JP5559100B2 - Electronic control system - Google Patents

Description

  The present invention relates to an electronic control system for diagnosing the state of an input / output device.

  As a control device for automobile engine control, a microcontroller (hereinafter referred to as a microcomputer) incorporating a central processing unit, ROM, RAM, input / output signal processing device, and the like is used. Software installed in a microcomputer is generally composed of application programs that perform control processing, device drivers that perform input / output, and operating systems (OS), etc., so that the control target performs the desired control operations. Has been.

  Such a control device is required to have high safety because it performs control directly related to the safety of the vehicle occupant by controlling the vehicle. For this reason, a fail-safe process is used in which a failure diagnosis of a device related to control is performed, and a transition is made to a safe state when a failure is detected.

  In recent years, with the increasing sophistication and scale of control, the number of safety input / output devices such as sensors such as yaw rate sensors and braking devices such as brake devices has increased. Development man-hours are an issue.

  For the purpose of improving the development efficiency of control software in general, methods such as configuring the software as small unit parts and reusing them, and hierarchizing these to localize the changes are adopted. Furthermore, a technique is adopted in which these software components are accumulated as assets and these components are developed in combination according to the network configuration of the development target electronic system (Patent Document 1).

  In addition, a technique of reducing development man-hours by reusing software related to diagnosis using object-oriented technology (Patent Document 2).

JP 2000-97102 A JP 2002-14839 A

Japan Reliability Society: Reliability Handbook, Nikka Giren, p. 318 Tomohiro Tomohiro: Fault Tolerant System Theory, IEICE, p. 149

  A common method for improving software development efficiency is to reuse software when it is required to change hardware parts by making the software parts and making them correspond to actual physical hardware parts. Improves sex.

  However, failures of sensors and actuators that are input / output devices include fixed faults that occur due to component failures, transient faults that temporarily occur due to electrical noise, alpha rays from radiation isotopes, etc. For actual diagnosis, hardware such as a simple one that checks the upper and lower thresholds, a judgment using a complex algorithm, a judgment that corrects long-term secular change by learning, etc. There are various methods specific to the part.

  In addition, there are various frameworks for technologies that improve the reusability of software by combining multiple processes as one common part. In addition to the fact that the contents of each process such as the input / output process are correct, they need to be performed at an optimal timing, and a delay of several microseconds is often not allowed.

  In addition, due to limitations of microcomputers installed in products, it is difficult to introduce complex processing based on object-oriented technologies such as general-purpose frameworks and Java and C ++ that require large delay times.

  An object of the present invention is to provide an electronic control system capable of improving the reusability of software for performing failure diagnosis of a target device and improving the development efficiency.

  An electronic control system of the present invention that solves the above-described problem has an arithmetic processing device having arithmetic means and storage means, and a plurality of signal input means, and electronic control for diagnosing the signal input means in the arithmetic processing device. In the system, the arithmetic processing unit includes a unique condition determination unit that prepares a condition determination corresponding to each signal input unit according to the type of each signal input unit, and a unique condition determination unit to each signal input unit. It is characterized by having an inquiry switching section for calling up information on the corresponding condition determination, and a state management section for managing and updating the state of each signal input means.

  According to the present invention, it is possible to reuse a process common to each part, and even when developing a new diagnostic process, only the specific condition determination unit corresponding to the failure to be diagnosed and the type of detection method is determined. Development efficiency is improved because it is only necessary to focus on realizing the contents of the specified interface.

The figure which showed the structure of hardware. The figure which showed the structure of software. The figure which showed the state transition of software. The figure which showed the structure of the conversion table. The figure which showed the execution procedure of diagnostic state update process. The figure which showed an example of the program which comprises a state management part. The figure which shows the example which described the inquiry switching part using C language.

Hereinafter, embodiments of the present invention will be described.
The failure that causes malfunction of the electronic control system to be diagnosed can be classified into fixed faults caused by component failures, etc., electrical noise, cosmic rays, and radiation isotopes in the materials constituting semiconductor devices. Are classified as transient faults that are temporarily generated by α rays (Non-Patent Document 1).

  Since transient faults literally occur transiently, that is, temporarily, even if a fault occurs, if the same process is executed again at a different time, in many cases, the process can be safely completed without causing a fault. Can be made. Such a method is called time redundancy (Non-Patent Document 2).

  The electronic control system according to the present embodiment performs a diagnosis determination at each time point for extracting a factor that may cause a fixed fault, and a part for managing and updating a state transition for determining as a transient fault in the diagnosis process. By separating the parts to be performed and defining the inquiry for performing these determination processes as a common interface, the control system is constructed with the part for managing and updating the state transition as a common component. When a transient fault occurs, for example, in a sensor, noise having the same tendency occurs in the output regardless of the type. Therefore, by using such a system, it is possible to share a process for diagnosing noise caused by a transient fault that occurs in the same tendency in any sensor.

