JP2016071771A - Control device and monitoring device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a control device capable of detecting an abnormality while ensuring the continuity of control processing.SOLUTION: An engine ECU 20 implements engine control processing by four CPUs 1 to 4. The CPUs 1 to 4 all correspond to monitoring CPUs and monitored CPUs and monitor the other CPUs so that monitored CPUs differ among the CPUs. Furthermore, when an abnormality occurs to any of the CPUs 1 to 4, the remaining normal CPUs implements engine control processing for saving if the CPUs can implement the engine control processing for saving. The remaining normal CPUs stop transmitting watchdog signals to a monitoring IC 22 if the CPUs are unable to implement the engine control processing for saving.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a control device having a plurality of arithmetic units and a monitoring device for monitoring the control device.

  As this type of control device, there is a control device described in Patent Document 1. The control device described in Patent Literature 1 includes two microcomputers (hereinafter abbreviated as “microcomputer”) and a monitoring unit that monitors the two microcomputers. The two microcomputers transmit watchdog signals having the same cycle to the monitoring unit at different timings. The monitoring unit detects an abnormality based on a difference between a transmission timing of the watchdog signal from one microcomputer and a transmission timing of the watchdog signal from the other microcomputer for a predetermined time or more. When the monitoring unit detects an abnormality, the monitoring unit initializes each microcomputer by transmitting a reset signal to each microcomputer.

JP-A-3-217364

  By the way, in the control apparatus described in Patent Document 1, when an abnormality occurs in one of the two microcomputers, a normal microcomputer is initialized together with the abnormal microcomputer. At that time, since the control processing executed by the two microcomputers is temporarily stopped, the entire control system is temporarily stopped. Therefore, there is room for improvement from the viewpoint of continuity of the control process.

  The present invention has been made in view of such circumstances, and an object thereof is to provide a control device and a monitoring device capable of detecting an abnormality while ensuring continuity of control processing.

  The control device that solves the above-described problem executes control processing by using three or more arithmetic units (1, 2, 3, 4). When the monitoring computing unit is the monitoring computing unit and the monitored computing unit is the monitored computing unit, all of the computing units are the monitoring computing unit and the monitored computing unit. And the other computing units are monitored so that the respective computing units to be monitored are all different. When an abnormality occurs in any of the plurality of calculation units, the remaining normal calculation units execute the control process when the control process can be executed, and perform a specific process when the control process cannot be executed. Perform the action.

  According to the present invention, when an abnormality occurs in any of the plurality of calculation units, if the remaining normal calculation units can execute the control process, the remaining normal calculation units execute the control process. Therefore, continuity of control can be ensured. In addition, when the control process cannot be executed, the remaining normal calculation units perform a specific operation, and therefore it is possible to detect an abnormality of the control device based on the detection of the specific operation.

  ADVANTAGE OF THE INVENTION According to this invention, abnormality of a control apparatus can be detected, ensuring the continuity of a control process.

The block diagram which shows schematic structure of an engine control apparatus. The block diagram which shows the schematic structure about one Embodiment of engine ECU. The figure which shows typically the outline | summary of the mutual monitoring by CPU and monitoring IC of embodiment. (A)-(e) is a timing chart which respectively shows the output mode of the watchdog signal from CPU and microcomputer of embodiment. The figure which shows typically the outline | summary of the mutual monitoring by CPU and monitoring IC of embodiment. The figure which shows the information memorize | stored in ROM of embodiment. The table | surface which shows the specific content of the redistribution table of the control process memorize | stored in ROM of embodiment. The chart which shows the information memorized by RAM of an embodiment. The flowchart which shows the procedure of the WD signal monitoring process performed by each CPU of embodiment. The flowchart which shows the procedure of the WD signal transmission process performed by each CPU of embodiment. The flowchart which shows the procedure of the abnormality detection process performed by each CPU of embodiment. The flowchart which shows the procedure of the control redistribution process performed by each CPU of the embodiment. The flowchart which shows operation | movement of the microcomputer of embodiment. The flowchart which shows the procedure of the monitoring process performed by the monitoring IC of embodiment. (A)-(c) is a timing chart which respectively shows transition of the value of the reset signal Sr transmitted to the microcomputer from the microcomputer of the embodiment, and the monitoring IC, and the counter C of the monitoring IC.

  Hereinafter, an embodiment of the engine control device will be described. First, the outline | summary of the engine control apparatus of this embodiment is demonstrated.

  As shown in FIG. 1, the engine control device 10 of this embodiment includes an engine ECU (electronic control device) 20 and a sensor device 30.

