JP2021120234A - On-vehicle control device - Google Patents

Abstract

To detect ROM failure of micro computer interior in early stage as much as possible and to reduce risk that behavior which does not intend by a vehicle continuing to travel generates nevertheless ROM fails.SOLUTION: An on-vehicle control device measures electric current supplied to a storage device for read-only and outputs a signal showing that the storage device for read-only has possibility to fail in future if the electric current exceeds determination threshold.SELECTED DRAWING: Figure 1

Description

The present invention relates to an in-vehicle control device that controls a device mounted on a vehicle.

An in-vehicle control device (Vehicle Control Unit) that controls a device mounted on a vehicle includes a microcomputer (hereinafter, referred to as a microcomputer) that performs control calculations. A microcomputer generally includes a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), and the like.

The ROM is a storage device that stores data used by the CPU in control operations. ROM may fail regardless of the operating state of the vehicle control device due to short-circuiting of adjacent transistors and wiring due to foreign matter mixed in the semiconductor manufacturing process, and poor transistor deterioration due to long-term use. be. The failure modes of ROM include, for example, the following. If any of these failure modes occur, the failed ROM cannot correctly hold the data used by the CPU for control operations:
(Failure 1) Data cannot be retained correctly;
(Failure 2) Data writing time / reading time becomes longer.

If the ROM fails, both the data written to the ROM and the data read from the ROM may be damaged, so that a problem occurs in the control calculation executed by the CPU, and it becomes difficult to execute the desired control calculation. Therefore, the in-vehicle control device generally has a function of diagnosing whether or not the ROM is out of order.

The following Patent Document 1 describes a method for diagnosing a ROM failure. The document states, "A control computer that constantly performs failure diagnosis to detect ROM / RAM failure register failures during control and stops the assist operation in the event of an abnormality to prevent the system from entering a serious failure mode. offer. "The ROM area consists of cells consisting of a plurality of predetermined number of byte data, and is a machine cycle consisting of a normal control period for controlling a controlled object and a diagnostic period for diagnosing a failure of a control computer." For diagnosis this time, the data of some cells out of a plurality of cells are added for each diagnosis period, and the data of some cells obtained in the previous diagnosis period is added to the added value of the data of some cells. When the data of some other cells are added to the period and the added value of the data for all the cells in the ROM area is obtained, the calculation means is provided with a calculation means for comparing the total of the added values with the specified value. Failure detection is performed based on the comparison between the total of the added values and the specified value. 』Disclosures the technology (see summary).

Japanese Unexamined Patent Publication No. 2004-133635

Due to the complexity / sophistication of vehicle control processing in recent years, the amount of data stored in the ROM has increased, and the time required for diagnosing the storage area of the ROM has also increased. Therefore, the time required to detect a failure by diagnosis tends to be long. If the ROM fails, the vehicle control system may enter a serious failure mode, so it is important how quickly an abnormality in the ROM storage area can be detected.

It is considered that the ROM diagnostic method of Patent Document 1 is supposed to constantly perform a checksum operation on the entire storage area of the ROM and immediately execute a fail-safe process when a failure is detected. However, the failure cannot be detected for a while from the diagnosis of the entire storage area to the diagnosis of the area again.

In the ROM diagnostic method of Patent Document 1, when the transistors constituting the ROM completely fail, the ROM cannot hold the data correctly, and the CPU reads out the incorrect data when accessing the ROM, the ROM Failure can be detected. In other words, in the ROM failure diagnosis method of Patent Document 1, it is difficult to detect a failure unless the ROM is completely failed.

The present invention has been made in view of the above problems, by detecting a ROM failure inside the microcomputer at the earliest possible stage and continuing the vehicle running despite the ROM failure. The purpose is to reduce the risk of unintended behavior.

The in-vehicle control device according to the present invention measures the current supplied to the read-only storage device, and if the current exceeds the determination threshold value, the read-only storage device may fail in the future. A signal indicating that is output.

According to the in-vehicle control device according to the present invention, although data can be normally read and written to the read-only storage device (ROM) at present, if there is a possibility of failure in the future, a sign of the failure can be detected. It can be detected at an early stage.