(Hardware configuration)
FIG. 1 is a diagram illustrating a hardware configuration of an automobile engine control system that is an example of an electronic control system according to the present embodiment.

  A control unit (control device) 201 of the electronic control system includes a microcontroller (CPU) 202, a signal input circuit 209, an actuator drive circuit 210, and a communication circuit 213, as shown in FIG.

  The control unit 201 performs a control process for driving the actuator 212 via the drive circuit 210 based on external information acquired from the acceleration sensor 211 and the yaw rate sensor 216 via the signal input circuit 209. Some signals are subjected to control processing using input / output from another control device 215 obtained from the communication line 216 via the communication circuit 213.

  The microcontroller 202 of the control unit 201 has an input circuit 203, an arithmetic unit 204, a volatile read / write memory (RAM) 205, a read only memory (ROM) 206, an output circuit 207, and a communication control unit 208. ing.

  The acceleration sensor 211 and the yaw rate sensor 216 are examples of sensors connected to the control unit 201, and may be other sensors that detect temperature, current, and other physical quantities, and can obtain the same effect. is there.

(Software configuration)
FIG. 2 is a diagram for explaining functions by software of the automobile engine control system of FIG.

  Software describing the control method is mounted on the ROM 206 and the RAM 205 of the control unit 201 and processed by the arithmetic unit 204. The software having the configuration shown in FIG. 2 is mounted on such a control device. The software is started from the OS (operating system) 106 and starts processing of the state management unit 101 at a timing registered in the OS. The state management unit 101 is described as a function, for example, and is activated every 10 ms when the software is executed. FIG. 6 is a diagram illustrating an example of a program constituting the state management unit 101 in FIG.

  The state management unit 101 performs a diagnosis information update process for defining and managing the states of a plurality of target devices (signal input means) that are diagnosis targets in common. Then, the inquiry switching unit 102 is notified of an ID for specifying a device to be diagnosed, an inquiry about whether it is abnormal, and an inquiry about whether it is normal. Further, the state management unit 101 calls the condition determination information corresponding to each target device (the acceleration sensor 211 and the yaw rate sensor 216) from the inquiry switching unit 102.

  Thereby, it is possible to omit exchange of information (determination conditions and the like) depending on the target device from the inquiry processing performed by the state management unit 101. That is, it is possible to share a state management process that is necessary for diagnosis of a plurality of target devices of different types.

  In the unique condition determination unit 103, condition determination corresponding to each type of target device is defined in advance according to the type of target device. For example, a threshold value for abnormality determination depending on each target device is defined. The state management unit 101 performs a determination process by executing the condition determination defined for each target device by the unique condition determination unit 103 via the inquiry switching unit 102.

  As an example, the processing operation of the unique condition determination unit 103 is determined as normal if the result of digital conversion of the voltage value is within the range of the upper limit value that can be taken from the lower limit value that can be taken as the target device. If there is, it is determined as an abnormal state. The state management unit 101 updates the current state of each diagnosis target based on the determination result obtained by the determination process. Each state is stored as state information in the state information storage unit 105 and prepared for each diagnosis target. The state management unit 101 acquires and updates state information unique to each target device by making an inquiry to the state information switching unit 104.

Then, various application programs for vehicle control, which are not described in FIG. 2, read the state stored in the state information storage unit 105 for each device, and realize control processing according to the failure state of the device. . Further, by outputting the state information stored in the state information storage unit 105 from the diagnostic terminal 214, it is possible to properly monitor the vehicle failure state at a dealer or the like. Here, the output of the state information is performed in synchronization with the cycle of executing the state management unit 101, so that it is possible to grasp in detail including the progress of the failure state of various devices.
In this way, it is possible to share the process of reading and writing the states of various devices.

(Software processing details)
FIG. 3 is a state transition diagram of the diagnostic information update processing software executed by the state management unit.

  In the present embodiment, four states of a normal state 301, an abnormal detection state 303, an abnormal state 306, and a normal recovery state 309 are defined as states to be diagnosed. The ultimate goal of diagnosis is to determine whether the sensor etc. is normal or abnormal, but in the actual diagnosis of the actual control system, there are false detections due to unforeseen circumstances such as electrical noise and radiation. In order to distinguish between transient faults and fixed faults without immediately judging an abnormality just because an unexpected event has been detected, the anomaly detection operation continues for a predetermined period and continues for a certain period. When an abnormality is detected, it is often determined as a fixed fault.