  The sensor device 30 includes, for example, an accelerator pedal position sensor 31, an air flow meter 32, a crank angle sensor 33, and the like. The accelerator pedal position sensor 31 detects the amount of depression of the accelerator pedal. The air flow meter 32 detects the intake air amount of the engine. The crank angle sensor 33 detects a rotation angle (crank angle) of a crankshaft that is an output shaft of the engine. A detection signal output from the sensor device 30 is taken into the engine ECU 20.

  The engine ECU 20 performs electronic throttle control, ignition timing control, fuel injection control, and the like by driving the throttle motor 40, the ignition coil 41, the injector 42, and the like based on the detection signal of the sensor device.

  Next, the configuration of the engine ECU 20 will be described in detail.

  As shown in FIG. 2, the engine ECU 20 includes a microcomputer 21 and a monitoring IC 22 as a monitoring unit.

  The microcomputer 21 includes four central processing units (CPUs) 1 to 4, a ROM (Read Only Memory) 5, a RAM (Random Access Memory) 6, an input / output port 7, and a power supply circuit 8. Yes.

  The CPUs 1 to 4 can exchange various data with the ROM 5, the RAM 6, and the input / output port 7 via the communication bus 9. The CPUs 1 to 4 share and execute various control processes related to engine control such as electronic throttle control and ignition timing control executed by the engine ECU 20. Hereinafter, for convenience, the control processes executed by the CPUs 1 to 4 are abbreviated as a first control process, a second control process, a third control process, and a fourth control process. The CPU numbers 1 to 4 are assigned CPU numbers 1 to 4 in ascending order of code values. That is, CPU number “1” is assigned to CPU 1, CPU number “2” is assigned to CPU 2, CPU number “3” is assigned to CPU 3, and CPU number “4” is assigned to CPU 4. The CPUs 1 to 4 monitor each state mutually.

  The ROM 5 is a read-only memory in which various control programs, control data used for the control, and the like are stored. The RAM 6 is a memory that temporarily stores calculation results of the CPUs 1 to 4. The ROM 5 and RAM 6 are shared by the CPUs 1 to 4 as storage units.

  The input / output port 7 is communicably connected to the monitoring IC 22. The input / output port 7 exchanges signals and data between the CPUs 1 to 4 and the monitoring IC 22.

  The power supply circuit 8 generates an operating voltage Vmm for each of the CPUs 1 to 4 based on a driving voltage Vm supplied from a vehicle battery (not shown). That is, the CPUs 1 to 4 are driven by the operating voltage Vmm supplied from the power supply circuit 8.

  The monitoring IC 22 is composed of an integrated circuit having a counter C and the like. The monitoring IC 22 monitors the state of the microcomputer 21. When the monitoring IC 22 detects an abnormality in the microcomputer 21, the monitoring IC 22 transmits a reset signal Sr to the power supply circuit 8 of the microcomputer 21. The power supply circuit 8 stops applying the voltage to the CPUs 1 to 4 based on the reset signal Sr, so that the operations of the CPUs 1 to 4 are reset.

  The monitoring device 50 according to this embodiment includes a microcomputer 21 to be monitored and a monitoring IC 22 that monitors the microcomputer 21.

  Next, an overview of the monitoring configuration by the CPUs 1 to 4 and the monitoring IC 22 of this embodiment will be described.

  As shown by the arrows in FIG. 3, the CPUs 1 to 4 establish a relationship of monitoring each other in a ring shape. Note that the CPU at the base of the arrow indicates the monitored CPU, and the CPU at the end of the arrow indicates the monitoring CPU. Therefore, CPU1 is monitoring CPU4. CPU 2 monitors CPU 1. CPU 3 monitors CPU 2. The CPU 4 monitors the CPU 3. As described above, when the monitoring CPU is the monitoring CPU and the monitored CPU is the monitored CPU, all of them correspond to the monitoring CPU and the monitored CPU. In addition, other CPUs are monitored so that the CPUs to be monitored are all different.

  Specifically, the CPUs 1 to 4 output watchdog (WD) signals in a ring shape in the order of “CPU 1 → CPU 2 → CPU 3 → CPU 4 → CPU 1 →... As shown in FIGS. 4A to 4D, the WD signal is a pulse signal that changes from a low level (L) to a high level (H). The time interval from the previous WD signal transmission time by the CPU to the next CPU WD signal transmission time is set to a fixed time T. Therefore, the cycle in which the WD signal is output from each of the CPUs 1 to 4 is basically set to “4 × T”. The period T is set to 4 [ms], for example.

  If the monitored CPU does not output the next WD signal even after the time threshold Tth has elapsed from the time when the monitored CPU previously output the WD signal, the CPUs 1 to 4 determine that an abnormality has occurred in the monitored CPU. For example, the time threshold Tth is set to a value slightly larger than “4 × T”, which is the output period of the WD signals of the CPUs 1 to 4.