It is a block diagram of the vehicle-mounted control device 100 according to the first embodiment. It is a flowchart explaining the procedure for determining whether or not there is a possibility (failure potential) of failure of ROM 113 in the future. It is a flowchart explaining the procedure of failure diagnosis with respect to ROM 113. It is a timing chart about ROM failure possibility evaluation and ROM diagnosis while a vehicle is running. It is a block diagram of the vehicle-mounted control device 100 according to the second embodiment. It is a block block diagram of ROM 113. This is an example of the address map of the storage area of the ROM 113. It is a flowchart explaining the procedure of failure diagnosis with respect to ROM 113 in Embodiment 2.

<Embodiment 1>
FIG. 1 is a configuration diagram of an in-vehicle control device 100 according to a first embodiment of the present invention. The in-vehicle control device 100 is an in-vehicle electronic control unit (ECU: Electronic Control Unit) that electronically controls an in-vehicle device (for example, an automatic transmission, an engine, etc.) mounted on the vehicle. The in-vehicle control device 100 includes a main microcomputer (hereinafter referred to as a main microcomputer) 110, a sub-microcomputer (hereinafter referred to as a sub-microcomputer) 120, a main power supply IC (Integrated Circuit) 130, a sub power supply IC 140, and a current measurement circuit 150. Be prepared.

The main microcomputer 110 is a microcomputer that controls in-vehicle devices mounted on the vehicle. The main microcomputer 110 controls an in-vehicle device by, for example, controlling an actuator 230. In addition, a message can be displayed via the display device 240. As the message, for example, a message such as a character or an image, a notification by lighting a lamp, or any other form can be used.

The main microcomputer 110 includes a CPU 111, a RAM 112, and a ROM 113. The CPU 111 is an arithmetic unit (arithmetic circuit) that performs control calculations necessary for controlling an in-vehicle device. The ROM 113 stores a program executed by the CPU 111 (for example, a program that implements the flowchart described in FIGS. 2, 3, and 8 described later). The RAM 112 temporarily stores the data used by the CPU 111.

The sub-microcomputer 120 is a microcomputer having the same configuration as the main microcomputer 110, and the description thereof will be omitted. The sub-microcomputer 120 diagnoses whether or not the ROM 113 is normal according to the request from the main microcomputer 110, and notifies the main microcomputer 110 of the result of the diagnosis.

The in-vehicle control device 100 receives electric power from the battery 220 mounted on the vehicle. The main power supply IC (main power supply circuit) 130 steps down or raises and lowers the power VB received from the battery 220, and then supplies the power VB to the main microcomputer 110. Similarly, the sub power supply IC (sub power supply circuit) 140 also supplies the power received from the battery 220 to the sub microcomputer 120 after stepping down or stepping up and down.

The main power supply IC 130 is internally divided into three power supply circuits so as to individually supply electric power (VB1, VB2, VB3) to each of the CPU 111, RAM 112, and ROM 113. That is, the main power supply IC 130 has a first power supply circuit VG1 that outputs a first voltage VB1 to the CPU 111, a second power supply circuit VG2 that outputs a second voltage VB2 to the RAM 112, and a third voltage VB3 to the ROM 113. A third power supply circuit VG3 for output is provided. This is to suppress the influence of the drive current supplied to the ROM 113 due to the fluctuation of the drive current of the CPU 111 and the fluctuation of the drive current of the ROM 113.

The first voltage VB1 output by the first power supply circuit VG1 is supplied to the CPU 111 via the power supply wiring (power supply path) L1. The second voltage VB2 output by the second power supply circuit VG2 is supplied to the RAM 112 via the power supply wiring (power supply path) L2. The third voltage VB3 output by the third power supply circuit VG3 is supplied to the ROM 113 via the power supply wiring (power supply path) L3.

The current measurement circuit 150 measures the value of the drive current supplied from the main power supply IC 130 to the ROM 113, and outputs the measurement result to the sub-microcomputer 120. The sub-microcomputer 120 diagnoses the ROM 113 using the measurement result according to the procedure described later. The drive current referred to here is a read current supplied to the ROM 113 for the CPU 111 to read the data stored in the ROM 113. Since the drive current increases as the ROM 113 deteriorates, it is possible to predict the possibility that the ROM 113 will fail in the future based on the increment of the drive current.

