JP5967059B2 - Electronic control device for vehicle - Google Patents

Description

  The present invention relates to an electronic control device for a vehicle.

  As a vehicle electronic control device, there is one including a microcomputer (microcomputer) for controlling a controlled object and a monitoring module for monitoring the operation of the microcomputer (for example, see Patent Document 1).

In the apparatus of Patent Document 1, a program executed by a microcomputer is divided into first to third levels.
The first level program (hereinafter referred to as the first level program) is a program for controlling the controlled object.

  The second level program (hereinafter referred to as the second level program) monitors whether or not the control function by the first level program is normal, and outputs to the control target when the control function is determined to be abnormal. This is a program for outputting a signal for adjusting the stage.

  The third level program (hereinafter referred to as the third level program) is a program for performing execution inspection of the second level program and outputting the inspection result to the monitoring module.

  The monitoring module compares the inspection result output by the third level program of the microcomputer with the expected value of the inspection result, and outputs a signal for operating the output stage when the inspection result does not match the expected value. Output.

  That is, in this apparatus, even if the first level program performs an erroneous control, the second level program is configured to avoid problems due to the incorrect control. Furthermore, for the common cause failure that causes the first and second level programs to become abnormal at the same time, and the event that the first level program that has developed a bug infringes the second level program by interference, the third level The output stage can be shut off by the program and the monitoring module.

  Here, the reliability of the monitoring module independent of the microcomputer will be described in ISO (International Organization for Standardization) 26262, which is a functional safety regulation regarding electric / electronics of automobiles.

  First, since a microcomputer failure can lead to indefinite control immediately, usually a vehicle control device will be able to suppress acceleration before unintended vehicle acceleration reaches 0.3G, for example, tens of milliseconds. Diagnose at short time intervals.

  On the other hand, a failure of the monitoring module alone does not immediately cause indefinite control, so diagnosis at a short time interval such as several tens of milliseconds is unnecessary, and in the case of a vehicle control device, for example, in one driving cycle Diagnosis may be performed at a frequency of about once.

  Further, the failure of the independent microcomputer and the monitoring module in the same driving cycle is small enough to be ignored with respect to the failure probability of the microcomputer, and no special countermeasure is essential.

  As described above, regarding the monitoring module, in the case of a vehicle control device, for example, the reliability may be ensured by a diagnosis about once in one driving cycle.

Japanese Patent No. 3955328

  By the way, the content of the functional safety regulation described above is a story in terms of a hardware failure between the microcomputer and the monitoring module, and the first level program that has developed a bug infringes the second level program by interference. The event is not discussed.

  The interference is, for example, a phenomenon that data in the RAM referred to by the second level program is rewritten, and is not a hardware failure. For this reason, it is difficult to say that both the interference due to the bug occurrence of the first level program in the microcomputer and the failure of the monitoring module never occur in the same driving cycle.

  Therefore, if the present inventor does not know when a bug of the first level program will appear, assuming the worst case, a bug occurrence of the first level program and a hardware failure of the monitoring module will occur in the same driving cycle. From the standpoint of being able to do so, we considered increasing the reliability by designing an electronic control device.

  For this reason, this invention aims at the reliability improvement of the electronic control apparatus for vehicles.

A vehicle electronic control device according to a first aspect of the present invention includes a microcomputer and a monitoring module for monitoring the operation of the microcomputer.
The program executed by the CPU of the microcomputer monitors the first level program, which is a program for controlling the controlled object, and whether the control function for the controlled object by the first level program is normal. When the control function is determined to be abnormal, the second level program for outputting the first shut-off signal for invalidating the control function and the execution inspection of the second level program are performed, and the inspection result is monitored. And a third level program including an inspection program for output to the module.

