JP2018080710A - Transmission control device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a transmission control device which can avoid the lowering of the dynamic performance of a vehicle while securing the safety of a motion of the vehicle.SOLUTION: A transmission control device comprises a first calculation processor (main microcontroller 103) for controlling a control object, and a second calculation processor (sub-microcontroller 107) which can substitute for a part of a main control function of the first calculation processor, and can communicate with the first calculation processor. The transmission control device further comprises a monitoring device (monitoring module 111) which monitors that the first calculation processor and the second calculation processor are normally operated, makes the second calculation processor substitute for a part of the main control function (gear change function) by switching a part of the main control function which is mounted to the first calculation processor according to an abnormal state, and can communicate with the first and second calculation processors.SELECTED DRAWING: Figure 1

Description

The present invention relates to a transmission control device, and more particularly to a technique applicable to an in-vehicle electronic control device for controlling a transmission of a vehicle.

  In recent years, with the further digitization of automobiles, control has become complicated and sophisticated due to demands such as drivability, fuel efficiency, and comfort from the market. In accordance with this, failures and malfunctions inherent in automobiles are considered as risks. Under such circumstances, IEC61508, ISO26262, etc. have been established as international standards for functional safety to rationally reduce the risks inherent in electrical and electronic products for automobiles and to objectively explain the validity of the design. Has been. In the future production of automobiles, compliance with these international standards has become an essential condition. In order to meet such needs, the microcontroller (microcomputer) installed in the vehicle transmission ensures the safety of the vehicle with functional safety in terms of functions for diagnosing and monitoring safety conditions and motor performance of automobiles. On the other hand, it is also important to avoid a decrease in athletic performance.

  As for safety-related technologies in the automobile industry, it has been the mainstream to design and implement diagnostics, monitoring, and safety measures based on original ideas for each car manufacturer. Specifically, a configuration in which a main function for realizing desired control and a monitoring function for monitoring the main function are mounted on the same microcomputer and the main function is stopped according to the monitoring result from the monitoring function is generally used. Conventionally known.

  For example, the arithmetic device of Patent Document 1 is an arithmetic device that can detect program runaway, counts the reference clock of the arithmetic unit that executes the program, makes an interrupt request to the arithmetic unit for each predetermined value, and performs an interrupt process. Sometimes, it is determined whether or not the execution address of the program is in a predetermined range, and it is determined that the program is in a runaway state when the execution address of the program is not in the predetermined range.

  Moreover, the electronic control unit for shifting disclosed in Patent Document 2 includes a main computer and a monitoring computer. The main computer detects a dangerous state of the main processing unit 211 that executes various processes for operating the power transmission device, and the power transmission device 20 that operates according to the processing by the main processing unit 211, and the power transmission device. And a safety function processing unit 212 that executes safety function processing, which is processing for bringing the safety function 20 into a safe state, is constructed, and the safety function processing unit 212 executes the safety function processing when the safety function processing is executed. The correctness is monitored. When executing safety function processing, obtain the address of the program to be executed and compare it with the program address after execution to diagnose and monitor the task execution order of safety function processing to ensure validity. On the other hand, the power supply to all the solenoid valves of the hydraulic control device is cut off to shift to a state (so-called limp home state) in which the transmission forms a predetermined gear stage.

JP 2002-236600 A JP 2013-140431 A

  The disclosed technique of Patent Document 1 basically only monitors whether a currently executed process is included in a predetermined address (program address), and a process that should be originally executed is executed. It is not something that can be monitored. Therefore, the program runaway detection technology of Patent Document 1 is considered to be insufficient as a vehicle control device including a my controller that controls the in-vehicle device from the viewpoint of ensuring the safety of the vehicle. .

  Also, the disclosed technology of Patent Document 2 is safe by expanding the address of a process to be executed as a safety function to a RAM (Random Access Memory) when the main control function is abnormal, and comparing the address with the address after the process is executed. It performs the limp home state transition and the main computer reset while diagnosing the execution order of the functional processing tasks and ensuring the validity. However, since this validity judgment and safety function processing are performed by the main computer itself, if the main computer causes program runaway etc. due to some reason, such as computation load, missing task execution, etc. There is a possibility that normal validity judgment and safety function processing may not be executed.

