JP2009157512A - Electronic control unit, fault diagnosis system, and method for diagnosing failure of electronic control unit - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a flexible electronic control unit capable of appropriately achieving a process for dispersing control tasks, particularly a process for dispersing self-diagnosis tasks, even if a request for starting control tasks is delayed. <P>SOLUTION: The electronic control unit ECU 1a for controlling a device to be controlled by executing control tasks in synchronization with corresponding events includes a loaded state determining unit for monitoring the state of computing loads of each event and a task dispersion process unit for requesting another electronic control unit ECU 1b to take over the execution of a self-diagnosis task included in an event in a highly loaded state, and for requesting the results of execution of the self-diagnosis task to be collected when the state of computing loads of the event corresponding to the self-diagnosis task is eased. The task dispersion process unit supplies diagnosis standard information to the electronic control unit ECU 1b at a predetermined interval, the diagnosis standard information including the current data needed to take over the execution of the self-diagnosis task. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an electronic control apparatus that controls a device to be controlled by executing a plurality of processes including an abnormality detection process, an abnormality diagnosis system that is executed by the electronic control apparatus, and an abnormality diagnosis method for the electronic control apparatus.

  In recent years, electronic control units (hereinafter also referred to as “ECUs”) equipped with microcomputers for controlling control target devices such as engines and brakes mounted on vehicles have driving performance, fuel consumption, and emission performance. A control program composed of various control tasks for improving the above is incorporated in the microcomputer, and the microcomputer is configured to execute each control task in synchronization with an event corresponding to each control task. .

  In particular, in the ECU that controls the engine, various control tasks are executed in response to the occurrence of events such as a pulse interrupt such as a crank pulse signal, an AD conversion interrupt, and a plurality of timer interrupts having different intervals.

  Each of these events has a priority order, and control tasks corresponding to high priority events such as pulse interrupt processing are executed preferentially. When a transition is made to a high load state in which the interrupt cycle becomes shorter, the execution cycle of the control task for an event with a lower priority becomes longer.

  Multiple self-diagnostic tasks are included as control tasks corresponding to low priority events to determine the abnormality or normality of various controlled devices. However, if the self-diagnostic task execution cycle becomes long, proper judgment cannot be made. As a result, there is a possibility that the above-described various performances may be deteriorated without proper control.

  For this reason, if the ECU is configured by adopting a microcomputer with a high processing speed so that a control task corresponding to an event with a low priority is executed even in a high load state, there is an inconvenience that the component cost increases. appear. Further, if the evolution of the performance of the microcomputer does not follow the increase in the control task, the same problem occurs even if an expensive microcomputer is employed.

  In order to cope with such a problem, Patent Document 1 discloses that in a vehicle communication system in which a plurality of ECUs are connected via a network, each control device is efficiently operated to increase the operation rate of the entire control device. In order to make effective use of the resources of each control device, the control program executed by each ECU is divided into a unique task that is a unit program unique to each ECU and a unit program that can be executed by any ECU. As one of the ECUs that are divided into two types of float tasks and connected to the network, the processing load of each ECU is monitored via the network. There has been proposed a vehicle communication system provided with a task control device for executing the above.

Patent Document 2 aims to provide a load distribution system that guarantees real-time performance by efficiently operating each ECU in a distributed control system in which a plurality of ECUs are connected via a network while guaranteeing real-time performance. As each ECU has a task management list activated as a task to be executed by itself, each ECU determines whether all tasks in the task management list can satisfy a deadline or a task cycle, When it is determined that the task cannot be satisfied, a task that can be executed by satisfying the deadline or task cycle in another ECU is selected from the tasks included in the task management list, and the task is executed by the other ECU. A distributed control system has been proposed.
JP 2004-38766 A JP 2006-134203 A

  However, in the vehicle communication system described in Patent Document 1, a float task execution program is stored in the task control device, and the task control device reduces the processing load of the float task execution program according to the vehicle state and the like. The system is configured to transfer the float task to an executable ECU and cause the ECU to execute the float task, so that the system selects the ECU that executes the float task according to a preset priority order. Accordingly, a dedicated task control device has to be constructed, and there is a problem that it is not versatile and cannot be flexibly handled.

  Further, in the distributed control system described in Patent Document 2, the ECU performs task scheduling based on a task activation request, and determines whether or not a deadline or a task cycle can be satisfied. There is a problem that load distribution cannot be performed properly when a task execution request is requested and the task activation request itself is not accepted.

  For example, when a priority order is assigned to each event and a control task corresponding to a high priority event such as pulse interrupt processing is configured to be executed preferentially, it corresponds to a low priority event. The activation request for the control task is delayed.