The monitoring module outputs a second cutoff signal that invalidates the control function when the inspection result from the microcomputer does not match the expected value of the inspection result.
For this reason, for example, when an abnormality occurs in the control function by the first level program, the abnormal control function can be invalidated by the first cutoff signal output by the second level program. In addition, for example, when a common cause failure occurs such that the first and second level programs become abnormal at the same time, or when the first level program that develops a bug infringes the second level program by interference. The inspection program in the third level program and the monitoring module cooperate to ensure reliability. That is, in those cases, the inspection result output from the microcomputer by the inspection program (the result of performing the execution inspection of the second level program) does not match the expected value, and the monitoring module outputs the second cutoff signal. Is output. And the control function by the 1st level program can be invalidated by the 2nd interruption | blocking signal, and incorrect control can be prevented.

  Further, in the vehicle electronic control device, the microcomputer is a hardware circuit for outputting a third cutoff signal for invalidating the control function, and the operation for outputting the third cutoff signal is performed. A hardware circuit that is prevented from being blocked by a bug in the first level program is provided. The third level program executed by the microcomputer includes an error for causing the hardware circuit to output a third cutoff signal when the inspection result by the inspection program does not match the expected value of the inspection result. A detection program is included.

  According to this vehicle electronic control device, when the first level program that has developed a bug causes the second level program to be infringed by interference and a hardware failure of the monitoring module occurs in the same driving cycle However, reliability can be ensured. That is, in that case, it is unlikely that the hardware circuit in the microcomputer will fail. In that case, in the microcomputer, the inspection result by the inspection program (the result of performing the execution inspection of the second level program) does not match the expected value, and the error detection program and the hardware circuit cause the third result. A shut-off signal is output. Therefore, erroneous control can be prevented by the third cutoff signal.

  Thus, in the vehicle electronic control device according to the first aspect of the present invention, the error detection program in the microcomputer and the hardware circuit realize a function equivalent to that of the monitoring module, and the control reliability can be improved.

  In addition, the functions equivalent to the monitoring module placed in the microcomputer form a relationship between the monitoring module and the composition, so the ASIL (Automotive Safety Integrity Level) carried by the monitoring rig module can be reduced. It is. When the monitoring module is, for example, a sub-microcomputer that is different from the microcomputer that performs the control, the ASIL is reduced, so that a runtime check (device) such as ROM, RAM, instructions, and flow check in the sub-microcomputer is performed. It is not necessary to carry out the check periodically performed during the operation.

  In addition, the code | symbol in the parenthesis described in the claim shows the correspondence with the specific means as described in embodiment mentioned later as one aspect, Comprising: The technical scope of this invention is limited is not.

It is a block diagram showing the structure of the vehicle electronic control unit (ECU) of 1st Embodiment. It is explanatory drawing for demonstrating a microcomputer monitoring program and monitoring IC. It is explanatory drawing for demonstrating notification data, the sum expectation value, and an adjustment value. It is a flowchart showing the interruption | blocking signal diagnostic process. It is a block diagram showing the compare match timer circuit of 2nd Embodiment. It is a flowchart showing the process of the error detection program of 2nd Embodiment.

A vehicle electronic control device (hereinafter referred to as ECU) according to an embodiment to which the present invention is applied will be described.
[First Embodiment]
As shown in FIG. 1, the ECU 11 of the first embodiment is a device that controls at least the electronic throttle 13.

  The electronic throttle 13 is a combination of a throttle valve 15 for adjusting the amount of intake air to the engine of the vehicle and a motor 17 as an actuator for moving the throttle valve 15 as one product. The ECU 11 adjusts the position (opening degree) of the throttle valve 15 by driving the motor 17. Further, in the electronic throttle 13, when the drive of the motor 17 is stopped, the position of the throttle valve 15 returns to the specific position. The specific position is, for example, a position where the engine can be operated with a predetermined output (for example, idling operation).

  The ECU 11 includes a microcomputer 21 for controlling the throttle valve 15 (electronic throttle 13) and a monitoring IC 23 as a monitoring module for monitoring the operation of the microcomputer 21. Note that monitoring the operation of the microcomputer 21 means monitoring (monitoring) the normal functionality of the components of the microcomputer 21.

  The microcomputer 21 includes a CPU 25 that executes programs, a ROM 26 that stores programs executed by the CPU 25, a RAM 27 that stores calculation results and the like by the CPU 25, an input / output port (I / O) 28, and other internal peripherals Circuits (for example, an A / D converter, a circuit that outputs a pulse width modulation signal, a watchdog timer circuit 29 described later, and the like).

