JP2016089782A - Electronic control device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an electronic control device including a high functional safety in which an appropriate fail-safe processing is carried out in response to a generated abnormal state.SOLUTION: A micro-computer 10 comprises a master core 20 for executing a control processing for performing a calculation for controlling an engine 100, and a checker core 30 for performing the same calculation as that of the master core 20. If it is determined that a failure occurs in a result of calculation of the master core 20, the master core 20 performs a state determination for determining a presence or non-presence of failure at the hardware of the micro-computer 10 without performing a reset processing of the micro-computer 10 and performs the fail-safe processing on the basis of a result of the state determination.SELECTED DRAWING: Figure 2

Description

  The present invention relates to an electronic control device that controls an engine of a vehicle.

  2. Description of the Related Art An electronic control device that controls an engine of a vehicle is known that checks the validity of a calculation result while executing a control process.

  For example, Patent Document 1 below describes an electronic control device that can execute such processing by including two processors. In the electronic control device, two processors perform the same calculation and determine whether the electronic control device is abnormal based on the calculation result. Specifically, the calculation results of the two processors are compared, and it is determined that an abnormality has occurred when there is a mismatch between the two processors.

JP 2014-2472 A

  The electronic control device described in Patent Document 1 has an advantage that an abnormality can be detected quickly by simultaneously executing the engine control process and the determination of whether or not the processor is abnormal. However, the electronic control device has left room for improvement with respect to a method for returning from the abnormal state to the normal state.

  That is, the electronic control device performs a reset process for resetting the electronic control device in order to return to the normal state. Thereafter, it is diagnosed whether the detected abnormality is temporary or continuous.

  When such a reset process is performed, the engine control process by the electronic control unit is stopped, and the control value used in the control process up to that point is cleared. For this reason, when the electronic control device restarts the control process, the control value before the restart is not carried over, and the subsequent control process may fall into an unpredictable state.

  The present invention has been made in view of such problems, and an object of the present invention is to provide an electronic control device with high functional safety that executes appropriate fail-safe processing in accordance with an abnormal state that has occurred.

  In order to solve the above-described problems, an electronic control device according to the present invention is an electronic control device (10) for controlling an engine (100) of a vehicle, and performs a control process by performing computation to control the engine. Main processor (20), sub processor (30) performing the same operation as the main processor, comparator (60) for comparing the operation result by the main processor and the operation result by the sub processor, and comparison by the comparator And an abnormality determination unit (70) for determining whether there is an abnormality in the calculation result of the main processor based on the result. When the main processor determines that there is an abnormality in the computation result of the main processor, the main processor performs a state determination to determine whether there is an abnormality in the hardware of the electronic control unit without performing the reset process of the electronic control unit, and the state Fail safe processing is executed based on the determination result.

  In the present invention, first, by comparing the operation result of the main processor with the operation result of the sub processor, it is determined whether or not there is an abnormality in the operation result of the main processor. If it is determined that there is an abnormality in the calculation result of the main processor, fail control processing is executed because there is a possibility that appropriate control processing cannot be performed if the state is continued.

  In the present invention, the fail-safe process is further based on the result of the state determination for determining whether or not the hardware of the electronic control device is abnormal. This state determination is performed without performing reset processing of the electronic control unit after it is determined that there is an abnormality in the calculation result of the main processor. Therefore, it is possible to execute an appropriate fail-safe process according to the abnormal state of the hardware of the electronic control device.

  ADVANTAGE OF THE INVENTION According to this invention, the electronic control apparatus with high functional safety which performs an appropriate fail safe process according to the produced abnormal state can be provided.

It is a block diagram which shows the electronic control apparatus which concerns on embodiment of this invention. It is a flowchart which shows the control by the electronic controller which concerns on embodiment of this invention. It is a flowchart which shows the flow of the process in the master core state determination shown by FIG.

  Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. In order to facilitate the understanding of the description, the same constituent elements in the drawings will be denoted by the same reference numerals as much as possible, and redundant description will be omitted.