  Furthermore, since the result of the task executed by another ECU is returned at the end timing, there is a problem that the requesting ECU may not be able to process.

  In view of the above-described conventional problems, an object of the present invention is to flexibly realize control task distribution processing, particularly self-diagnosis task distribution processing, even when the activation request for the control task is delayed. A rich electronic control device, abnormality diagnosis system, and abnormality diagnosis method for the electronic control device are provided.

  In order to achieve the above-described object, a characteristic configuration of an electronic control device according to the present invention is an electronic control device that controls a device to be controlled by executing a plurality of processes including an abnormality detection process. When it is determined that the storage unit for storing related information and the calculation load of the plurality of processes is higher than a first predetermined value, request an alternative process of the abnormality detection process to another electronic control unit, When it is determined that the calculation load of the plurality of processes is lower than the second predetermined value, the other electronic control device is requested to transmit the abnormality detection result of the requested abnormality detection process, and the abnormality detection result is And a control unit to be stored in the storage unit.

  The control unit stores information related to the plurality of processes in the storage unit, and when the calculation load of the plurality of processes is higher than the first predetermined value and the process cannot be performed smoothly, the alternative process of the abnormality detection process Is received from the other electronic control unit, and when the calculation load becomes lower than the second predetermined value, the abnormality detection result of the abnormality detection process requested from the other electronic control unit is received, and the received abnormality detection The result is stored in the storage unit.

  As described above, according to the present invention, even when the activation request for the control task is delayed, the electronic control is flexible enough to appropriately realize the distributed processing of the control task, particularly the distributed processing of the self-diagnosis task. The device can now be provided.

  Hereinafter, an electronic control device according to the present invention, an abnormality diagnosis system executed by the electronic control device, and an abnormality diagnosis method for the electronic control device will be described.

  As shown in FIG. 1, a plurality of electronic control devices (hereinafter referred to as “ECUs”) 1 (1a, 1b, 1c, 1) equipped with a microcomputer for controlling devices to be controlled such as engines and brakes mounted on a vehicle. Are connected to each other via a CAN (Controller Area Network) bus 2.

  Each ECU is controlled by controlling various actuators based on detection signals from various sensors incorporated in a plurality of on-vehicle control target devices and control information of other ECUs received via the CAN bus 2. The target device is configured to exhibit a predetermined function. For example, the ECU 1a controls the engine, the ECU 1b controls the transmission, and the ECU 1c controls the brake. Although not shown in the figure, there are a plurality of ECUs such as a power steering ECU and a security ECU.

  The CAN bus 2 is a differential serial communication bus composed of two signal lines (CANH and CANL) processed at both ends by a termination resistor 20, and the access right to the bus is controlled by, for example, the CSMA / CD method. Multicast, multi-master bus.

  A data frame transmitted on the CAN bus 2 includes a 1-bit SOF (Start Of Frame), a 12-bit arbitration area, a 6-bit control area, a 0 to 8-byte data area, a 16-bit CRC area, a 2-bit acknowledge area, and a 7-bit EOF. (End Of Frame), the data type transmitted by the data identifier of 11 bits from the MSB in the arbitration area can be discriminated, and the transmission data is stored in the data area of 0 to 8 bytes.

  Each ECU 1 recognizes the data type transmitted based on the data identifier, and takes in necessary data. For example, by providing each ECU 1 with table data for determining a data type from a data identifier, data necessary for processing can be selected.

  Each ECU 1 includes a microcomputer including a CPU that executes a control program stored in a ROM and a peripheral circuit, and is provided in the control target device based on an output signal from a sensor provided in the control target device. Various actuators are driven and controlled.

  For example, as shown in FIG. 2, the engine control ECU 1a includes a microcomputer 10, a memory 12 connected by an expansion bus 11, a peripheral circuit, and the like.

  The microcomputer 10 includes an AD conversion port group IP (AD) for converting an analog signal into a digital signal, a capture port group IP (1) for inputting a pulse signal, an input port group IP (2) for inputting a digital signal, and a control signal. Output port group OP, serial communication port SIO connected to the CAN bus 2, and the like, and a buffer circuit and a driver circuit are connected to each port.

  As the memory 12, a ROM 12a that stores a control program composed of a plurality of control tasks, a RAM 12b that is used as a work area of the CPU, a standby RAM 12c that is powered even when the ignition switch is turned off, and important control data are stored. An EEPROM 12d is provided, and diagnostic information such as execution results of a plurality of self-diagnosis tasks described later is stored in any of the RAM 12b, the standby RAM 12c, and the EEPROM 12d.