  In the present embodiment, the monitored CPU stores the output information of the WD signal in the RAM 6 without directly transmitting the WD signal to the monitoring CPU. Therefore, the monitoring CPU determines whether or not the WD signal is output from the monitored CPU based on the output information of the WD signal of the monitored CPU stored in the RAM 6.

  Further, as indicated by arrows in FIG. 3, each of the CPUs 1 to 4 also transmits the WD signal to the monitoring IC 22 when storing the output information of the WD signal in the RAM 6. Therefore, as shown in FIG. 4E, the microcomputer 21 transmits a WD signal to the monitoring IC 22 at a constant period T. The monitoring IC 22 detects whether the microcomputer 21 is abnormal based on the WD signal output from the microcomputer 21.

  On the other hand, if any of them becomes abnormal, the CPUs 1 to 4 determine whether or not the remaining normal CPU can execute the engine control process for evacuation. The engine control process for evacuation indicates an engine control process in which some restrictions are imposed on the vehicle travel so that the vehicle can travel until the vehicle stops at a safe place such as a road shoulder. As a limitation of the vehicle travel, for example, a method is conceivable in which the travelable distance is limited to a short distance and the travelable speed is limited to a low speed. For example, when the number of remaining normal CPUs is equal to or greater than the predetermined minimum CPU number and the abnormal CPU is not the main CPU, the CPUs 1 to 4 can execute the engine control process for saving. to decide. The minimum number of CPUs is the minimum number of CPUs necessary for executing the engine control process for saving. The main CPU indicates a CPU that is indispensable for the execution of the engine control process for evacuation and in which the control process executed by the CPU cannot be substituted for another CPU. If the remaining normal CPUs other than the abnormal CPU can execute the engine control process for saving, the engine control process for saving is executed. At that time, if the remaining normal CPUs can perform the control processing executed by the abnormal CPUs, they are substituted for them. Further, the remaining normal CPUs reconstruct the ring-shaped monitoring system so that the abnormal CPU does not correspond to either the monitoring CPU or the monitored CPU. For example, when an abnormality occurs in the CPU 4 as shown in FIG. 5, the CPU 1 shifts to a state in which the CPU 3 is monitored. Thereby, the ring-shaped monitoring system is reconstructed by the remaining normal CPUs 1 to 3.

  The remaining normal CPUs cannot execute the engine control process for evacuation when the number of normal CPUs is less than the minimum CPU number or when the abnormal CPU is the main CPU. judge. In this case, the remaining normal CPUs stop sending the WD signal to the monitoring IC 22. As a result, the monitoring IC 22 detects an abnormality of the microcomputer 21 based on the absence of transmission of the WD signal from the microcomputer 21. At this time, the monitoring IC 22 transmits the reset signal Sr to the microcomputer 21 to initialize the operations of the CPUs 1 to 4 and restore the microcomputer 21.

  Next, a specific configuration of the microcomputer 21 and the monitoring IC 22 for realizing the mutual monitoring as described above will be described.

  As shown in FIG. 6, the ROM 5 stores the following information (a1) to (a6).

(A1) A program executed by each of the CPUs 1 to 4.
(A2) Number of all CPUs. In this embodiment, this value is “4”.
(A3) The minimum number of CPUs required for executing the engine control process for saving. This value is set to a value (for example, “2”) smaller than the total number of CPUs.
(A4) Number of main CPU. For example, when the CPU 2 is the main CPU, “2” that is the CPU number of the CPU 2 is stored here.
(A5) WD signal transmission cycle T.
(A6) Control processing redistribution table. As shown in FIG. 7, the redistribution table includes information such as an abnormality occurrence CPU, a control process of the abnormality occurrence CPU, a process take-over destination CPU, a process start address, and the like. The process take-over destination CPU indicates a CPU that performs the process executed by the CPU when an abnormality occurs in the corresponding CPU.

  In FIG. 7, among the first to fourth control processes executed by the respective CPUs 1 to 4, the process takeover destination CPU is described in the first control process and the fourth control process. These control processes correspond to control processes that need to be executed by other CPUs during the execution of the engine control process for evacuation, such as fuel injection control and ignition timing control. The process take-over destination CPU is set so that a control process with a large process load is allocated to a CPU with a small process load to be executed in consideration of a control process load assigned to each of the CPUs 1 to 4. .

  Further, the process takeover destination CPU is not described in the second control process executed by the CPU 2. This is because the CPU 2 is the main CPU, and there is no CPU that can perform the control process.

  Furthermore, the process takeover destination CPU is not described in the third control process executed by the CPU 3. This third control process corresponds to a control process that is not directly related to vehicle travel, for example, electronic throttle control. Even if the third control process is not performed during the engine control process for evacuation, for example, it can be handled by setting a fixed value, so that the control process is not delivered.

