JP3991782B2 - Electronic control unit - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to an electronic control device having two or more CPUs, and more particularly to an electronic control device for suitably detecting an abnormality in a clock signal supplied to each CPU and an abnormality in processing omission.
[0002]
[Prior art]
2. Description of the Related Art Some electronic control devices that perform vehicle control and the like include a plurality of CPUs and have a function of monitoring each other for abnormalities. As one of them, there is a method of monitoring the operating state of the CPU by monitoring a watchdog pulse (WD pulse) that is inverted at a predetermined cycle. In this case, one CPU inputs a WD pulse from the other CPU, and when the WD pulse stops, the other CPU is determined to be abnormal (runaway).
[0003]
[Problems to be solved by the invention]
As an abnormality relating to this type of electronic control device, there is an abnormality of a clock signal supplied to each CPU from an oscillator or the like. In this case, if the frequency of the clock signal changes due to an abnormality of the oscillator, it is conceivable that the abnormality cannot be detected depending on the state of the clock abnormality.
[0004]
For example, when the frequency of the clock signal is higher than that at normal time, the accuracy of time calculation in the CPU is lowered due to this. Therefore, there arises a disadvantage that various arithmetic processes that should be performed periodically are not performed at a predetermined cycle. In such a case, even if the CPU abnormality is detected by the WD pulse as described above, the clock abnormality cannot be determined because the WD pulse is periodically issued.
[0005]
In addition, in a CPU that wakes up a plurality of tasks having different priorities, there may be a case where processing loss occurs in a low priority task when the processing load on the CPU increases. In this case, since the issuance of the normal WD pulse is a high-priority process, the WD pulse is normally issued even when the low-priority process is lost. For this reason, even if a process omission occurs, the WD pulse is not affected and the process omission cannot be detected. In the worst case, there is a possibility of continuing the processing as it is.
[0006]
The present invention has been made paying attention to the above-mentioned problem, and an object of the present invention is to appropriately detect a clock abnormality and a processing omission abnormality, and as a result, ensure the reliability of the CPU. Is to provide.
[0007]
[Means for Solving the Problems]
According to the first aspect of the present invention, the first CPU and the second CPU are provided, and an individual clock signal is input to each of the CPUs, and periodic arithmetic processing is performed in each CPU based on the clock signals. The second CPU notifies the first CPU of time information of a fixed period based on a clock signal input to the second CPU. In particular, the first CPU counts the main counter at a constant period based on the clock signal input to itself, and counts the sub-counter based on the time information at a constant period input from the second CPU. Then, the difference between the main and sub counters is compared at two timings before and after, and the abnormality of the clock signal is detected from the comparison result.
[0008]
If the clock signal on the second CPU side becomes abnormal and its frequency is smaller than that at the normal time, the time interval of time information notified from the second CPU to the first CPU is widened, and as a result, the counting operation of the sub-counter is delayed. In this case, it can be determined that the difference between the main and sub counters is different from the normal state, and that the clock signal is abnormal by comparing the difference between the counters. That is, it is possible to detect an abnormality in which the cycle of the clock signal changes. As a result, it is possible to properly detect the clock abnormality and to secure the reliability of the CPU.
[0009]
In the invention according to claim 2, the first CPU wakes up task A at a constant cycle, counts the main counter at the task A, and wakes up task B using time information from the second CPU as a trigger. In the task B, the sub-counter is counted. In this case, the task A and the task B are appropriately woken up so that the counting operation of the main and sub counters can be performed.
[0010]
As described above, the first CPU receives the time information notification from the second CPU and operates the sub-counter. In such a case, the time information notification may be realized in the following form.
In the invention according to claim 3, the second CPU outputs a trigger signal at a constant period in a periodic process based on a clock signal, and the first CPU counts a sub-counter every time the trigger signal is input. .
In the invention according to claim 4, the second CPU transmits data at a constant cycle in a periodic communication process based on a clock signal, and the first CPU sets a sub-counter every time data is received from the second CPU. Count.
In a fifth aspect of the present invention, the monitoring circuit outputs a reset signal to the second CPU when a watchdog pulse that is inverted at a predetermined cycle is input from the second CPU and the watchdog pulse is not inverted for a predetermined time or more. In addition, the first CPU inputs the watchdog pulse from the second CPU, and counts the sub-counter each time it is input.