  In view of such conventional problems, the present invention accurately monitors and diagnoses the safety state of the first and second arithmetic processing units (main and sub-microcontrollers), and causes a hardware abnormality due to some cause. Another object of the present invention is to provide a transmission control device capable of avoiding a decrease in vehicle motion performance while ensuring safety of vehicle operation when program runaway occurs.

  The transmission control device according to the present invention can substitute a part of main control functions of the first arithmetic processing device (main microcontroller 103) for controlling the control target and the first arithmetic processing device. And a second arithmetic processing unit (sub-microcontroller 107) capable of communicating with the first arithmetic processing unit. The transmission control device further monitors whether the first arithmetic processing device and the second arithmetic processing device are operating normally, and is mounted on the first arithmetic processing device according to an abnormal state. A monitoring device capable of communicating with the first and second arithmetic processing devices, switching a part of the main control functions and causing the second arithmetic processing device to substitute a part of the main control functions ( A monitoring module 111).

  According to the present invention, it is possible to monitor an abnormal state of operation of the first and second arithmetic processing devices (main and sub-microcontrollers). In addition, when an abnormality is detected in any of the arithmetic processing devices, a part of the main control function (gear shift) can be obtained by substituting a part of the main control function in the second arithmetic processing device. Operation) can be continued, and a decrease in the vehicle performance can be suppressed.

1 is a schematic block diagram of a vehicle including a transmission control device according to the present invention. It is a flowchart about the output inversion signal mutual diagnosis which concerns on this invention. It is a flowchart about the task execution order diagnostic counter update process which concerns on this invention. It is a flowchart about the output inversion signal final diagnosis which concerns on this invention. It is a flowchart about the task execution order diagnosis which concerns on this invention. It is a flowchart about CPU abnormality diagnosis which concerns on this invention. 7 shows a diagnostic counter generation pattern of task execution order diagnostic counter processing according to the present invention. The pattern of the comprehensive determination result of the output inversion signal final diagnosis which concerns on this invention is shown. The pattern of the diagnostic result of CPU abnormality diagnosis which concerns on this invention is shown.

  Hereinafter, an embodiment of the present invention will be described with reference to the drawings.

  FIG. 1 is a schematic block diagram of a vehicle 1 including a transmission control device according to the present invention. A transmission control device 10 shown in FIG. 1 is, for example, an on-vehicle electronic control device (ECU) for controlling an automatic transmission of a vehicle to be controlled, and is mounted on the vehicle 1 as an automatic transmission controller. The The transmission control device 10 has a configuration for detecting a failure of a microcontroller used in the transmission control device or a program runaway in the microcontroller.

  The transmission control device 10 is connected to a sensor 101 that receives input from the outside, such as a vehicle speed, an engine speed, a range switch, and the like, which are necessary for vehicle control. The transmission control device 10 includes an input circuit 102 that converts data received from the sensor 101 into an electrical signal such as a pulse signal or data. The transmission control device 10 further includes a main microcontroller (hereinafter also referred to as a main microcomputer) 103 serving as a first arithmetic processing device and a sub microcontroller (hereinafter referred to as a sub microcomputer) serving as a second arithmetic processing device. 107) and a monitoring module 111 because it is a monitoring device.

  The main microcomputer 103 and the sub microcomputer 107 can communicate with each other by communication means such as CAN (Controller Area Network) communication. Similarly, the monitoring module 111 can communicate with the main microcomputer 103 and the sub-microcomputer 107 by communication means such as CAN communication.

  In FIG. 1, the main microcomputer 103 is described as Main-CPU, and the sub-microcomputer 107 is described as Sub-CPU. For example, 20 may be a semiconductor integrated circuit device such as one chip, and the main microcomputer 103 and the sub-microcomputer 107 may be configured by the semiconductor integrated circuit device 20. In this case, although not particularly limited, the semiconductor integrated circuit device 20 includes a plurality of central processing units (CPUs), and the main microcomputer 103 is constituted by one CPU, and the sub-microcomputer 107 is constituted by another one CPU. I can do it. Note that the monitoring module 111 can also be configured by one other CPU of the semiconductor integrated circuit device 20.

