JP2003222053A - Electronic control unit for vehicle - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To properly specify the content of abnormality. <P>SOLUTION: An engine ECU 10 includes a control CPU 11 which carries out vehicle control and a supervisory CPU 12 which is communicably connected to the control CPU 11. The supervisory CPU 12 supervises a communication state with the control CPU 11. When abnormality occurs in communication, the supervisory CPU memorizes that effect and applies reset to the control CPU 11. The supervisory CPU 12 carries out monitoring of WD pulse output from the control CPU 11 and performs abnormality detection from the periodicity. When abnormality occurs in the WD pulse, the supervisory CPU memorizes that effect. With such constitution as described above, when the communication abnormality detection time is expressed by X and the WD pulse abnormality detection time is expressed by Y, the abnormality detection times X, Y are determined to satisfy the relation of X≥Y. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a vehicular electronic control device having a control CPU and a monitoring CPU, and more particularly to a process for appropriately monitoring an abnormality of the control CPU.

[0002]

2. Description of the Related Art An electronic control unit (in-vehicle ECU) for a vehicle that controls an in-vehicle engine or the like is provided with a control CPU for performing vehicle control and a monitoring CPU for monitoring the operation of the control CPU. is there. For example, in recent years C
A configuration has been proposed in which one control CPU performs engine control (injection / ignition control) and electronic throttle control by increasing the functionality and capacity of the PU. In this case, the control CP
The monitoring CPU communicatively connected to U monitors the control CPU to determine whether electronic throttle control or the like is functioning normally.

Further, in the vehicle electronic control device having the above-mentioned configuration, the control CPU and the monitoring CPU periodically communicate with each other. Then, the monitoring CPU determines that the communication from the control CPU is abnormal when the communication from the control CPU is interrupted for a predetermined time,
The history of occurrence of the abnormality is stored. In general, the operation of the control CPU is monitored by the watchdog monitoring circuit, and the reset output from the watchdog monitoring circuit resets the control CPU when communication is abnormal. That is, the control CPU receives the monitoring CP in response to the communication abnormality.
If U is repeatedly reset and communication is still not recovered, the output of the WD pulse (watchdog pulse) is stopped. Then, the control CPU is controlled by the watchdog monitoring circuit.
Is reset. However, in this case, since it takes time from the occurrence of the communication abnormality to the CPU reset, it is considered to add a function of resetting the control CPU by the monitoring CPU when the communication abnormality occurs.

Further, it has been considered that the WD pulse transmitted from the control CPU to the watchdog monitoring circuit is also taken into the monitoring CPU and the monitoring CPU monitors the WD pulse, that is, the state of the control CPU. In this case, control C
When the WD pulse is stopped during the runaway of the PU, the abnormality occurrence is detected by the monitoring CPU, and the history of the abnormality is stored.

However, assuming that the control CPU runs out of control in the electronic control device having the above-mentioned configuration, both the communication abnormality and the WD pulse output abnormality occur in the control CPU, and these abnormality information are appropriately stored and held. The problem arises that you can't. Specifically, if a communication abnormality is first detected, the control CPU is reset by the monitoring CPU at that time, and it cannot be stored that the WD pulse output is abnormal.
Therefore, even when the CPU runs out of control, there may be a case in which only the communication abnormality can be recognized.

[0006]

SUMMARY OF THE INVENTION The present invention has been made in view of the above problems, and an object of the present invention is to provide an electronic control device for a vehicle capable of appropriately specifying an abnormality content. Is to provide.

[0007]

In the electronic control unit for a vehicle of the present invention, the monitoring CPU monitors the communication state with the control CPU, stores the fact when communication is abnormal, and resets the control CPU. 1 abnormality detection means). Further, the monitoring CPU monitors the watchdog pulse output from the control CPU, detects the abnormality from its periodicity, and stores the fact when the watchdog pulse is abnormal (second abnormality detecting means). In such a case, in the invention according to claim 1, when the abnormality detection time by the first abnormality detection means is X and the abnormality detection time by the second abnormality detection means is Y, the abnormality is satisfied such that X ≧ Y. The detection times X and Y are defined.