[0011]
In any of the above cases, the first CPU counts the sub-counter at a constant period, and the clock abnormality can be properly detected by the difference between the sub-counter and the main counter.
[0012]
In the invention according to claim 6, the first CPU compares the difference between the main and sub counters at the two timings before and after to obtain a difference change amount, and when the difference change amount is the same every time, the clock abnormality occurs. Judge that there is. Thereby, the clock abnormality can be detected with high accuracy.
[0013]
In the invention according to claim 7, the first CPU obtains a difference change amount by comparing a difference between the main and sub counters at two timings before and after, and the difference change amount corresponds to the count of one counter. Then, it is determined that one of the counters is stopped. Thereby, the abnormality of the counter stop can be detected with high accuracy. As in claim 2, when the main counter is counted in task A and the sub-counter is counted in task B, it can be accurately detected that any task has stopped.
[0014]
As described in claim 8, when the periods of both the main and sub counters are the same, if both the counters are normal, the difference always matches. Therefore, the difference between the main and sub counters can be easily compared.
[0015]
In the invention according to claim 9, the first CPU wakes up a predetermined task by using time information notified from the second CPU as a trigger, and leaves a history of processing completion in a prescribed processing unit within the task. Then, when the next task wakes up, a process omission abnormality is detected from the history. In this case, if the task is executed to the end, a history of processing completion remains for all the processing. However, if the task is executed only halfway, no history of processing completion is left for the unexecuted portion. Therefore, it is possible to detect missing processing for the task. Further, by confirming the history, it is possible to identify the position where the processing omission has occurred.
[0016]
In the ninth aspect of the invention, as described in the tenth aspect, the first CPU wakes up a plurality of tasks having different priorities, and records a processing end history in a prescribed processing unit in a task having a lower priority. It is good to leave. If there are multiple tasks with different priorities, a task with a low priority may cause a processing dropout (interruption of processing) due to a high-priority task interrupting the process. Occurrence of omission and location of occurrence can be specified.
[0017]
According to another aspect of the present invention, the first CPU may count the sub-counter at the end of a predetermined task that is woken up by time information from the second CPU. As a result, when a process omission occurs, the sub-counter is not counted, and it is possible to determine the occurrence of abnormality from the difference between the main and sub-counters.
[0018]
On the other hand, in the invention according to claim 12, as in the case of claim 9, if the task is executed to the end, a history of completion of processing remains for all the processes. There is no history of processing completion for. Therefore, it is possible to detect missing processing for the task. Further, by confirming the history, it is possible to identify the position where the processing omission has occurred.
[0019]
Furthermore, as described in claim 13, the first CPU wakes up a plurality of tasks having different priorities, and by leaving a processing end history in a prescribed processing unit in a task having a lower priority, Even if a priority task interrupts and a process omission (interruption of the process) occurs, the occurrence of the process omission and the location of the occurrence can be specified.
[0020]
According to a fourteenth aspect of the present invention, the first CPU performs electronic throttle control, and the second CPU is applied as a vehicle electronic control device that performs fail-safe processing relating to electronic throttle control. When the first CPU detects that the clock is abnormal or the process is abnormal, the first CPU notifies the second CPU, and the second CPU performs fail-safe processing based on the abnormality information from the first CPU. In this case, even if a clock abnormality or a process omission abnormality occurs, the appropriate fail-safe process can be performed.
[0021]
DETAILED DESCRIPTION OF THE INVENTION
DESCRIPTION OF EXEMPLARY EMBODIMENTS Hereinafter, an embodiment of the invention will be described with reference to the drawings. In the present embodiment, the electronic control device of the present invention is embodied as an engine ECU mounted on a vehicle. FIG. 1 is a block diagram showing a configuration of an engine ECU in the present embodiment.