  The main microcomputer 103 includes control units 104 to 106, the sub microcomputer 107 includes control units 108 to 110, and the monitoring module 111 includes control units 112 to 114.

  The transmission control device 10 further includes a drive circuit 115 for driving one or more linear solenoids 116 that are actuators. The main microcomputer 103, the sub microcomputer 107, and the monitoring module 111 can be connected to the drive circuit 115 in order to supply the clutch hydraulic pressure necessary for the shift operation of the automatic transmission. The operation of the linear solenoid 116 is controlled by a drive instruction or a shift instruction request from 111. The linear solenoid 116 adjusts the supply hydraulic pressure that is required at the time of a shift operation in response to a shift instruction request.

  Note that each control implemented in the main microcomputer 103 and the sub-microcomputer 107 is task-managed and executed in a prescribed order and prescribed cycle.

  The control unit 104 and the control unit 108 are controls implemented in the main microcomputer 103 and the sub-microcomputer 107, respectively, to perform the output inversion signal mutual diagnosis. It plays a role of transmitting an inverted signal. Here, this inverted signal is regarded as information that changes in response to the activation of the main microcomputer 103 and the sub-microcomputer 107, is managed by the task, and is a software inverted signal generated at a specified period. . This inversion signal may be a hardware inversion signal generated from an oscillation circuit or the like built in each of the microcomputers 103 and 107.

  The control unit 105 and the control unit 109 are controls mounted on the main microcomputer 103 and the sub-microcomputer 107, respectively, in order to perform task execution order diagnosis counter update processing. The control unit 105 and the control unit 109 manage themselves to the monitoring module 111 in order to detect a runaway operation caused by the influence of an increase in the calculation load of the microcomputers 103 and 107 of the main microcomputer 103 and the sub-microcomputer 107. It is responsible for sending diagnostic counters that are updated when all tasks are executed. That is, it is assumed that the control unit 105 and the control unit 109 execute processing that generates the order of tasks executed by the main microcomputer 103 and the sub-microcomputer 107 (control processing order) and sends the order to the monitoring module 111.

  The control unit 106 and the control unit 110 are controls implemented in the main microcomputer 103 and the sub-microcomputer 107, respectively, to perform a shift control process (a part of the main control process). The electric signal converted by the input circuit 102 is Originally, the drive circuit 115 is instructed to generate hydraulic pressure necessary for the shift operation. Note that the control unit 106 and the control unit 110 are switched according to the abnormal state of both the microcomputers 103 and 107 of the main microcomputer 103 and the sub-microcomputer 107, and the mutual control is not executed at the same timing.

  The control unit 112 is a control implemented in the monitoring module 111 to perform the final diagnosis of the output inverted signal. The control unit 104, the control unit 105, the control unit 108, and the control unit are implemented in the main microcomputer 103 and the sub-microcomputer 107. It plays a role of diagnosing the normality of the operation status of the main microcomputer 103 and the sub-microcomputer 107 based on the inverted signal transmitted at 109 and the diagnostic counter.

  The control unit 113 receives the processing results of the control unit 105 and the control unit 109 mounted on the main microcomputer 103 and the sub-microcomputer 107 in order to perform task execution order diagnosis, and the expected value registered in the monitoring module 111 in advance. Compared with the above, it plays a role of diagnosing the normality of the operation state of the main microcomputer 103 and the sub-microcomputer 107.

  The control unit 114 switches the operations of the control unit 106 and the control unit 110 installed in the main microcomputer 103 and the sub-microcomputer 107 according to the diagnosis results of the control unit 112 and the control unit 113 in order to perform CPU abnormality diagnosis. The shift operation of the automatic transmission is realized. When it is determined that the operations of both the main microcomputer 103 and the sub-microcomputer 107 are abnormal, an instruction to forcibly stop both the microcomputers 103 and 107 as a safety function and to fix the gear position to the drive circuit 115. Is also going.