According to the above configuration, if the control CPU is in an abnormal state (runaway state) and both the communication and the watchdog pulse output are stopped, the occurrence of the watchdog pulse abnormality is detected first when the abnormality detection time Y has elapsed. Then, the fact is stored. After that, when the abnormality detection time X has elapsed, the occurrence of communication abnormality is detected and stored, and the control CPU is reset. That is, the watchdog pulse abnormality and the communication abnormality are surely stored, and the content of the abnormality can be properly specified. By the way, at the time of CPU runaway,
It is desirable that the watchdog pulse abnormality is detected with priority over the communication abnormality.

According to another aspect of the invention, the watchdog monitoring circuit inputs a watchdog pulse from the control CPU, and when the watchdog pulse is interrupted for a predetermined monitoring time Z, a reset signal is sent to the control CPU. Output. In this configuration, the abnormality detection time X by the first abnormality detection means and the monitoring time Z by the watchdog monitoring circuit are defined so as to satisfy the relationship of X≤Z.

In this case, when the communication and the watchdog pulse output are both stopped due to the runaway of the control CPU, the occurrence of the communication abnormality is detected by the monitoring CPU until the reset output by the watchdog monitoring circuit at the latest, and the fact is stored. It Therefore, the abnormality information of the control CPU can be surely stored and held.

Further, in the invention described in claim 3, similarly to the above, the abnormality detection time by the first abnormality detection means is X,
When the abnormality detection time by the abnormality detection means is defined as Y, the abnormality detection times X and Y are defined so as to satisfy the relation of X <Y, and the monitoring CPU sets the abnormality detection time when the communication abnormality is detected by the first abnormality detection means. At this point, it is determined whether the reset output to the control CPU is appropriate, and the reset output is limited according to the result.

According to the invention of claim 3, the abnormality detection time X,
Although the definition of Y is opposite to that of claim 1, the control CPU is not unconditionally reset when a communication error is detected, but the reset output is limited according to the suitability of each case. Therefore,
For example, when the control CPU goes out of control and both communication and watchdog pulse output are stopped, the reset output at the time of communication abnormality detection is limited, and as a result, the watchdog pulse abnormality and the communication abnormality are reliably stored.

According to the third aspect of the invention, as described in the fourth aspect, the monitoring CPU estimates the normality / abnormality of the watchdog pulse at the time when the communication abnormality is detected by the first abnormality detecting means. If it is suspected that an abnormality has occurred, it is preferable not to reset the control CPU. In short, when it is estimated that the watchdog pulse is abnormal when the communication abnormality is detected, the fact that the watchdog pulse is abnormal may be stored when the abnormality detection time Y thereafter elapses. Therefore, the control CPU is reset. Limited. As a result, the watchdog pulse abnormality and the communication abnormality can be surely stored.

According to the fifth aspect of the invention, the abnormality detection time Y by the second abnormality detection means and the monitoring time Z by the watchdog monitoring circuit are defined so as to satisfy the relationship of Y≤Z. In this case, when the watchdog pulse is stopped, the watchdog CPU detects the occurrence of the watchdog pulse abnormality by the reset output of the watchdog monitor circuit at the latest, and the fact is stored. Therefore, the abnormality information of the control CPU can be surely stored and held.

[0015]

BEST MODE FOR CARRYING OUT THE INVENTION (First Embodiment) A first embodiment of the present invention will be described below with reference to the drawings. In the present embodiment, the present invention is embodied in an engine ECU as a vehicle electronic control device, and FIG. 1 shows the configuration of the engine ECU.

