JP2016126692A - Electronic control device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an electronic control device capable of eliminating erroneous detection due to noise as much as possible, accurately executing BIST (Built-In Self-Test), and thereby performing diagnosis of a failure detection function.SOLUTION: In activation of a microcomputer 20, BIST of a function block with a BIST circuit is executed. When there is an abnormality in a diagnosis result of BIST, a reset for executing BIST is executed with a reset circuit 209 to be BIST execution reset means, and thereby diagnosis of BIST is performed a plurality of times.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an electronic control device equipped with a microcomputer having a failure detection function.

  In order to comply with ISO 26262, which is a standard related to the functional safety of automobiles, the microcomputer is provided with a failure detection function such as a lockstep method, and failure detection is performed using the failure detection function. When a failure is discovered, it is necessary to put the vehicle in a safe state (for example, output limitation) within a time when safety is ensured. In addition, an electronic control unit such as an ECU (Electronic Control Unit) equipped with a microcomputer diagnoses the failure detection function itself once during startup, and if the diagnosis result is abnormal, turns on a warning light to the driver. You need to be warned.

  As a diagnostic method of such a failure detection function itself, BIST is performed by a BIST (Build In Self Test) circuit (see Patent Document 1 and Patent Document 2 below). In such a BIST by the BIST circuit, the microcomputer cannot be operated temporarily, so that it is necessary to reset after executing the BIST. Due to the nature of BIST, BIST is generally executed before software operation.

JP 2003-68865 A JP 2012-181564 A

  Since many electronic control units (ECUs) equipped with microcomputers are installed in the vehicle, noise is generated due to the operation of other electronic control units even before software operation. There is. Therefore, in a noisy environment such as a vehicle, there is a possibility that an abnormality is erroneously detected due to the noise.

  The present invention has been made in view of such a problem, and an object of the present invention is to provide an electronic control device that can eliminate erroneous detection due to noise as much as possible and perform BIST accurately to diagnose a failure detection function. It is to provide.

  In order to solve the above-described problem, an electronic control device (10, 10A) equipped with a microcomputer (20, 20A) having a failure detection function according to the present invention, which has a BIST circuit (202, 203, 204). , 211) and BIST execution reset means (209) for executing BIST by the BIST circuit, and when the microcomputer is activated, the BIST of the functional block is executed by the BIST circuit, and the diagnosis result by the BIST is obtained. If abnormal, the BIST execution resetting means executes a BIST reset to perform a BIST diagnosis a plurality of times.

  According to the present invention, when the diagnosis result by the BIST is abnormal at the time of starting the microcomputer, the BIST execution reset unit executes the reset for executing the BIST, so that there are a plurality of cases where an abnormality may occur. Multiple BIST diagnoses can be made. Therefore, the influence of erroneous detection due to noise can be eliminated as much as possible by performing BIST diagnosis a plurality of times, and robustness can be improved.

  Furthermore, the present inventor has found a problem of prolonging the reset time in addition to the problem of erroneous detection due to noise. Specifically, since the diagnosis by BIST requires time on the order of several tens of ms, if the diagnosis by BIST is always performed after resetting the microcomputer, the BIST will take more time than necessary and safe. There is a risk of affecting the product and merchantability. The reset after the microcomputer is started is a reset that attempts to recover when a failure of the microcomputer is detected by the failure detection function (lock step, ECC (Error Check Correct), MPU (Memory Protection Unit), etc.) while the vehicle is running, For example, resetting when an engine start request is made due to the driver's ignition on operation being entered during the shutdown process.

  In order to solve the problem of lengthening the reset time, the present invention includes BIST non-execution reset means (209) that does not execute BIST by the BIST circuit, and performs reset that does not require BIST after the microcomputer is activated. When executing, it is also a preferable aspect to execute a reset that does not execute BIST by the BIST non-execution reset means.

  Furthermore, the present inventor has found a problem of lowering the BIST execution frequency in addition to the problem of increasing the reset time. Specifically, if no diagnosis by BIST is performed at the time of reset after start-up, the BIST execution frequency is lowered, and the reliability may be deteriorated.

  In order to solve the problem of lowering the BIST execution frequency, the present invention includes a BIST determination means (209) for determining whether the reset is performed after startup that requires BIST or reset after startup that does not require BIST. It is also a preferred aspect that a reset by the BIST execution reset unit or a reset by the BIST non-execution reset unit is selected based on the determination result of the BIST determination unit.

  According to the present invention, it is possible to provide an electronic control device that can eliminate erroneous detection due to noise as much as possible and perform a BIST accurately and diagnose a failure detection function.

