state of an electronic control device for a vehicle, wherein a plurality of monitoring units of the second microcomputer monitor the presence or absence of the failure for each function of the first microcomputer, The diagnostic unit of the first microcomputer resets the first microcomputer from the first condition when an abnormality is detected in any one of the monitoring units at the timing of shifting to the shutdown by the key-off operation. Then, the monitoring unit is diagnosed by switching to the second condition for sequentially diagnosing whether or not the plurality of monitoring units are normally operating.

According to the present invention, when the second microcomputer has a plurality of monitoring functions for monitoring each function of the first microcomputer, it is possible to provide a technology capable of coping with functional safety measures such as a latent failure.

It is a functional block diagram showing an example of composition of an electronic control unit in this embodiment. It is a flow chart which shows the example of operation of the electronic control unit in this embodiment. It is explanatory drawing which shows an example of the time chart of the electronic control unit in this embodiment. It is explanatory drawing which shows an example of the time chart of the electronic control unit in this embodiment. It is explanatory drawing which shows an example of the time chart of the electronic control unit in this embodiment.

Hereinafter, embodiments for carrying out the present invention will be described in detail with reference to the accompanying drawings.
[Configuration example of the present embodiment]
FIG. 1 is a functional block diagram showing a configuration example of the electronic control device according to the present embodiment. The electronic control unit 1 shown in FIG. 1 is mounted in an automobile, for example, a main microcomputer (hereinafter referred to as “main microcomputer”) 2 and a sub-microcomputer (hereinafter, referred to as “main microcomputer 2”) , "Sub-microcomputer"). Here, the main microcomputer 2 is an example of a first microcomputer, and the sub-microcomputer 3 is an example of a second microcomputer.

The electronic control unit 1 is also connected to a cutoff circuit 4, a power supply circuit 5, and an IGN (Ignition) 6. Further, the electronic control unit 1 is connected to various sensors (not shown), and controls the solenoid of the transmission for TCU (Transmission Control Unit), for example. The electronic control unit 1 is also controlled by an ECU (Engine Control Unit) (not shown) as an example.

The main microcomputer 2 includes a CPU (Central Processing Unit), a RAM (Random Access Memory), an input/output circuit (I/O), and a communication interface (I/F) inside (not shown). Further, the main microcomputer 2 includes a first function F1, a second function F2,..., An nth function Fn, a flash ROM (Read Only Memory) such as a nonvolatile memory 20, a communication unit 21, and a diagnosis unit 22. The main microcomputer 2 is responsible for these functions of the first function F1, the second function F2,... The nth function Fn. Here, in the present embodiment, for convenience of description, the case of n=3 is illustrated as an example, but the present invention is not limited to this.

The first function F1 is, for example, a functional module that performs memory diagnosis such as the nonvolatile memory 20 of the main microcomputer 2 and the RAM. The second function F2 is, for example, a function module that diagnoses the program flow in order to confirm whether or not the main microcomputer 2 is operating in the correct processing order. The third function F3 is, for example, a so-called WDT (Watch Dog Timer) function module. Further, the main microcomputer 2 includes a plurality of ports P21 to P27 for communicating with the sub-microcomputer 3 and a port P28 for controlling the power supply circuit 5.

On the other hand, the sub-microcomputer 3 includes a CPU, a flash ROM, a RAM, an input/output circuit (I/O), and a communication interface (I/F) inside (not shown). Further, the sub-microcomputer 3 is provided with a first monitoring function M1, a second monitoring function M2,... Nth monitoring function Mn as monitoring functions of the changeover switch SW and the main microcomputer 2. Here, in the present embodiment, a case of n=3 is illustrated for convenience of description, but the present invention is not limited to this. Further, the sub-microcomputer 3 has a communication monitoring function C1 and an OR/AND switch S1. The sub-microcomputer 3 also includes a plurality of ports P31 to P37 for communicating with the main microcomputer 2 and a port P38 for controlling the cutoff circuit.