It will be readily appreciated by those skilled in the art that various circuit configurations can be adopted for the current measuring circuit 150. The measurement result may be output to the sub-microcomputer 120 as an analog signal or may be output to the sub-microcomputer 120 as a digital signal. When the measurement result is output as a digital signal, the current measurement circuit 150 is configured to include an analog-to-digital conversion circuit ADC. On the other hand, when the measurement result is output as an analog signal, the sub-microcomputer 120 is configured to include an analog-to-digital conversion circuit ADC. The case where the measurement result is output as a digital signal is more resistant to the noise generated in the vehicle-mounted control device 100 such as the power supply than the case where the measurement result is output as an analog signal.

When the driver of the vehicle turns the ignition key ON / OFF, the power signal 210 is generated accordingly. The vehicle-mounted control device 100 starts / shuts down according to the power signal 210. The main power supply IC 130 and the sub power supply IC 140 supply or cut off power to the respective microcomputers 110 and 120 accordingly.

In the first embodiment, the in-vehicle control device 100 determines that the ROM 113 may fail in the future when the drive current of the ROM 113 becomes larger than a predetermined threshold value from the time of manufacture. Therefore, the in-vehicle control device 100 stores in advance the value of the drive current at the time of manufacturing the ROM 113, and uses this in the diagnosis of the ROM 113. The drive current value at the time of manufacture can be stored in a storage device such as a ROM included in any of the microcomputers, for example. Instead of the time of manufacturing the in-vehicle control device 100, the drive current value at the time of manufacturing the main microcomputer 110 may be stored. In the following description, it is assumed that the ROM 113 stores the manufacturing drive current 1131.

The measurement result of the drive current measured by the current measurement circuit 150 varies depending on the temperature of the main microcomputer 110. This fluctuation may be due to the temperature characteristics of the element such as the temperature measurement resistor included in the current measurement circuit 150, or due to the temperature characteristics of other circuits such as the temperature characteristics of the main microcomputer 110 itself. Therefore, in the first embodiment, how the drive current value measured by the current measurement circuit 150 fluctuates according to the temperature of the main microcomputer 110 is described in advance as the temperature characteristic data 1132. In the following description, it is assumed that the ROM 113 stores the temperature characteristic data 1132. Specific processing using the temperature characteristic data 1132 will be described later.

FIG. 2 is a flowchart illustrating a procedure for determining whether or not the ROM 113 has a possibility of failure (failure potential) in the future. Although the procedure in which the sub-microcomputer 120 diagnoses the ROM 113 included in the main microcomputer 110 is described in FIG. 2, the same procedure can be used when the main microcomputer 110 diagnoses the ROM included in the sub-microcomputer 120. Each step of FIG. 2 will be described below.

(FIG. 2: Step S101)
The sub-microcomputer 120 reads out the drive current value at the time of manufacturing the in-vehicle control device 100. The main microcomputer 110 may hold the same value and notify the sub-microcomputer 120 of the read value.

(FIG. 2: Step S102)
The main microcomputer 110 measures the temperature of the main microcomputer 110 by using the temperature sensor 160 built in the main microcomputer 110. A temperature sensor (not shown) mounted on the in-vehicle control device 100 may be used. Instead of the temperature measurement result, an estimated temperature value using the temperature state of the outside world and the operating time of the in-vehicle control device 100 may be used.

(FIG. 2: Step S103)
The main microcomputer 110 acquires the fluctuation amount of the drive current measurement result corresponding to the temperature of the main microcomputer 110 by referring to the temperature characteristic data 1132 using the temperature of the main microcomputer 110 acquired in step S104. Even if the measurement result of the drive current exceeds the threshold value, the ROM 113 is not necessarily deteriorated if the excess amount is caused by the temperature characteristics. Therefore, in this step, it was decided to grasp the fluctuation amount due to the temperature in advance based on the temperature characteristic data 1132.

(FIG. 2: Step S104)
The main microcomputer 110 notifies the sub-microcomputer 120 of the fluctuation of the drive current measurement result due to the temperature of the main microcomputer 110 acquired from the temperature characteristic data 1132 in step S103.

(FIG. 2: Step S105)
The sub-microcomputer 120 acquires the measurement result of the drive current from the current measurement circuit 150.

(FIG. 2: Step S106)
The sub-microcomputer 120 adjusts the determination threshold value according to the fluctuation of the drive current measurement result due to the temperature of the main microcomputer 110 acquired in step S104. For example, when the determination threshold value used in step S107 is 1.5 mA and the fluctuation amount due to temperature is +0.5 mA, the determination threshold value is adjusted to 2.0 mA. The determination threshold value may be stored in the ROM of either the main microcomputer 110 or the sub-microcomputer 120, or may be described in the program that implements this flowchart.

