JP2012006535A - In-vehicle electronic control device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an in-vehicle electronic control device which includes a function for monitoring abnormality in a first micro computer that is doubled by an abnormality control circuit and a second micro computer, and in which an unwanted reset signal is not supplied from the second micro computer to the first micro computer even if abnormality occurs in operation of the second micro computer.SOLUTION: A first abnormality control circuit 30 and a second abnormality control circuit 40 detect output abnormality of normal operation signals Sg11 and Sg21 output by micro computers 10 and 20 respectively, and output the reset signal Sg121 and Sg22. The second micro computer 20 detects output abnormality of the normal operation signal Sg11 by executing an abnormality monitor program 22P, and outputs the reset signal Sg123. For the reset signal Sg123, a delay circuit 51 makes incorrect reset signal Sg123 invalid by causing signal change from a non-active state to an active state generated by abnormality by executing the abnormality monitor program 22P to delay longer than abnormality detection time of the second abnormality control circuit 40.

Description

  The present invention relates to an in-vehicle electronic control device that is an electronic control device including a plurality of microcomputers that control devices in a vehicle such as an automobile.

  2. Description of the Related Art Conventionally, with the enhancement of functions of vehicles (automobiles), electronic control units (ECUs) mounted on recent vehicles often include a plurality of microcomputers (hereinafter abbreviated as microcomputers). . In the in-vehicle ECU, a plurality of microcomputers control the travel system devices, the power system devices, and other devices. The traveling system devices are, for example, devices such as an engine, a steering, and a brake in a vehicle. The power system devices are devices such as a control switch and an alternator provided in a power supply line from the battery, for example. The other devices are devices related to comfort and convenience in a vehicle cabin such as an air conditioner, an audio device, and a car navigation device, for example.

  In an in-vehicle ECU, an abnormal operation may occur in a part of data in a main memory of the microcomputer due to various noises, and the microcomputer may operate abnormally. Therefore, the conventional vehicle-mounted ECU includes an abnormality control circuit that monitors whether the operation of the microcomputer is normal and outputs a reset signal to the microcomputer that is operating abnormally.

  The abnormality control circuit monitors whether or not a normal operation signal periodically output from the microcomputer is generated at a predetermined cycle. The normal operation signal is referred to as a watchdog clear signal, for example. Further, the abnormality control circuit outputs a reset signal to the microcomputer when the normal operation signal is not generated at a predetermined cycle. On the other hand, the microcomputer supplied with the reset signal executes reset processing. By executing this reset process, the microcomputer often returns to a normal operating state.

  By the way, in the vehicle-mounted ECU, from the viewpoint of safety, it is desirable to duplicate the function of the abnormality control circuit for a microcomputer that controls important devices such as a traveling device and a power supply device. However, it is not preferable to provide a plurality of abnormality control circuits for one microcomputer in terms of power saving and cost reduction.

  On the other hand, in Patent Document 1, the function of monitoring the abnormality of the first microcomputer that controls the traveling system device is duplicated by the abnormality control circuit and the second microcomputer that controls the device other than the traveling system device. An in-vehicle ECU is shown. In the in-vehicle ECU shown in Patent Document 1, a logical sum signal of a reset signal output from the abnormality control circuit and a reset signal output from the second microcomputer is supplied as a reset signal to the first microcomputer. Is done. This in-vehicle ECU makes it possible to achieve both the duplication of the abnormality monitoring function related to the important first microcomputer, power saving, and cost reduction.

JP 2009-184423 A

  By the way, in the vehicle-mounted ECU shown in Patent Document 1, the second microcomputer that monitors the first microcomputer may operate abnormally due to noise or the like. In this case, the second microcomputer outputs an unnecessary reset signal to the first microcomputer before being reset by the monitoring control circuit that monitors the second microcomputer. That is, the in-vehicle ECU shown in Patent Document 1 has a problem that an unnecessary reset signal is supplied to the first microcomputer due to an abnormal operation of the second microcomputer.

  In the in-vehicle ECU, an important microcomputer is configured so that fail-safe signal output is performed during the reset process. However, the microcomputer cannot execute effective control during the reset process. Therefore, in an in-vehicle ECU, it is desirable that an important microcomputer that controls a traveling device, a power supply device, and the like avoid unnecessary execution of reset processing as much as possible.

  The present invention does not require the function of monitoring the abnormality of the first microcomputer even if an abnormality occurs in the operation of the second microcomputer in the in-vehicle electronic control device in which the abnormality control circuit and the second microcomputer are duplicated. An object is to prevent a reset signal from being supplied from the second microcomputer to the first microcomputer.

The on-vehicle electronic control device according to the present invention includes the following components.
(1) The first component is a first microcomputer that periodically outputs a first normal operation signal while controlling a vehicle device.
(2) The second component is a first abnormality control circuit that detects an abnormality in the output of the first normal operation signal and outputs a reset signal to the first microcomputer when the abnormality is detected.
(3) The third constituent element periodically outputs the second normal operation signal while controlling the equipment of the vehicle, and executes a predetermined abnormality monitoring program to thereby execute the first normal operation signal. The second microcomputer outputs a reset signal to the first microcomputer when the abnormality is detected and the abnormality is detected.
(4) The fourth component is a second abnormality control circuit that detects an abnormality in the output of the second normal operation signal and supplies a reset signal to the second microcomputer when the abnormality is detected. is there.
(5) The fifth component is a signal from the inactive state to the active state that is generated when an abnormality occurs in the execution of the abnormality monitoring program by the second microcomputer with respect to the reset signal output from the second microcomputer. It is a fraudulent signal invalidation part which performs the process which invalidates a change.
(6) The sixth component outputs a logical sum signal of the reset signal output from the second microcomputer and passed through the invalid signal invalidation unit and the reset signal output from the first abnormality control circuit. This is an OR circuit that supplies the microcomputer as a reset signal.