In the sub-microcomputer 3, the first monitoring function M1 monitors the first function F1 by executing, for example, a program that determines whether or not the above memory diagnostic processing is operating properly. The second monitoring function M2 executes, for example, a program for determining whether or not the diagnosis of the program flow of the main microcomputer 2 is operating correctly, and monitors the second function F2. The third monitoring function M3, for example, executes a program that determines whether the WDT is operating properly to monitor the third function F3. The communication monitoring function C1 monitors communication with the main microcomputer 2. Here, each of the first monitoring function M1, the second monitoring function M2, the third monitoring function M3, and the communication monitoring function C1 is an example of a monitoring unit. When these monitoring units detect an abnormality, it determines that the main microcomputer 2 has a failure. The OR/AND switch S1 controls switching of the changeover switch SW.

Here, as a monitoring function process, the sub-microcomputer 3 monitors, for example, at a constant cycle, and detects normality when High and abnormality when Low. Further, the sub-microcomputer 3 causes the communication monitoring function C1 to detect an abnormality due to communication interruption for a predetermined time. The OR/AND switch S1 monitors the data received at the port P35, and switches to the AND condition when it is High and the OR condition when it is Low. The AND condition corresponds to the second condition, and the OR condition corresponds to the first condition. Under the first condition, the main microcomputer 2 is reset and a predetermined fail control is executed, for example, to shift to a safe state when an abnormality is detected.

The cutoff circuit 4 cuts off the supply of power (consumed power) to the solenoid. Here, in this embodiment, when abnormality is detected, the supply of power to the solenoid is cut off and the control is shifted to the fail control.

The power supply circuit 5 executes WAKE processing. The WAKE function logically indicates that the power supply is turned on when it is on the High side, and the power supply is turned off when it is on the Low side. The IGN 6 supplies power to the power supply circuit 5 when the ignition switch is turned on by the ignition key.

In the present embodiment, normally, by the reset process of the sub-microcomputer 3, the sub-microcomputer 3 issues a reset instruction to the main microcomputer 2 via the reset port P27, and the main microcomputer 2 is shut down. However, when an abnormality occurs in the monitoring unit of the sub-microcomputer 3, the main microcomputer 2 shuts itself down.

The communication unit 21 also controls the communication processing of the main microcomputer 2. The diagnosis unit 22 diagnoses whether the first monitoring function M1, the second monitoring function M2, the third monitoring function M3, and the communication monitoring function C1 are operating normally. For example, the diagnosis unit 22 resets the main microcomputer 2 when an abnormality is detected in any one of the monitoring units at the timing of shifting to the shutdown by a key-off operation, and then the first monitoring function M1, It switches to the second condition that sequentially diagnoses whether or not the monitoring units such as the second monitoring function M2, the third monitoring function M3, and the communication monitoring function C1 are operating normally.

Here, when the diagnostic unit 22 detects an abnormality in any one of the monitoring units when the vehicle is traveling, the first condition is applied when even one of the functions of the main microcomputer 2 is abnormal. This is because, in the case of occurrence, from the viewpoint of functional safety, for example, it is possible to immediately shift to fail control. As a means of notifying the driver of the abnormality after the abnormality is detected, for example, a failure warning lamp (lighting a MIL (Malfunction Indication Lamp)) may be used.

On the other hand, when the key-off operation is accepted, the main microcomputer 2 executes the reset of the main microcomputer 2 after confirming that all the monitoring units are normal under the second condition. Therefore, under this second condition, it is possible to guarantee that the plurality of monitoring units of the sub-microcomputer 3 have normally operated at the next key-on operation by shutting down once as a countermeasure against a potential failure from the viewpoint of functional safety. That is, executing the second condition means that when the sub-microcomputer 3 has a plurality of monitoring functions for monitoring each function of the main microcomputer 2, it is possible to cope with functional safety measures such as a latent failure. Hereinafter, the operation process when the key-off operation is received will be described in detail.