It is a block block diagram which shows the structure of ECU which is embodiment of this invention. 2 is a flowchart showing the operation of the ECU shown in FIG. It is a flowchart which shows the software initialization process shown in FIG. It is a flowchart which shows the software initialization process shown in FIG. It is a block block diagram which shows the modification of ECU shown in FIG.

  Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. In order to facilitate the understanding of the description, the same constituent elements in the drawings will be denoted by the same reference numerals as much as possible, and redundant description will be omitted.

  As shown in FIG. 1, an ECU 10 (electronic control device) that is an embodiment of the present invention includes a microcomputer 20, a monitoring IC 30, and an output circuit 40.

  The microcomputer 20 includes, as functional blocks, a CPU 202 with a lock step, a memory protection 203, an ECC controller 204, a BIST controller 205, a ROM 206, a RAM 207, a reset factor flag 208, a reset circuit 209 (BIST execution reset means, BIST non-execution reset means, BIST determination means), and I / O 210. Each functional block is configured to be able to communicate with each other via the bus 201.

  Since the microcomputer 20 is functional safety compliant, the CPU 202 with lockstep, the memory protection 203, and the ECC controller 204 have a failure detection function. For failure detection, the CPU 202 with lockstep, the memory protection 203, and the ECC controller 204 are each provided with a BIST circuit. The BIST circuit and the BIST circuit of the CPU 202 with lock step, the memory protection 203, and the ECC controller 204 are controlled by the BIST controller 205. In the present embodiment, BIST is executed at the initialization stage of the microcomputer 20.

  The ROM 206 is an area for storing a control program. The RAM 207 is an area for storing the BIST diagnosis result and the BIST abnormality frequency. As will be described later, the BIST diagnosis result and the BIST abnormality count need to be held before and after the microcomputer reset for executing the BIST. If the RAM 207 is not a BIST diagnosis target, there is no problem, but if the RAM 207 is a BIST diagnosis target, the stored information is cleared. Therefore, the BIST diagnosis result and the BIST abnormality frequency are required to be excluded from the BIST target.

  The reset factor flag 208 is a register that stores a flag for specifying a reset cause. The reset factor flag 208 includes a PowerOn reset history flag 208a, a software Dest. It has a reset history flag 208b and a WDC reset history flag 208c.

  The PowerOn reset history flag 208a indicates whether there is a reset history when the power is turned on. The soft Dest reset history flag 208b indicates whether there is a history of software reset for executing BIST. The WDC reset history flag 208c indicates whether there is a history of WDC reset that does not execute BIST. Even if there is no such register, a flag may be secured in the RAM area held before and after the reset for executing the BIST, and the history of each reset may be turned on before each reset request.

  The reset circuit 209 can generate a reset that executes BIST and a reset that does not execute BIST. The reset circuit 209 performs a reset by a reset according to a signal input from the monitoring IC 30 or a reset by a special register in the microcomputer 20.

  In the present embodiment, the reset for executing BIST is a reset applied inside the microcomputer 20 by a special register. The reset by the special register is to specify the reset for executing the BIST by giving the data redundancy. Note that a reset signal may be output from the I / O 210 and a BIST may be executed in response to the reset signal.

  In the case of this embodiment, the reset that does not execute BIST is a WDC reset based on a reset signal input from the monitoring IC 30. If the microcomputer 20 is in a normal state, the I / O 210 outputs a WDC signal to the monitoring IC 30. Since the I / O 210 stops the WDC signal when detecting an abnormality, the monitoring IC 30 detects the abnormality and outputs a reset signal to the reset circuit 209. Note that the monitoring IC 30 can be configured to be monitored inside the microcomputer 20 without monitoring the WDC signal.

  An electronic throttle signal is output from the I / O 210 to the output circuit 40. The output circuit 40 drives and controls the electronic throttle 50 according to the electronic throttle signal. The output circuit 40 and the electronic throttle 50 are control targets that are functional safety targets of the ECU 10. The control target is not limited to the electronic slot, but may be a starter or the like.

  In FIG. 1, the single-core microcomputer 20 is illustrated, but a multi-core microcomputer 20A (ECU 10A) as shown in FIG. 5 may be used. The microcomputer 20A includes a CPU 211 in addition to the CPU 202 with a lock step.

  Next, the operation of the ECUs 10 and 10A will be described with reference to FIG. When the microcomputers 20 and 20A are turned on, the PowerOn reset is executed, the PowerOn reset history flag 208a is turned on, and the microcomputer initialization 1 is executed (step S101). As the microcomputer initialization 1, for example, the I / O register is initialized to a predetermined value.