  In the present embodiment, the process for determining whether or not the abnormality detection has continued is shared in the diagnosis process for a plurality of devices. Therefore, all the devices to be diagnosed make a state transition between states defined in common by the state management unit as described above.

  The abnormality detection state 303 continues the abnormality detection operation. If an abnormality is continuously detected for a certain time or number of times in the abnormality detection state 303, the abnormality state 306 is determined. A normal recovery state 309 is shown for the purpose of recovery from a transient failure or the like. Again, if the normal return condition continues, transition to the normal state 301 is made.

  Details of condition determination in each state are shown below. The diagnosis target in the normal state 301 makes a condition determination by the process of the abnormal initial detection 302. Then, when the condition is satisfied, the state transits to the abnormality detecting state 303, and when the condition is not satisfied, the normal state continuation 311 is performed.

  In the abnormal detection state 303, if the abnormal transition detection 305 determines that the condition for transition to the abnormal state is satisfied, the state transitions to the abnormal state 306. On the other hand, if the condition for normal return detection 304 is satisfied, the state transitions to the normal state 301. If the condition of the abnormality detection continuation 312 is satisfied, the abnormality detection state 303 continues.

  In the abnormal state 306, when the normal return determination 307 is satisfied, the state transits to the normal recovery state 309, and when the abnormal state continuation determination 313 is satisfied, the abnormal state is maintained. In the normal returning state 309, if the condition for returning to the normal state is satisfied by the determination of the normal transition detection 310, the state transitions to the normal state 301. If the condition of the re-abnormality determination 308 is satisfied, the state transits to the abnormal state 306, and if the condition of the normal return continuation 314 is satisfied, the normal recovery state 309 is continued.

  Among the above, the process of performing the condition determination, that is, abnormal initial detection 302, normal return detection 304, abnormal transition detection 305, normal return detection 307, re-abnormality determination 308, normal transition detection 310, normal state continuation 311 determination, The status management unit 101 calls the processing unit acquired from the table shown in FIG.

  FIG. 4 is a diagram illustrating the configuration of the inquiry switching unit 102 in FIG. Inquiry switching is realized using a table that calls a process.

  FIG. 4 (a) shows the definition of the structure of the table, which is realized by holding an address to a process corresponding to each component in a data structure such as a C language structure. 401 is the definition of the entire structure, and its items are composed of an abnormality determination processing address 402, an abnormality determination continuation processing address 403, a normal return determination processing address 404, and a normal determination continuation processing address 405. As a result, the processing of the state management unit can be shared for each target device, and specific determination conditions for each target device can be individually called.

  FIG. 4B is an example in which an address to a process for diagnosing an acceleration sensor, which is an example of a diagnosis target device, is registered using this data structure.

  In the acceleration sensor call table 406, whether or not to continue the call destination 407 of the process (acceleration sensor abnormality determination process) for determining the condition for the acceleration sensor 211 to transition from the normal state to the error state, the abnormality detection state of the acceleration sensor 211 is determined. Call destination 408 of the process for determining whether or not (acceleration sensor abnormality determination continuation process), call destination 409 of the process for determining whether the acceleration sensor 211 returns from the abnormal state to the normal state (acceleration sensor normal return determination process), acceleration sensor A call destination 410 of processing for determining whether to continue the normal return state 211 (acceleration sensor normality determination continuing processing) is registered.

  FIG. 4 (c) shows an example in which an address to a process for diagnosing the yaw rate sensor is registered using this data structure.

In the yaw rate sensor call table 411, whether or not to continue the call destination 412 of the process for determining the condition for the yaw rate sensor 216 to transition from the normal state to the error state (yaw rate sensor abnormality determination process) and the abnormality detection state of the yaw rate sensor 216 are determined. Called 413 for processing to determine whether (yaw rate sensor abnormality determination continuation processing), called destination 414 for processing to determine whether the yaw rate sensor 216 returns from an abnormal state to a normal state (yaw rate sensor normal return determination processing), yaw rate sensor A call destination 415 of a process for determining whether to continue the normal recovery state of 216 (yaw rate sensor normal determination continuation process) is registered.
FIG. 7 shows an example in which the inquiry switching unit 102 is described using the C language.

FIG. 5 is a flowchart for explaining a procedure for the state management unit 101 to execute diagnostic process information update.
First, the current state of each target device of the acceleration sensor 211 and the yaw rate sensor 216 is acquired, and whether it is “normal state”, “abnormal detection state”, “abnormal state”, or “normal return detection state” Is evaluated (501).