(FIG. 2: Steps S107 to S109)
The sub-microcomputer 120 determines whether or not the difference between the drive current value acquired in step S105 and the drive current value at the time of manufacturing acquired in step S101 exceeds the adjusted determination threshold value (S107). .. If it does not exceed, the diagnosis result indicating that the ROM 113 is normal is output (S108). If it exceeds the limit, a diagnosis result indicating that the ROM 113 is not completely out of order at the present time but may be out of order in the future is output (S109). If the current drive current is smaller than the drive current at the time of manufacture, the ROM 113 is considered to be normal.

(Fig. 2: Step S107: Numerical example)
For example, if the drive current at the time of manufacture is 25 mA and the current drive current value is 26.5 mA, the current drive current value is 1.5 mA higher than that at the time of manufacture, so there is a possibility that the ROM 113 has deteriorated. Can be considered. However, since this increment of 1.5 mA is within the range of the adjusted determination threshold value, it is determined that there is no possibility of failure in this case.

(Fig. 2: Step S107: Supplement)
Since the data stored in the RAM 112 is constantly changing, in order to determine the possibility of the RAM 112 failing, how the behavior when the data on the RAM 112 is rewritten fluctuates, etc. Diagnosis with data rewriting is required. On the other hand, since the data stored in the ROM 113 does not fluctuate, it is considered that the possibility of failure can be diagnosed based on how much the read current has increased from the time of manufacture. This step focuses on this characteristic.

FIG. 3 is a flowchart illustrating a failure diagnosis procedure for the ROM 113. In addition to the diagnosis of the possibility of future failure described in FIG. 2, this flowchart is predetermined during, for example, a period in which the vehicle-mounted control device 100 is activated (that is, power is supplied to the vehicle-mounted control device 100). It is carried out periodically at time intervals. Although the procedure for the main microcomputer 110 to diagnose the failure of the ROM 113 will be described here, the same procedure can be used for the sub-microcomputer 120. Each step of FIG. 3 will be described below.

(FIG. 3: Steps S201 to S202)
The main microcomputer 110 diagnoses whether or not the ROM 113 may fail in the future according to the flowchart of FIG. 2 (S201). If it is diagnosed that there is a possibility of failure, the process proceeds to step S203, and if it is diagnosed that there is no failure, the process skips to step S205 (S202).

(Fig. 3: Step S201: Supplement)
This step can be performed not only at predetermined intervals in the period after the vehicle-mounted control device 100 is activated, but also in the initialization process when the vehicle-mounted control device 100 is activated. That is, it can be executed between the time when the in-vehicle control device 100 is activated and the time when the control calculation is started.

(FIG. 3: Step S203)
The main microcomputer 110 notifies the driver of the abnormality of the in-vehicle control device 100 by displaying a warning light on the display device 240. More specifically, it may notify that the ROM 113 / main microcomputer 110 may fail in the future. Other appropriate messages may be notified. By displaying the warning, the driver can transfer the vehicle to the repair shop before a sudden change in vehicle behavior occurs.

(FIG. 3: Step S204)
The main microcomputer 110 raises the priority of the ROM diagnosis performed in step S205. For example, the priority of ROM diagnosis can be increased by shortening the cycle in which step S205 is performed and increasing the size of the storage area to be diagnosed in one diagnosis. The priority may be raised by other appropriate methods. When there is a possibility that the ROM 113 may fail, by increasing the diagnostic priority, it is possible to promptly detect when a failure occurs.

(Fig. 3: Step S205)
The main microcomputer 110 performs a diagnosis on the ROM 113. As the diagnostic method, an arbitrary method capable of detecting a data error in the ROM 113, such as a checksum calculation or a parity calculation, may be used.

(FIG. 3: Steps S206 to S208)
The main microcomputer 110 determines whether or not the result of the ROM diagnosis performed in step S205 is normal (S206). If the ROM diagnosis result is normal, normal control is performed (S207). If it is abnormal, the operation shifts to fail-safe operation (S208). The following are examples of fail-safe operation. For example, if the CPU of the control device of an automatic transmission fails, the actuator that realizes the shift control of the automatic transmission does not operate correctly, and in order to prevent unintended shifts from occurring, the actuators are fixed and the gear ratio is adjusted. Keep it constant. By shifting to fail-safe operation, it is possible to prevent the vehicle system from entering a serious failure mode.