  First, the configuration of the microcomputer 10 will be described with reference to FIG. The microcomputer 10 is a so-called dual-core electronic control device and is mounted on a vehicle (not shown). The microcomputer 10 is electrically connected to various sensors (not shown) of the vehicle, and controls the vehicle engine 100 using information transmitted from the sensors. The engine 100 is a gasoline engine having a plurality of cylinders.

  As shown in FIG. 1, the microcomputer 10 includes a master core 20, a checker core 30, a RAM 40, a ROM 50, a comparator 60, and an error determination unit 70.

  The master core 20 corresponds to a main processor in the microcomputer 10. The master core 20 has a CPU 21 and an FPU 22. The CPU 21 is a processing device that performs calculations according to a predetermined program using information transmitted from various sensors to the microcomputer 10 as appropriate. The FPU 22 is a processing device that performs floating point arithmetic.

  The checker core 30 corresponds to a sub processor in the microcomputer 10. The checker core 30 has a CPU 31 and an FPU 32. The CPU 31 is a processing device that performs calculations according to a predetermined program using information transmitted from various sensors to the microcomputer 10 as appropriate. The FPU 22 is a processing device that performs floating point arithmetic. The architecture of the CPU 31 is the same as the CPU 21 of the master core 20, and the architecture of the FPU 32 is the same as the FPU 22.

  The RAM 40 is a storage device that can communicate with the master core 20 via an address bus, a read data bus, and a write data bus, and can communicate with the checker core 30 via a read data bus. RAM40 memorize | stores the information etc. which are input from external devices, such as a calculation result by CPU21,31, and various sensors.

  The ROM 50 is a storage device that can communicate with the master core 20 via an address bus and a read data bus, and can communicate with the checker core via a read data bus. The ROM 50 stores a program for performing control processing of the engine 100, fixed data, and the like.

  The comparator 60 is a comparator that can communicate with the master core 20 and the checker core 30 via a data bus for writing. The comparator 60 compares the notified plurality of calculation results. The comparator 60 notifies the comparison result after performing the comparison.

  The error determination unit 70 can communicate with the comparator 60. Based on the notification from the comparator 60, the error determination unit 70 determines whether there is an abnormality in the calculation result of the master core 20, and notifies the determination result.

  In the microcomputer 10 configured as described above, the master core 20 reads a program stored in the ROM 50, and the CPU 21 and the FPU 22 perform calculations according to the program. The master core 20 notifies the RAM 40 of the calculation result as appropriate, stores it, and notifies the comparator 60 of it.

  On the other hand, the checker core 30 also reads a program stored in the ROM 50 in parallel with the master core 20 and performs calculations according to the program in the CPU 31 and the FPU 32. Both the CPU 31 and the FPU 32 perform calculations in synchronization with the CPU 21 and the FPU 22 of the master core 20 in the same clock. The checker core 30 appropriately notifies the RAM 40 of the calculation result to be stored, and notifies the comparator 60 of the calculation result.

  The comparator 60 compares the operation result notified from the master core 20 with the operation result notified from the checker core 30. Both calculation results are set to coincide when the master core 20 and the checker core 30 are operating normally. The comparator 60 notifies the error determination unit 70 of the comparison result.

  Based on the notification from the comparator 60, the error determination unit 70 determines whether there is an abnormality in the calculation result of the master core 20. Only when the error determination unit 70 determines that there is no abnormality in the calculation result of the master core 20, it is permitted to execute the normal control processing of the engine 100 by the master core 20.

  On the other hand, when the error determination unit 70 determines that the calculation result of the master core 20 is abnormal based on the notification from the comparator 60, an error signal is transmitted to the master core 20. The master core 20 that has received the error signal stops the control processing that has been executed so far, and executes fail-safe processing.

  Next, the fail safe level determination process and the microcomputer state determination process performed by the master core 20 will be described with reference to FIGS.

  When the master core 20 receives the error signal from the error determination unit 70 as described above, the master core 20 executes the fail-safe level determination process shown in FIG. This fail safe level determination process is a process for determining the level of the fail safe process in order to execute an appropriate level (level) of the fail safe process according to the state of the microcomputer 10.