  As shown in FIG. 8, the RAM 6 stores the previous transmission time Twd of the WD signal. For example, if the CPU that last transmitted the WD signal at the current time is the CPU 3, the time when the CPU 3 transmitted the WD signal is stored as the previous transmission time Twd.

  The RAM 6 stores information shown in the following (b1) to (b7) for each of the CPUs 1 to 4.

(B1) Own CPU number. For example, in the case of the information of the CPU 1, its own CPU number “1” is stored.
(B2) The number of the CPU monitored by itself (hereinafter abbreviated as “monitoring target CPU”). For example, in the case of the information of the CPU 1, “4” that is the number of the CPU 4 to be monitored is stored.
(B3) The number of the CPU that monitors itself (hereinafter abbreviated as “monitoring source CPU”). For example, in the case of the information of the CPU 1, “2” that is the number of the monitoring source CPU 2 is stored.
(B4) WD signal output information from the monitoring target CPU. For example, in the case of the information of the CPU 1, the output information of the WD signal from the monitoring target CPU 4 is stored.
(B5) Its own operating state. For example, in the case of information on the CPU 1, whether the CPU 1 is in a normal state or an abnormal state is stored. In the initial state, “normal state” is stored here.
(B6) Abnormality detection information. For example, if it is information of CPU1, when CPU1 detects abnormality of monitoring object CPU4, that fact is memorized. In the initial state, “no abnormality detected” is stored here.
(B7) WD signal non-reception time. For example, in the case of the information of the CPU 1, the elapsed time from the time when the CPU 1 confirmed the output of the WD signal from the CPU 4 last time is stored. The elapsed time is measured by, for example, counting by a counter provided in the microcomputer 21.

  Each of the CPUs 1 to 4 performs the processing shown in FIG. 9 on the basis of the information stored in the ROM 5 shown in FIG. 6 and the information for each CPU 1 to 4 stored in the RAM 6 shown in FIG. Repeatedly. The calculation cycle is set to 0.5 [ms], for example. In addition, since the process which each CPU1-4 performs is the same, below, the process which CPU1 performs is demonstrated as a representative for convenience.

  As shown in FIG. 9, the CPU 1 first determines whether or not the unreceived time of the WD signal in its own information in the RAM 6 is equal to or greater than the time threshold Tth (step S10). When the unreceived time of the WD signal is less than the time threshold value Tth (step S11: NO), in other words, the CPU 1 has elapsed time from the time when the output of the WD signal from the CPU 4 was confirmed last time is less than the time threshold value Tth. In that case, the process of step S14 is executed. That is, the CPU 1 determines whether or not the WD signal output information from the monitoring target CPU 4 in the information of the RAM 6 is “with output” (step S14). CPU1 once complete | finishes a process, when the output information of the WD signal from monitoring object CPU4 is "no output" (step S14: NO).

  When the output information of the WD signal from the monitoring target CPU 4 is “with output” (step S14: YES), the CPU 1 determines that the WD signal is normally output from the monitoring target CPU 4. In this case, the CPU 1 clears the WD signal non-reception time in its own information in the RAM 6 (step S15), sets the output information of the WD signal from the monitoring target CPU 4 to “no output” (step S16), and sets the WD. A signal transmission event is issued (step S17).

  When the CPU 1 issues a WD signal transmission event, the CPU 1 measures the elapsed time from the previous transmission time Twd of the WD signal stored in the RAM 6 using the built-in timer of the microcomputer 21. The CPU 1 subtracts the previous transmission time Twd of the WD signal from the count value of the built-in timer, in other words, the elapsed time from the previous transmission time Twd of the WD signal is the transmission cycle T of the WD signal stored in the ROM 5. When exceeded, the WD signal transmission process shown in FIG. 10 is executed as an interrupt process.

  Specifically, as shown in FIG. 10, the CPU 1 transmits a WD signal to the monitoring IC 22 (step S170). Further, the CPU 1 changes the WD signal output information in the information of the CPU 2 of the RAM 6 to “with output” (step S171). As a result, the CPU 2 that is the monitoring source of the CPU 1 can determine that the WD signal has been normally output from the CPU 1. Further, the CPU 1 stores the current time in the RAM 6 as the previous transmission time Twd (step S172).

  The above processing is executed in the order of “CPU 1 → CPU 2 → CPU 3 → CPU 4 → CPU 1 →... That is, the WD signal is output in this order.