  In the in-vehicle electronic control device according to the present invention, the illegal signal invalidation unit is, for example, a delay circuit shown below. The delay circuit receives only the signal change from the inactive state to the active state with respect to the reset signal output from the second microcomputer by the execution of the abnormality monitoring program, and the second normal operation signal by the second abnormality control circuit. This is a circuit that performs a process of delaying longer than the time required to detect the output abnormality.

  In the on-vehicle electronic control device according to the present invention, the second microcomputer executes the first abnormality monitoring program and the second abnormality monitoring program using different memory areas in the main memory of the second microcomputer. Can be considered. In this case, the illegal signal invalidation unit includes the following two components. The first of the constituent elements is a second microcomputer that executes a second abnormality monitoring program. The second component is the first reset signal output from the second microcomputer by the execution of the first abnormality monitoring program and the second microcomputer output by the execution of the second abnormality monitoring program. A logical product circuit that supplies a logical product signal to the logical sum circuit.

  According to the present invention, when an abnormality occurs in the execution of the abnormality monitoring program by the second microcomputer due to the operation of the invalid signal invalidating unit, the reset signal output from the second microcomputer is changed from the inactive state. Processing for invalidating the signal change to the active state is performed.

  For example, when the invalid signal invalidating unit is the delay circuit described above, the signal change from the inactive state to the active state in the output signal (reset signal) of the delay circuit is a reset signal output from the second microcomputer. Occurs with a certain time delay with respect to the same signal change in. The delay time is longer than the time required for detecting the abnormality of the output of the second normal operation signal by the second abnormality control circuit.

  Here, although the first microcomputer is normal, an abnormality occurs in the execution of the abnormality monitoring program by the second microcomputer, so that the second microcomputer is not required to change from the inactive state to the active state. Consider a case where a reset signal is output. In this case, the second abnormality control circuit detects an abnormality of the second microcomputer and outputs a reset signal while delay processing is performed on the signal change by the action of the delay circuit.

  Further, the second microcomputer executes the reset process by the reset signal from the second abnormality control circuit while the delay circuit performs the delay process on the reset signal. Thereby, the second microcomputer returns to a normal state and stops outputting an unnecessary reset signal. Therefore, the reset signal output from the second microcomputer changes from the active state to the inactive state, and the output signal (reset signal) of the delay circuit is held in the inactive state.

  That is, the reset signal (active signal) output from the second microcomputer when the abnormality occurs in the execution of the abnormality monitoring program by the second microcomputer is invalidated by the delay circuit. For this reason, even if an abnormality occurs in the operation of the second microcomputer, an unnecessary reset signal is not supplied from the second microcomputer to the first microcomputer.

  In a situation where the reset signal is not output from the second abnormality control circuit due to the abnormality of the second abnormality control circuit, the normal second microcomputer detects the abnormality of the first microcomputer and detects the abnormality with respect to the first microcomputer. A reset signal (active signal) is output. In this case, the reset signal in the active state output from the second microcomputer is supplied to the first microcomputer through the OR circuit after being delayed for a predetermined time by the delay circuit. That is, the second abnormality control circuit and the normal second microcomputer that executes the abnormality monitoring program realize the dual abnormality monitoring function of the first microcomputer.

  On the other hand, when the invalid signal invalidation unit includes the second microcomputer for executing the second abnormality monitoring program and the AND circuit, the first microcomputer causes an abnormality in the execution of the abnormality monitoring program by the second microcomputer. The unnecessary first reset signal (active signal) output from the second microcomputer is invalidated by the following action. The reason will be described below.

  When the operation of the second microcomputer is normal, the states (active state or inactive state) of the plurality of reset signals output by the execution of the plurality of abnormality monitoring programs by the second microcomputer are the same. For this reason, the output signal (reset signal) of the AND circuit to which the plurality of reset signals are input is the same signal as the normal reset signal output by executing the plurality of abnormality monitoring programs.

  On the other hand, when an abnormality occurs in the operation of the second microcomputer, there is a high possibility that the states of the plurality of reset signals output by the execution of the plurality of abnormality monitoring programs by the second microcomputer are different. Therefore, even if the reset signal corresponding to the first abnormality monitoring program is illegally changed to the active state, the reset signal corresponding to the second abnormality monitoring program is held in the inactive state, and the AND circuit The output signal (reset signal) is likely to be held as an inactive signal.

  That is, the first reset signal (active signal) output from the second microcomputer when an abnormality occurs in the execution of the first abnormality monitoring program by the second microcomputer executes the second abnormality monitoring program. Disabled by the second microcomputer and the AND circuit. For this reason, even if an abnormality occurs in the operation of the second microcomputer, an unnecessary reset signal is not supplied from the second microcomputer to the first microcomputer.

  The first abnormality monitoring program and the second abnormality monitoring program in the plurality of abnormality monitoring programs are classified into the invalid signal invalidation unit as the invalid signal invalidation unit, and the output reset signal is invalidated. It is a division for convenience to distinguish the side. Therefore, which of the plurality of abnormality monitoring programs functions as the second abnormality monitoring program can vary depending on the situation.

  In a situation where the reset signal is not output from the second abnormality control circuit due to the abnormality of the second abnormality control circuit, the normal second microcomputer detects the abnormality of the first microcomputer and detects the abnormality with respect to the first microcomputer. The first reset signal and the second reset signal are output as active state signals. In this case, the logical product of the two reset signals in the active state output from the second microcomputer is also an active signal, and the signal is supplied to the first microcomputer through the logical sum circuit. That is, the second abnormality control circuit and the normal second microcomputer that executes the first abnormality monitoring program and the second abnormality monitoring program realize a dual abnormality monitoring function of the first microcomputer.