  2 to 7 are flowcharts of the control unit 104, the control unit 105, the control unit 108, the control unit 109, the control unit 112, the control unit 113, and the control unit 114 according to the present invention. 2, the control unit 104 and the control unit 108, the control unit 105 and the control unit 109 for FIGS. 3 and 6, the control unit 112 for FIGS. 4 and 8, and the control unit for FIGS. 5 and 7. FIG. 6 and FIG. 9 show the control unit 114, and details of the flowcharts of the respective drawings will be described below.

  FIG. 2 is a flowchart of the output inversion signal mutual diagnosis implemented in the main microcomputer 103 and the sub-microcomputer 107.

  Here, since both the microcomputers 103 and 107 are configured to be able to communicate with each other, in step 201, an inversion signal that is inverted at a value of 0 or 1 at each predetermined period is transmitted at a predetermined timing to the counterpart microcomputer (in the figure, From the other party's CPU). In step 202, it is confirmed whether or not the received inversion signal of the other party is normally inverted in a prescribed cycle, and the normality of the other party microcomputer is determined in steps 203 and 204. If it is normally inverted (inverted OK), the process proceeds to step 203, and if not inverted normally (inverted NG), the process proceeds to step 204.

  Here, if the inverting operation is abnormal, the value is fixed to 0 or 1 when the received signal is not inverting at all, or the inverting operation stops at some timing during the inverting operation. This assumes a case where it has been closed. In step 205, it is confirmed whether or not the abnormal state has continued for a certain period. If the abnormality is less than the certain period (NO), the abnormality continuation counter is updated in step 206. If the abnormality continues for a certain period of time (YES), in step 207, confirmation information (partner CPU NG confirmation) is generated that the partner microcomputer (partner CPU) is abnormal.

  Thereafter, in step 208, the determination result (determined information) of the counterpart microcomputer is transmitted to the monitoring module 111 that can communicate with itself, thereby transmitting the operating states of the main microcomputer 103 and the sub-microcomputer 107 to the monitoring module 111. . Thereafter, the process proceeds to end (END).

  FIG. 3 is a flowchart of the update processing of the task execution order diagnosis counter mounted on the main microcomputer 103 and the sub-microcomputer 107.

  This process is a counter in which the order of tasks (TK1-TK16) assigned to each job (JOB0-19) registered in the main microcomputer 103 and sub-microcomputer 107 is updated at the time of task execution. And the result is transmitted to the monitoring module at regular intervals. This process is executed for each registered task (TK1-TK16) process. The control software installed in the main microcomputer 103 and the sub-microcomputer 107 is configured to repeatedly execute jobs JOB0 to 19 as shown in FIG.

  In step 301, the job number (JOB0-19) and task number (TK1-TK16) are acquired in order to determine which job and task the processing timing currently being executed is executed by. In step 302, the task execution order counter is updated. In step 303, the job number and task number acquired in step 301 are input, and two-dimensional matrix information as shown in FIG. 7 is created as a diagnostic counter map. In step 304, it is determined whether or not the current execution task is at a specified timing for transmitting the diagnostic counter map to the monitoring module 111. If the current execution task is at the specified timing, the diagnostic counter map is transmitted to the monitoring module 111 in step 305.

  That is, in step 304, it is determined whether or not the current execution task is a task (TK4) assigned to a job (JOB9) other than the final job (JOB19). If the current execution task is the task (TK4) assigned to the job (JOB9) (YES), the specified timing is reached, and the process proceeds to step 305. On the other hand, if it is determined that the current execution task is not the task (TK4) assigned to the job (JOB9) (NO), the process proceeds to step 306.

  In step 305, the diagnostic counter map is transmitted to the monitoring module 111. After the transmission is completed, the process proceeds to end (END).

  In step 306, it is determined whether or not the current execution task is the task (TK4) assigned to the final job (JOB19). When it is determined that the current execution task is the task (TK4) assigned to the final job (JOB19) (YES), the process proceeds to step 307. In step 307, as in step 305, a diagnostic counter map is transmitted. In step 308, in accordance with the job configuration of the main microcomputer 103 and the sub microcomputer 107, the execution order counter is cleared (reset) when the task of the final job (JOB19) is executed, and then the process proceeds to end (END). On the other hand, if it is determined in step 306 that the current execution task is not the task (TK4) assigned to the final job (JOB19) (NO), the process proceeds to end (END).