  Similarly, the other ECU 1 is also provided with a microcomputer, a memory, and a peripheral circuit having input / output ports necessary for the control target device.

  Each ECU 1 controls a control target device by executing a control task as a plurality of processes including a self-diagnosis task as an abnormality detection process in synchronization with an event corresponding to each control task.

  For example, in the engine control ECU 1a, as shown in FIG. 3, the NE interrupt (SA1) generated at the edge of the crank pulse input to the capture port, and the CAN interrupt (SA3 generated at the completion of CAN communication by the serial communication port SIO). ), An AD interrupt (SA5) generated at the completion of AD conversion for an input signal to the AD conversion port, 1 msec. , 4 msec. , 8 msec. , 16 msec. , 32 msec. When various events such as timer interrupts (SA7, SA9, SA11, SA13, SA15) that occur at each interval occur, interrupt processing (SA2, SA4, SA6) configured by a plurality of control tasks set respectively. , SA8, SA10, SA12, SA14, SA16).

  Each event is given a priority, and an interrupt control register is set so that a high task, which is a control task corresponding to an event with a high priority, is executed preferentially. In the flowchart shown in FIG. 3, NE interrupt, CAN interrupt (SA3), AD interrupt (SA5), 1 msec. , 4 msec. , 8 msec. , 16 msec. , 32 msec. The priority order is set in the order of timer interrupts that occur at each interval, and if a high priority event occurs when a low priority event occurs, the control task corresponding to the high priority event is executed preferentially, and then A low task that is a control task corresponding to an event having a low priority is executed.

  The control task corresponding to each timer interrupt includes single or multiple self-diagnostic tasks that determine whether the controlled device or the sensor or actuator incorporated in the controlled device is operating normally. ing.

  The self-diagnosis task is based on whether the analog signal level or digital signal logic value that is input from the diagnosis target under a predetermined control condition indicates an expected appropriate range level or an appropriate logic value. This is a task for determining whether the diagnosis target is operating normally or abnormally.

  When the level of the analog signal input from the diagnosis target or the logical value of the digital signal is within the expected appropriate level or the appropriate logical value, or deviates, the time is counted with the corresponding event. Actually, the value of the diagnostic counter for determining normality or abnormality is incremented. When the value of the diagnostic counter exceeds a predetermined threshold value, it is determined as normal or abnormal, and the diagnostic information is stored in the RAM 12b, standby RAM 12c, EEPROM 12d. Stored in any of the above.

  If the analog signal level or digital signal logic value input from the diagnosis target during abnormality diagnosis falls within the expected appropriate level or proper logic value, the counter value is reset, and from the diagnosis target during normal diagnosis When the level of the input analog signal or the logic value of the digital signal deviates from the level or the appropriate logic value of the assumed proper range, the value of the diagnostic counter is reset.

  That is, it is determined as normal or abnormal when the normal or abnormal state continues for the time set as the threshold so as not to make a false diagnosis due to the influence of noise. If the predetermined control condition is not satisfied during the diagnosis, depending on the diagnosis target, the diagnosis is interrupted and the value of the diagnosis counter is held as it is, or the diagnosis is interrupted and the value of the diagnosis counter is reset.

  In which memory 12 the diagnostic information is stored is determined in advance for each diagnosis target. For example, when it is necessary to hold the counter value over a plurality of trips while the ignition switch is turned on and then turned off, the counter value is stored in the standby RAM 12C as part of the diagnostic information. When it is necessary to hold the counter value within one trip, the counter value is stored in the RAM 12B as part of the diagnostic information, and it is necessary to hold the counter value from shipment to disposal of the vehicle. In some cases, the value of the diagnostic counter is stored in the EEPROM 12d as part of the diagnostic information.

By the self-diagnosis task, for example, the state of the battery, the state of the O ₂ sensor, the state of the water temperature sensor, etc. are self-diagnosis. The diagnostic information diagnosed as abnormal by the self-diagnostic task and stored in the memory 12 is reset via an external device connected to the ECU at the time of repair, or is reset when it is judged normal by the same self-diagnostic task thereafter. The

  A part of such diagnostic information is transmitted to the meter ECU that controls the lamp of the instrument panel and the like through the CAN bus 2 by the self-diagnosis task, and a warning lamp corresponding to the diagnostic information is turned on, or a warning code Is displayed.

  In the task execution flow of the ECU 1a shown in FIG. 3, for example, when the engine speed increases during high-speed driving or the like, the NE interrupt cycle is shortened and the control task corresponding to the NE interrupt is frequently executed. Low 8 msec. , 16 msec. , 32 msec. The execution cycle of the control task corresponding to the timer interrupt such as the above becomes longer, and the calculation load state of the low task gets worse.