[Operation processing of this embodiment]
FIG. 2 is a flowchart showing an operation example of the electronic control unit in the present embodiment. FIG. 3 is an explanatory diagram showing an example of a time chart of the electronic control device according to the present embodiment. In FIG. 3, IGN 6, OR/AND switching S1, first function F1, second function F2, third function F3, communication of the communication unit 21, reset execution timing, and shutdown execution timing via the self-shut port P28 are shown. It is shown schematically. Further, in order to make the explanation easy to understand, timing of the feedback (communication) of the first function F1, the feedback (communication) of the second function F2, and the feedback (communication) of the third function F3 indicating the execution timing of the response state of each function is timing. Shown in the chart. In the following processing, the CPU of the main microcomputer 2 of the main microcomputer 2 executes the processing, and the CPU of the sub microcomputer 3 of the sub microcomputer 3 executes the processing.

Step S101: The main microcomputer 2 determines whether the ignition switch is turned off via the IGN6. When the ignition switch is turned off (step S101: Yes), the process proceeds to step S102 (see time t1 in FIG. 3). If the ignition switch is on (step S101: No), the process of step S101 is repeated. However, although not shown in the flowchart, the diagnosis unit 22 executes the diagnosis of the first condition at a predetermined cycle until the ignition switch is turned on and then turned off.

Step S102: The diagnosis unit 22 of the main microcomputer 2 transmits an instruction command for switching from the OR condition to the AND condition to the sub microcomputer 3. When the sub-microcomputer 3 receives the instruction command, the OR/AND switch S1 switches the circuit of the switch SW from the OR condition to the AND condition (see time t2 in FIG. 3). By this switching, the first condition is changed to the second condition. Here, the diagnosis under the second condition will be referred to as “AND method” below. The sub-microcomputer 3 transmits “AND switching completion” to the main microcomputer 2 as data indicating completion of switching the AND condition unless the timeout occurs.

Step S103: The diagnosis unit 22 shifts to the reception waiting state of “AND switching completion” after the processing of step S102, and determines whether the communication unit 21 has received the data of “AND switching completion”. When the data of "AND switching completion" is received (step S103: Yes), the process proceeds to step S104. On the other hand, when the data of “AND switching completion” is not received (step S103: No), the process proceeds to step S113 described later.

Step S104: The diagnosis unit 22 first checks the plurality of monitoring units (the first monitoring function M1, the second monitoring function M2, the third monitoring function M3) of the sub-microcomputer 3 in order, so that the counter is initialized (X = 1).

Step S105: The diagnostic unit 22 intentionally sets the Xth monitoring target function of the main microcomputer 2 to be abnormal (when X=1, see time t3 in FIG. 3). As a result, the sub-microcomputer 3 diagnoses the function of the Xth monitoring target. The reason why the abnormality is set intentionally is that the presence or absence of the normal operation can be easily determined by whether or not the monitoring unit that monitors the Xth function can detect the abnormality.

Here, as a means for setting an abnormality, for example, in the case of memory diagnosis, data that causes a memory diagnosis error is transmitted from the main microcomputer 2, and if the first monitoring function M1 of the sub-microcomputer 3 is normal, the data An abnormality is detected as a memory diagnosis error based on the above. Then, the diagnostic unit 22 can determine that the first monitoring function M1 is operating normally by receiving the data indicating the memory diagnostic error (abnormality detection) from the sub-microcomputer 3.

If the program flow is diagnosed, the main microcomputer 2 transmits data that causes a program flow diagnosis error. If the second monitoring function M2 of the sub-microcomputer 3 is normal, the program is executed based on the data. Anomalies are detected as flow diagnostic errors. Then, the diagnosis unit 22 can determine that the second monitoring function M2 is operating normally by receiving the data indicating the program flow diagnosis error (abnormality detection) from the sub-microcomputer 3.