  FIG. 4 is a flowchart for the output inversion signal final diagnosis 112 implemented in the monitoring module 111.

  This process includes the result of diagnosing the software inversion signal (output inversion signal) output from the microcomputers 103 and 107 by the monitoring module 111 and the control units 104 and control units of the microcomputers 103 and 107 received by the monitoring module 111. The validity of the operation of both the microcomputers 103 and 107 is diagnosed using the mutual diagnosis result 108. This determination of validity is regarded as a first validity diagnosis process.

  In step 401, a software inversion signal (output inversion signal) is received or acquired from each of the microcomputers 103 and 107 (denoted as main + sub CPU in the figure), and in step 402, each signal is received at a specified period. Confirm that the output is reversed normally. When the output is inverted (inverted OK), the process proceeds to step 403. When the output is not inverted (inverted NG), the process proceeds to step 404. In step 403 and step 404, the normality of the software inversion signal viewed from the monitoring module 111 is determined, and in step 405, it is confirmed whether or not the abnormal state (NG) has continued or exceeded for a certain period. In step 405, if the abnormality is less than a certain period (NO), the abnormality (NG) continuation counter is updated in step 406, and if the abnormality continues to be abnormal for a certain period (YES), it corresponds in step 407. If the microcomputer (103 or 107) is abnormal, NG confirmation information is generated.

  In step 408, the mutual monitoring results of the output inversion signals of the control unit 104 and the control unit 108 mounted on both the microcomputers 103 and 107 (indicated as main + sub CPU in the figure) are acquired. At 409, the comprehensive judgment result of both the microcomputers 103 and 107 is confirmed using a combination of this result and the temporarily issued output diagnosis result.

  FIG. 8 shows a pattern of the overall judgment result of the output inverted signal final diagnosis according to the present invention. The combination of the comprehensive determination results can be considered as shown in FIG. 8. Basically, the output diagnosis result temporarily issued by the monitoring module 111 in step 403 and step 407, the control unit 104, and the control unit 108. If the mutual monitoring results (step 408) are the same, the result is regarded as a comprehensive judgment result as credible data. On the other hand, if there is a difference between the output diagnosis result temporarily issued in step 403 and step 407 and the mutual monitoring result (step 408) of the control unit 104 and control unit 108, the monitoring module 111, Since a failure of either the main microcomputer 103 or the sub microcomputer 107 is suspected and accurate diagnosis is impossible, the comprehensive determination result is undefined.

  In FIG. 8, the output diagnosis result temporarily issued by the monitoring module 111 in step 403 and step 407 is described on the horizontal axis and includes four patterns. The four patterns on the horizontal axis are 1) both the main microcomputer 103 and the sub microcomputer 107 are OK (MAIN-SUB OK), 2) the main microcomputer 103 is NG, the sub microcomputer 107 is OK (MAIN NG + SUB OK), and 3) the main microcomputer 103 is OK, and the sub microcomputer 107 is NG (MAIN OK + SUB NG). 4) Both the main microcomputer 103 and the sub microcomputer 107 are NG (MAIN-SUB NG). On the other hand, the mutual monitoring results of the control unit 104 and the control unit 108 are described on the vertical axis and include four patterns as described above. That is, the four patterns on the vertical axis are 1) both the main microcomputer 103 and the sub microcomputer 107 are OK (MAIN-SUB OK), 2) the main microcomputer 103 is NG, and the sub microcomputer 107 is OK (MAIN NG + SUB OK), 3) The main microcomputer 103 is OK, the sub microcomputer 107 is NG (MAIN OK + SUB NG), and 4) both the main microcomputer 103 and the sub microcomputer 107 are NG (MAIN-SUB NG).

  Based on the combination of the four patterns on the horizontal axis and the four patterns on the vertical axis, the following pattern A-D is determined in step 409.

  Pattern A is a pattern in which both the main microcomputer 103 and the sub-microcomputer 107 are determined to be OK (MAIN-SUB OK).