It is a block diagram of the principal part of the vehicle-mounted electronic control apparatus 1 which concerns on embodiment of this invention. It is a block diagram of the principal part of 1 A of vehicle-mounted electronic control apparatuses which concern on 1st Example of this invention. It is an example of the time chart of each signal when the abnormal operation of the second microcomputer occurs in the in-vehicle electronic control device 1A. It is an example of the time chart of each signal when operation abnormality of the 1st microcomputer occurs in in-vehicle electronic control unit 1A. It is an example of the time chart of each signal when the operation abnormality of the 1st microcomputer and the abnormality of the 2nd abnormality control circuit occur in in-vehicle electronic control unit 1A. It is a block diagram of the principal part of the vehicle-mounted electronic control apparatus 1B which concerns on 2nd Example of this invention. It is an example of the time chart of each signal when the abnormal operation of the second microcomputer occurs in the in-vehicle electronic control device 1B. It is an example of the time chart of each signal when the abnormal operation of the first microcomputer occurs in the in-vehicle electronic control device 1B. It is an example of the time chart of each signal when the operation abnormality of the 1st microcomputer and the abnormality of the 2nd abnormality control circuit occur in in-vehicle electronic control unit 1B.

  Hereinafter, embodiments and examples of the present invention will be described with reference to the accompanying drawings. The following embodiment is an example embodying the present invention, and does not limit the technical scope of the present invention.

  The on-vehicle electronic control devices 1, 1A, 1B according to the embodiments and examples of the present invention are electronic control devices including a plurality of microcomputers that control devices in an automobile.

<Embodiment>
First, the configuration of an in-vehicle electronic control device 1 according to an embodiment of the present invention will be described with reference to FIG. As shown in FIG. 1, the on-vehicle electronic control device 1 includes a first microcomputer 10, a second microcomputer 20, a first abnormality control circuit 30, a second abnormality control circuit 40, an illegal signal invalidation unit 50, and an OR circuit 60. It has.

  The first microcomputer 10 is a control computer that controls a safety-related device such as a traveling device or a power supply device in an automobile. The first microcomputer 10 includes a first CPU 11 (Central Processing Unit) and a first reset circuit 12.

  The first CPU 11 develops a control program 11P stored in advance in a storage unit such as a ROM (Read Only Memory) (not shown) in the main memory 11M, and executes the control program 11P, thereby passing through a signal output port (not shown). Then, a process of outputting a control signal to the device to be controlled is executed. The main memory 11M is usually a RAM (Random Access Memory).

  Further, the first CPU 11 outputs a first watchdog clear signal Sg11 whose ON / OFF state changes at a predetermined cycle t11 through the signal output port 14 while controlling the vehicle equipment.

  Accordingly, the situation in which the first watchdog clear signal Sg11 changes at a constant period t11 is a situation in which the first microcomputer 10 is operating normally. On the other hand, the situation in which the first watchdog clear signal Sg11 does not change even after a time longer than t11 has elapsed from the time when the first watchdog clear signal Sg has changed normally is a situation in which the first microcomputer 10 has malfunctioned. That is, the first watchdog clear signal Sg11 is an example of a first normal operation signal that the first microcomputer 10 outputs periodically.

  The first watchdog clear signal Sg11 is supplied to both the first abnormality control circuit 30 and the second microcomputer 20.

  The first reset circuit 12 resets the first CPU 11 and other circuits included in the first microcomputer 10 when the first reset signal Sg12 input through the reset signal input port 13 changes from the inactive state to the active state. It is a circuit that executes processing. Normally, the first microcomputer 10 returns to a normal operating state by executing this reset process.

  The second microcomputer 20 is a control computer that controls devices other than safety-critical devices such as a traveling device and a power supply device in an automobile. The second microcomputer 20 controls devices related to comfort and convenience in the vehicle interior such as an air conditioner, an audio device, and a car navigation device, for example. Similarly to the first microcomputer 10, the second microcomputer 20 includes a second CPU 21 and a second reset circuit 22.

  The second CPU 21 develops a control program 21P stored in advance in a storage unit such as a ROM (not shown) in the main memory 21M, and executes the control program 21P, thereby controlling the control target device through a signal output port (not shown). The process which outputs a control signal with respect to is performed. The main memory 21M is usually a RAM.

  Further, the second CPU 21 outputs a second watchdog clear signal Sg21 whose ON / OFF state changes at a predetermined cycle t21 through the signal output port 24 while controlling the vehicle equipment. The second watchdog clear signal Sg21 is the same signal as the first watchdog clear signal Sg11.

  Therefore, the situation in which the second watchdog clear signal Sg21 changes at a constant period t21 is a situation in which the second microcomputer 20 is operating normally. On the other hand, a situation in which the second watchdog clear signal Sg21 does not change even when a time longer than t21 has elapsed from the time when it has changed normally is a situation in which an abnormality has occurred in the operation of the second microcomputer 20. That is, the second watchdog clear signal Sg21 is an example of a second normal operation signal that the second microcomputer 20 outputs periodically.

  The second CPU 21 develops the abnormality monitoring program 22P stored in advance in a storage unit such as a ROM (not shown) in the main memory 21M, and executes the abnormality monitoring program 22P. The abnormality monitoring program 22P detects an abnormality in the change of the first watchdog clear signal Sg11 input through the signal input port 25, that is, an abnormality in the output of the first watchdog clear signal Sg11 by the first microcomputer 10. It is a program that defines an abnormality monitoring process that outputs a reset signal Sg123 to the first microcomputer 10 when it is detected. The reset signal Sg123 is output through the signal output port 26 in the second microcomputer 20.