In FIG. 1, an engine ECU 10 carries out monitoring control of operations of a control CPU (main CPU) 11 for carrying out engine injection control, ignition control and electronic throttle control, and control CPU 11 including electronic throttle control. Monitoring CPU (sub CPU) 1 for
2 and a WD circuit 13 for monitoring the operation of the control CPU 11. The control CPU 11 controls the engine speed,
Engine operation information such as intake pipe pressure and throttle opening is input from various sensors at any time, and the drive of injectors, igniters, throttle actuators, etc. (not shown) is controlled based on the operation information. In addition, the control CPU 11
Performs monitoring control for monitoring the operation of the monitoring CPU 12. That is, the monitoring CPU 12 is the control CPU 11
, The control CPU 11 outputs a reset signal to the monitoring CPU 12 when the WD pulse from the monitoring CPU 12 has not been reversed for a predetermined time or longer.

The control CPU 11 and the monitoring CPU 12 are connected to each other so that they can communicate with each other, and the control CPU 11 sends to the monitoring CPU 12 throttle control data such as throttle opening, accelerator opening, and failsafe execution flag. . At this time, the monitoring CPU from the control CPU 11
Data is normally transmitted to the PU 12 at a constant cycle, and the monitoring CPU 12 monitors the communication state from the control CPU 11. In addition, the monitor CPU 12 monitors the throttle control state based on the content of the received data. Then, the monitoring results are returned to the control CPU 11.

The control CPU 11 executes a predetermined fail-safe process when an abnormality occurs according to the monitoring result of the monitoring CPU 12. Specifically, as fail-safe processing, in order to realize evacuation travel (limp home) of the vehicle, reduction cylinder control that suspends fuel injection of some cylinders, ignition retard control that retards ignition timing, etc. are performed. .

The control CPU 11 also outputs to the WD circuit 13 a WD pulse which is inverted at a predetermined cycle. WD
The circuit 13 constitutes a "watchdog monitoring circuit" and outputs a reset signal to the control CPU 11 when the WD pulse from the control CPU 11 has not been inverted for a predetermined time or longer.

The WD pulse output from the control CPU 11 to the WD circuit 13 is also input to the monitoring CPU 12. The monitoring CPU 12 determines whether or not there is a predetermined edge (for example, a falling edge) of the WD pulse, and when the predetermined edge is not detected for a predetermined time or more, that is, when the WD pulse is not inverted for a predetermined time or more, the WD pulse output of the control CPU 11 is output. Determine that it has stopped.

The monitoring CPU 12 is provided with a memory 12a. When a communication abnormality of the control CPU 11 or a WD pulse output abnormality (WD abnormality) is detected, the history information thereof is stored in the memory 12a. There is. The memory 12a is a memory such as an EEPROM or a standby RAM that can store and retain the contents even when the power is cut off.

In this embodiment, in particular, the monitoring CPU 12 can directly reset the control CPU 11, and if the communication with the control CPU 11 is not performed correctly, the monitoring CPU 12 sends the control CPU 11 a reset. Output a reset signal. Further, when the control CPU 11 is reset by either the WD circuit 13 or the monitoring CPU 12, the monitoring CPU 12 is also reset in association with it.

Further, in this embodiment, the abnormality detection time for the monitoring CPU 12 to detect the communication abnormality of the control CPU 11 is X.
(Ms), the abnormality detection time for the monitoring CPU 12 to detect the WD abnormality of the control CPU 11 is Y (ms), and the abnormality detection time for the WD circuit 13 to detect the WD abnormality of the control CPU 11 is Z.
(Ms). In this case, the respective times are set so that the respective abnormality detection times X, Y, Z have a relationship of Y <Z <X. Specifically, in this embodiment, X =
100 ms, Y = 16 ms, Z = 24 ms.

Next, the outline of the operation monitoring of the control CPU 11 of the engine ECU 10 having the above-mentioned configuration will be described. Below, the flowcharts of FIGS.
This is the second process, and the operation of the control CPU 11 is monitored by these processes.

FIG. 2 is a flow chart showing the communication abnormality detection processing for detecting the communication abnormality of the control CPU 11, and this processing is carried out by the monitoring CPU 12 every 2 ms, for example. It should be noted that this processing corresponds to the "first abnormality detecting means" described in the claims.