  The calculation load state can be grasped as the execution cycle of the control task processed by the occurrence of the event. As shown in FIG. 4, the execution cycle of the control task for each timer interrupt is less than 1.5 times the set cycle. Low load state when the cycle is reached, medium load state when the execution cycle is 1.5 times or more and less than 2 times the set cycle, and high load when the execution cycle is more than twice the set cycle It is grasped as a state. The load state identification range is not limited to such a value, and is a value set as appropriate depending on the performance of the microcomputer used in the target ECU and the characteristics of the control target device.

  A program for monitoring the event calculation load state is set to start for each event, and each ECU 1 is provided with a load state determination unit composed of the program and hardware resources of a microcomputer that executes the program. Yes.

  Further, the ECU 1a requests the other electronic control unit to perform an alternative execution of the self-diagnosis task included in the event determined as the first predetermined value high load state by the load state determination unit via the network. And a task distribution processing unit constituted by hardware resources of a corresponding microcomputer are relatively high priority 1msec. It is built to be executed as part of the task corresponding to the interrupt event.

  On the other hand, the other ECUs 1b, 1c,... Have a load state determination unit that similarly monitors the calculation load state of each event, a program that executes a self-diagnosis task requested by another ECU, and a corresponding micro The task alternative execution processing unit configured by the hardware resources of the computer is similarly 1 mcec. It is built to be executed as part of the task corresponding to the interrupt event.

  As shown in FIG. 5, when a certain event is determined to be in a high load state by the load state determination unit and there is a self-diagnosis task that requires alternative processing (SB1), the task distribution processing unit includes a self-diagnosis included in the event. Among the tasks, a self-diagnosis task with a high importance level or a self-diagnosis task with a high degree of reduction in calculation load is preferentially selected (SB2), and an alternative execution of the self-diagnosis task is requested to another electronic control unit (SB3). , SB4, SB5). Based on the priority task table set for each event indicating the priority of the self-diagnosis task stored in advance in the ROM 12a, the self-diagnosis task requesting the alternative execution is selected. In addition, it may be configured to request alternative execution of all self-diagnosis tasks included in an event determined as a high load state by the load state determination unit without setting the priority.

  Specifically, confirmation request data for alternative execution is transmitted from the task distribution processing unit of the ECU 1a to the other ECUs 1b, 1c,... Via the CAN bus 2, and the other ECUs 1b, 1c,. Confirmation response data is returned from the task alternative execution processing unit.

  When transmission data is set in the transmission buffer provided in the serial communication port SIO, the data is transmitted from the serial communication port SIO to the CAN bus 2, and the received data received via the CAN bus 2 is transmitted to the serial communication port SIO. The data is set in the reception buffer provided in. When data transmission from the serial communication port SIO is completed or data is set in the reception buffer, a CAN interrupt event occurs, and the next transmission data is set in the transmission buffer at that event, or the data in the reception buffer is changed. Stored in the RAM 12b.

  As shown in FIG. 6A, the confirmation request data and the confirmation response data are the data identifier (CANID) and the data necessary for each 1-byte data area from # 1 to # 8 in the above-described CAN data frame. Is composed of data frames set.

  In this embodiment, the data identifier of the confirmation request data is set by 11-bit data “7 ** h” that identifies the transmission destination ECU. For example, when “720h” is set, all other ECUs 1b, 1c,. Is set as the transmission destination, and when set to “702h”, the ECU 1b is set as the transmission destination, and when set to “703h”, the ECU 1c is set as the transmission destination, and the data identifier of the confirmation response data is the transmission source ECU Is set by 11-bit data of “7 ** h”. That is, the data identifier is used so that an arbitrary ECU can be specified in the lower 8 bits.

  Further, code data indicating an alternative processing mode is set in the data area # 1 of the confirmation request data, abnormality detection confirmation command data is set in the data area # 2, and the processing timing of the self-diagnosis task is set in the data area # 3. That is, the timer interrupt interval is set, and in the data area # 4, the resource information indicating the storage location of the diagnostic information, that is, the memory in which the diagnostic information is stored is a RAM, a standby RAM, or an EEPROM. Whether or not there is a diagnosis code (diag code) indicating the type of self-diagnosis is set in the data area # 5.

  Data indicating acceptance or rejection of substitution processing is set in the data area # 3 of the confirmation response data, and the same data as the confirmation request data is set in the data areas # 1 and # 2. Note that data indicating the computation load state and the presence or absence of resources are added to the data indicating acceptance or rejection.