[0022]
In FIG. 1, an engine ECU 10 includes a control CPU 11 for performing engine injection control, ignition control, and electronic throttle control, and a monitoring CPU 12 for performing fail-safe processing relating to electronic throttle control and monitoring of the control CPU 11. . These CPUs 11 and 12 are connected so that they can communicate with each other. A clock CK1 (clock signal) is input from the oscillator 13 to the control CPU 11, and a clock CK2 (clock signal) is input from the oscillator 14 to the monitoring CPU 12. In the present embodiment, the control CPU 11 corresponds to a “first CPU”, and the monitoring CPU 12 corresponds to a “second CPU”.
[0023]
The control CPU 11 wakes up the task A at a constant cycle based on the clock CK1 from the oscillator 13, and counts up the counter CA every time in the task A. Task A is a high-priority task, and is woken up every 2 ms in this embodiment. The control CPU 11 receives a trigger signal from the monitoring CPU 12. The control CPU 11 wakes up task B based on this trigger signal, and counts up the counter CB every time in the task B.
[0024]
On the other hand, the monitoring CPU 12 wakes up a periodic process every 2 ms based on the clock CK2 from the oscillator 14, and generates and outputs a trigger signal with a constant period in the periodic process. This trigger signal is taken into the control CPU 11. In the present embodiment, the counter CA corresponds to the “main counter”, the counter CB corresponds to the “sub-counter”, and the trigger signal corresponds to “time information of a fixed period”.
[0025]
Further, the monitoring CPU 12 outputs a WD pulse to the WD circuit 15 as a “monitoring circuit”, and the WD circuit 15 resets the monitoring CPU 12 when the WD pulse from the monitoring CPU 12 is not inverted for a predetermined time or more. Is output.
[0026]
Here, the operations of the counters CA and CB will be described with reference to FIG. When both the counters CA and CB operate normally, each counter is incremented every 2 ms as shown in FIG. In this case, if the difference between the counters CA and CB is ΔCn (= CA−CB), the difference is ΔC1 at timing t1, and the difference is ΔC2 at timing t2. FIG. 2A shows normal operation, so that ΔC1 = ΔC2.
[0027]
On the other hand, FIGS. 2B to 2D show cases where the counter CB operates abnormally. (B) to (d) will be described in detail. In (b), the cycle of the counter CB is larger than that in the normal state. It is considered that this is because the clock CK2 on the monitoring CPU 12 side becomes abnormal (clock abnormality), the wake-up period (period of the trigger signal) of the periodic processing is changed, and further the period of the counter CB is changed. In this case, the differences ΔC1 and ΔC2 at the timings t1 and t2 are ΔC1 <ΔC2.
[0028]
Further, (c) shows an abnormality in which the counter CB stops, and (d) shows an abnormality (processing omission abnormality) in which the regular processing in the monitoring CPU 12 is lost. It should be noted that missing processing occurs irregularly, and due to this missing processing, a situation occurs in which the counter CB is not counted up at a constant period. In the cases (c) and (d), the differences ΔC1 and ΔC2 at the timings t1 and t2 are ΔC1 <ΔC2.
[0029]
In the present embodiment, an abnormality detection method is proposed in which any of the abnormalities shown in FIGS. 2B to 2D can be detected and the form of each abnormality can be specified. In the case of (b) in FIG. 2 above, since the count-up cycles of the counters CA and CB are different, the difference ΔCn of each counter value is different every time, but the change of the same ΔCn is uniform, and is changed at regular intervals. When the two ΔCn are compared, the amount of change is constant. That is, if the change amount of the difference between before and after is DCn (hereinafter referred to as difference change amount DCn), the difference change amount DCn becomes the same value every time (DCn = DCn-1). Therefore, the clock abnormality can be specified by the difference change amount DCn. Of course, when the cycle of the counter CB becomes small or when the cycle of the counter CA becomes large (or small), the clock abnormality can be specified similarly.
[0030]
In the case of FIG. 2 (c), since one counter CA has normally counted up and the other counter CB has stopped, the difference change amount DCn between the counters CA and CB is counted up by the counter CA. Corresponds to minutes. In this case, the difference change amount DCn coincides with a value (DTn / T) obtained by dividing the time interval DTn between t1 and t2 by the time T (2 ms) for one counter cycle (DCn = DTn / T). Thereby, the abnormality of the stop of task B can be specified.