  On the other hand, as shown in FIG. 9, when the WD signal is not output from the monitoring target CPU 4 (step S14: NO), the CPU 1 does not output the WD signal when the unreceived time of the WD signal exceeds the time threshold Tth (step S10). : YES), it is determined that an abnormality has occurred in the monitored CPU 4. In this case, the CPU 1 changes the abnormality detection information in its own information in the RAM 6 to “abnormality detected” (step S11) and stops the monitoring target CPU 4 in which the abnormality has occurred (step S12). Note that the CPU 1 stops the CPU 4 by, for example, stopping the operation clock by using the stop function of each of the CPUs 1 to 4 mounted on the microcomputer 21. Further, the CPU 1 changes the operation state in the information of the monitoring target CPU 4 in the RAM 6 to “abnormal state” (step S13).

  When the CPU 1 detects an abnormality of the CPU 4 in this way, all of the remaining normal CPUs 1 to 3 other than the stopped CPU 4 execute the abnormality occurrence process shown in FIG. 11 as an interrupt process. That is, each of the CPUs 1 to 3 clears the WD signal non-reception time in its own information in the RAM 6 (step S20), and then determines whether or not the saving engine control process can be executed (step S21). When the number of remaining normal CPUs is equal to or greater than the minimum number of CPUs stored in the ROM 5 and the abnormal CPU 4 number is not the main CPU number, the CPUs 1 to 3 execute the engine control process for saving. It is determined that it is possible (step S21: YES). In this case, each of the CPUs 1 to 3 determines whether or not the monitoring source CPU is normal (step S22).

  Here, when an abnormality occurs only in the CPU 4 as described above, only the CPU 3 having the CPU 4 as a monitoring source performs a negative process (step S22: NO), and the other CPUs 1 and 2 perform an affirmative process (step S22). : YES) At this time, the CPU 3 determines whether or not the CPU number of the monitoring source CPU 4 is the maximum value (step S23). In this case, since the CPU number of the monitoring source CPU 4 is the maximum value (step S23: YES), the CPU 3 sets the CPU number of the CPU 1 having the normal and minimum CPU number as the monitoring source CPU number in its own information in the RAM 6. (Step S24).

  Next, each of the CPUs 1 to 3 determines whether or not the monitoring target CPU is normal (step S26). Here, when an abnormality occurs only in the CPU 4 as described above, only the CPU 1 that monitors the CPU 4 performs a negative process (step S26: NO), and the other CPUs 2 and 3 perform a positive process (step S26). : YES) At this time, the CPU 1 determines whether or not the CPU number of the monitoring target CPU 1 is the minimum value (step S27). In this case, since the CPU number of the monitoring target CPU 1 is the minimum value (step S27: YES), the CPU 1 uses the CPU number of the CPU 3 having the normal and maximum CPU number as the monitoring target CPU number in its own information in the RAM 6. Store (step S28).

  With the above processing, the monitoring state of each of the CPUs 1 to 4 shifts from the state shown in FIG. 3 to the state shown in FIG. That is, the ring-like monitoring system is reconstructed by the CPUs 1 to 3.

  Next, the normal CPUs 1 to 3 determine whether or not they are abnormality detection CPUs based on the abnormality detection information in their own information in the RAM 6 (step S30). Here, when an abnormality occurs only in the CPU 4 as described above, the abnormality detection information of the CPU 1 is “abnormality detected”. Therefore, the CPU 1 determines that it is an abnormality detection CPU (step S30: YES), and issues a WD signal transmission event (step S31). Thereby, CPU1 performs the WD signal transmission process shown by FIG. On the other hand, since the CPUs 2 and 3 are not abnormality detecting CPUs themselves (step S30: NO), the processing is terminated. Thereby, after the ring-shaped monitoring system is reconstructed by the CPUs 1 to 3, the CPU 1 starts outputting the WD signal.

  In the above description, the case where abnormality occurs only in the CPU 4 has been described as an example. However, for example, when abnormality occurs only in the CPU 3, the CPU 2 that uses the CPU 3 as the monitoring source determines that the monitoring source CPU 3 is abnormal. (Step S22: NO). At this time, since the CPU number of the monitoring source CPU 3 is not the maximum value (step S23: NO), the CPU 2 adds the value obtained by adding “1” to the CPU number of the monitoring source CPU 3, that is, the CPU number of the CPU 4 to its own information in the RAM 6. Is stored as the number of the monitoring source CPU (step S25).

  In this case, the CPU 4 that monitors the CPU 3 determines that the monitoring target CPU 3 is abnormal (step S26: NO). At this time, since the CPU number of the monitoring target CPU 3 is not the minimum value (step S27: NO), the CPU 4 obtains a value obtained by subtracting “1” from the CPU number of the monitoring target CPU 3, that is, the CPU number of the CPU 2 as its own information in the RAM 6. Is stored as the CPU number to be monitored (step S29).

  By these processes, even when an abnormality occurs only in the CPU 3, a ring-like monitoring system can be constructed by the CPUs 1, 2, and 4 similarly.

