JP2015171853A - Vehicle electronic control unit - Google Patents

Abstract

PROBLEM TO BE SOLVED: To acquire highly reliable data that can contribute to an analysis of the cause of a defect or the like if abnormality occurs to an electronic control unit (ECU).SOLUTION: A monitoring target ECU from which data is to be acquired always transmits data in use to a monitoring ECU via an on-vehicle network. The monitoring ECU stores the received data in a RAM in time series (S11, S12). Furthermore, the monitoring ECU determines whether abnormality occurs to the monitoring target ECU by monitoring an output signal from a P-RUN or the like of the monitoring target ECU, a counter of a periodic job, a SUM value of the data stored in a memory or the like (S13). If abnormality occurs to the monitoring target ECU, the monitoring ECU writes the data stored in the RAM to a flash ROM (S14), and transmits an initialization command to the monitoring target ECU (S15, S16) on the assumption that an initialization condition is satisfied.

Description

  The present invention relates to an automotive electronic control device.

  An electronic control device mounted on an automobile is provided with a self-diagnosis function for diagnosing whether or not an abnormality has occurred in various sensors, various actuators, and the like. As described in Japanese Patent Application Laid-Open No. 2013-32163 (Patent Document 1), an electronic control device for an automobile is stored in a memory of the electronic control device in which an abnormality has occurred when an abnormality is detected by a self-diagnosis function. For example, there is one that stores data such as control parameters when an abnormality occurs. This data is used for failure cause analysis.

JP 2013-32163 A

  However, when the abnormality that has occurred in the electronic control device is caused by, for example, a memory failure, the reliability of the data stored in the memory of the electronic control device in which the failure has occurred is low. It may be difficult to analyze the cause.

  Accordingly, an object of the present invention is to provide an automotive electronic control device that can acquire highly reliable data.

  For this reason, the automotive electronic control device includes a control device mounted on the vehicle and an external device that is communicably connected to the control device. Then, the control device transmits data in use to the external device, and the external device saves the data transmitted from the control device when an abnormality occurs in the control device.

  According to the present invention, since data of a control device is collected by an external device, highly reliable data can be acquired.

It is a schematic diagram showing an example of an electronic control system mounted on an automobile. It is a flowchart which shows an example of the monitoring process by the to-be-monitored side. It is a flowchart which shows an example of the monitoring process by the monitoring side. It is a flowchart which shows an example of an abnormal condition reproduction process. It is a block diagram which shows an example of the control apparatus of the to-be-monitored side. It is a flowchart which shows an example of the data restoration process by the to-be-monitored side. It is a flowchart which shows an example of the data restoration process by the monitoring side. It is a flowchart which shows an example of a memory initialization process. It is a structural diagram which shows an example of the data composition of memory. It is a flowchart which shows an example of a memory initialization process. It is a block diagram which shows the other example of the control apparatus by the side to be monitored. It is a flowchart which shows an example of a core switching process. It is a flowchart which shows an example of a core switching process.

Hereinafter, embodiments for carrying out the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 shows an example of an electronic control system mounted on an automobile.

  In an automobile, for example, a plurality of electronic control units (ECUs) 100A to 100C having a microcomputer and a communication adapter for electronically controlling an engine fuel injection device, a variable valve timing mechanism, an automatic transmission, and the like. Is installed. Each of the electronic control devices 100A to 100C is connected to be able to transmit and receive various data, commands, and the like via an in-vehicle network 200 such as a CAN (Controller Area Network). Here, the in-vehicle network 200 is not limited to CAN, and for example, a wired network such as FlexRay (registered trademark) or a wireless network such as a wireless LAN (Local Area Network) can be used. In the following description, the electronic control devices 100A to 100C are referred to as the electronic control device 100 when it is not necessary to distinguish them. Further, the number of electronic control devices 100 mounted on the automobile is not limited to three, and may be other numbers.

  The electronic control device 100 outputs a drive signal to the control target device based on output signals from various sensors, for example, according to a control program stored in a flash ROM (Read Only Memory). For this reason, each electronic control device 100 uses various data such as control parameters and learning values.