  Pattern B is a pattern in which the main microcomputer 103 is determined to be indefinite or NG, and the sub-microcomputer 107 is determined to be OK (MAIN indefinite + SUB OK and MAIN NG + SUB OK).

  Pattern C is a pattern in which the main microcomputer 103 is determined to be OK, and the sub-microcomputer 107 is determined to be indeterminate or NG (MAIN OK + SUB undefined, and MAIN OK + SUB NG).

  Pattern D is a pattern in which both the main microcomputer 103 and the sub-microcomputer 107 are determined to be NG or undefined (MAIN-SUB NG and MAIN-SUB undefined).

  If any one of the main microcomputer 103 and the sub microcomputer 107 is determined to be normal as a result of the comprehensive determination in step 409 in FIG. 4, a pattern A / B / C diagnosis result is generated in step 410. On the other hand, if it is determined that the main microcomputer 103 and the sub-microcomputer 107 are NG or indefinite as a result of the comprehensive determination in step 409, a diagnostic result of pattern D is generated in step 411.

  FIG. 5 is a flowchart for the task execution order diagnosis implemented in the monitoring module 111. This processing compares the two-dimensional diagnostic counter map generated by the task execution order diagnostic counter update processing of the control units 105 and 109 of both the microcomputers 103 and 107 with the expected value registered in the monitoring module 111 in advance. Diagnose.

  In step 501, a counter map for task execution order diagnosis generated by both microcomputers 103 and 107 is acquired. In step 502, the two diagnostic counter maps acquired in step 501 are compared with the expected task activation order values as shown in FIG. 7 preliminarily incorporated in the monitoring module as a two-dimensional ROM map. NG), in step 503, the microcomputer is regarded as an abnormal state (NG) as the primary determination of the execution order. On the other hand, if they match (OK), the corresponding microcomputer is considered to be in a normal state, and this process ends (END).

  In step 504, the execution order NG continuation counter prepared for each of the microcomputers 103 and 107 is updated, and compared with the NG continuation counter threshold value incorporated as ROM information in step 505. As a result of comparison, if NG continuation continues for a certain period (threshold elapse), a diagnostic result is generated as an abnormal microcomputer in step 506. On the other hand, when NG continuation has not continued for a certain period (threshold value has not elapsed), the corresponding microcomputer is considered to be in a normal state, and this processing ends (END).

  FIG. 6 is a flowchart for the CPU abnormality diagnosis 113 implemented in the monitoring module 111.

  This process determines the normality and validity of the operations of the microcomputers 103 and 107 by combining the final diagnosis result of the output inversion signal generated in FIG. 4 and the diagnosis result of the task execution order generated in FIG. Diagnosis is performed, and shift control switching according to an abnormal state and abnormal microcomputer stop processing are performed. The diagnosis process for the normality of operation and the validity of the operation of both the microcomputers 103 and 107 is regarded as a second validity diagnosis process.

  In step 601, a software inversion signal output from both the microcomputers 103 and 107 at a specified cycle is diagnosed, and details are shown in the flowchart of FIG. In step 602, the diagnosis result pattern (see FIG. 8) generated in step 601 is confirmed. If it is pattern D, it is determined that the states of both microcomputers 103 and 107 are indefinite or abnormal, and the processing in step 608 is performed. Transition. For patterns A, B, and C other than pattern D, the process proceeds to step 603 to perform task execution order diagnosis. This diagnoses the execution order of task operations for each job registered in the microcomputers 103 and 107 with the configuration shown in FIG. 7, and the detailed contents are shown in the flowchart of FIG.

  In step 604, a combination shown in FIG. 9 is confirmed that is considered from the software inversion signal diagnosis result (patterns A, B, and C in FIG. 8) in step 601 and the task execution order diagnosis result in step 603. To do.