  When the current state of the target device is “normal state” (502), the abnormality determination function of the target device is read from the table (506), and the determination process is performed (510). If the result of the determination process is “abnormal detection”, the process proceeds to the abnormal detection state and initializes the error counter (518). This is a counter for measuring the elapsed time for separating the transient fault from the fixed fault. On the other hand, if the result of determination processing 510 is “not detected”, no particular processing is performed and the current state is maintained.

  When the current state of the target device is “abnormal detection state” (503), the abnormality determination continuing function of the target device is read from the table (507), and the function is called to perform error checking (511). ). If the result of the error check determination process (511) is an abnormality detection, an error counter is added (514), and the error counter is compared with a predefined threshold value (516). If the value of the error counter is equal to or greater than the threshold (error counter ≧ threshold), transition to an abnormal state (520), and if the value of the error counter is smaller than the threshold (error counter <threshold), no particular processing is performed. Maintain the current state. As a result, it is possible to distinguish between a transient fault and a fixed fault.

  On the other hand, if the result of the error check determination process (511) is “no abnormality detected”, the state shifts to a diagnosis state (519).

  When the current state is “abnormal state” (504), the normal device return judgment function of the target device is read from the table (508) and the judgment process is called to check the return condition (512). When the result of the determination process is the return condition detection, the state transits to the normal return detecting state, and the normal return counter is initialized (521). Then, when the result of the determination process of the return condition check (512) indicates that the return condition is not detected, no particular process is performed and the current state is maintained. Thereby, it is determined as a fixed fault.

  If the current status is “normal recovery detection status” (505), the normal transition determination continuation function of the target device is read from the table (509), and that function is called to check the recovery condition (513) . Here, it returns from a fixed fault and determines again whether it is a transient fault. If the result of the determination process is a normal return condition detection, a normal return counter is added (515), and the normal return counter is compared with a predefined threshold value (517). If the value of the normal return counter is equal to or greater than the threshold value (normal return counter ≧ threshold value), the state transitions to the normal state (523), and if the value of the normal return counter is smaller than the threshold value (normal return counter <threshold value), the processing is performed. Keep the current state without doing. When the above processing is completed, the determination result corresponding to the current state is output as a diagnosis result (524). If the result of the determination process of the return condition check (513) indicates that the return condition is not detected, a transition is made to an abnormal state (522). Thereby, it is determined again as a fixed fault.

  According to the electronic control system having the above-described configuration, a diagnosis process peculiar to each target device and a process that can be shared, for example, a process for distinguishing between a transient fault and a fixed fault are separated, and the transient fault is fixed. Since the state management is made common without depending on the target device for the process for distinguishing from the fault, the process for detecting the transient fault can be reused without depending on the target device.

  According to the electronic control system having the above-described configuration, even when the number of hardware (target devices) to be diagnosed increases, a diagnostic inquiry table in the inquiry switching unit 102 is added to perform hardware-specific diagnostic processing. This makes it possible to add new hardware. Therefore, the man-hour for addition can be reduced.

101 State Management Unit 102 Inquiry Switching Unit 103 Unique Condition Determination Unit 104 State Information Switching Unit 105 State Information Storage Unit 106 OS (Operating System)
211 Acceleration sensor 216 Yaw rate sensor

Claims (3)

An electronic control system having an arithmetic processing unit having an arithmetic unit and a storage unit, and a plurality of signal input units, and diagnosing the plurality of signal input units in the arithmetic processing unit,
The arithmetic processing unit includes:
A state management unit for performing diagnostic information update processing to define and manage and update the states of the plurality of signal input means, respectively,
A condition determination corresponding to each of the plurality of signal input means is defined in advance according to the type of the plurality of signal input means;
An inquiry switching unit that executes a condition determination corresponding to the signal input means to be diagnosed in the specific condition determination unit in response to a determination inquiry from the state management unit;
A state information storage unit for storing state information unique to each of the plurality of signal input means;
A state information switching unit that causes the state information storage unit to read and write the state information in response to a state inquiry from the state management unit;
I have a,
The inquiry switching unit includes a plurality of tables having a common item, each of the plurality of tables holds an address to a process corresponding to each of the plurality of signal input means,
The electronic control system , wherein the state management unit calls the item from each of the plurality of tables by a common process .   The electronic control system according to claim 1, further comprising: an output unit that outputs each of the states, wherein the output unit outputs the states at a predetermined period. 3. The electronic control system according to claim 1, wherein the item includes an abnormality determination processing address, an abnormality determination continuation processing address, a normal return determination processing address, and a normal determination continuation processing address. And electronic control system.

Images