  In the electronic control device 100, for example, when an abnormality occurs due to a logic error in the control program, if the control data at the time of occurrence of the abnormality is stored, the cause of the abnormality can be investigated using this. Therefore, for example, data of the electronic control device 100A is collected by the other control device 100B or 100C, so that highly reliable data can be collected even if an abnormality occurs in the electronic control device 100A. In the following description, for convenience of explanation, the electronic control device 100A from which data is collected is referred to as “monitored ECU 100A”, and the electronic control device 100B that collects data is referred to as “monitoring ECU 100B”. Here, the monitored ECU 100A is an example of a control device, and the monitoring ECU 100B is an example of an external device.

  FIG. 2 shows an example of a monitoring process that is repeatedly executed every first predetermined time, triggered by the monitored ECU 100A being activated by turning on the power when the ignition switch is turned on.

  In step 1 (abbreviated as “S1” in the figure, the same applies hereinafter), the monitored ECU 100A sends, for example, data such as control data controlling the control target device to the monitoring ECU 100B via the in-vehicle network 200. And send. Here, the number of data to be transmitted to the monitoring ECU 100B is not limited to one and may be plural.

  In step 2, monitored ECU 100A determines whether or not there is an initialization command (details will be described later) from monitoring ECU 100B. The monitored ECU 100A advances the process to step 3 if it is determined that there is an initialization command (Yes), and ends the process if it determines that there is no initialization command (No).

  In step 3, the monitored ECU 100A executes, for example, initialization to return the contents of the register and the contents of the memory to the initial state immediately after activation. As initialization, the microcomputer of the monitored ECU 100A can be reset (the same applies hereinafter).

  FIG. 3 shows an example of a monitoring process that is repeatedly executed every second predetermined time when the monitoring ECU 100B is activated by turning on the power when the ignition switch is turned on. Here, the second predetermined time may be the same as the first predetermined time in order to facilitate synchronization with the monitored ECU 100A.

  In step 11, the monitoring ECU 100B determines whether or not data from the monitored ECU 100A has been received, for example, based on whether or not there is data in the reception buffer of the communication adapter. If the monitoring ECU 100B determines that data has been received, the process proceeds to step 12 (Yes), whereas if it is determined that data has not been received, the process proceeds to step 13 (No).

  In step 12, the monitoring ECU 100B stores the data from the monitored ECU 100A in time series in a predetermined area of a RAM (Random Access Memory) that is an example of a volatile memory. Here, in order to reduce the occupation area of the RAM, data is stored in a ring buffer constructed in the RAM. Even if a ring buffer is used, there is no problem because it is sufficient if data at the time of occurrence of an abnormality can be secured.

  In step 13, the monitoring ECU 100B determines whether an abnormality has occurred in the monitored ECU 100A. The occurrence of an abnormality in the monitored ECU 100A can be detected, for example, by monitoring an output signal such as P-RUN of the monitored ECU 100, a counter for a scheduled job, a SUM value of data stored in the memory, and the like. The monitoring ECU 100B advances the process to step 14 if it is determined that an abnormality has occurred in the monitored ECU 100A (Yes), and ends the process if it is determined that no abnormality has occurred in the monitored ECU 100A (No). ).

  In step 14, the monitoring ECU 100B writes the data stored in the RAM in step 12 to a flash ROM (nonvolatile memory). Thereby, for example, even when the power supply to the monitoring ECU 100B is interrupted, data when an abnormality occurs in the monitored ECU 100A can be retained.

  In step 15, the monitoring ECU 100B determines whether or not a condition for executing initialization of the monitored ECU 100A (initialization condition), that is, whether there is no effect or little condition is satisfied even if the monitored ECU 100A is initialized. . As initialization conditions, for example, when the processing load of the monitored ECU 100A is small, such as during idling, engine stall, standby in which the ignition switch is OFF, or when the monitored ECU 100A is in a standby state and the battery voltage is equal to or higher than a predetermined voltage Etc. can be applied. The monitoring ECU 100B advances the process to step 16 if it is determined that the initialization condition is satisfied (Yes), and ends the process if it is determined that the initialization condition is not satisfied (No).

  In step 16, the monitoring ECU 100B transmits an initialization command to the monitored ECU 100A via the in-vehicle network 200. Note that the monitoring ECU 100B can transmit an initialization command to the monitored ECU 100A when an abnormality occurs in the monitored ECU 100A without determining whether the initialization condition is satisfied.