[0031]
In the case of (d) in FIG. 2, ΔC1 ≠ ΔC2 (that is, DCn ≠ 0) as in the cases (b) and (c), but the change in the difference ΔCn is irregular. Therefore, if ΔC1 ≠ ΔC2 and the conditions (b) and (c) in FIG.
[0032]
Next, the arithmetic processing that is woken up by the CPUs 11 and 12 will be described in detail with reference to the flowcharts of FIGS. First, FIG. 3 is a flowchart showing the procedure of task A. This task A is woken up by the control CPU 11 every 2 ms.
[0033]
In FIG. 3, first, in step 101, an abnormality detection process is performed based on the counters CA and CB. However, the details (processing of FIG. 4) will be described later. In step 102, normal processing is performed for task A, and in step 103, counter CA is incremented by one. With this task A, the counter CA is incremented every 2 ms.
[0034]
In the abnormality detection process of FIG. 4, a series of abnormality detection is performed every 8 ms, and the process proceeds to the subsequent step 202 on condition that the step 201 is YES (that is, once every four times when the task A wakes up). Anomaly detection is performed at the rate of
[0035]
In step 202, a difference change amount DCn indicating how much the difference ΔCn between the counters CA and CB has changed is calculated. Specifically, the difference between the current value ΔCn and the previous value ΔCn−1 of the difference between the counters CA and CB is calculated to calculate the difference change amount DCn (DCn = ΔCn−ΔCn−1).
[0036]
Thereafter, in step 203, it is determined whether or not the difference change amount DCn is zero. As described with reference to FIG. 2A, when both the counters CA and CB are normal, DCn = 0 (ΔCn = ΔCn-1). When DCn = 0, the routine proceeds to step 204 where all the abnormality counters ErrCk, ErrF, ErrSt are cleared to zero. Thereafter, this process is temporarily terminated.
[0037]
If DCn ≠ 0, the process proceeds to step 205, where the current value DCn of the difference change amount is compared with the previous value DCn-1. If DCn = DCn-1, it is estimated that the clock is abnormal, and in step 206, the clock abnormality counter ErrCk is incremented by one. This corresponds to the case of FIG.
[0038]
If DCn.noteq.DCn-1, the time interval DTn (time width from the previous abnormality detection to the current abnormality detection) is calculated in step 207, and in the subsequent step 208, it is determined whether DCn = DTn / T. Determine. If YES, it is estimated that the task B is stopped abnormally, and the task B stop counter ErrSt is incremented by 1 in step 209. In the case of NO, it is estimated that the process omission is abnormal, and in step 210, the process omission abnormality counter ErrF is incremented by one. That step 208 is YES corresponds to the case of FIG. 2C, and that step 208 is NO corresponds to the case of FIG. 2D.
[0039]
Thereafter, in steps 211 to 213, it is determined whether or not each abnormality counter ErrCk, ErrSt, ErrF is smaller than a predetermined determination value Lmt. If both are less than the determination value Lmt, the present process is terminated. For an abnormality that is equal to or greater than the determination value Lmt, the corresponding abnormality flag (XErrCk, XErrSt, or XErrF) is turned ON (steps 214 to 216). Note that the determination values Lmt need not be the same, and can be set individually for each of the abnormality counters ErrCk, ErrSt, ErrF. Moreover, it is good also as a structure which turns ON an abnormality flag, only when the same abnormality is detected continuously predetermined times.
[0040]
FIG. 5 is a flowchart showing the procedure of task B. This task B is woken up by the control CPU 11 each time a trigger signal is input from the monitoring CPU 12. Actually, the trigger signal is a pulse signal with a period of 2 ms, and the task B is executed with the same period as the task A. Incidentally, the trigger signal is generated by the periodic processing shown in FIG. That is, the monitoring CPU 12 generates and outputs a trigger signal during normal processing (steps 401 and 403) in the regular processing (step 402).
[0041]
In task B, n processes (process 1 to process n) are sequentially performed, and each time each process is performed, the process completion flag Xfin indicating the process completion is turned ON. That is, at this time, the processing 1 to processing n is a prescribed processing unit, and the history of the processing end is left as the processing completion flag Xfin. Then, when the task B wakes up next time, the processing omission place is specified based on the processing completion flag Xfin.