Further, in the case of WDT diagnosis, if the WDT is normal, the main microcomputer 2 transmits a pulse signal of a predetermined cycle to the third monitoring function M3, and the third monitoring function M3 transmits the pulse signal in a predetermined cycle. Is received, it is determined to be normal. In this case, when the transmission of the pulse signal is intentionally stopped from the main microcomputer 2 as the abnormality setting, the abnormality is detected if the third monitoring function M3 is normal. Then, the diagnosis unit 22 can determine that the third monitoring function M3 is operating normally by receiving the data indicating the WDT error (abnormality detection) from the sub-microcomputer 3.

Step S106: The diagnosis unit 22 determines, on the sub-microcomputer 3 side, whether or not the monitoring unit corresponding to the function of the X-th monitoring target has succeeded in abnormality detection. When it succeeds (step S106: Yes), the process proceeds to step S107. On the other hand, if it fails (step S106: No), the process proceeds to step S111 described later.

Step S107: The diagnosis unit 22 increments the counter (X=X+1) to check the next monitoring unit.

Step S108: The diagnosis unit 22 determines whether or not the checks of the plurality of monitoring units are completed. When the number of monitoring units set in advance has been checked (step S108: Yes), the process proceeds to step S109. On the other hand, when the check is not completed (step S108: No), the process returns to step S105. The processing flow of steps S105 to S108 will be described below with reference to FIG. That is, for example, when the first monitoring function M1 succeeds in detecting the abnormality of the first function F1, the completion notification is transmitted from the sub-microcomputer 3 to the main microcomputer 2 as feedback (communication) of the first function F1. By receiving the, the diagnosis unit 22 intentionally sets the second function F2 to be abnormal. Hereinafter, similar processing is repeated until the function X (X=3 in the example of FIG. 2).

Step S109: The diagnosis unit 22 intentionally interrupts communication (see time t4 in FIG. 3). In the present embodiment, the last diagnosis of the presence/absence of an abnormality in the communication monitoring function C1 is that the main microcomputer 2 receives feedback of abnormality detection of each function from the sub-microcomputer 3 by communication, as shown in FIG. This is because. As a result, the diagnosis unit 22 can efficiently diagnose the presence or absence of abnormality.

Step S110: The diagnosis unit 22 determines whether or not a time-out has occurred. When the time-out has occurred (step S110: Yes), the process proceeds to step S115 described later. On the other hand, if the timeout has not occurred (step S110: No), the process of step S110 is repeated until the timeout occurs.

Step S111: The diagnosis unit 22 determines whether or not a timeout has occurred after the No determination is made in Step S106. If the time-out has not occurred (step S111: No), the process returns to step S105, but since the function of the monitoring target of the main microcomputer 2 has already been intentionally set abnormally, the process directly proceeds to step S106. Alternatively, the abnormal setting may be reset if necessary. On the other hand, if the timeout has occurred (step S111: Yes), the process proceeds to step S112.

Step S112: The diagnosis unit 22 determines the failure of the Xth monitoring unit. Then, the diagnosis unit 22 records the details of the failure in the non-volatile memory 20.

Step S113: The diagnosis unit 22 determines whether or not a timeout has occurred after the No determination is made in step S103. If the timeout has not occurred (step S113: No), the process returns to step S102, but since the circuit of the changeover switch SW has already been switched from the OR condition to the AND condition, the process directly proceeds to step S103. Alternatively, the OR condition may be switched to the AND condition again if necessary. On the other hand, if the timeout has occurred (step S113: Yes), the process proceeds to step S114.

Step S114: The diagnosis unit 22 determines the failure of the AND switching line (OR/AND switching S1). Then, the main microcomputer 2 records the details of the failure in the non-volatile memory 20.