  On the other hand, when an abnormality occurs only in the CPU 4, the remaining normal CPUs 1 to 3 execute the processing shown in FIG. 12 after executing the processing shown in FIG. 11 to reconstruct the ring-shaped monitoring system. . That is, the normal CPUs 1 to 3 refer to the processing takeover destination CPU column in the redistribution table stored in the ROM 5 (step S40), and determine whether or not they correspond to the processing takeover destination CPU at the time of abnormality. (Step S41). In the present embodiment, the processing takeover destination CPU of the CPU 4 is set to the CPU 1. Therefore, when the CPU 1 determines that it corresponds to the process takeover destination CPU (step S41: YES), the CPU 1 refers to the process head address column (step S42), and adds the referenced address as a process to be executed by the CPU 1 (step S41). S43).

  Further, when the CPUs 2 and 3 determine that they do not correspond to the process take-over destination CPU (step S41: NO), the process is terminated.

  In this way, the CPU 1 performs the assigned control process of the CPU 4, so that the remaining normal CPUs 1 to 3 execute the save engine control process. Therefore, the driver can drive the vehicle to a safe place such as a road shoulder of the vehicle while the traveling distance is short and the vehicle is traveling at a low speed.

  On the other hand, in the above description, the case where abnormality occurs only in the CPU 4 has been described as an example. However, when abnormality occurs only in the main CPU 2, for example, as shown in FIG. The CPUs 1, 3, 4 determine in step S 21 that the engine control process for saving cannot be executed (step S 21: NO). Alternatively, if an abnormality occurs in CPU 1 and CPU 3 after an abnormality has occurred in CPU 4, the number of remaining normal CPUs is smaller than the minimum number of CPUs, so normal CPU 2 determines in step S21. It is determined that the engine control process for evacuation cannot be executed (step S21: NO). In this case, the normal CPU stops outputting the WD signal to the monitoring IC 22 without reconstructing the ring-shaped monitoring system (step S32).

  Next, the operation of the microcomputer 21 when the CPUs 1 to 4 execute the processes shown in FIGS. 9 to 12 will be described with reference to FIG. The microcomputer 21 repeatedly executes the process shown in FIG. 13 at a predetermined cycle.

  As shown in FIG. 13, the microcomputer 21 first performs mutual monitoring by the CPUs 1 to 4 (step S50), and determines whether or not there is an abnormal CPU (step S51). If there is no abnormal CPU (step S51: NO), the microcomputer 21 ends the process.

  If there is an abnormal CPU (step S51: YES), the microcomputer 21 determines whether or not the engine control process for evacuation can be executed (step S52). If the microcomputer 21 can execute the engine control process for evacuation (step S52: YES), the microcomputer 21 reconstructs the ring-like monitoring system with the remaining normal CPUs except the abnormal CPU (step S53). ). Further, the microcomputer 21 redistributes the control processing of each CPU in order to hand over the processing performed by the abnormal CPU to another CPU (step S54).

  If the microcomputer 21 cannot execute the engine control process for saving (step S52: NO), the microcomputer 21 stops transmission of the WD signal to the monitoring IC 22 (step S55).

  Next, the monitoring process of the microcomputer 21 executed by the monitoring IC 22 will be described. Note that the value of the counter C of the monitoring IC 22 is set to “0” in the initial state.

  The monitoring IC 22 repeatedly executes the process shown in FIG. 14 at a predetermined calculation cycle. That is, the monitoring IC 22 increments the value of the counter C (step S60), and then determines whether or not the value of the counter C is equal to or greater than the threshold value Cth (step S61). The threshold value Cth is required from the time when transmission of the WD signal to the monitoring IC 22 is stopped due to, for example, an abnormality in the CPUs 1 to 4 until a ring-shaped monitoring system is established by a normal CPU and transmission of the WD signal is resumed. A value corresponding to a time longer than the time (for example, 40 [ms]) is set. If the value of the counter C is not equal to or greater than the threshold value Cth (step S61: NO), the monitoring IC 22 determines whether or not the WD signal transmitted from the microcomputer 21 has been received (step S63). If the monitoring IC 22 has not received the WD signal (step S63: NO), the process is terminated.

  When the monitoring IC 22 receives the WD signal transmitted from the microcomputer 21 before the value of the counter C reaches the threshold Cth (step S61: NO), the value of the counter C is cleared. (Step S64).

  The monitoring IC 22 transmits a reset signal Sr to the microcomputer 21 when the value of the counter C becomes equal to or greater than the threshold Cth (step S61: YES) without receiving a WD signal from the microcomputer 21 (step S63: NO). (Step S62). The reset signal Sr is composed of a pulse signal that changes from a low level to a high level, for example.