  The abnormality monitoring process by the second CPU 21 is performed when the time until the first watchdog clear signal Sg11 changes and returns to the original time deviates from a preset allowable time range ((t11−Δta) to (t11 + Δtb)). This is a process of outputting the reset signal Sg123 in the active state. Note that the values of Δta and Δtb are predetermined positive values.

  The second reset circuit 22 resets the second CPU 21 and other circuits included in the second microcomputer 20 when the second reset signal Sg22 input through the reset signal input port 23 changes from the inactive state to the active state. It is a circuit that executes processing. Normally, the second microcomputer 20 returns to a normal operating state by executing this reset process.

  The first abnormality control circuit 30 includes a first watchdog timer 31 and a first abnormality monitoring circuit 32. The first watchdog timer 31 is a timer circuit including an oscillation element that oscillates at a predetermined frequency. The first abnormality monitoring circuit 32 uses the time counting function of the first watchdog timer 31 to detect an abnormality in the output of the first watchdog clear signal Sg11 by the first microcomputer 10, and when an abnormality is detected, the first abnormality monitoring circuit 32 1 is a circuit that performs an abnormality monitoring process for outputting a reset signal Sg121 to the microcomputer 10. The abnormality monitoring process by the first abnormality control circuit 30 is the same as the abnormality monitoring process by the second CPU 21.

  The second abnormality control circuit 40 includes a second watchdog timer 41 and a second abnormality monitoring circuit 42. The second abnormality monitoring circuit 42 uses the time counting function of the second watchdog timer 41 to detect an abnormality in the output of the second watchdog clear signal Sg21 by the second microcomputer 20, and when an abnormality is detected, the second abnormality monitoring circuit 42 2 is a circuit that performs an abnormality monitoring process for outputting a second reset signal Sg22 to the microcomputer 20. The reset signal Sg22 is supplied to the second reset circuit 22 through the reset signal input port 23 in the second microcomputer 20.

  In the abnormality monitoring process by the second abnormality monitoring circuit 42, the time until the second watchdog clear signal Sg21 changes and returns to the original time is within a preset allowable time range ((t21−Δtc) to (t21 + Δtd)). This is a process of outputting the second reset signal Sg22 in an active state when it deviates. Note that the values of Δtc and Δtd are predetermined positive values. Here, the upper limit time (t11 + Δtd) of the allowable time range is a time (maximum time) required for the second abnormality control circuit 40 to detect an abnormality in the output of the second watchdog clear signal Sg21.

  The illegal signal invalidation unit 50 changes the signal from the inactive state to the active state that is generated when an abnormality occurs in the execution of the abnormality monitoring program 22P by the second CPU 21 with respect to the reset signal Sg123 output from the second microcomputer 20. Apply invalidation processing. A specific example of the illegal signal invalidation unit 50 will be described later.

  The logical sum circuit 60 outputs a logical sum signal of the reset signal Sg122 output from the second microcomputer 20 and passed through the invalid signal invalidating unit 50 and the reset signal Sg121 output from the first abnormality control circuit 30 to the first microcomputer. 10 as a first reset signal Sg12.

<First embodiment>
Next, the configuration of the in-vehicle electronic control device 1A according to the first embodiment of the present invention will be described with reference to FIG. The in-vehicle electronic control device 1 </ b> A includes a more specific configuration of the unauthorized signal invalidation unit 50 in the in-vehicle electronic control device 1. 2, the same components as those shown in FIG. 1 are denoted by the same reference numerals. Hereinafter, only a more specific point from the in-vehicle electronic control device 1 (FIG. 1) in the in-vehicle electronic control device 1A (FIG. 2) will be described.

  As illustrated in FIG. 2, the in-vehicle electronic control device 1 </ b> A includes a delay circuit 51 as an example of the unauthorized signal invalidation unit 50. The delay circuit 51 performs a process of delaying only a signal change from the inactive state to the active state by a predetermined time t3 with respect to the reset signal Sg123 output from the second microcomputer 20 by the execution of the abnormality monitoring program 22P. Circuit.

  The delay circuit 51 includes, for example, a delay element that delays the reset signal Sg123 by time t3, and an AND element that outputs an active signal only when both the output signal of the delay element and the reset signal Sg123 are in an active state. Prepare. In this case, the output signal of the AND element is output as the reset signal Sg122 that has passed through the illegal signal invalidation unit 50. Hereinafter, the reset signal 122 in the in-vehicle electronic control device 1A is referred to as a reset signal 122 after delay processing.

  Hereinafter, the operation of the in-vehicle electronic control device 1A will be described with reference to time charts of respective signals shown in FIGS.

  FIG. 3 is an example of a time chart of each signal when an abnormal operation of the second microcomputer 20 occurs in the in-vehicle electronic control apparatus 1A. When an operation abnormality of the second microcomputer 20 occurs, the second watchdog clear signal Sg21 is within the allowable time range ((t21−Δtc) to (t21 + Δtd)) from the time point P11 indicating a normal change. Phenomenon that does not appear in.

  The example shown in FIG. 3 shows that the second watchdog clear signal Sg21 is newly updated from the time point P11 at which the normal change has occurred until the time point P13 when the upper limit time t22 (= (t21 + Δtd)) of the allowable time range has elapsed. This is an example in which no signal change was shown. On the other hand, in the example of FIG. 3, the operation of the first microcomputer 10 is normal, and the first microcomputer 10 continues to output the first watchdog clear signal Sg11 that changes at a constant period t11.