  First, in step S21, the master core 20 executes a “level 2” fail-safe process among the three stages of fail-safe processes. Specifically, the master core 20 performs a control process for making the vehicle ready to travel while suppressing the output of the engine 100 as compared with the case where there is no abnormality in the calculation result of the master core 20. More specifically, the master core 20 stops the combustion in some of the cylinders of the engine 100 and continues the operation of the engine 100.

  Next, the master core 20 performs a microcomputer state determination process in step S22. This microcomputer state determination process is a process for determining whether or not there is an abnormality in the hardware of the microcomputer 10. In other words, when it is determined that there is an abnormality in the calculation result of the master core 20, the abnormality is only temporary or is due to an abnormality in the hardware of the microcomputer 10, and is continuous. This is a process for determining whether or not.

  As shown in FIG. 3, the master core 20 first diagnoses the CPU 21 in step S31 in the microcomputer state determination process. Specifically, the CPU 21 is caused to perform a calculation for diagnosis, and the presence or absence of abnormality of the CPU 21 is diagnosed based on whether or not the calculation is performed in a predetermined order.

  When abnormality of CPU21 is not detected by the diagnosis of step S31 (S32: No), the master core 20 implements diagnosis of FPU22 next at step S33. Specifically, the FPU 22 is caused to perform a calculation for diagnosis, and the presence or absence of abnormality of the FPU 22 is diagnosed based on whether or not the calculation is performed according to a predetermined expected value.

  If no abnormality of the FPU 22 is detected in the diagnosis of step S33 (S34: No), the master core 20 next performs the diagnosis of the ROM 50 in step S35. Specifically, the normal checksum is stored in the ROM 50 in advance, and the checksum is recalculated when it is determined that the calculation result of the master core 20 is abnormal, By comparing, the presence or absence of abnormality of FPU22 is diagnosed.

  When abnormality of ROM50 is not detected by the diagnosis of step S35 (S36: No), the master core 20 implements diagnosis of RAM40 next at step S37. Specifically, the CPU 21 stores diagnostic data once in the RAM 40, then reads the data and compares it with the stored data, thereby diagnosing whether the RAM 40 is abnormal.

  If no abnormality is detected in the RAM 40 in the diagnosis in step S37 (S38: No), that is, if no abnormality is detected in any of the CPU 21, FPU 22, ROM 50, and RAM 40, the calculation result of the master core 20 occurs. It can be estimated that the abnormality is temporary. In this case, the master core 20 sets a flag indicating that the state of the microcomputer 10 is normal in step S39, and ends the microcomputer state determination process.

  On the other hand, if an abnormality is detected in any of the CPU 21, FPU 22, ROM 50, and RAM 40 (S32, S34, S36, S38: Yes), the abnormality that has occurred in the calculation result of the master core 20 is a malfunction of the hardware of the microcomputer 10. It can be presumed to be a continuous thing. In this case, the master core 20 sets a flag that the state of the microcomputer 10 is abnormal in step S40, and ends the microcomputer state determination process.

  As shown in FIG. 2, the master core 20 that has finished the microcomputer state determination process next changes the degree of the fail-safe level to be executed based on the flag relating to the state of the microcomputer 10 in step S23.

  In the microcomputer state determination process, when the flag indicating that the state of the microcomputer 10 is normal is set (S23: No), the master core 20 determines “level 1” among the three stages of failsafe processes in step S24. ”Is executed. In the “level 1” fail-safe process, the control of reducing the output of the engine 100 is more relaxed than in the “level 2” fail-safe process described above, and the control process for making the vehicle ready to run is executed. Specifically, in the “level 1” fail-safe process, the upper limit value of the engine 100 is set higher than the “level 2” fail-safe process.

  On the other hand, in the microcomputer state determination process, when the flag indicating that the state of the microcomputer 10 is abnormal is set (S23: Yes), the master core 20 in step S25, among the three stages of failsafe processes, “ Level 3 "fail-safe processing is executed. In the “level 3” fail-safe process, the output of the engine 100 is further suppressed as compared with the above-described “level 2” fail-safe process, and the control process is performed so that the vehicle can travel at a minimum. The output of the engine 100 at this time is limited to that which allows retreating to bring the running vehicle to the shoulder, and for example, the vehicle can run at a speed of about 10 km / h.