  Next, operations of the microcomputer 21 and the monitoring IC 22 of this embodiment will be described.

  As shown in FIG. 15A, the microcomputer 21 transmits a WD signal with a period T when each of the CPUs 1 to 4 is normal. Further, even when an abnormality occurs in any of the CPUs 1 to 4, the microcomputer 21 similarly transmits a WD signal with a period T while the engine control process for evacuation is being performed. While the WD signal is transmitted from the microcomputer 21 at the cycle T, the monitoring IC 22 clears the value of the counter C before reaching the threshold value Cth, as shown in FIG. Therefore, the monitoring IC 22 does not transmit the reset signal Sr.

  If an abnormality occurs in the CPUs 1 to 4 at time t <b> 1 and the execution of the engine control process for saving is impossible, the microcomputer 21 stops transmitting the WD signal thereafter. In this case, the monitoring IC 22 continues to increment the value of the counter C. Then, the monitoring IC 22 transmits a reset signal Sr to the microcomputer 21 at time t2 when the value of the counter C reaches the threshold value Cth. Therefore, the CPUs 1 to 4 are reset at time t2.

  According to the engine control device 10 and the monitoring device 50 described above, the operations and effects shown in the following (1) to (4) can be obtained.

  (1) When an abnormality occurs in any of the CPUs 1 to 4, the remaining three normal CPUs execute the engine control process for evacuation when the engine control process for evacuation can be executed. . Specifically, the three normal CPUs execute the engine control process for evacuation on condition that the number of remaining normal CPUs is equal to or greater than the minimum number of CPUs and the abnormal CPU is not the main CPU. . Therefore, continuity of the engine control process can be ensured. In addition, when the normal three CPUs cannot execute the engine control process for evacuation, transmission of the WD signal to the monitoring IC 22 is stopped. Therefore, the monitoring IC 22 can detect an abnormality of the microcomputer 21 when transmission of the WD signal from the microcomputer 21 is stopped.

  (2) When an abnormality occurs in any of the CPUs 1 to 4, the remaining three normal CPUs reconstruct the ring-shaped monitoring system. Specifically, in the normal three CPUs, the abnormal CPU does not correspond to either the monitoring CPU or the monitored CPU, and all the remaining normal CPUs are the monitoring CPU and the monitored CPU. Other CPUs are monitored so that the corresponding CPUs are different from each other. Further, when any abnormality occurs in any of the remaining three normal CPUs, if the remaining two normal CPUs can execute the engine control process for evacuation, the engine control for evacuation is performed. Process. Therefore, the continuity of the engine control process can be further improved. The two normal CPUs stop sending the WD signal to the monitoring IC 22 when the engine control process for saving cannot be executed. Therefore, even when there are only two normal CPUs, the monitoring IC 22 can detect an abnormality in the microcomputer 21.

  (3) Each of the CPUs 1 to 4 monitors the monitored CPU based on the WD signal. Thereby, each of the CPUs 1 to 4 can easily monitor the state of the monitored CPU.

  (4) When any of the CPUs 1 to 4 has an abnormality, the CPU 1 performs the control process performed by the abnormal CPU. As a result, the engine control process can be continued more accurately by the remaining normal CPUs.

  In addition, the said embodiment can also be implemented with the following forms.

  The CPUs 1 to 4 may directly send WD signals to the monitoring CPU via the bus 9. In this case, the monitoring CPU monitors the monitored CPU based on the WD signal transmitted from the monitored CPU via the bus 9. With such a configuration, the process of storing the output states of the CPUs 1 to 4 in the RAM 6 becomes unnecessary, so that the processing speed of the CPUs 1 to 4 can be improved.

  The microcomputer 21 may notify the driver of an abnormality in the engine ECU 20 through a car navigation device or the like when executing the engine control process for evacuation. At that time, the microcomputer 21 may perform route guidance to a safe place by the car navigation device. The microcomputer 21 may prompt the driver to turn off the ignition switch using a car navigation device or the like, and may reset the CPUs 1 to 4 when the ignition switch is turned off. As a result, when the microcomputer 21 is activated in response to the subsequent operation of turning on the ignition switch, all the CPUs 1 to 4 including the CPU in which an abnormality has occurred are restarted. It becomes possible. According to such a configuration, all the CPUs 1 to 4 can be returned to normal when the ignition switch is turned on, so that the reliability of the operation of the microcomputer 21 can be improved.

  The specific operation for notifying the monitoring IC 22 of the abnormality from the CPUs 1 to 4 is not limited to the operation of stopping the WD signal, and an appropriate operation can be employed. For example, the CPUs 1 to 4 may notify the monitoring IC 22 of the abnormality by transmitting a predetermined abnormality detection signal to the monitoring IC 22. The means for notifying the abnormality between the CPUs 1 to 4 can be changed as appropriate.