  FIG. 9 shows a pattern of the diagnosis result of the CPU abnormality diagnosis. The vertical axis in FIG. 9 corresponds to the patterns A, B, and C described in FIG. On the other hand, the horizontal axis of FIG. 9 is a diagnosis result of the task execution order check and includes four patterns. These four patterns are 1) both the main microcomputer 103 and the sub microcomputer 107 are OK (MAIN-SUB OK), 2) the main microcomputer 103 is NG, the sub microcomputer 107 is OK (MAIN NG + SUB OK), and 3) the main microcomputer 103 is OK. The sub microcomputer 107 is NG (MAIN OK + SUB NG), 4) the main microcomputer 103 and the sub microcomputer 107 are both NG (MAIN-SUB NG).

  Then, the patterns AA, BB, CC, and DD are determined again from the combination of the three patterns A, B, and C on the vertical axis and the four patterns on the horizontal axis in FIG. Here, the pattern AA is a pattern for causing the main microcomputer 103 to continue normal control (main control function). The pattern BB is a pattern that causes the sub-microcomputer 107 to substitute shift control (part of main control functions). The pattern CC is a pattern that causes the main microcomputer 103 to continue normal control. The pattern DD is a pattern for forcibly stopping both the main microcomputer 103 and the sub-microcomputer 107.

  Returning to the step description again. If the main microcomputer 103 is determined to be normal (patterns AA, CC) as a result of checking the combination as shown in FIG. 9 in step 603, that is, in step 605 or step 607, the main microcomputer 103 is currently executed. Each normal control process including the vehicle shift control is continued.

  On the other hand, if it is determined that the main microcomputer 103 is in an abnormal state and the sub microcomputer 107 is in a normal state (pattern BB), the main microcomputer 103 is stopped in step 606 and a shift control switching request is issued to the sub microcomputer 107. Sub-microcomputer 107 performs a shift control operation (part of the main control function) as a vehicle control function (main control function).

  If it is determined that both microcomputers 103 and 107 are in an abnormal state (pattern D or pattern DD), the microcomputers 103 and 107 are forcibly stopped in step 608 and the vehicle is shifted to a safe operation. Perform safe operation. As the fail-safe operation, the monitoring module 111 is connected to the drive circuit 115, and instructed by the monitoring module 111 to fix the gear position to the drive circuit 115. Thereby, control such as stopping the hydraulic pressure supplied to the solenoid is performed, and the shift operation based on an instruction from an abnormal microcomputer is prevented.

Here, with respect to the processing of step 605 to step 608, the processing of step 605 to step 608 is performed so that the abnormal state of the main microcomputer 103 and the sub-microcomputer 107 can be transmitted to another control device capable of communicating with the automatic transmission control device. A communication signal indicating an abnormal state for the main microcomputer and a communication signal indicating an abnormal state for the sub-microcomputer may be generated and transmitted to another microcomputer according to each abnormal state.
(Summary)
The transmission control apparatus according to the present invention has the following configuration.

  The transmission control device includes a first arithmetic processing device that is the main microcontroller 103, a second arithmetic processing device that is the sub-microcontroller 107, and a monitoring device that is the monitoring module 111.

  The first arithmetic processing device 103 includes a main control function of the transmission control device and a monitoring function of the second arithmetic processing device 107.

  The second arithmetic processing unit 107 includes a function of substituting a part of main control functions of the transmission control device and a monitoring function of the first arithmetic processing unit 103 when the first arithmetic processing unit 103 is abnormal. .

  The monitoring device 111 has a function of monitoring the monitoring function result of the first and second arithmetic processing devices 103 and 107, and is operated according to the abnormal state of the first and second arithmetic processing devices 103 and 107. The devices are switched or both the arithmetic processing devices are stopped to make a transition to the vehicle safety operation.

  The monitoring of the first and second arithmetic processing devices 103 and 107 is performed by the monitoring device 111 in the processing order diagnostic counter results of the first and second arithmetic processing devices 103 and 107 and the processing order registered in advance as fixed values. The task execution order diagnosis result obtained by comparing the expected counter value and the software inversion signal result (or the oscillation circuit output result) of the first and second arithmetic processing units 103 and 107 are combined and executed. Here, the processing order diagnostic counter is a counter that is updated at the timing when a task scheduled for each job of both the first and second processing units 103 and 107 is executed. Is transmitted to the monitoring module at regular intervals. In addition, when the second arithmetic processing unit 107 is abnormal, the switching of the arithmetic processing unit to be operated is controlled by the first arithmetic processing unit 103 based on the monitoring results of the first and second arithmetic processing units 103 and 107. The operation is continued, and when the first arithmetic processing unit 103 is abnormal, the second arithmetic processing unit 107 substitutes the shift control of the first arithmetic processing unit 103 (part of the main control function). In addition, when both the arithmetic processing units 103 and 107 are abnormal, the monitoring unit 111 resets or forcibly stops both the arithmetic processing units 103 and 107 to stop the control of the linear solenoid, and performs a shift of the transmission as a fail-safe operation. The stage is fixed.