FIG. 4 is a timing chart relating to ROM failure possibility evaluation and ROM diagnosis while the vehicle is running. During the period in which the in-vehicle control device 100 is activated (for example, when the vehicle is running), the main microcomputer 110 and the sub-microcomputer 120 constantly evaluate the ROM failure potential and the ROM diagnosis according to the flowcharts of FIGS. 2 and 3. It is carried out every cycle of. The failure possibility diagnosis of FIG. 2 and the failure diagnosis of FIG. 3 do not necessarily have to be performed at the same cycle and at the same timing. For example, the failure possibility diagnosis can be performed at a longer cycle than the failure diagnosis. FIG. 4 is described on that premise.

(FIG. 4: Step S301)
The main microcomputer 110 diagnoses the possibility of failure of the ROM 113 according to the flowchart of FIG. When it is determined that there is a possibility of failure, the priority of ROM diagnosis is increased by, for example, shortening the execution cycle of ROM diagnosis (process corresponding to S204). Further, a warning light is displayed on the display device 240 (process corresponding to S203).

(FIG. 4: Step S302)
The main microcomputer 110 performs ROM diagnosis at a shorter cycle than before step S301. If it is determined that there is an abnormality in the ROM diagnosis, the in-vehicle control device 100 shifts to the fail-safe operation.

<Embodiment 1: Summary>
The in-vehicle control device 100 according to the first embodiment is an in-vehicle control device (100) that controls a device mounted on the vehicle, and is an arithmetic unit (CPU111) that performs a control calculation for controlling the device. A current measurement circuit (150, If the current measured by the current measuring circuits (150, 151) exceeds the first determination threshold value, the arithmetic unit (CPU 111) includes 151), and the first read-only storage device (ROM 113, 114) will be used in the future. In addition to determining whether or not there is a possibility of failure, a signal indicating the determination result is output. As a result, it is possible to suppress a problem in which the first read-only storage device (ROM 113, 114) suddenly breaks down and the vehicle suddenly changes its behavior.

The first read-only storage device (ROM 113, 114) describes a temperature characteristic indicating how the current measurement result by the current measurement circuit (150, 151) fluctuates according to the temperature of the in-vehicle control device (100). The temperature characteristic data (1132) is stored, and the arithmetic unit (CPU111) refers to the temperature characteristic data (1132) using the temperature of the in-vehicle control device (100), so that the current measurement result is in-vehicle control. The fluctuation amount fluctuating according to the temperature of the device (100) is acquired, and the arithmetic unit (CPU111) adjusts the first determination threshold according to the fluctuation amount and then determines whether or not there is a possibility of failure. .. As a result, even when the current measurement result fluctuates according to the temperature characteristics, the possibility of failure of the first read-only storage device (ROM 113, 114) can be accurately diagnosed.

The arithmetic unit (CPU 111) determines the possibility of failure between the time when the electric power is started to be supplied to the in-vehicle control unit (100) and the time when the control calculation is started. As a result, the safety of the first read-only storage device (113, 114) can be confirmed before the control calculation is started, and the control calculation can be performed according to the result.

The arithmetic unit (CPU 111) intermittently and repeatedly performs a failure diagnosis for the partial storage area of the first read-only storage device (113, 114) during the period in which the in-vehicle control device (100) is activated, and performs an calculation. The device (CPU111) intermittently and repeatedly determines whether or not there is a possibility of failure at a cycle longer than the failure diagnosis. As a result, the possibility of failure can be determined without hindering the execution of the failure diagnosis, and if it is determined that there is a possibility of failure, the failure diagnosis can be performed in a shorter cycle and the failure can be detected at an early stage. can.

The vehicle-mounted control device (100) further supplies power to the first power supply circuit (VG1) that supplies power to the arithmetic unit (CPU111) and the second power supply circuit (113, 114) that supplies power to the first read-only storage device (113, 114). A power supply circuit (VG3) is provided, and the current measurement circuits (150, 151) measure the current output by the second power supply circuit (VG3) to the first read-only storage device (ROM 113, 114). As a result, it is possible to suppress the interference between the currents and suppress the fluctuation of the drive current.