  In the example shown in FIG. 3, the reset signal Sg123 that changes from the inactive state to the active state is output at a time point P12 after the time point P11 when the second microcomputer 20 is normal. This is because an abnormality occurred in the execution of the abnormality monitoring program 22P by the second microcomputer 20, and the second microcomputer 20 received an invalid reset signal at the time point P12 although the operation of the first microcomputer 10 was normal. This indicates that Sg123 has been output.

  In the in-vehicle electronic control device 1A, the second abnormality monitoring circuit 42 receives the second abnormality monitoring circuit 42 at the time point P13 when the upper limit time t22 of the allowable time range has elapsed from the time point P11 at which the second watchdog clear signal Sg21 indicates a normal change. 2 An abnormal operation of the microcomputer 20 is detected, and an active second reset signal Sg22 is output.

  Further, the second reset circuit 22 that has received the second reset signal Sg22 in the active state executes a reset process of the second microcomputer 20, and after that time P14, the second microcomputer 20 returns to a state in which it normally operates. To do.

  The time t23 for the second abnormality monitoring circuit 42 to hold the second reset signal Sg22 in the active state is the time required for the second reset circuit 22 to detect the second reset signal Sg22 as a trigger for starting the reset process. is there.

  In addition, at the time P13 when the second microcomputer 20 starts the reset process, the reset signal Sg123 in the active state illegally output from the second microcomputer 20 returns to the inactive state.

  In the in-vehicle electronic control device 1A, the signal change from the inactive state to the active state in the reset signal Sg122 after delay processing output from the delay circuit 51 is inactive in the reset signal Sg123 output from the second microcomputer 20 It occurs with a delay of a fixed time t3 with respect to the signal change from to the active state. The delay time t3 is longer than the time t22 required for the second abnormality control circuit 40 to detect an abnormality in the output of the second watchdog clear signal Sg21 (t3> t22).

  Therefore, the illegal reset signal Sg123 output from the second microcomputer 20 returns from the active state to the inactive state while the delay circuit 51 performs the delay process. As a result, the delayed reset signal Sg122 output from the delay circuit 51 is held in an inactive state. That is, the output of the unnecessary reset signal Sg123 is invalidated by the delay circuit 51.

  Further, since the operation of the first microcomputer 10 is normal, the first abnormality monitoring circuit 32 holds the reset signal Sg121 to be output in an inactive state. Therefore, the OR circuit 60 holds the first reset signal Sg12 supplied to the first microcomputer 10 in an inactive state.

  As described above, in the in-vehicle electronic control apparatus 1A, even if an invalid reset signal Sg123 is output from the second microcomputer 20 due to an abnormal operation of the second microcomputer 20, the first microcomputer 10 is informed. It is avoided that the unnecessary first reset signal Sg12 is supplied.

  Next, the time chart shown in FIG. 4 will be described. FIG. 4 is an example of a time chart of each signal when an abnormal operation of the first microcomputer 10 occurs in the in-vehicle electronic control apparatus 1A.

  In the example shown in FIG. 4, the first watchdog clear signal Sg11 is newly updated from the time point P21 at which normal change has occurred until the time point P22 when the upper limit time t12 (= (t11 + Δtb)) of the allowable time range has elapsed. This is an example in which no signal change was shown. On the other hand, in the example of FIG. 4, the operation of the second microcomputer 20 is normal, and the second microcomputer 20 continues to output the second watchdog clear signal Sg21 that changes at a constant period t21.

  In the in-vehicle electronic control device 1A, at the time P22 when the upper limit time t12 of the allowable time range has elapsed from the time point P21 when the first watchdog clear signal Sg11 indicates a normal change, the first abnormality monitoring circuit 32 1 An abnormal operation of the microcomputer 10 is detected, and an active reset signal Sg121 is output.

  Further, the OR circuit 60 to which the reset signal Sg121 in the active state is input supplies the first reset signal Sg12 in the active state to the first reset circuit 12 from the time point P22 when the reset signal Sg121 in the active state is input. To do.

  Further, the first reset circuit 12 that has received the first reset signal Sg12 in the active state executes the reset process of the first microcomputer 10, and after that time P23, the first microcomputer 10 returns to a state in which it normally operates. To do.

  The time t23 for the first abnormality monitoring circuit 32 to hold the reset signal Sg121 in the active state is the time required for the first reset circuit 12 to detect the first reset signal Sg12 as a trigger for starting the reset process.

  On the other hand, the normal second microcomputer 20 also operates abnormally at the time point P22 when the upper limit time t12 of the allowable time range has elapsed from the time point P21 when the first watchdog clear signal Sg11 indicates a normal change. And the reset signal Sg123 in the active state is output.

  However, while the reset signal Sg123 in the active state output from the second microcomputer 20 is being delayed by the delay circuit 51, that is, until the delay time t3 elapses from the time point P22, the first microcomputer 10 returns to a state of normal operation (time point P24).

  Therefore, the second microcomputer 20 detects a change in the first watchdog clear signal Sg11 output from the first microcomputer 10 that has returned to the normal operation while the delay circuit 51 performs the delay process, and the reset signal Return Sg123 from the active state to the inactive state. As a result, the delayed reset signal Sg122 output from the delay circuit 51 is held in an inactive state.

  Next, the time chart shown in FIG. 5 will be described. FIG. 5 is an example of a time chart of each signal when the operation abnormality of the first microcomputer 10 and the abnormality of the second abnormality control circuit 40 occur in the in-vehicle electronic control apparatus 1A.