  The task substitution execution processing units of the other ECUs 1b, 1c,... That have received the confirmation request data determine by their own load state determination unit that the operation load state of the requested self-diagnosis execution event is a low load state. When it is determined that the requested resource information is satisfied (SC1), data indicating acceptance is set in the data area # 3 of the confirmation response data to accept the alternative execution and returned (SC2). If any of the conditions is not satisfied (SD1), data indicating rejection is set in the data area # 3 of the confirmation response data and returned (SD2).

  After the transmission of the confirmation request data, the task distribution processing unit accepts the reception of the confirmation response data for a predetermined time, selects a specific ECU from the ECUs that have received the reply data indicating acceptance (SB4), and sets the self-diagnostic task. Substitute request data is transmitted (SB5).

  In this case, the ECU that has been accepted first may be selected, but for a candidate ECU, a table in which a higher priority is set as the prediction calculation load is lower for each event in which the self-diagnosis task is replaced. It is preferable to store the data in the ROM 12a in advance, and to select the ECU with the highest priority among the ECUs that have received the reply data indicating acceptance.

  Further, table data in which higher priority is set in descending order of the system clock frequency of the microcomputer incorporated in each ECU is stored in the ROM 12a in advance, and the first ECU among the ECUs that has received the reply data to accept. It may be configured to select an ECU with a high priority.

  That is, the task distribution processing unit adds an alternative execution condition for the self-diagnosis task, requests an alternative execution from another ECU, and executes an electronic control device that performs the alternative execution based on compliance from another ECU that satisfies the alternative execution condition. decide. FIG. 5 shows an example in which substitution request data is transmitted to the ECU 1b that controls the transmission.

  As shown in FIG. 6B, abnormality detection request command data is set in the data area # 2 of substitution request data, and the diagnostic criteria including current data necessary for substitution execution of the self-diagnosis task is stored in the data area # 6. Information is set.

  Diagnosis reference information is reference information necessary for executing a self-diagnosis task. When the diagnosis target is a sensor that outputs an analog signal, the analog system abnormality detection that is type data, the signal value that is current data, Consists of judgment threshold voltage value, abnormality judgment time, etc. When the diagnosis target is a sensor that outputs a digital system signal, etc., logic meter abnormality detection as type data, logic value of signal as judgment data, judgment logic value It is composed of abnormality determination time and the like.

  During the request for alternative processing (SB6), the processing timing of the alternative self-diagnosis, that is, a predetermined cycle shorter than the event execution cycle is set to 1 msec. The alternative request data in which the diagnostic criteria information is updated to the latest current data is repeatedly transmitted (SB7). For example, if the self-diagnosis task requiring replacement is 8 msec. When it is necessary to be processed by a timer interrupt of 8 msec. Substitution request data is transmitted at the following intervals.

  In other words, the task distribution processing unit is configured to supply diagnostic reference information including current data necessary for alternative execution of the self-diagnosis task to other electronic control devices that execute the requested self-diagnosis task at a predetermined cycle. .

  The transmission control ECU 1b that has received the substitute request data for the self-diagnosis task sets the self-diagnosis task to be substituted at the corresponding event, and returns substitute response data to the ECU 1a (SC3). While the computation load state of the execution event of the self-diagnostic task requiring alternative processing is determined to be a low load state (SC4), the self-diagnostic task is executed instead (SC5). ).

  As shown in FIG. 6B, detection state data is set in the data area # 3 of the substitute response data, and the substitute process can be performed when the operation load state of the execution event of the self-diagnosis task to be substituted is low. In-detection data indicating a state, or non-detectable data indicating that a computation load state is a medium or high load state and a substitution process is impossible is set.

  Substitution response data is returned in response to the substitution request data with detection data set for the first time. Thereafter, when the computation load state changes to medium or high load state (SC4), detection impossible data is set. It is replied (SC10). In addition, in response to the substitute request data, the substitute response data may be returned each time.

  In other words, the task substitution execution processing unit is configured to request the requesting electronic control device to interrupt the substitution execution when the load state determination unit determines that the calculation load state is high during substitution execution of the self-diagnosis task. ing.

  Substitution response data in which substitution processing impossible data is set, that is, the substitution execution is requested to be interrupted (SB8), or the calculation load state of the event for which the substitution request self-diagnosis task is to be executed is the second predetermined value. When shifting to a low load state (SB9), the task distribution processing unit transmits diagnostic information collection request data to the ECU 1b (SB10), receives diagnostic response data from the task substitution execution processing unit of the ECU 1b (SB11), and diagnoses. The diagnostic information included in the response data is stored in an area corresponding to the diagnosis code partitioned in the memory 12 (SB12).