In FIG. 2, first in step 101,
It is determined whether or not communication data has been received from the control CPU 11, and if so, the communication monitoring counter is cleared to 0 in step 102. If not received, the communication monitoring counter is incremented by 1 in step 103.

After that, in step 104, it is judged whether or not the communication monitoring counter has become larger than a value corresponding to X (ms), and if NO, the present process is terminated. If YES, the communication abnormality history is stored in the memory (standby RAM) 12a in step 105, and the control CPU 11 is reset in step 106.

FIG. 3 is a flowchart showing the WD pulse abnormality detection processing. This processing is performed by the monitoring CPU 12
Is performed every 2 ms, for example. It should be noted that this processing corresponds to the "second abnormality detecting means" described in the claims.

In FIG. 3, first in step 201,
It is determined whether or not the falling edge of the WD pulse is detected. If detected, the WD monitoring counter is cleared to 0 in step 202, and the WD abnormality history is cleared in step 203. If the falling edge of the WD pulse is not detected, the WD monitoring counter is incremented by 1 in step 204.

After that, in step 205, it is judged whether or not the WD monitoring counter has become larger than a value corresponding to Y (ms), and if the result is NO, the present process is terminated. If YES, the WD abnormality history is stored in the memory (standby RAM) 12a in step 206.

FIG. 4 is a flow chart showing the initial processing by the monitoring CPU 12. In FIG. 4, first, in step 301, it is determined whether or not there is a WD abnormality history in the memory 12a, and if there is a WD abnormality history, step 302
The processes of to 305 are executed. That is, step 302
Then, the WD abnormality counter is incremented by 1, and in the subsequent step 303, the WD abnormality history is cleared. Also,
In step 304, it is determined whether or not the WD abnormality counter is larger than a predetermined value (2 in this embodiment), and YES.
Only in the case of, the process proceeds to step 305, and the diagnostic output indicating the WD abnormality (CPU abnormality) is executed.

Thereafter, in step 306, the memory 12
Whether or not there is a communication abnormality history in a is determined, and if there is a communication abnormality history, the processes of steps 307 to 310 are executed. That is, in step 307, the communication abnormality counter is incremented by 1, and in the following step 308, the communication abnormality history is cleared. Further, in step 309, it is determined whether or not the communication abnormality counter is larger than a predetermined value (2 in the present embodiment), and if YES, the process proceeds to step 310 to perform a diagnostic output indicating a communication abnormality.

The counter values of communication error and WD error are I
It is deleted when the G switch is turned off. That is, monitoring C
The PU 12 executes the processing of FIG. 5 when the IG switch is off. In this case, the monitoring CPU 12 clears the communication abnormality counter in step 401, and clears the WD abnormality counter in step 402. Further, the communication abnormality history is cleared in step 403, and the WD abnormality history is cleared in step 404.

In short, according to the processing of FIGS. 4 and 5, the diagnosis output is performed when the WD abnormality or the communication abnormality occurs twice or more in one trip (between ON and OFF of the IG switch). At the time of the diagnostic output, the control CPU 11 carries out a predetermined fail-safe process. That is, the cut-off cylinder control, the ignition retard control, etc. are executed to perform the evacuation travel.

Next, the state of abnormality monitoring will be described more specifically with reference to the time chart of FIG. 6 shows the control CPU
It is assumed that 11 is in a runaway state, and the control CPU 11 runs out of control after timing t1 in the figure.

In FIG. 6, before the timing t1, the control CPU 11 periodically (4 ms) from the monitoring CPU 12 to the monitoring CPU 12.
Communication data is transmitted every time, and a fixed period (8 m
The WD pulse is inverted every (s cycles). At this time, the WD monitoring counter and the communication monitoring counter change to values near 0. Of course, no abnormality history is stored.

At timing t1, communication and WD pulse output are stopped due to the runaway of the control CPU 11. As a result, the WD monitoring counter and the communication monitoring counter are gradually counted up, and the WD abnormality history is stored in the memory 12a at the timing t2 when the abnormality detection time Y has elapsed.