  The example shown in FIG. 5 shows that the first watchdog clear signal Sg11 has a new change from the time point P31 at which the normal change has occurred to the time point P32 when the upper limit time t12 (= (t11 + Δtb)) of the allowable time range has elapsed. This is an example in which no signal change was shown. On the other hand, in the example of FIG. 5, the operation of the second microcomputer 20 is normal, and the second microcomputer 20 continues to output the second watchdog clear signal Sg21 that changes at a constant period t21.

  When the first abnormality monitoring circuit 32 is abnormal, the first abnormality monitoring circuit is also at the time P32 when the upper limit time t12 of the allowable time range has elapsed from the time P31 when the first watchdog clear signal Sg11 shows a normal change. 32 cannot detect an abnormal operation of the first microcomputer 10 and cannot output the reset signal Sg121 in the active state.

  On the other hand, the normal second microcomputer 20 detects the abnormal operation of the first microcomputer 10 at the time point P32 when the upper limit time t12 of the allowable time range has elapsed from the time point P31 when the first watchdog clear signal Sg11 shows a normal change. Detect and output an active reset signal Sg123. Here, the second CPU 21 in the second microcomputer 20 holds the reset signal Sg123 in the active state for the time t4 in accordance with the abnormality monitoring program 22P. The holding time t4 is a time obtained by adding the delay time t3 of the delay circuit 51 and the time t23 necessary for starting the reset process of the first microcomputer 10 (t4 = t3 + t23).

  Then, the delay reset signal Sg122 changes to the active state from the time point P32 when the normal second microcomputer 20 correctly outputs the reset signal Sg123 in the active state to the time point P33 when the delay time t3 has elapsed. The reset signal Sg122 after the delay process is held in an active state for a time t23 (= t4-t3).

  Further, the OR circuit 60 to which the reset signal Sg122 after the delay processing in the active state is input is in an active state with respect to the first reset circuit 12 from the time point P33 when the reset signal Sg122 after the delay processing in the active state is input. The first reset signal Sg12 is supplied.

  Further, the first reset circuit 12 that has received the first reset signal Sg12 in the active state executes a reset process of the first microcomputer 10, and after that time P34, the first microcomputer 10 returns to a state in which it normally operates. To do.

  As shown in FIGS. 3 to 5, in the in-vehicle electronic control apparatus 1A, the second abnormality control circuit 40 and the normal second microcomputer 20 that executes the abnormality monitoring program 22P are the abnormality monitoring function of the first microcomputer 10. Realization of duplication.

<Second embodiment>
Next, the configuration of the in-vehicle electronic control device 1B according to the second embodiment of the present invention will be described with reference to FIG. The in-vehicle electronic control device 1B includes a configuration that further embodies the unauthorized signal invalidation unit 50 in the in-vehicle electronic control device 1. 6, the same components as those shown in FIG. 1 are denoted by the same reference numerals. Hereinafter, only the points more specific from the in-vehicle electronic control device 1 (FIG. 1) in the in-vehicle electronic control device 1B (FIG. 6) will be described.

  In the in-vehicle electronic control device 1B, the second CPU 21 of the second microcomputer 20 executes two abnormality monitoring programs 22P and 23P that use different memory areas in the main memory 21M. The contents of the abnormality monitoring process executed according to the plurality of abnormality monitoring programs 22P and 23P are the same. Hereinafter, for convenience, one program is referred to as a first abnormality monitoring program 22P, and the other program is referred to as a second abnormality monitoring program 23P.

  In the second microcomputer 20, the second CPU 21 outputs the reset signal Sg123 through the signal output port 26 by executing the first abnormality monitoring program 22P. Also, the second CPU 21 outputs another reset signal Sg 124 through the signal output port 27 by executing the second abnormality monitoring program 23P.

  The on-vehicle electronic control device 1B outputs a logical product signal Sg122 of the reset signal Sg123 output by the execution of the first abnormality monitoring program 22P and the reset signal Sg124 output by the execution of the second abnormality monitoring program 23P. AND circuit 52 is provided. The AND circuit 52 activates the output signal Sg122 only when both of the two reset signals Sg123 and Sg124 corresponding to the two abnormality monitoring programs 22P and 23P are in the active state.

  In the in-vehicle electronic control apparatus 1B, the unauthorized signal invalidation unit 50 includes a second CPU 21 that executes the second abnormality monitoring program 22P and a logical product circuit 52.

  Hereinafter, the operation of the in-vehicle electronic control device 1B will be described with reference to time charts of respective signals shown in FIGS.

  FIG. 7 is an example of a time chart of each signal when an abnormal operation of the second microcomputer 20 occurs in the in-vehicle electronic control device 1B. When an operation abnormality of the second microcomputer 20 occurs, the second watchdog clear signal Sg21 is within the allowable time range ((t21−Δtc) to (t21 + Δtd)) from the time point P41 indicating a normal change. Phenomenon that does not appear in.

  The example shown in FIG. 7 shows that the second watchdog clear signal Sg21 has a new change from the time point P41 at which the normal change has occurred until the time point P43 when the upper limit time t22 (= (t21 + Δtd)) of the allowable time range has elapsed. This is an example in which no signal change was shown. On the other hand, in the example of FIG. 7, the operation of the first microcomputer 10 is normal, and the first microcomputer 10 continues to output the first watchdog clear signal Sg11 that changes at a constant period t11.