101 ... sensor 102 ... input circuit 103 ... main microcomputer 104 ... control unit (output inversion signal mutual diagnosis process)
105... Control unit (task execution order diagnosis counter update process)
106... Control unit (main shift control processing)
107... Sub-microcomputer 108... Control unit (output inversion signal mutual diagnosis processing)
109 ... Control unit (task execution order diagnosis counter update process)
110... Control unit (shift control process)
111... Monitoring module 112... Control unit (output inversion signal final diagnosis process)
113... Control unit (task execution order diagnosis process)
114... Control unit (CPU abnormality diagnosis process)
115 ... Drive circuit 116 ... Linear solenoid

Claims (7)

A first arithmetic processing unit for controlling a controlled object;
It is possible to substitute a part of the main control function of the first arithmetic processing unit, a second arithmetic processing unit capable of communicating with the first arithmetic processing unit,
The first arithmetic processing unit and the second arithmetic processing unit are monitored to operate normally, and the main control function implemented in the first arithmetic processing unit according to an abnormal state A monitoring device communicable with the first and second arithmetic processing devices, wherein a part of the main control function is substituted for the second arithmetic processing device by switching a part thereof,
A transmission control device. The transmission control device according to claim 1,
An input circuit for capturing external inputs;
A drive circuit for driving the solenoid, and further,
The first arithmetic processing unit and the second arithmetic processing unit are connected to the input circuit and selectively connected to the drive circuit.
A transmission control device. The transmission control device according to claim 1,
The first arithmetic processing unit is:
Mutual diagnosis processing for diagnosing information that changes in response to activation of the second arithmetic processing device;
A control processing order generation process for generating the order of the control processing executed by the first arithmetic processing device and transmitting it to the monitoring device;
A main control process for executing the main control function necessary for controlling the vehicle,
The second arithmetic processing unit is:
A mutual diagnosis process for diagnosing information that changes in response to activation of the first arithmetic processing unit;
A control processing order generation process for generating the order of the control processing executed by the second arithmetic processing device and transmitting the control processing device to the monitoring device;
A control process substituting a part of the main control function of the first arithmetic processing unit,
A transmission control device. The transmission control device according to claim 3, wherein
The monitoring device
From the information that changes in response to the activation of the first and second arithmetic processing units and the result of the mutual diagnosis processing received from the first and second arithmetic processing units, the first and second arithmetic processing units A first validity diagnosis process for diagnosing the validity of the operation of the device,
A transmission control device. The transmission control device according to claim 4,
The monitoring device
Diagnose the validity of the first and second arithmetic processing devices from the diagnosis result of the first validity diagnostic processing and the results of the control processing order generation processing received from the first and second arithmetic processing devices. A second validity diagnosis process to
A transmission control device. The transmission control device according to claim 5,
The monitoring device
According to the abnormal state of the first and second arithmetic processing devices from the first and second validity diagnosis processing, the operation of the first and second arithmetic processing devices is switched, and the first An arithmetic processing unit switching process for substituting a part of the main control function implemented in the arithmetic processing unit for the second arithmetic processing unit and continuing a part of the main control function, Prepare
A transmission control device. The transmission control device according to claim 6, wherein
A drive circuit for driving the solenoid, and further,
When both the first and second arithmetic processing units are abnormal or out of order, the monitoring device instructs the gear to be fixed as a fail-safe operation of the vehicle, and stops the hydraulic pressure supplied to the solenoid. Connected to the drive circuit,
A transmission control device.

Images