[0042]
In FIG. 5, first, in step 301, i indicating the process number is cleared to 0, and in the subsequent step 302, it is determined whether or not the process completion flag xfin (i) of process i is ON. If the flag is ON, it is determined that the process i has been completed in the previous task B. In this case, it is determined in step 303 whether i = n. Then, until i = n is established, it is repeatedly determined whether or not the flag xfin (i) is ON while incrementing i by 1 in step 304.
[0043]
When the flag xfin (i) = OFF, it can be determined that a process omission has occurred in the corresponding process i. Therefore, the process proceeds to step 305, and the process i at that time is stored in the memory as a process missing occurrence position.
[0044]
Thereafter, in step 306, all the process completion flags xfin are cleared. In steps 307 to 312, processing 1 to processing n are sequentially performed, and the processing completion flag Xfin corresponding to each processing is turned ON immediately after the execution of each processing. Finally, in step 313, the counter CB is incremented by one.
[0045]
When an abnormality is detected in the abnormality detection process of FIG. 4 (when the abnormality flag is turned on), this is notified from the control CPU 11 to the monitoring CPU 12, and the monitoring CPU 12 cuts off the power supply for electronic throttle control. A predetermined fail-safe process is performed. In this case, even if a clock abnormality or a process omission abnormality occurs, the appropriate fail-safe process can be performed, and the reliability as the engine ECU 10 is ensured.
[0046]
According to the embodiment described in detail above, the following effects can be obtained.
When the clock abnormality occurs, the difference ΔCn between the counters CA and CB is different from the normal state. Therefore, it can be determined that the clock abnormality is caused by comparing the two differences ΔCn before and after. That is, it is possible to detect an abnormality that changes the clock cycle. As a result, it is possible to properly detect the clock abnormality and to secure the reliability of the CPU.
[0047]
Since the clock abnormality is determined when the difference change amount DCn between the counters CA and CB is the same every time, the clock abnormality can be detected with high accuracy.
In addition, when the difference change amount DCn between the counters CA and CB is equivalent to the count of one counter, it is determined that one of the counters is stopped, so that the abnormality of the counter stop can be accurately detected. This also agrees that it is possible to accurately detect that any task has stopped.
[0048]
In Task B, a processing end history (processing completion flag xfin) is left in a prescribed processing unit, and a processing loss abnormality is detected from the history when the next task wakes up. Can do.
[0049]
In addition to the above, the present invention can be embodied in the following forms.
In the above embodiment, the control CPU 11 receives a trigger signal from the monitoring CPU 12 and wakes up the task B with the trigger signal. However, this configuration may be changed. For example,
(1) The control CPU 11 wakes up the task B every time data is periodically received from the monitoring CPU 12. However, in this case, it is a precondition that periodic communication is performed between the two CPUs.
(2) The control CPU 11 receives a WD pulse from the monitoring CPU 12, and wakes up the task B each time the input is made. In this case, the configuration shown in FIG. 1 may be configured such that the WD pulse from the monitoring CPU 12 to the WD circuit 15 is branched and the WD pulse is also input to the control CPU 11.
[0050]
In any of these cases, the control CPU 11 counts the counter CB at a constant period, and the clock abnormality can be detected appropriately based on the difference between the counters CA and CB.
[0051]
In the above embodiment, the case where the periods of the counters CA and CB (that is, the wake-up period of the task A and the task B) are the same is illustrated, but the periods may be different. Even if the periods of the counters CA and CB are different, if each counter is normal, the difference ΔCn maintains a certain regularity. For this reason, the difference ΔCn is compared at the two preceding and following timings, and the clock abnormality can be detected from the comparison result.
[0052]
The present invention can be applied to other ECUs besides the engine ECU, and can also be embodied for uses other than the vehicle electronic control device. In short, an electronic control device having two or more CPUs and having a configuration in which individual clock signals are input to the CPUs and periodic arithmetic processing is performed by the CPUs based on the clock signals. The invention can be applied.
[Brief description of the drawings]
FIG. 1 is a block diagram showing a configuration of an engine ECU in an embodiment of the invention.
FIGS. 2A to 2D are time charts showing a counter operation.