  Further, in the example shown in FIG. 7, one reset signal Sg123 out of two reset signals output from the second microcomputer 20 is in a situation where an operation abnormality of the second microcomputer 20 occurs after the time point P11. Although the inactive state changes to the active state at the time point P42, the other reset signal Sg124 is held in the inactive state. This is because the execution result of the first abnormality monitoring program 22P (reset signal Sg123) is different from the execution result of the second abnormality monitoring program 23P (reset signal Sg124) due to an operation abnormality of the second microcomputer 20. Indicates that it has stopped.

  Accordingly, the reset signal Sg123 corresponding to the first abnormality monitoring program 22P is in the active state, but the output signal Sg122 (reset signal) of the AND circuit 52 is held in the inactive state.

  In a microcomputer, when multiple programs that perform the same processing are executed in parallel using different memory areas in the main memory, if the operation of the microcomputer is normal, multiple programs that perform the same processing have the same result. Is output. On the other hand, when an abnormal operation of the microcomputer occurs, it is likely that a plurality of programs that perform the same process output different results. The on-vehicle electronic control device 1B has a configuration in which an illegal reset signal Sg123 by the first abnormality monitoring program 22P is invalidated by a reset signal Sg124 by the second abnormality monitoring program 23P by using the phenomenon.

  That is, when an abnormality occurs in the execution of the first abnormality monitoring program 22P by the second microcomputer 20, one reset signal Sg123 (active signal) output from the second microcomputer 20 executes the second abnormality monitoring program 23P. Is invalidated by the second microcomputer 20 and the logical product circuit 52. Therefore, even if an abnormality occurs in the execution of the first abnormality monitoring program 22P, an unnecessary reset signal is not supplied from the second microcomputer 20 to the first microcomputer 10.

  The first abnormality monitoring program 22P and the second abnormality monitoring program 23P in the plurality of abnormality monitoring programs are classified into the invalid signal invalidating unit 50 as the invalid signal resetting side and the output reset signal being invalidated. This is a convenient classification for distinguishing between the two sides. Therefore, which of the plurality of abnormality monitoring programs functions as the second abnormality monitoring program 23P can vary depending on the situation.

  In addition, at the time P43 when the upper limit time t22 of the allowable time range has elapsed from the time point P41 at which the second watchdog clear signal Sg21 indicates a normal change, the normal second abnormality monitoring circuit 42 An abnormal operation is detected, and an active second reset signal Sg22 is output.

  Further, the second reset circuit 22 that has received the second reset signal Sg22 in the active state executes a reset process of the second microcomputer 20, and after that time P44, the second microcomputer 20 returns to a state in which it normally operates. To do.

  As described above, the time t23 during which the second abnormality monitoring circuit 42 holds the second reset signal Sg22 in the active state is that the second reset circuit 22 detects the second reset signal Sg22 as a trigger for starting the reset process. It takes time.

  In addition, at the time P43 when the second microcomputer 20 starts the reset process, the reset signal Sg123 in the active state illegally output from the second microcomputer 20 returns to the inactive state.

  As described above, also in the in-vehicle electronic control device 1B, when an illegal reset signal Sg123 is output from the second microcomputer 20 due to an abnormality in the execution of a part of the abnormality monitoring program 22P in the second microcomputer 20. However, an unnecessary first reset signal Sg12 is prevented from being supplied to the first microcomputer 10.

  Next, the time chart shown in FIG. 8 will be described. FIG. 8 is an example of a time chart of each signal when an abnormal operation of the first microcomputer 10 occurs in the in-vehicle electronic control device 1B.

  The example shown in FIG. 8 shows that the first watchdog clear signal Sg11 has a new change from the time point P51 at which normal change has occurred until the time point P52 when the upper limit time t12 (= (t11 + Δtb)) of the allowable time range has elapsed. This is an example in which no signal change was shown. On the other hand, in the example of FIG. 8, the operation of the second microcomputer 20 is normal, and the second microcomputer 20 continues to output the second watchdog clear signal Sg21 that changes at a constant period t21.

  In the in-vehicle electronic control device 1B, at the time point P52 when the upper limit time t12 of the allowable time range has elapsed from the time point P51 when the first watchdog clear signal Sg11 indicates a normal change, the first abnormality monitoring circuit 32 1 An abnormal operation of the microcomputer 10 is detected, and an active reset signal Sg121 is output.

  Further, the normal second microcomputer 20 also detects an abnormal operation of the first microcomputer 10 at the time point P52 when the upper limit time t12 of the allowable time range has elapsed from the time point P21 when the first watchdog clear signal Sg11 shows a normal change. Detected and outputs reset signals Sg123 and Sg124 in an active state. At that time, the two reset signals Sg123 and Sg124 output by the execution of the two abnormality monitoring programs 22P and 23P show the same change.

  Further, the logical product circuit 52 to which the reset signals Sg123 and Sg124 in the active state are input receives the reset signal Sg122 in the active state for the logical sum circuit 60 from the time point P52 when the reset signals Sg123 and Sg124 in the active state are input. Supply.

  Further, the OR circuit 60 to which the reset signals Sg121 and Sg122 in the active state are input receives the first reset circuit in the active state from the time point P52 when the reset signals Sg121 and Sg122 in the active state are input. A signal Sg12 is supplied.

  Further, the first reset circuit 12 that has received the first reset signal Sg12 in the active state executes a reset process of the first microcomputer 10, and after that time P53, the first microcomputer 10 returns to a state in which it normally operates. To do.

  The time t23 for the first abnormality monitoring circuit 32 to hold the reset signal Sg121 in the active state is the time required for the first reset circuit 12 to detect the first reset signal Sg12 as a trigger for starting the reset process.

  Next, the time chart shown in FIG. 9 will be described. FIG. 9 is an example of a time chart of each signal when an operation abnormality of the first microcomputer 10 and an abnormality of the second abnormality control circuit 40 occur in the in-vehicle electronic control apparatus 1B.