After that, at the timing t3 when the abnormality detection time Z has elapsed, the WD circuit 13 outputs a reset signal to the control CPU 11. As a result, the control CP
U11 is reset and continues to monitor CPU12
Is also reset. After that, at timing t4, each CPU
When 11 and 12 are restarted, the WD abnormality history in the memory 12a is cleared and the WD abnormality counter is incremented by one. After the timing t4, when the control CPU 11 returns to the normal state as shown in the figure, the WD monitoring counter and the communication monitoring counter again change to values near 0.

In the above-mentioned FIG. 6, since the relation of Y <Z is satisfied, the monitoring CPU is operated before the reset output by the WD circuit 13.
With 12, the WD abnormality history can be reliably stored and retained. Also, Y
Because of the relationship of <X, there is no inconvenience that the control CPU 11 is reset due to the communication abnormality before the WD abnormality history is stored. From this, it can be said that the WD abnormality history can be reliably stored and held.

Although illustration is omitted, when the communication is stopped and the WD pulse is normal in the control CPU 11, only the communication monitoring counter is gradually incremented. Then, when the value of the communication monitoring counter reaches a value equivalent to X,
The communication abnormality history is stored in the memory 12a and is monitored C
The control CPU 11 is reset by the PU 12.

On the contrary, when the control CPU 11 stops the WD pulse and the communication becomes normal, only the WD monitoring counter is gradually incremented. Then, similar to FIG. 6, when the value of the WD monitoring counter reaches a value corresponding to Y, the WD abnormality history is stored in the memory 12a.
Furthermore, when the abnormality detection time Z has passed from the WD abnormality, the WD
The control CPU 11 is reset by the circuit 13.

According to the present embodiment described in detail above, since the abnormality detection times X, Y, Z are defined in the relation of "Y <Z <X", the WD pulse abnormality and the communication abnormality are caused even when the control CPU 11 runs out of control. And are reliably stored, and the content of the abnormality can be properly specified.

By properly identifying the details of the abnormality, the subsequent fail-safe processing can be properly performed.
That is, it is possible to take appropriate measures depending on whether the communication is abnormal or the WD pulse is abnormal (CPU abnormality).

In the above configuration, each abnormality detection time X, Y, Z
Was defined as the relationship of "Y <Z <X", but this was changed,
It is also possible to specify the relationship of “Y <X <Z”. That is, the magnitude relationship between the abnormality detection times X and Z is reversed (X <
Z). The time chart in this case is shown in FIG.
Similar to FIG. 6, FIG. 7 shows the operation of the control CPU 11 during a runaway.

In FIG. 7, the timing t is the same as in FIG.
At 11, the communication of the control CPU 11 and the WD pulse output are stopped. As a result, the WD monitoring counter and the communication monitoring counter are gradually counted up, and the WD abnormality history is stored in the memory 1 at the timing t12 when the abnormality detection time Y has elapsed.
2a.

Thereafter, at the timing t13 when the abnormality detection time X has elapsed, the communication abnormality history is stored in the memory 12a. Then, at this timing t13, the monitoring CPU 12 resets the control CPU 11. After that, when the CPUs 11 and 12 are restarted at the timing t14, the WD abnormality history and the communication abnormality history in the memory 12a are cleared, and the WD abnormality counter and the communication abnormality flag are each incremented by one.

When the relation of "Y <X <Z" is defined as described above, both the WD abnormality and the history of the communication abnormality can be surely stored when both the communication and the WD pulse output are stopped due to the runaway of the control CPU 11. .

(Second Embodiment) Next, a second embodiment of the present invention will be described focusing on the differences from the above-described first embodiment. In the present embodiment, the abnormality detection times X and Y are defined as "X>Y", but this magnitude relationship is reversed (assuming X <Y). In this case, by setting X <Y, there is a concern that a communication abnormality may be detected first when the control CPU 11 runs out of control as described above, and reset may be applied before the WD abnormality history is stored. Then, when the communication abnormality is detected, it is determined whether or not the control CPU 11 can be reset at that time. That is, the reset output is permitted or prohibited depending on the result of the determination. As a result, it is possible to properly identify the details of the abnormality.