  According to such an electronic control system, data used in the monitored ECU 100A is transmitted to the monitoring ECU 100B via the in-vehicle network 200, and is stored in the RAM of the monitoring ECU 100B in time series. When an abnormality occurs in the monitored ECU 100A, the data stored in the RAM of the monitoring ECU 100B is written in the flash ROM, and can be retained even when the power supply is shut off, for example. For this reason, the data used when the abnormality of the monitored ECU 100A occurs is collected by the monitoring ECU 100B in which no failure has occurred, and highly reliable data can be acquired.

  When an abnormality occurs in the monitored ECU 100A, an initialization command is transmitted from the monitoring ECU 100B to the monitored ECU 100A. The monitored ECU 100A that has received the initialization command executes the initialization, so that the contents of the register and the memory are returned to the state immediately after the activation, and for example, it is possible to suppress the processing by inappropriate control data.

  Here, the monitoring and data collection of the monitored ECU 100A may be performed by, for example, the ECU 100C, a monitoring dedicated monitoring tool, or a computer (server) installed in a remote place connected via an in-vehicle network. In this case, the ECU 100C, the monitoring tool, and the computer are examples of external devices.

  In response to an abnormal state reproduction command from a tool such as a checker or HILS (Hardware In the Loop Simulation) connected to the in-vehicle network 200, for example, data stored in the flash ROM of the monitoring ECU 100B is as follows: This can be used to reproduce the abnormal state in the monitored ECU 100A.

  FIG. 4 shows an example of an abnormal state reproduction process that is repeatedly executed by the monitored ECU 100A when the monitored ECU 100A is activated. It is assumed that the monitoring ECU 100B and the tool are activated as a prerequisite for the abnormal state reproduction process.

  In step 21, the monitored ECU 100A determines whether there is an abnormal state reproduction command from the tool. The monitored ECU 100A advances the process to step 22 if it is determined that there is an abnormal state reproduction command (Yes), and terminates the process if it is determined that there is no abnormal state reproduction command (No).

  In step 22, monitored ECU 100A receives data held in monitoring ECU 100B. That is, for example, the monitoring ECU 100B transmits data written in the flash ROM to the monitored ECU 100A in response to a data transmission command from the tool. Then, the monitored ECU 100A receives the data transmitted from the monitoring ECU 100B and expands it in the RAM. The data transmission is performed while synchronizing the monitored ECU 100A and the monitoring ECU 100B. Further, the tool may read data held in the monitoring ECU 100B in advance and transmit the data to the monitored ECU 100A in synchronization.

  In step 23, the monitored ECU 100A sequentially sets operation parameters based on the data developed in the RAM, and reproduces the state where an abnormality has occurred.

  According to such an abnormal state reproduction process, it is possible to reproduce a state where an abnormality has occurred in the monitored ECU 100A using data when a failure occurs in the monitored ECU 100A. For this reason, even when the abnormality is low in reproducibility, it is possible to easily realize the state at the time of occurrence of the abnormality, which can contribute to investigation of the cause.

  Here, data when a failure occurs in the monitored ECU 100A is not limited to the monitoring ECU 100B, and is held by, for example, a data collection device connected to the in-vehicle network 200, a server installed in a remote place, or another ECU 100C. Also good. In addition, the plurality of ECUs 100 may collect data mutually.

  The monitored ECU 100A may include a main main microcomputer A and a sub sub microcomputer B as shown in FIG. In the monitored ECU 100A, the data used in the main microcomputer A is saved in the sub-microcomputer B, and when an abnormality occurs in the main microcomputer A, the data saved in the sub-microcomputer B is returned to the main microcomputer A ( Restore) so that processing can continue. Hereinafter, the data restoration process will be described.

  FIG. 6 shows an example of a data restoration process that is repeatedly executed every third predetermined time, triggered by the monitored ECU 100A being activated by turning on the power when the ignition switch is turned on. The third predetermined time may be the same as the first predetermined time and the second predetermined time (the same applies hereinafter). The data restoration process may be executed by at least one of the main microcomputer A and the sub microcomputer B (the same applies hereinafter).