FIG. 3 is a flowchart showing a procedure of task A by the control CPU.
FIG. 4 is a flowchart showing abnormality detection processing by a control CPU.
FIG. 5 is a flowchart showing a procedure of task B by the control CPU.
FIG. 6 is a flowchart showing regular processing by a monitoring CPU.
[Explanation of symbols]
DESCRIPTION OF SYMBOLS 10 ... ECU, 11 ... Control CPU, 12 ... Monitoring CPU, 13, 14 ... Oscillator, 15 ... Monitoring circuit.

Claims (14)

A first CPU and a second CPU are provided, and an individual clock signal is input to each of the CPUs, and a periodic calculation process is performed by each CPU based on the clock signal, and the second CPU receives a clock input to itself. An electronic control device for notifying the first CPU of time information of a fixed period based on a signal,
The first CPU counts the main counter at a fixed period based on the clock signal input to itself, and also counts the sub counter based on the time information of the fixed period input from the second CPU. An electronic control device characterized by comparing a difference of a counter at two timings before and after and detecting an abnormality of the clock signal from the comparison result. The first CPU wakes up task A at a fixed period, counts the main counter at the task A, wakes up task B using the time information from the second CPU as a trigger, and sets the sub-counter at the task B. The electronic control device according to claim 1, which counts. 3. The electronic control device according to claim 1, wherein the second CPU outputs a trigger signal at a constant period in a periodic process based on a clock signal, and the first CPU counts a sub-counter every time the trigger signal is input. . 3. The electronic device according to claim 1, wherein the second CPU performs data transmission at a constant cycle in a periodic communication process based on a clock signal, and the first CPU counts a sub-counter every time data is received from the second CPU. Control device. The monitor further includes a monitoring circuit that inputs a watchdog pulse that is inverted at a predetermined cycle from the second CPU, and that outputs a reset signal to the second CPU if the watchdog pulse is not inverted for a predetermined time or more. 3. The electronic control device according to claim 1, wherein a dog pulse is input from the second CPU, and the sub-counter is counted each time the dog pulse is input. 6. The first CPU compares a difference between main and sub counters at two timings before and after to obtain a difference change amount, and determines that the clock is abnormal when the difference change amount is the same every time. The electronic control apparatus in any one of. The first CPU compares the difference between the main and sub counters at the two timings before and after to obtain a difference change amount, and when the difference change amount corresponds to the count of one counter, one of the counters stops. The electronic control device according to claim 1, wherein it is determined that the electronic control device is in the state. The electronic control device according to claim 1, wherein the main and sub counters have the same cycle. The first CPU wakes up a predetermined task with the time information notified from the second CPU as a trigger, and keeps a history of processing completion in a prescribed processing unit within the task, and the processing is lost from the history when the next task wakes up. The electronic control device according to claim 1, wherein an abnormality is detected. 10. The electronic control device according to claim 9, wherein the first CPU wakes up a plurality of tasks having different priorities, and leaves a processing end history in a prescribed processing unit in a task having a lower priority. 11. The electronic control device according to claim 9, wherein the first CPU counts the sub-counter at the end of a predetermined task that is woken up by time information from the second CPU. A first CPU and a second CPU are provided, and an individual clock signal is input to each of the CPUs, and a periodic calculation process is performed by each CPU based on the clock signal, and the second CPU receives a clock input to itself. An electronic control device for notifying the first CPU of time information of a fixed period based on a signal,
The first CPU wakes up a predetermined task with the time information notified from the second CPU as a trigger, and keeps a history of processing completion in a prescribed processing unit within the task, and the processing is lost from the history when the next task wakes up. An electronic control device characterized by detecting an abnormality. 13. The electronic control device according to claim 12, wherein the first CPU wakes up a plurality of tasks having different priorities, and leaves a processing end history in a prescribed processing unit in a task having a lower priority. The first CPU performs electronic throttle control, the second CPU is applied as a vehicle electronic control device that performs fail-safe processing related to electronic throttle control, and the first CPU detects that the clock is abnormal or processing is abnormal. The electronic control device according to any one of claims 1 to 13, wherein the second CPU performs a fail-safe process based on abnormality information from the first CPU.

Images