  Note that the memory 12 is selectively stored in the RAM, standby RAM, or EEPROM by the diagnosis code as described above, and is transmitted to the meter ECU by the above-described self-diagnosis task of the ECU 1a when detected as abnormal. The .

  That is, when it is determined that the operation load state of the event corresponding to the requested self-diagnosis task is alleviated by the load state determination unit, a request for collecting the alternative execution result of the self-diagnosis task requested to the other electronic control device is issued. It is configured as follows.

  Note that after the collection request data is transmitted in response to the request for interruption of the alternative execution, the processing from step SB1 to step SB5 is executed again.

  As shown in FIG. 6C, an execution result collection request command is set in the data area # 2 of the collection request data, and a diagnosis code (diag code) indicating the type of self-diagnosis is set in the data area # 3. The An execution result collection response command is set in the data area # 2 of the diagnostic response data, a diagnostic code (diag code) is set in the data area # 3, and diagnostic information is set in the data area # 4. The diagnosis information is composed of normal, abnormal, undecided (during detection) data and the value of the diagnosis counter. Note that the value of the diagnostic counter is indispensable when it is necessary to perform self-diagnosis over a plurality of trips, but in other cases, it may be unnecessary depending on the diagnosis target.

  The task substitution execution processing unit of the ECU 1b performs the self-diagnosis task while the calculation load state of the execution event of the self-diagnosis task requiring substitution processing is determined to be a low load state by the own load state determination unit (SC4). (SC5), the result is stored in the designated memory (SC6), and whether the diagnosis of abnormal or normal is completed by the alternative execution of the self-diagnosis task (SC7), is transmitted from the ECU 1b When the collection request data received is received (SC8), the collection response data is transmitted to the ECU 1a (SC9).

  The operation of the load state determination unit of each ECU 1 will be described. As shown in FIG. 7, when the interrupt is permitted, the load state determination unit set in the timer interrupt event of each interval of the engine control ECU 1a and the other ECUs 1b, 1c,. The value T1 is captured and stored in the RAM 12b (SE1, SE2), the difference from the previously captured value T2 is taken, and the execution cycle of the event is calculated (SE3).

  Based on the calculated execution cycle and a load state determination table as shown in FIG. 4 stored in the ROM 12a, it is determined whether the calculation load state is a low load state, a medium load state, or a high load state. Judgment is made and the result is stored in the RAM 12b (SE4). The RAM 12b of each ECU 1 stores the calculation load state monitored by the load state determination unit corresponding to each timer interrupt.

  Next, when the self-diagnostic task incorporated in each timer interrupt is not executed by another ECU (SE5), the self-diagnostic task is executed (SE6), and is executed by another ECU. (SE5), the self-diagnosis task is not executed, and the other control tasks A1,... Are executed sequentially (SE7). The other control task A1 includes a self-diagnosis stored in the RAM 12b based on the result of the self-diagnosis executed in step SE6 and stored in the RAM 12b, or the collection response data from the other ECU 1 that has executed the self-diagnosis task instead. A process of transmitting diagnostic information to the meter ECU based on the result of the diagnosis is included.

  As described above, the abnormality diagnosis system of the present invention is constructed by the plurality of ECUs 1 connected to the network by the CAN bus 2.

  In the abnormality diagnosis system, as a method for diagnosing an abnormality in an electronic control device that controls a control target device by executing a plurality of control tasks including a self-diagnosis task in synchronization with an event corresponding to each control task, Requests other electronic control devices via the network to perform alternative execution of the self-diagnostic task included in the event determined to be a high load state in the load state determination step for monitoring the computation load state of the event. Diagnostic criteria information that supplies diagnostic criteria information including current data necessary for the alternative execution of the self-diagnosis task to the other electronic control unit that executes the self-diagnosis task requested in the alternative execution request step at a predetermined cycle If the computation load status of the event corresponding to the provided step and the requested self-diagnostic task is relaxed, the load status When it is judged in judging step, the abnormality diagnostic method of an electronic control unit and a substitute execution result recovery step of recovering requesting alternate execution results of the self-diagnostic tasks requested to the other electronic control device is realized.