FIG. 8 is a flow chart showing the communication abnormality detection processing according to the present embodiment. This processing is the same as in FIG.
Will be implemented. The process of FIG. 8 is obtained by adding step 501 to the process of FIG.

In short, in FIG. 8, the communication monitoring counter is X.
When it becomes larger than the value corresponding to (ms), the communication abnormality history is stored in the memory 12a (steps 104 and 10).
5). Then, in step 501, it is estimated whether the WD pulse is normal at that time. At this time, WD
The normality / abnormality of the WD pulse is inferred from the confirmation of the pulse edge. When it is estimated that the WD pulse is not normal, this processing is ended as it is. When it is estimated that the WD pulse is normal, the process proceeds to step 106,
The control CPU 11 is reset.

FIG. 9 shows a time chart corresponding to the processing of FIG. FIG. 9 shows a control CPU similar to FIG. 6 and the like.
11 shows the operation at the time of runaway. In FIG. 9, the communication of the control CPU 11 and the WD are performed at the timing t21 as in FIG.
The pulse output is stopped, and the WD monitoring counter and the communication monitoring counter are gradually counted up. Then, the communication abnormality history is stored in the memory 12a at the timing t22 when the abnormality detection time X has elapsed. At this time, the normality / abnormality of the WD pulse is inferred, and if it is inferred that the WD is abnormal, the monitoring C
The control CPU 11 is not reset by the PU 12 (state shown in the figure).

Thereafter, the WD abnormality history is stored in the memory 12a at the timing t23 when the abnormality detection time Y has elapsed.
Further, at timing t24 when the abnormality detection time Z has passed, WD
The control CPU 11 is reset by the circuit 13. After that, when the CPUs 11 and 12 are restarted at the timing t25, the WD abnormality history and the communication abnormality history in the memory 12a are cleared, and the WD abnormality counter and the communication abnormality flag are each incremented by one.

However, when it is estimated that the WD pulse is normal at the timing t22, the timing t22
The control CPU 11 is reset by. Incidentally, when the WD pulse abnormality is erroneously estimated at the timing t22, the control CPU 11 is not reset at that time, but the control CPU 11 is reset when the next communication abnormality is detected.

In short, when it is estimated that the WD pulse is abnormal when the communication abnormality is detected, the subsequent abnormality detection time Y
There is a possibility that the fact that the WD pulse is abnormal is stored after the passage of, and therefore the reset of the control CPU 11 is limited. As a result, the WD pulse abnormality and the communication abnormality can be surely stored.

In the second embodiment, when the communication abnormality is detected, the normality / abnormality of the WD pulse is estimated and the reset output to the control CPU 11 is limited according to the result, but this configuration is changed. For example, when a communication abnormality is detected, the control CP is controlled according to a past abnormality history (communication or WD abnormality history).
The reset output to U11 may be limited.

When defining the abnormality detection times X, Y, Z, the magnitude relation may be defined so as to include equals such as X ≧ Y, X ≦ Z, Y ≦ Z. In short, even if the abnormality detection time is the same, it is only necessary to reliably store information such as abnormality history.

It is also possible to integrate the monitoring CPU 12 and the WD circuit 13 into one IC and integrate them. in this case,
The cost of the engine ECU 10 can be reduced.

In each of the above-described embodiments, the control CPU 11 has a combination of the engine control function and the electronic throttle control function in the vehicle, but this configuration is changed. For example, a CPU for engine control (main CP
U) and a CPU (sub CPU) for electronic throttle control may be separately provided. Also in this case, the desired effect can be obtained by defining each abnormality detection time as described above.

[Brief description of drawings]

FIG. 1 is a configuration diagram showing an outline of an engine ECU according to an embodiment of the invention.