  As described above, the microcomputer 10 first determines whether there is an abnormality in the calculation result of the master core 20 by comparing the calculation result of the master core 20 with the calculation result of the checker core 30. When it is determined that there is an abnormality in the calculation result of the master core 20, if the state is continued, there is a possibility that appropriate control processing cannot be performed, and therefore fail-safe processing is executed.

  In the microcomputer 10, the fail-safe process is further based on the result of the microcomputer state determination process that determines whether there is an abnormality in the hardware of the microcomputer 10. This microcomputer state determination process is performed without performing the reset process of the microcomputer 10 after it is determined that the calculation result of the master core 20 is abnormal. Therefore, it is possible to execute an appropriate failsafe process according to the abnormal state of the hardware of the microcomputer 10.

  Further, in the microcomputer 10, when it is determined that there is an abnormality in the calculation result of the master core 20, the master core 20 performs “level 2” fail-safe processing and performs microcomputer state determination processing. Thereafter, when it is determined that there is an abnormality in the hardware of the microcomputer 10, “level 3” fail-safe processing is executed, while when it is determined that there is no abnormality in the hardware of the microcomputer 10, “level 1”. Execute the fail-safe process.

  According to the microcomputer 10, when it is determined that there is an abnormality in the calculation result of the master core 20, the “level 2” fail-safe process is temporarily performed to put the vehicle in a safe state, Performs microcomputer state determination processing. Then, it is possible to determine a level (level) suitable for the hardware state of the microcomputer 10 and execute more appropriate fail-safe processing.

  The embodiments of the present invention have been described above with reference to specific examples. However, the present invention is not limited to these specific examples. In other words, those specific examples that have been appropriately modified by those skilled in the art are also included in the scope of the present invention as long as they have the characteristics of the present invention. For example, the elements included in each of the specific examples described above and their arrangement, materials, conditions, shapes, sizes, and the like are not limited to those illustrated, but can be changed as appropriate. Moreover, each element with which each embodiment mentioned above is provided can be combined as long as technically possible, and the combination of these is also included in the scope of the present invention as long as it includes the features of the present invention.

10: Microcomputer (electronic control unit)
20: Master core (main processor)
30: Checker core (sub processor)
60: Comparator 100: Engine

Claims (6)

An electronic control device (10) for controlling an engine (100) of a vehicle,
A main processor (20) for performing a control process by performing an operation to control the engine;
A sub processor (30) for performing the same operation as the main processor;
A comparator (60) for comparing the operation result of the main processor with the operation result of the sub-processor;
An abnormality determination unit (70) for determining the presence or absence of an abnormality in the calculation result of the main processor based on a comparison result by the comparator;
When the main processor determines that there is an abnormality in the calculation result of the main processor, the main processor performs a state determination to determine whether there is an abnormality in the hardware of the electronic control device without performing a reset process of the electronic control device. An electronic control device that performs the fail-safe process based on the result of the state determination.   The main processor performs the first fail safe process when it is determined that there is an abnormality in the calculation result of the main processor, performs the state determination, and then determines that there is an abnormality in the hardware The electronic control device according to claim 1, wherein the second fail-safe process is executed while the third fail-safe process is executed when it is determined that there is no abnormality in the hardware.   The electronic control device according to claim 2, wherein the first fail-safe process suppresses the output of the engine more than when it is determined that there is no abnormality in the calculation result of the main processor.   The electronic control device according to claim 3, wherein the second fail-safe process further suppresses the output of the engine more than the first fail-safe process.   5. The electronic control device according to claim 3, wherein the third fail-safe process is one in which suppression of the output of the engine is relaxed as compared with the first fail-safe process. 6.   The electronic control unit according to claim 5, wherein the third fail-safe process sets an upper limit value of the engine speed higher than that of the first fail-safe process.

Images