  In step 31, the monitored ECU 100A transmits data being used by the main microcomputer A to the sub-microcomputer B via an internal bus (not shown), for example, and saves it in the RAM. Here, in order to reduce the area occupied by the RAM of the sub-microcomputer B, for example, data can be saved in a ring buffer.

  In step 32, monitored ECU 100A determines whether or not there is a data return command from monitoring ECU 100B. The monitored ECU 100A advances the process to step 33 if it is determined that there is a data return command (Yes), and advances the process to step 34 if it is determined that there is no data return command (No).

  In step 33, the monitored ECU 100A returns the data saved in the sub-microcomputer B to the main microcomputer A via, for example, the internal bus. Note that before the data is returned to the main microcomputer A, the registers and memories of the main microcomputer A may be initialized. In this way, inappropriate data does not remain in the register and memory, and the reliability can be improved.

  In step 34, monitored ECU 100A determines whether or not there is an initialization command from monitoring ECU 100B. Then, monitored ECU 100A advances the process to step 35 if it is determined that there is an initialization command (Yes), and terminates the process if it determines that there is no initialization command (No).

  In step 35, the monitored ECU 100A executes, for example, initialization for returning the contents of the register and the contents of the memory to the initial state immediately after the activation.

  FIG. 7 shows an example of a data restoration process that is repeatedly executed every fourth predetermined time when the monitoring ECU 100B is activated by turning on the power accompanying turning on the ignition switch.

  In step 41, the monitoring ECU 100B determines whether an abnormality has occurred in the main microcomputer A of the monitored ECU 100A. The occurrence of an abnormality in the main microcomputer A can be detected by monitoring, for example, an output signal of the main microcomputer A such as P-RUN, a counter for a scheduled job, a SUM value of data stored in the memory, and the like. If the monitoring ECU 100B determines that an abnormality has occurred in the main microcomputer A, the monitoring ECU 100B advances the process to step 42 (Yes), whereas if it determines that no abnormality has occurred in the main microcomputer A, the monitoring ECU 100B ends the process (No). ).

  In step 42, the monitoring ECU 100B determines whether or not an abnormality has occurred in the sub-microcomputer B of the monitored ECU 100A. The occurrence of an abnormality in the sub-microcomputer B is monitored, for example, the output signal of the sub-microcomputer B such as P-RUN, the counter for the scheduled job, the SUM value of the data stored in the memory, etc. Can be detected. If the monitoring ECU 100B determines that no abnormality has occurred in the sub-microcomputer B, the process proceeds to step 43 (Yes), while if it is determined that an abnormality has occurred in the sub-microcomputer B, the process proceeds to step 44. Proceed to No (No).

  In step 43, the monitoring ECU 100B transmits a data return command to the monitored ECU 100A via the in-vehicle network 200.

  In step 44, the monitoring ECU 100B determines whether or not the initialization condition for the monitored ECU 100A is satisfied. Here, the initialization condition can be the same as the condition applied in step 15 of FIG. If it is determined that the initialization condition is satisfied, the monitoring ECU 100B advances the process to step 45 (Yes), and if it is determined that the initialization condition is not satisfied, the process is terminated (No).

  In step 45, the monitoring ECU 100B transmits an initialization command to the monitored ECU 100A via the in-vehicle network 200. Note that the monitoring ECU 100B can also send an initialization command to the monitored ECU 100A without determining whether or not the initialization condition is satisfied.

  According to such data restoration processing, data is saved from the main microcomputer A to the sub-microcomputer B in the monitored ECU 100A. When an abnormality occurs only in the main microcomputer A, the data saved in the sub microcomputer B is returned to the main microcomputer A. If an abnormality occurs in both the main microcomputer A and the sub microcomputer B, the main microcomputer A and the sub microcomputer B are reset on the assumption that the initialization condition is satisfied. Therefore, in the monitored ECU 100A, for example, even if the value of data stored in the memory becomes abnormal, the main microcomputer A that is the main system does not run away, and the reliability can be improved.

  When the initialization of the memory of the main microcomputer A is executed in the monitored ECU 100A, not all the areas may be initialized, but only the areas where the data values are abnormal may be initialized. . Hereinafter, this memory initialization process will be described.