While the current measured by the current measuring circuits (150, 151) exceeds the first determination threshold value, the arithmetic unit (CPU 111) shortens the cycle of performing the failure diagnosis as compared with the case where the current does not exceed the first determination threshold value. As a result, when a failure occurs, it can be detected at an early stage.

When the current measured by the current measuring circuits (150, 151) exceeds the first determination threshold value, the arithmetic unit (CPU111) outputs a signal for notifying the driver of the vehicle of a warning. This allows the driver to transfer the vehicle to the repair shop before a sudden change in vehicle behavior occurs.

The first read-only storage device (ROM 113, 114) is supplied to the first read-only storage device (ROM 113, 114) at the time of manufacture of the vehicle-mounted control device (100) or at the time of manufacture of the arithmetic unit (CPU111). The current (1131) is stored, and the arithmetic unit (CPU111) is measured by the current measuring circuit (150, 151) rather than the read current (1131) stored in the first read-only storage device (ROM113, 114). The difference between the read current (1131) stored in the first read-only storage device (ROM 113, 114) and the current measured by the current measurement circuit (150, 151) is the second. When the determination threshold is exceeded, a signal indicating that the first read-only storage device (ROM 113, 114) may fail in the future is output. Thereby, the influence of the measurement error due to the manufacturing variation of the in-vehicle control device (100) can be suppressed.

The current is supplied for the arithmetic unit (CPU 111) to read the data stored in the first read-only storage device (ROM 113, 114). That is, by measuring the read current of the first read-only storage device (ROM 113, 114) by the current measurement circuit (150, 151), it is possible to predict the possibility that the ROM will fail in the future according to the increment of the read current. Can be done.

<Embodiment 2>
FIG. 5 is a configuration diagram of the vehicle-mounted control device 100 according to the second embodiment of the present invention. In the second embodiment, the ROM 113 is divided into a ROM (BL1: BLOCK1) 114 and a ROM (BL2: BLOCK2) 115. Since the same as in the first embodiment except for the difference caused by the ROM being divided into two blocks, the difference will be mainly described below.

The third power supply circuit VG3 supplies electric power to the ROM 114 via the power supply wiring (power supply path) L3. The main power supply IC 130 further includes a fourth power supply circuit VG4, and the fourth power supply circuit VG4 supplies power to the ROM 115 via the power supply wiring (power supply path) L4. The current measurement circuit 150 includes a current measurement circuit 151 that measures the drive current supplied from the third power supply circuit VG3 to the ROM 114, and a current measurement that measures the drive current supplied from the fourth power supply circuit VG4 to the ROM 115. It has a circuit 152.

FIG. 6 is a block configuration diagram of the ROM 113. The ROM (BL1) 114 is composed of BLOCK10 to BLOCK1X, and the ROM (BL2) 115 is composed of BLOCK20 to BLOCK2X. The drive power supply line in BLOCK1 is shared, and the drive power supply line in BLOCK2 is also shared.

FIG. 7 is an example of an address map of the storage area of the ROM 113. When the ROM 114 may fail in the future, the control program stored in the ROM 114 may not be executed correctly. Therefore, in the second embodiment, the ROM 115 stores an alternative control program to be executed in place of the control program stored in the ROM 114 when the ROM 114 may fail in the future. BLOCK10 to BLOCK1X store programs that implement the control processes A to X of the main microcomputer 110, respectively. BLOCK20 to BLOCK2X store programs that implement alternative processing of controls A to X.

FIG. 8 is a flowchart illustrating the procedure of failure diagnosis for the ROM 113 in the second embodiment. Similar to FIG. 3, this flowchart is periodically executed, for example, at predetermined time intervals. Although the procedure for the main microcomputer 110 to diagnose the failure of the ROM 113 will be described here, the same procedure can be used for the sub-microcomputer 120. Each step of FIG. 8 will be described below.

(FIG. 8: Step S401)
The main microcomputer 110 diagnoses whether or not the ROM 114 may fail in the future according to the flowchart of FIG. 2 (S401). Similarly, it is diagnosed whether or not the ROM 115 may fail in the future (S402). The determination threshold value used in the failure possibility diagnosis for ROM 114 and the determination threshold value used in the failure possibility diagnosis for ROM 115 may be the same or different. That is, it may be appropriately determined according to the specifications and importance of ROM 114 and ROM 115.