  In the present invention, the calculation load state indicating whether or not the control task executed in response to the event is properly executed is monitored by the load state determination unit. In other words, instead of monitoring the execution status of individual control tasks individually, the task distribution processing is performed when the execution status of the control task, that is, the computation load status, is judged on a per event basis and is judged to be in a high load status. The unit requests the alternative execution of the self-diagnosis task corresponding to the other electronic control unit via the network, and thereafter, the diagnostic reference information including the current data necessary for the alternative execution of the self-diagnosis task is supplied in a predetermined cycle. Then, when the load state determination unit determines that the operation load state of the event for which the self-diagnostic task is to be executed has been relaxed, the task distribution processing unit performs an alternative execution result of the self-diagnosis task from the requested electronic control unit Is required to be collected. Therefore, even when the activation request for the control task is delayed, it is possible to provide a flexible electronic control device that can appropriately realize distributed processing of control tasks, particularly distributed processing of self-diagnosis tasks.

  Hereinafter, another embodiment will be described. In the above-described embodiment, the other ECUs 1b, 1c,... Are each provided with a task substitution execution processing unit, and a configuration that can execute a self-diagnosis task instead has been described, but the other ECUs 1b, 1c,. It is not necessary to provide a task substitution execution processing unit for all of them, and it may be provided only in an ECU that can substitutely execute a self-diagnosis task and whose calculation is not possible on average.

  Further, the self-diagnosis task is not limited to a common program, and may be a self-diagnosis program that varies depending on the diagnosis target. In this case, in addition to the resource information that defines the processing timing and memory type described above as an alternative execution condition, a diagnosis code is added. That is, it is determined whether or not a self-diagnosis task corresponding to the diagnosis code exists.

  The alternative execution conditions are not limited to these, and may include other hardware resource information such as signals necessary for diagnosis and software resource information such as table data necessary for diagnosis.

  In the above-described embodiment, the task distribution processing unit transmits the confirmation request data, and the ECU that determines the substitute request for the self-diagnosis task among the ECUs to which the positive confirmation response data is returned has been described. A candidate list of other ECUs that satisfy the alternative execution condition of the self-diagnosis task may be provided, and an alternative execution may be requested from the ECU selected based on the candidate list.

  With this configuration, time for confirming compliance can be omitted, and when the calculation load state becomes high, it is possible to promptly request another ECU to perform a substitute for the self-diagnosis task.

  In the above-described embodiment, the task alternative execution processing unit has been described to transmit acknowledgment or rejection confirmation response data based on the confirmation request data. However, in the case of rejection, the task substitution execution processing unit is configured not to transmit the confirmation response data. It may be.

  In the above-described embodiment, the data identifier of the data frame transmitted / received by the CAN bus 2 is set so as to identify the transmission destination ECU in the transmission data from the task distribution processing unit, and the transmission data from the task alternative execution processing unit Has been described so as to specify the transmission source ECU, but each ECU is provided with a data table for specifying the ECU that generates each diagnosis code, and is configured to set the diagnosis code in the data identifier. It may be a thing.

  In the above-described embodiment, the task distribution processing unit and the task substitution execution processing unit are 1 msec. However, the task distributed processing unit or the task alternative execution processing unit may be provided for each event for executing each self-diagnostic task. It may be configured to be executed at an event having a high priority.

  Furthermore, a task distribution processing unit or a task alternative execution processing unit for a self-diagnosis task executed in an event having a low priority may be provided in an event having a high priority. An event with a lower priority may have a longer task execution interval. In such a case, an alternative request or process can be quickly performed with an event having a higher priority.

In the above-described embodiment, the engine control ECU 1a includes the task distribution processing unit and the other ECUs 1b, 1c,... Each include the task substitution execution processing unit. May include both a task distribution processing unit and a task alternative execution processing unit.

In this case, the task substitution execution processing unit requests the requesting electronic control device to suspend substitution execution when the load state determination unit determines that the computation load state is high during substitution execution of the self-diagnosis task, or The self-distributed task processing unit may be configured to request another ECU for the self-diagnosis task or the self-diagnosis task without requesting interruption.

  As the data indicating acceptance or rejection of the alternative processing set in the data area # 3 of the above-described acknowledgment data, data with higher accuracy than the calculation load state shown in FIG. 4, for example, actual execution of the set event If it is configured to set the time, the ECU with the lowest calculation load state can be selected based on the execution time when there is acceptance from a plurality of ECUs in the confirmation response data for the confirmation request data of the self-diagnosis task it can.

  In the above-described embodiment, the network to which the electronic control device is connected is configured by CAN, which is one of the in-vehicle networks, but the network is configured by other in-vehicle networks such as LIN and FlexRay. It may be. Moreover, the said network is not limited to a vehicle-mounted network, You may be comprised with another network.

  In the above-described embodiment, the electronic control device according to the present invention is applied to a vehicle. However, the electronic control device according to the present invention is not limited to being applied to a vehicle, but includes a plurality of electronic devices such as OA equipment and aircraft. The present invention can be applied to a distributed processing system in which a control device is connected to a network.