FIG. 2 is a flowchart showing communication abnormality detection processing by the monitoring CPU.

FIG. 3 is a flowchart showing WD abnormality detection processing by the monitoring CPU.

FIG. 4 is a flowchart showing initial processing by the monitoring CPU.

FIG. 5 is a flowchart showing the processing when the monitoring CPU turns off IGSW.

FIG. 6 is a time chart showing the operation of the control CPU during a runaway.

FIG. 7 is a time chart showing the operation of the control CPU during a runaway.

FIG. 8 is a flowchart showing communication abnormality detection processing by the monitoring CPU according to the second embodiment.

FIG. 9 is a time chart showing the operation of the control CPU during a runaway.

[Explanation of symbols]

10 ... Engine ECU, 11 ... Control CPU, 12 ... Monitoring CPU, 12a ... Memory, 13 ... WD circuit.

   ─────────────────────────────────────────────────── ─── Continued front page    (72) Inventor Takehiro Jomukai             1 Toyota Town, Toyota City, Aichi Prefecture Toyota Auto             Car Co., Ltd. F-term (reference) 3G084 BA05 DA26 DA27 DA28 EB06                       EB22 EB24

Claims (5)

[Claims] 1. An electronic control device for a vehicle, comprising: a control CPU for performing vehicle control; and a monitoring CPU communicatively connected to the control CPU, wherein the monitoring CPU monitors a communication state with the control CPU. If the communication abnormality occurs, the first abnormality detecting means for storing the fact and resetting the control CPU, and the watchdog pulse output from the control CPU are monitored to detect the abnormality from the periodicity of the watchdog pulse abnormality. Sometimes, a second abnormality detecting means for storing that effect is provided, and when the abnormality detecting time by the first abnormality detecting means is X and the abnormality detecting time by the second abnormality detecting means is Y, X ≧ Y An electronic control unit for a vehicle, characterized in that the abnormality detection times X and Y are defined so as to satisfy the above relationship. 2. A watchdog monitoring circuit for inputting a watchdog pulse from the control CPU and outputting a reset signal to the control CPU when the watchdog pulse is interrupted for a predetermined monitoring time Z, further comprising the first abnormality. The vehicle electronic control device according to claim 1, wherein the abnormality detection time X by the detection means and the monitoring time Z by the watchdog monitoring circuit are defined so as to satisfy the relationship of X≤Z. 3. An electronic control device for a vehicle, comprising: a control CPU for performing vehicle control; and a monitoring CPU communicatively connected to the control CPU, wherein the monitoring CPU monitors a communication state with the control CPU. If the communication abnormality occurs, the first abnormality detecting means for storing the fact and resetting the control CPU, and the watchdog pulse output from the control CPU are monitored to detect the abnormality from the periodicity of the watchdog pulse abnormality. And a second abnormality detecting means for storing the fact, wherein X is the abnormality detecting time by the first abnormality detecting means and Y is the abnormality detecting time by the second abnormality detecting means. The abnormality detection times X and Y are defined so as to satisfy the above relationship, and the monitoring CPU resets to the control CPU at the time when the first abnormality detection means detects a communication abnormality. Determining the appropriateness of bets output, vehicle electronic control unit, characterized in that to limit the reset output accordingly. 4. The monitoring CPU resets the control CPU when the normality / abnormality of the watchdog pulse is inferred at the time when the communication abnormality is detected by the first abnormality detection means The vehicle electronic control unit according to claim 3, wherein the electronic control unit is not provided. 5. A watchdog monitoring circuit for inputting a watchdog pulse from the control CPU and outputting a reset signal to the control CPU when the watchdog pulse is interrupted for a predetermined monitoring time Z, the second abnormality detection. The vehicle electronic control device according to any one of claims 1 to 4, wherein the abnormality detection time Y by means and the monitoring time Z by the watchdog monitoring circuit are defined so as to satisfy the relationship of Y≤Z.