  FIG. 8 shows an example of a memory initialization process that is executed when the main microcomputer A of the monitored ECU 100A receives an initialization command from the monitoring ECU 100B. Here, the memory of the main microcomputer A is divided into a plurality of memory areas (for example, three memory areas) as shown in FIG. 9, and data classified according to a predetermined rule is stored in each area. To do. In the example shown in the figure, register and I / O values are stored in the memory area 1, learning values are stored in the memory area 2, and control data is stored in the memory area 3. Then, the main microcomputer A executes a memory initialization process for each memory area.

  In step 51, the main microcomputer A transmits data in the memory area to be processed to the sub microcomputer B via the internal bus.

  In step 52, the main microcomputer A calculates the SUM value of the memory area transmitted to the sub microcomputer B. That is, the main microcomputer A sequentially reads data from the start address of the memory area, and calculates the SUM value obtained by integrating the values.

  In step 53, the main microcomputer A transmits the SUM value of the memory area calculated in step 52 to the sub microcomputer B via the internal bus.

  In step 54, the main microcomputer A determines whether or not the comparison result transmitted from the sub-microcomputer B is negative. Here, the comparison result indicates a result of comparing the SUM value calculated from the data in the memory area transmitted from the main microcomputer A with the SUM value transmitted from the main microcomputer A in the sub microcomputer B. For example, a flag indicating the same (positive) or not the same (negative) is included. The main microcomputer A advances the process to step 55 if it is determined that the comparison result is negative (Yes), and ends the process if it determines that the comparison result is positive (No).

  In step 55, the main microcomputer A initializes the memory area to be processed. Note that when the register and I / O values are stored in the memory area to be processed, since the reliability of the learning value and the control data is low, initialization is executed for all the memory areas.

  FIG. 10 shows an example of a memory initialization process that is executed when the sub-microcomputer B of the monitored ECU 100A transmits data in the memory area to be processed from the main microcomputer A.

  In step 61, the sub-microcomputer B receives the data in the memory area transmitted from the main microcomputer A. The sub-microcomputer B stores the received data in, for example, a RAM and expands it.

  In step 62, the sub-microcomputer B sequentially reads data from the head address of the data in the memory area developed in the RAM, and calculates the SUM value obtained by integrating the values.

  In step 63, the sub-microcomputer B receives the SUM value of the memory area transmitted from the main microcomputer A. The received SUM value of the memory area relates to the same memory area as the SUM value calculated in step 62.

  In step 64, the sub-microcomputer B compares whether the SUM value calculated in step 62 is the same as the SUM value received in step 63. The sub-microcomputer B generates a negative comparison result if it determines that the two SUM values are not the same, and generates a positive comparison result if it determines that the two SUM values are the same.

  In step 65, the sub-microcomputer B transmits the comparison result of the two SUM values to the main microcomputer A via the internal bus.

  According to such a memory initialization process, if there is an initialization process from the monitoring ECU 100B in the monitored ECU 100A, for each memory area obtained by dividing the memory of the main microcomputer A according to a predetermined rule, the data and the SUM value are transferred from the main microcomputer A. Is transmitted to the sub-microcomputer B. In the sub-microcomputer B, the SUM value of the data transmitted from the main microcomputer A is calculated, and the comparison result between this and the SUM value transmitted from the main microcomputer A is returned to the main microcomputer A. In the main microcomputer A, if the comparison result returned from the sub-microcomputer B is negative, the memory area to be processed is initialized.

  For this reason, the main microcomputer A initializes only the memory area where the reliability of the data stored in the plurality of memory areas is low, and the time required for the initialization of the memory can be shortened. it can. Note that when the reliability of the memory area in which the registers and I / O are stored is low, the reliability is improved by initializing all the memory areas.

  As shown in FIG. 11, the main microcomputer A of the monitored ECU 100 </ b> A may be a multi-core including a plurality of cores, for example, the core 1 and the core 2. When an abnormality occurs in the main microcomputer A, for example, the processing main body is switched from the core 1 to the core 2 so that the processing can be continued. In the following description, the multi-core is assumed to have two cores, but the number thereof may be three or more.

  FIG. 12 shows an example of a core switching process that is repeatedly executed by the core 1 every fifth predetermined time when the main microcomputer A is activated. Here, it is assumed that the core 1 and the core 2 use different memories.