(FIG. 8: Steps S403 to S404)
In step S401, if the ROM 114 is diagnosed as normal, the process proceeds to step S404, and if it is diagnosed that there is a possibility of failure, the process proceeds to step S406 (S403). In step S402, if the ROM 115 is diagnosed as normal, the process proceeds to step S409, and if it is diagnosed that there is a possibility of failure, the process proceeds to step S405 (S404).

(FIG. 8: Step S405)
The main microcomputer 110 stores a flag or the like indicating that the alternative processing stored in the ROM 115 cannot be used in a storage device such as a RAM 112.

(Fig. 8: Step S406)
The main microcomputer 110 determines whether or not the alternative control program stored in the ROM 115 can be used. If the alternative control process is available, the process proceeds to step S407. If the alternative control process cannot be used, the process proceeds to step S410. Whether or not the alternative control process can be used can be determined based on the result of step S405.

(FIG. 8: Step S407)
If it is diagnosed that the ROM 115 is normal, the process proceeds to step S408, and if it is diagnosed that there is a possibility of failure, the process proceeds to step S410.

(FIG. 8: Step S408)
The main microcomputer 110 switches the program to be executed for the control calculation from the control program stored in the ROM 114 to the alternative control program stored in the ROM 115.

(FIG. 8: Steps S409 to S411)
When either the control process or the alternative control process is available, the main microcomputer 110 performs a normal control operation (S409). If none of them can be used, a warning light is displayed on the display device 240 (S410), and the operation shifts to the fail-safe operation (S411).

<Embodiment 2: Summary>
The vehicle-mounted control device (100) according to the second embodiment further includes a second read-only storage device (ROM115) for storing data used by the arithmetic unit (CPU111), and the second read-only storage device (ROM115) is An alternative control program that implements an alternative control operation executed by the arithmetic unit (CPU111) instead of the control operation is stored. In the arithmetic unit (CPU111), the current measured by the current measurement circuit (151) is the third determination threshold value. If it exceeds, an alternative control operation is executed instead of the control operation. As a result, if the first read-only storage device (ROM114) may fail in the future, control can be safely performed by an alternative control program.

The in-vehicle control device (100) further includes a third power supply circuit (VG4) that supplies power to the second read-only storage device (ROM115), and the current measurement circuit (152) is a third power supply circuit (VG4). Measures the second current output to the second read-only storage device (ROM115), and the arithmetic unit (CPU111) measures the second current measured by the current measurement circuit (152) and exceeds the third determination threshold value. In this case, the second read-only storage device (ROM115) outputs a signal indicating that the second read-only storage device (ROM115) may fail in the future, and the arithmetic unit (CPU111) has the first read-only storage device (ROM1114) and the second read-only storage device (ROM1114). When it is determined that both the storage devices (ROM115) may fail in the future, a fail-safe operation is performed instead of the control calculation and the alternative control calculation. As a result, in addition to enhancing the safety of the vehicle by using the alternative control program, it is possible to ensure a certain level of safety even when the alternative control program may not operate normally.

<About a modified example of the present invention>
The present invention is not limited to the above embodiment, and includes various modifications. For example, the above-described embodiment has been described in detail in order to explain the present invention in an easy-to-understand manner, and is not necessarily limited to the one including all the described configurations. Further, it is possible to replace a part of the configuration of one embodiment with the configuration of another embodiment, and it is also possible to add the configuration of another embodiment to the configuration of one embodiment. In addition, other configurations can be added / deleted / replaced with respect to a part of the configurations of each embodiment.

In the second embodiment, it has been described that alternative control is performed when the ROM 114 may fail in the future. In addition to this, as described in the first embodiment, the diagnostic priority for the ROM that may fail may be raised. For example, in S405, S406, or S410, the diagnostic priority may be increased for a ROM diagnosed as having a possibility of failure in the future.

In the above embodiment, an example of comparing the difference between the drive current at the time of manufacturing and the current drive current with the determination threshold has been described, but instead, the current drive current may be compared with the determination threshold. .. In this case, the same effect can be exhibited by embedding a value corresponding to the drive current at the time of manufacturing in the determination threshold value. That is, whether to compare the current drive current with the judgment threshold value or to compare the difference between the drive current at the time of manufacture and the current drive current with the judgment threshold value depends on how the threshold value is configured. The actual processing is the same.