  The example shown in FIG. 9 shows that the first watchdog clear signal Sg11 has a new change from the time point P61 at which normal change has occurred to the time point P32 when the upper limit time t12 (= (t11 + Δtb)) of the allowable time range has elapsed. This is an example in which no signal change was shown. On the other hand, in the example of FIG. 9, the operation of the second microcomputer 20 is normal, and the second microcomputer 20 continues to output the second watchdog clear signal Sg21 that changes at a constant period t21.

  When the first abnormality monitoring circuit 32 is abnormal, the first abnormality monitoring circuit is also at a time point P62 when the upper limit time t12 of the allowable time range has elapsed from the time point P61 when the first watchdog clear signal Sg11 shows a normal change. 32 cannot detect an abnormal operation of the first microcomputer 10 and cannot output the reset signal Sg121 in the active state.

  On the other hand, the normal second microcomputer 20 detects the abnormal operation of the first microcomputer 10 at the time point P62 when the upper limit time t12 of the allowable time range has elapsed from the time point P61 when the first watchdog clear signal Sg11 shows a normal change. It detects and outputs two reset signals Sg123 and Sg124 in the active state. Here, the second CPU 21 in the second microcomputer 20 holds the two reset signals Sg123 and Sg124 in the active state for the time t23 according to the abnormality monitoring programs 22P and 23P, respectively. The holding time t23 is a time necessary for starting the reset process of the first microcomputer 10.

  The output signal Sg122 (reset signal) of the AND circuit 52 changes to the active state until the time t23 elapses from the time point P62 when the normal second microcomputer 20 correctly outputs the reset signals Sg123 and Sg124 in the active state. To do.

  Further, the OR circuit 60 to which the reset signal Sg122 in the active state is input supplies the first reset signal Sg12 in the active state to the first reset circuit 12 from the time point P63 when the reset signal Sg122 in the active state is input. To do.

  Further, the first reset circuit 12 that has received the first reset signal Sg12 in the active state executes a reset process of the first microcomputer 10, and after that time P64, the first microcomputer 10 returns to a state in which it normally operates. To do.

  As shown in FIGS. 7 to 9, in the in-vehicle electronic control apparatus 1B, the second abnormality control circuit 40 and the normal second microcomputer 20 that executes the abnormality monitoring programs 22P and 23P are abnormalities in the first microcomputer 10. Realize duplication of monitoring function.

  In the in-vehicle electronic control device 1B, the second CPU 21 in the second microcomputer 20 may execute three abnormality monitoring programs. In that case, the logical product circuit 52 outputs a logical product signal of three abnormal reset signals output from the second microcomputer 20. Thereby, when the operation abnormality of the second CPU 21 occurs, there is a higher possibility that the plurality of reset signals corresponding to the plurality of abnormality monitoring programs show different changes, and the invalid reset signal is invalidated more reliably. .

1, 1A, 1B On-vehicle electronic control device 10 First microcomputer 11 First CPU
11P control program 11M main memory 12 first reset circuit 13 reset signal input port 14 signal output port 20 second microcomputer 21 second CPU
21P control program 21M main memory 22 second reset circuit 22P, 23P abnormality monitoring program 23 reset signal input port 24, 26, 27 signal output port 25 signal input port 30 first abnormality control circuit 31 first watchdog timer 32 first abnormality Monitoring circuit 40 Second abnormality control circuit 41 Second watchdog timer 42 Second abnormality monitoring circuit 50 Illegal signal invalidating section 51 Delay circuit 52 AND circuit 60 OR circuit

Claims (3)

A first microcomputer that periodically outputs a first normal operation signal while controlling a vehicle device;
A first abnormality control circuit that detects an abnormality in the output of the first normal operation signal and outputs a reset signal to the first microcomputer when the abnormality is detected;
While outputting the second normal operation signal periodically while controlling the equipment of the vehicle, by executing a predetermined abnormality monitoring program, an abnormality in detecting the output of the first normal operation signal is detected. A second microcomputer that outputs a reset signal to the first microcomputer when an error is detected;
A vehicle-mounted electronic control device comprising: a second abnormality control circuit that detects an abnormality in the output of the second normal operation signal and supplies a reset signal to the second microcomputer when the abnormality is detected. Because
A process of invalidating a signal change from an inactive state to an active state caused by an abnormality occurring in the execution of the abnormality monitoring program by the second microcomputer with respect to the reset signal output from the second microcomputer. An illegal signal invalidation unit to be applied;
A logical sum signal of the reset signal output from the second microcomputer and passed through the illegal signal invalidation unit and the reset signal output from the first abnormality control circuit is reset to the first microcomputer. An in-vehicle electronic control device comprising: an OR circuit supplied as The illegal signal invalidation unit
Only the signal change from the inactive state to the active state with respect to the reset signal output from the second microcomputer by the execution of the abnormality monitoring program, the second normal operation signal by the second abnormality control circuit is changed. The on-vehicle electronic control device according to claim 1, wherein the on-vehicle electronic control device is a delay circuit that performs a process of delaying longer than a time required to detect an output abnormality. The second microcomputer executes a first abnormality monitoring program and a second abnormality monitoring program that use different memory areas in the main memory of the second microcomputer,
The illegal signal invalidation unit
The second microcomputer for executing the second abnormality monitoring program;
A first reset signal output from the second microcomputer by the execution of the first abnormality monitoring program, and a second reset signal output from the second microcomputer by the execution of the second abnormality monitoring program; The on-vehicle electronic control device according to claim 1, further comprising: a logical product circuit that supplies a logical product signal to the logical sum circuit.

Images