  In step 71, the core 1 determines whether or not an abnormality has occurred in the memory, for example, by monitoring the SUM value of the memory. If the core 1 determines that an abnormality has occurred in the memory, the process proceeds to step 72 (Yes), whereas if it is determined that no abnormality has occurred in the memory, the core 1 ends the process (No).

  In step 72, the core 1 transmits a process switching command to the core 2 via the internal bus. In other words, in view of the possibility that it may be difficult to continue the processing of the core 1 because an abnormality has occurred in the memory of the core 1, the processing is continued by the core 2.

  In step 73, the core 1 determines whether or not there is an initialization command from the core 2. The core 1 advances the process to step 74 if it is determined that there is an initialization command (Yes), and ends the process if it determines that there is no initialization command (No).

  In step 74, the core 1 executes memory initialization.

  FIG. 13 shows an example of a core switching process that the core 2 repeatedly executes every sixth predetermined time when the main microcomputer A is activated.

  In step 81, the core 2 determines whether or not there is a switching command from the core 1. If the core 2 determines that there is a switching command, the process proceeds to step 82 (Yes), and if it determines that there is no switching command, the core 2 ends the processing (No).

  In step 82, the core 2 executes a substitute process for the core 1. Here, the alternative process of the core 1 may be either a process capable of ensuring a minimum function or a process capable of ensuring all functions.

  In step 83, the core 2 starts an alternative process for the core 1 and then transmits an initialization command to the core 1.

  According to the core switching process, when a memory abnormality occurs in the core 1, the substitution process is executed in the core 2 and the memory of the core 1 is initialized. For this reason, the process executed by the main microcomputer A is not interrupted for a long time, and the reliability of controlling important equipment such as an automobile engine can be improved.

  The processing in the main microcomputer A may be switched from the core 2 to the core 1 after the memory of the core 1 is initialized or when a memory abnormality occurs in the core 2. In this way, the main microcomputer A can continue processing.

  In the above embodiment, the technical ideas described with reference to the drawings can be combined or a part thereof can be replaced. If it does in this way, in various forms, the effect acquired from the composition can be enjoyed.

  Here, technical ideas other than the claims that can be grasped from the above embodiment will be described together with effects.

(A) The external device stores the data transmitted from the control device in a nonvolatile memory, and the electronic control device for an automobile according to any one of claims 1 to 3.
In this way, even when the power supply to the external device is interrupted, data when an abnormality occurs in the control device can be retained.

(B) The control device has a main microcomputer and a sub-microcomputer, and saves data used in the main microcomputer to the sub-microcomputer, and when an abnormality occurs in the main microcomputer, the sub-microcomputer 4. The automobile electronic control device according to claim 1, wherein the data saved in the main microcomputer is restored to the main microcomputer. 5.
In this way, even if an abnormality occurs in the main microcomputer, the contents of the memory can be returned to the state immediately before the abnormality occurred.

(C) The electronic control device for an automobile according to claim 2, wherein the initialization of the control device initializes a memory.
In this way, since the memory is initialized when an abnormality occurs in the control device, it is possible to suppress the controlled object from being controlled based on inappropriate data.

(D) The initialization of the memory is performed for a memory area in which inconsistencies in memory contents occur among a plurality of memory areas into which the memory is divided. Electronic control device.
In this way, the initialization of the memory area where no inconsistency occurs in the memory contents is not executed, so that the processing time can be shortened.

(E) The microcomputer of the control device is multi-core, and when an abnormality occurs in one of the cores, the other core performs processing instead. The electronic control apparatus for motor vehicles as described in any one of a)-(d).
In this way, the reliability of the control device can be improved.

100A ECU (control equipment)
100B ECU (external equipment)
200 In-vehicle network A Main microcomputer B Sub-microcomputer

Claims (3)

Control equipment installed in the car,
An external device communicably connected to the control device;
An automotive electronic control device comprising:
The control device transmits data in use to the external device,
The external device stores data transmitted from the control device when an abnormality occurs in the control device.
An electronic control device for an automobile. The external device initializes the control device when an abnormality occurs in the control device.
The automotive electronic control device according to claim 1. The control device, when receiving an abnormal state reproduction command from the external device, sets operation parameters based on the data stored in the external device, and reproduces the state where the abnormality has occurred.
The automobile electronic control device according to claim 1 or 2, wherein