Step S115: The main microcomputer 2 executes self-shutdown by resetting (see time t5 in FIG. 3). Specifically, the main microcomputer 2 resets the CPU of the main microcomputer 2, and the reset of this CPU causes the self-shut port to go to Low and executes the shutdown. The main microcomputer 2 cuts off the supply of power to the solenoid of the TCU via the cutoff circuit 4 before shutting down, and receives the notification of the diagnosis result from the sub-microcomputer 3 to notify the nonvolatile memory. The diagnostic result is recorded in 20. Then, the process of the flowchart shown in FIG. 2 ends.

As described above, when the diagnostic unit 22 intentionally sets the abnormality, if the route from step S110 to step S115 is followed, all the monitoring functions of the sub-microcomputer 3 are operating normally by executing the abnormality detection processing. That is supported. That is, in this embodiment, it is possible to determine that all the monitoring units are normal by shutting down by resetting.

FIG. 4 is an explanatory diagram showing an example of a time chart of the electronic control device according to the present embodiment. The time chart shown in FIG. 4 illustrates a case where the diagnosis unit 22 detects an abnormality in the monitoring unit (as an example, the second monitoring function M2). In the processing of the second function F2, if the abnormality detection notification cannot be received from the sub-microcomputer 3 even after waiting for a certain time in the processing of the second function F2, the diagnosis unit 22 determines that the second monitoring function M2 has failed. It is determined and recorded to that effect in the non-volatile memory 20 (see "Second Function F2/Fault Record" at times t2 to t3). Then, after the completion of recording in the nonvolatile memory 20, the main microcomputer 2 sets the self-shut port to Low and starts the shutdown at time t3. Note that FIG. 4 illustrates the case where the route of steps S112 to S115 is followed in the process of the flowchart illustrated in FIG.

FIG. 5 is an explanatory diagram showing an example of a time chart of the electronic control device according to the present embodiment. The time chart shown in FIG. 5 is not shown in the process of the flowchart shown in FIG. 2, but illustrates the case where the ignition switch is switched from off to on during diagnosis. More specifically, in FIG. 5, if the ignition switch is switched from OFF to ON after the diagnosis unit 22 interrupts communication, the diagnosis unit 22 causes all the monitoring units (first monitoring function M1) at time t1. ~ For the third monitoring function M3 and the communication monitoring function C1), the "intentional abnormal state" is released. Then, after confirming that all have returned to normal, at time t2, the sub-microcomputer 3 returns the OR/AND switching S1 from the AND condition to the OR condition. As a result, the second condition is switched to the first condition.

As described above, in the present embodiment, the AND method is adopted in order to cope with the functional safety measures such as the latent failure, and it is confirmed that all the monitoring units are normally operating in one shutdown by the process of the above-mentioned flowchart. You can judge.

As a result, by referring to the non-volatile memory 20 at the next startup of the main microcomputer 2, it can be seen that all the monitoring units were operating normally in the previous operation. That is, in order to realize the avoidance of the latent failure by the sub-microcomputer 3, it is necessary to show that the monitoring unit of the sub-microcomputer 3 operates correctly, but in the present embodiment, it can be easily realized.

Although the embodiments disclosed in the present application have been described above with reference to the specification, drawings, etc., the technology disclosed in the present application is not limited to the present embodiments and various modifications can be made without departing from the spirit of the present invention. Is possible.
Further, the execution order of each process such as the operation in the device and method shown in the claims, the specification and the drawings may be performed in any order unless the output result of the previous process is used in the subsequent process. It should be noted that in some cases it may be. For example, in the present embodiment, the order of diagnosis of the first monitoring function M1, the second monitoring function M2, and the third monitoring function M3 may be changed.