  In step S102 following step S101, BIST setting is performed. For example, the diagnosis area is set by BIST. In step S103 following step S102, BIST is executed.

  In step S104 following step S103, microcomputer initialization 2 is executed. Although it has been initialized once by the microcomputer initialization 1, the initialized value has been changed by the BIST execution. Therefore, it is necessary to execute microcomputer initialization again before software initialization. In the microcomputer initialization 2, the PowerOn reset history flag 208a is not initialized. In addition, since the result is referred to in the software initialization, the BIST result is not initialized.

  In step S105 following step S104, software initialization processing is performed. The software initialization process will be described with reference to FIG.

  In step S201, a PowerOn reset history is acquired by the PowerOn reset history flag 208a. The PowerOn reset history flag 208a is a flag that is turned on only by the microcomputer initialization 1 at the time of PowerOn reset (step S101 in FIG. 2).

  In step S202 following step S201, it is determined whether there is a PowerOn reset history. If the PowerOn reset history is on, the process proceeds to step S203. If the PowerOn reset history is not on, the process proceeds to step S210.

  In step S203, the soft Dest reset history flag 208b is acquired, and the soft Dest reset history flag 208b is cleared. In step S204 following step S203, it is determined whether there is a soft Dest reset history acquired from the soft Dest reset history flag 208b. If the soft Dest reset history is on, the process proceeds to step S205. If the soft Dest reset history is not on, the process proceeds to step S206.

  In step S206, the BIST abnormality count is initialized to 0, and the process proceeds to step S205. In step S205, the BIST diagnosis result at startup is acquired. In step S207 following step S205, it is determined whether or not the BIST diagnosis result at startup is normal. If the BIST diagnosis result at startup is normal, the process proceeds to step S211. If the BIST diagnosis result at startup is not normal, the process proceeds to step S208.

  In step S208, the BIST abnormality frequency is incremented by one. In step S209 following step S208, it is determined whether or not the BIST abnormality count is equal to or greater than the abnormality determination value. If the BIST abnormality count is equal to or greater than the abnormality determination value, the process proceeds to step S212. If the BIST abnormality number is not equal to or greater than the abnormality determination value, the process proceeds to step S213.

  In step S210, the BIST diagnosis result is “UNFIX (unconfirmed)” and the process proceeds to step S214. In step S211, the BIST diagnosis result is “NORMAL (normal)” and the process proceeds to step S214. In step S212, the BIST diagnosis result is “FAULT (abnormal)” and the process proceeds to step S214. In step S213, a soft Dest reset request is made, the soft Dest reset history flag 208b is turned on, and the software initialization process is terminated.

  In step S214, the PowerOn reset history flag 208a is cleared, and the software initialization process is terminated. Thus, since the PowerOn reset history flag 208a is cleared during the software initialization process, the PowerOn reset history flag 208a is not turned on unless the power is turned on again after the power is turned on.

  When the flow described with reference to FIG. 3 is executed, when the power is turned on (PowerOn reset history on (Yes) in step S202, soft Dest reset history off (No) in step S204), the BIST abnormality frequency is initialized, BIST determination will be performed. If the BIST determination result in step S207 is normal (Yes), the determination is normal and the process is terminated.

  If the BIST determination result in step S207 is abnormal (No), the BIST abnormality count is incremented in step S208, and if the BIST abnormality count is less than the abnormality determination threshold value (No) in step S209, the software Dest that is a reset that performs BIST. Request a reset. If the number of BIST abnormalities is equal to or greater than the abnormality determination threshold value (Yes) in step S209, the abnormality is determined and the process is terminated.

  At the time of self-reset cancellation to execute BIST (PowerOn reset history on (Yes) in step S202, soft Dest reset history on (Yes) in step S204), the BIST abnormality count is not initialized, and the same BIST as when the power is turned on Judgment processing is performed.

  On the other hand, at the time of self-reset cancellation without BIST execution (PowerOn reset history off (No) in step S202), the BIST abnormality count is held and the BIST determination process is not performed.

  Returning to FIG. 2, the description will be continued. In the software initialization process described with reference to FIG. 3, if the BIST diagnosis result is “abnormal” or “indeterminate”, or if a soft Dest reset request is made, the process returns to step S101. In other cases, the process proceeds to step S106.