  The conditions for determining whether the CPUs 1 to 4 can execute the engine control process for saving can be changed as appropriate. For example, when there is no CPU corresponding to the main CPU among the CPUs 1 to 4, it may be determined whether or not the saving engine control process can be executed only by the number of remaining normal CPUs.

  When an abnormality occurs in any of the CPUs 1 to 4, the remaining normal CPUs may continue to execute normal engine control processing instead of evacuation engine control processing. In short, what is necessary is that the remaining normal CPUs execute the engine control process when an abnormality occurs in any of the CPUs 1 to 4.

  -If the number of CPU which engine ECU20 has is three or more, it can change arbitrarily.

  -The structure of engine ECU20 of the said embodiment is applicable to arbitrary control apparatuses, if it is a control apparatus which performs control processing by 3 or more some CPU. Further, the present invention is not limited to a configuration having a CPU as a calculation unit, and can be applied to a control device having three or more microcomputers as calculation units, for example.

  -This invention is not limited to said specific example. That is, the above-described specific examples that are appropriately modified by those skilled in the art are also included in the scope of the present invention as long as they have the characteristics of the present invention. For example, the elements included in each of the specific examples described above and their arrangement, materials, conditions, shapes, sizes, and the like are not limited to those illustrated, and can be changed as appropriate. Moreover, each element with which embodiment mentioned above is provided can be combined as long as it is technically possible, and the combination of these is also included in the scope of the present invention as long as it includes the features of the present invention.

1, 2, 3, 4: CPU (calculation unit)
6: RAM (storage unit)
21: Microcomputer (control device)
22: Monitoring unit (monitoring IC)

Claims (10)

A control device that executes control processing by three or more arithmetic units (1, 2, 3, 4),
When the monitoring computing unit is the monitoring computing unit and the monitored computing unit is the monitored computing unit,
The plurality of calculation units, each of which corresponds to the monitoring side calculation unit and the monitored side calculation unit, and monitors the other calculation units so that the respective calculation target calculation units are different, respectively.
When an abnormality occurs in any of the plurality of arithmetic units, the remaining normal arithmetic units execute the control process when the control process can be executed and the control process cannot be executed. A control device that performs a specific operation. The remaining normal calculation units are:
When the control process can be executed, the abnormal calculation unit does not correspond to either the monitoring-side calculation unit or the monitored-side calculation unit, and all of the remaining normal calculation units are monitored. And the transition to a state in which each of the other computing units is monitored so as to correspond to the computing unit on the side and the monitored computing unit to be monitored, and the computing units to be monitored are all different,
When any abnormality occurs in any of the remaining normal calculation units, the remaining normal calculation units execute the control process by the remaining calculation units when the control process can be executed. The control device according to claim 1, wherein when the control process cannot be executed, the specific operation is performed.   The control device according to claim 1, wherein the monitoring side calculation unit monitors a state of the monitored side calculation unit based on a watchdog signal output from the monitored side calculation unit. A storage unit (6) shared by the plurality of arithmetic units;
The monitored side arithmetic unit stores the output information of the watchdog signal in the storage unit,
The control apparatus according to claim 3, wherein the monitoring side calculation unit monitors the monitored side calculation unit based on output information of the watchdog signal stored in the storage unit. The monitored computing unit transmits the watchdog signal to the monitoring computing unit via a communication bus,
The control device according to claim 4, wherein the monitoring side calculation unit monitors the monitored side calculation unit based on the watchdog signal transmitted from the monitored side calculation unit.   The control device according to claim 1, wherein the plurality of arithmetic units determine whether or not the control process can be performed based on the number of the remaining normal arithmetic units. .   The plurality of arithmetic units determine whether or not the control process can be executed based on whether or not an arithmetic unit in which an abnormality has occurred is an indispensable arithmetic unit for the execution of the control process. The control apparatus as described in any one of 1-6.   The control device according to any one of claims 1 to 7, wherein the remaining normal calculation unit performs the processing performed by the abnormal calculation unit. The plurality of arithmetic units execute an engine control process,
The control device according to any one of claims 1 to 8, wherein when an abnormality occurs in any of the plurality of arithmetic units, an engine control process for evacuation in which vehicle travel is restricted is executed. . A monitoring device for monitoring the control device (21),
While the control device according to any one of claims 1 to 9 is used as the control device,
A monitoring unit (22) for monitoring the control device;
The plurality of arithmetic units transmit a watchdog signal to the monitoring unit, and when the control process cannot be performed, the specific operation is to transmit the watchdog signal to the monitoring unit. Stop,
The monitoring device detects an abnormality of the control device based on the stop of transmission of the watchdog signal.

Images