  In addition, the above-mentioned embodiment is only an example of this invention, and it cannot be overemphasized that the concrete structure of each block etc. can be changed and designed suitably in the range with the effect of this invention.

Explanatory drawing of electronic control device and CAN bus mounted on vehicle Explanatory drawing of the electronic control unit that controls the engine The flowchart explaining the structure of the task performed according to the event of the electronic controller which controls an engine Explanatory diagram of table data showing the calculation load status of each timer interrupt event The flowchart explaining operation | movement of the abnormality diagnosis system by this invention. It is explanatory drawing of the data frame transmitted / received via a CAN bus, (a) is explanatory drawing of confirmation request data and confirmation response data, (b) is explanatory drawing of alternative request data and alternative response data, (c) is Illustration of collection request data and collection response data Flowchart explaining operation of load state determination unit

Explanation of symbols

1: Electronic control unit (ECU)
1a: Electronic control device 1b for controlling the engine 1b: Electronic control device 1c for controlling the transmission: Electronic control device 2 for controlling the brake 2: CAN bus 10: Microcomputer 11: Expansion bus 12: Memory 12a: ROM
12b: RAM
12c: Standby RAM
12d: EEPROM
20: Termination resistor IP (AD): AD conversion port group IP (1): Capture port group IP (2): Input port group OP: Output port group SIO: Serial input / output port

Claims (10)

An electronic control device that controls a device to be controlled by executing a plurality of processes including an abnormality detection process,
A storage unit for storing information related to the plurality of processes;
When it is determined that the calculation load of the plurality of processes is higher than the first predetermined value, the alternative process of the abnormality detection process is requested to another electronic control unit, and the calculation load of the plurality of processes is the second A control unit that requests the other electronic control device to transmit the abnormality detection result of the abnormality detection process requested when it is determined to be lower than the predetermined value, and stores the abnormality detection result in the storage unit; An electronic control device characterized by that.   The electronic control device according to claim 1, wherein the control unit transmits information required for abnormality detection processing requested to another electronic control device.   The control unit adds an alternative execution condition for the abnormality detection process to request another electronic control device for alternative execution, and performs electronic control to perform alternative execution based on compliance from the other electronic control device that satisfies the alternative execution condition The electronic control device according to claim 1, wherein the device is determined.   The control unit includes a candidate list of other electronic control devices that satisfy an alternative execution condition of the abnormality detection process, and requests alternative execution from another electronic control device selected based on the candidate list. The electronic control device according to claim 1.   The control unit gives priority to an abnormality detection process in which a reduction degree of a calculation load is increased by substitution execution among a plurality of abnormality detection processes, and requests substitution execution from another electronic control device. The electronic control device according to 1. An electronic control device that controls a device to be controlled by executing a plurality of processes including an abnormality detection process,
A load state determination unit that monitors a calculation load state of the plurality of processes;
An alternative execution processing unit that performs an alternative execution of the abnormality detection process requested by another electronic control unit,
The alternative execution processing unit is determined by the load state determination unit that the computation load state is low in response to a request for alternative execution of the abnormality detection process from the electronic control device according to any one of claims 1 to 5. An electronic control device characterized in that it sometimes accepts alternative execution.   The alternative execution processing unit requests the requesting electronic control device to interrupt the alternative execution if the load state determination unit determines that the calculation load state is high during the alternative execution of the abnormality detection process. The electronic control device according to claim 6.   8. The electronic control according to claim 6 or 7, wherein, when the substitute execution processing unit diagnoses that an abnormality has occurred during the substitute execution of the abnormality detection process, it immediately transmits abnormality diagnosis information to the requesting electronic control device. apparatus.   An abnormality diagnosis system, wherein the electronic control device according to any one of claims 1 to 5 and the electronic control device according to any one of claims 6 to 8 are connected to a network. An abnormality diagnosis method for an electronic control device that controls a device to be controlled by executing a plurality of processes including an abnormality detection process,
A load state determination step of determining whether or not the calculation load state of the plurality of processes is higher than a first predetermined value;
If it is determined in the load state determination step that the calculation load state is higher than a predetermined value, an alternative execution request step for requesting another electronic control device to perform an alternative process of the abnormality detection process;
An alternative execution result collection step for requesting to transmit the abnormality detection result of the abnormality detection process requested to the other electronic control unit when it is determined that the calculation load of the plurality of processes is lower than a second predetermined value; ,
An abnormality diagnosis method for an electronic control device, comprising a storage step of storing a collected abnormality detection result in a storage unit.

Images