  In step S106, a software time synchronization process that is repeatedly executed is executed. In the software time synchronization process, electronic throttle control and the like are performed. When a failure of the microcomputers 20 and 20A is detected in the software time synchronization process, the above-described WDC reset is applied, and the process returns to step S104. If no failure of the microcomputers 20 and 20A is detected in the software time synchronization process and the ignition switch is turned off, the process proceeds to step S107.

  In step S107, a software shutdown process is executed. If the ignition switch is turned on during the software shutdown process, it is determined that the user's intention to start is working, a WDC reset is applied, and the process returns to step S104.

  In this way, the engine failure detection function (lockstep, ECC, MPU, etc.) in the software time synchronization process attempts to recover when a microcomputer failure is detected, or the engine is started based on the user's ignition switch-on operation during the software shutdown process. The reset due to the request is reset by a WDC reset that does not execute BIST, and the reset time can be shortened by eliminating BIST execution.

  When the shutdown process is completed, the ECUs 10 and 10A are turned off and the process ends. The WDC reset may be a soft reset by a special register operation.

  Incidentally, in the software time synchronization process and the software shutdown process, it may be determined whether BIST is necessary. An example of such a flow is shown in FIG. In FIG. 4, the processing of steps S301, S302, S303, S304, and S305 is the same as the processing of steps S101, S102, S103, S104, and S105 described with reference to FIG.

  In step S306, when a microcomputer failure is detected during the software time synchronization process, it is determined whether the reset is performed after startup that requires BIST or reset after startup that does not require BIST. The process when BIST is not required is the same as the process of step S106 in FIG.

  If BIST is required, a soft Dest reset request is made, the soft Dest reset history flag 208b is turned on, and the process returns to Step S301.

  In step S307, when the ignition switch is turned on during the software shutdown process, it is determined whether the reset is performed after starting that requires BIST or reset after starting that does not require BIST. The processing when BIST is not required is the same as the processing in step S107 in FIG.

  If BIST is required, a soft Dest reset request is made, the soft Dest reset history flag 208b is turned on, and the process returns to Step S301.

  As described above, the reset circuit 209 performs a soft reset by a special register operation. While the BIST is being executed, the WDC signal cannot be output to the monitoring IC 30. Therefore, assuming that the WDC reset is performed by BIST, when the BIST time is longer than the WDC stop determination time of the monitoring IC 30, the WDC reset is continuously generated and the microcomputers 20 and 20A cannot be started. Therefore, by performing a soft reset by a special register operation, the WDC stop determination time can be set short regardless of the BIST time.

  As a BIST non-execution reset means, it is also preferable to use a soft reset by a special register operation in addition to that by the monitoring IC 30. Rather than waiting for the microcomputer 20 and 20A to intentionally stop the WDC signal and apply the reset from the monitoring IC 30, the reset can be performed only by register operation. The WDC stop determination time can be shortened.

10, 10A: ECU (electronic control unit)
20, 20A: microcomputer 30: monitoring IC
202: CPU with lockstep (functional block)
203: Memory protection (function block)
204: ECC controller (functional block)
211: CPU (functional block)
209: Reset circuit (BIST execution reset means, BIST non-execution reset means, BIST determination means)

Claims (6)

An electronic control device (10, 10A) equipped with a microcomputer (20, 20A) having a failure detection function,
A functional block (202, 203, 204, 211) having a BIST circuit;
BIST execution reset means (209) for executing BIST by the BIST circuit,
When the microcomputer starts up, the BIST of the functional block is executed by the BIST circuit, and if the diagnosis result by the BIST is abnormal, the BIST execution reset means executes a BIST reset to execute the BIST. An electronic control device characterized in that diagnosis is performed a plurality of times.   2. The electronic control apparatus according to claim 1, wherein the BIST execution reset means is a soft reset by a special register operation. BIST non-execution reset means (209) that does not execute BIST by the BIST circuit,
3. The electronic control device according to claim 1, wherein when the reset that does not require the BIST is executed after the microcomputer is activated, the BIST non-execution reset unit executes the reset that does not execute the BIST. 4. A monitoring IC (30) for outputting a reset signal in response to the WDC signal;
4. The electronic control device according to claim 3, wherein the BIST non-execution reset means is a WDC reset by the monitoring IC.   4. The electronic control device according to claim 3, wherein the BIST non-execution reset means is a soft reset by a special register operation. BIST determination means (209) for determining whether a reset after activation requiring BIST or a reset after activation not requiring BIST is provided,
6. The method according to claim 3, wherein a reset by the BIST execution reset unit or a reset by the BIST non-execution reset unit is selected based on a determination result of the BIST determination unit. Electronic control unit.

Images