[Supplementary Items of the Above Embodiment]
(1) In the above embodiment, in FIG. 2, when an abnormality occurs in any one of the monitoring units, the fact is recorded in the non-volatile memory 20 and the system is shut down, but the present invention is not limited to this. For example, in the above-described embodiment, after checking the presence/absence of an abnormality in all the monitoring units, the fact that the abnormality has occurred may be recorded in the non-volatile memory 20 and then shut down. In this way, it is possible to detect an abnormality in a plurality of monitoring units with one shutdown.
(2) In the above embodiment, no particular reference is made to the case where the main microcomputer 2 resets itself after switching to the AND condition during the diagnosis under the second condition, but in this case, the diagnosis is stopped. Then, self-shutdown may be performed.
(3) In the above embodiment, the presence/absence of abnormality of the communication monitoring function C1 is finally diagnosed, and whether or not the communication monitoring function C1 actually fails is not shown in the flowchart. Therefore, in the above embodiment, for example, the order of diagnosis is as follows: nth monitoring function→communication monitoring function C1→(n+1)th monitoring function and nth monitoring function→(n+1)th monitoring function→communication monitoring function C1. Alternatively, the presence/absence of abnormality may be determined by executing the processes alternately.
(4) In the above-described embodiment, the power supply to the solenoid of the transmission is cut off as a control at the time of abnormality, and the control is shifted to the fail control. However, the present invention is not limited to this, and as the control at the time of abnormality, for example, it is applied to the control of the electrically controlled throttle such as the restriction of the electrically controlled throttle opening (maximum opening, change speed/change rate, especially on the opening side), You may make it transfer to fail control. Therefore, the diagnostic method of the above embodiment has general versatility.
(5) In the above-described embodiment, the case where the main microcomputer 2 and the sub-microcomputer 3 are built in the electronic control unit 1 has been described, but the electronic control unit may be configured such that the sub-microcomputer 3 is externally attached. Well, both have similar effects.

DESCRIPTION OF SYMBOLS 1... Electronic control device 2... Main microcomputer 3... Sub microcomputer 22... Diagnostic part F1... 1st function F2... 2nd function F3... 3rd function C1... Communication monitoring function M1... 1st monitoring function M2... 2nd monitoring function M3 …Third monitoring function

Claims (5)

An electronic control unit for an automobile, wherein a second microcomputer monitors whether or not there is a failure in the first microcomputer, and the first microcomputer diagnoses a monitoring state of the second microcomputer.
The second microcomputer includes a plurality of monitoring units that monitor the presence or absence of the failure for each function of the first microcomputer,
The first microcomputer includes a diagnostic unit that diagnoses whether the plurality of monitoring units are operating normally,
The diagnostic unit resets the first microcomputer when an abnormality is detected in any one of the monitoring units at the timing of shifting to the shutdown by the key-off operation , and then the plurality of monitoring units are set. An electronic control unit for an automobile, characterized by switching to a second condition for sequentially diagnosing whether or not the parts are operating normally. The said 1st microcomputer is a main microcomputer which carries out the said function, The said 2nd microcomputer is a sub-microcomputer which monitors the presence or absence of the said failure, The claim 1 characterized by the above-mentioned. Electronic control unit for automobiles. Under the second condition, the diagnosis unit diagnoses whether or not the monitoring unit detects the abnormality by setting the function of each of the main microcomputers to an abnormal setting. An electronic control unit for an automobile according to claim 2. The diagnostic unit finally diagnoses the presence or absence of an abnormality in a monitoring unit that monitors communication between the main microcomputer and the sub microcomputer under the second condition. An electronic control unit for an automobile according to claim 2 or claim 3. A diagnostic method for an electronic control unit for an automobile, wherein a second microcomputer monitors whether or not there is a failure in the first microcomputer, and the first microcomputer diagnoses a monitoring state of the second microcomputer. ,
A plurality of monitoring units of the second microcomputer monitor the presence or absence of the failure for each function of the first microcomputer;
The diagnostic unit of the first microcomputer resets the first microcomputer when an abnormality is detected in any one of the monitoring units at a timing of shifting to shutdown by a key-off operation. Then, the method for diagnosing the electronic control unit for a vehicle is characterized by switching to a second condition for sequentially diagnosing whether or not the plurality of monitoring units are operating normally and diagnosing the monitoring units.