100: In-vehicle control device 110: Main microcomputer 111: CPU
112: RAM
113: ROM
114: ROM (BL1)
115: ROM (BL2)
120: Sub-microcomputer 130: Main power supply IC
140: Sub power supply IC
150: Current measurement circuit 151: Current measurement circuit (BL1)
152: Current measurement circuit (BL2)
160: Temperature sensor 210: Power signal 220: Battery 230: Actuator 240: Display device

Claims (11)

It is an in-vehicle control device that controls the equipment installed in the vehicle.
An arithmetic unit that performs control calculations to control the device,
A first read-only storage device that stores data used by the arithmetic unit,
A current measuring circuit that measures the current supplied to the first read-only storage device,
With
When the current measured by the current measuring circuit exceeds the first determination threshold value, the arithmetic unit determines whether or not the first read-only storage device may fail in the future, and also determines whether or not the first read-only storage device may fail in the future. An in-vehicle control device characterized by outputting a signal indicating the determination result. The first read-only storage device stores temperature characteristic data describing temperature characteristics indicating how the measurement result of the current by the current measurement circuit fluctuates according to the temperature of the in-vehicle control device. ,
By referring to the temperature characteristic data using the temperature of the in-vehicle control device, the arithmetic unit acquires a fluctuation amount in which the measurement result of the current fluctuates according to the temperature of the in-vehicle control device.
The vehicle-mounted control device according to claim 1, wherein the arithmetic unit adjusts the first determination threshold value according to the fluctuation amount and then determines whether or not there is the possibility. The vehicle-mounted control device according to claim 1, wherein the arithmetic unit determines the possibility between the time when power is supplied to the vehicle-mounted control device and the time when the control calculation is started. The arithmetic unit intermittently and repeatedly performs a failure diagnosis for the partial storage area of the first read-only storage device during the period in which the in-vehicle control device is activated.
The vehicle-mounted control device according to claim 1, wherein the arithmetic unit intermittently and repeatedly determines whether or not there is the possibility in a cycle longer than the failure diagnosis. The vehicle-mounted control device further includes a first power supply circuit that supplies electric power to the arithmetic unit and a second power supply circuit that supplies electric power to the first read-only storage device.
The vehicle-mounted control device according to claim 1, wherein the current measuring circuit measures the current output by the second power supply circuit to the first read-only storage device. The arithmetic unit is characterized in that while the current measured by the current measuring circuit exceeds the first determination threshold value, the cycle for performing the failure diagnosis is shorter than when the current does not exceed the first determination threshold value. Item 4. The in-vehicle control device according to item 4. The arithmetic unit is characterized in that when the current measured by the current measuring circuit exceeds the first determination threshold value, it outputs a signal for notifying the driver of the vehicle of a warning. The in-vehicle control device described. The first read-only storage device stores the read current supplied to the first read-only storage device at the time of manufacturing the in-vehicle control device or the time of manufacturing the arithmetic unit.
In the arithmetic device, the current measured by the current measuring circuit is larger than the read current stored in the first read-only storage device, and the read current stored in the first read-only storage device is used. When the difference between the current measured by the current measuring circuit and the current measured exceeds the second determination threshold value, the first read-only storage device outputs a signal indicating that the first read-only storage device may fail in the future. The vehicle-mounted control device according to claim 1. The vehicle-mounted control device according to claim 1, wherein the current is supplied to the arithmetic unit for reading data stored in the first read-only storage device. The in-vehicle control device further includes a second read-only storage device that stores data used by the arithmetic unit.
The second read-only storage device stores an alternative control program that implements an alternative control operation that the arithmetic unit executes in place of the control operation.
The vehicle-mounted device according to claim 1, wherein the arithmetic unit executes the alternative control calculation instead of the control calculation when the current measured by the current measurement circuit exceeds the third determination threshold value. Control device. The vehicle-mounted control device further includes a third power supply circuit that supplies power to the second read-only storage device.
The current measuring circuit measures the second current output by the third power supply circuit to the second read-only storage device, and measures the second current.
The arithmetic unit sends a signal indicating that the second read-only storage device may fail in the future when the second current measured by the current measuring circuit exceeds the third determination threshold value. Output and
When it is determined that both the first read-only storage device and the second read-only storage device may fail in the future, the arithmetic unit performs a fail-safe operation instead of the control calculation and the alternative control calculation. 10. The vehicle-mounted control device according to claim 10.

Images