  The ECU 11 detects signals from two throttle position sensors (TPS1, TPS2) 31, 32 that detect the position of the throttle valve 15 as a throttle opening, and an accelerator pedal operation position by a vehicle driver as an accelerator operation amount. Signals from the two accelerator position sensors (APS1, APS2) 33, 34 are input at least.

  One throttle position sensor (TPS 1) 31 is a main sensor for detecting the throttle opening, and the other throttle position sensor (TPS 2) 32 is a sub sensor used for diagnosis of the throttle position sensors 31 and 32. Similarly, one accelerator position sensor (APS1) 33 is a main sensor for detecting an accelerator operation amount, and the other accelerator position sensor (APS2) 34 is a sub sensor used for diagnosis of the accelerator position sensors 33 and 34. .

Signals from the sensors 31 to 34 are input to the microcomputer 21 via an input circuit (not shown) provided in the ECU 11.
Specifically, the program executed in the microcomputer 21 and stored in the ROM 26 executed by the CPU 25 includes a first level program 41, a second level program 42, as indicated by a dotted frame in FIG. And the third level program 43. The second and third level programs 42 and 43 are programs with higher design reliability than the first level program 41.

  A first level program (hereinafter also referred to as a first level program) 41 is a program for controlling a control target (in this example, the throttle valve 15), and a control amount calculation program for calculating a control amount of the throttle valve 15 41a is included.

  The control amount calculation program 41a calculates the target opening (target position) of the throttle valve 15 from the accelerator operation amount detected by the accelerator position sensor 33, and the actual throttle opening detected by the throttle position sensor 31 is A control signal for driving the motor 17 is output so as to achieve the target opening. In this specification, the operation with the program as the subject is the operation of the microcomputer 21 realized by the CPU 25 executing the program. The control signal output from the microcomputer 21 is supplied to the motor 17 via a drive circuit as an output stage (not shown).

  A second level program (hereinafter also referred to as a second level program) 42 monitors whether or not the control function for the throttle valve 15 by the first level program 41 is normal and determines that the control function is abnormal. This is a program for outputting a first cutoff signal (hereinafter referred to as cutoff signal 1) that invalidates the control function.

  The second level program 42 includes, for example, an allowable torque calculation program 42a, an estimated torque calculation program 42b, diagnostic programs 42c and 42d, and an abnormality treatment program 42e.

  The allowable torque calculation program 42 a calculates the allowable torque of the engine from the accelerator operation amount detected by the accelerator position sensor 33. The allowable torque corresponds to, for example, the maximum value of the engine output torque that can be considered from the accelerator operation amount.

  The estimated torque calculation program 42b calculates an estimated torque, which is an estimated value of the torque currently generated by the engine, from the throttle opening detected by the throttle position sensor 31.

  The diagnosis program 42c compares the allowable torque calculated by the allowable torque calculation program 42a with the estimated torque calculated by the estimated torque calculation program 42b. For example, when the estimated torque is larger than the allowable torque by a predetermined value or more, Judged as abnormal (control function is abnormal). That is, the diagnosis result of the control function is “abnormal”.

The diagnostic program 42d is a program for diagnosing input signals used for control, such as throttle position sensors 31, 32 and accelerator position sensors 33, 34.
For example, the diagnostic program 42d compares the detection values obtained by the two throttle position sensors 31 and 32, and determines that the abnormality is detected when the two detection values are separated by a predetermined value or more. Similarly, the diagnosis program 42d compares the detection values obtained by the two accelerator position sensors 33 and 34, and determines that an abnormality occurs when the two detection values are separated by a predetermined value or more.

  The diagnosis result by the diagnosis programs 42c and 42d is notified to the abnormality treatment program 42e. Then, the abnormality treatment program 42e outputs the cutoff signal 1 if any of the diagnosis results by the diagnosis programs 42c and 42d is “abnormal”.

  The cutoff signal 1 from the microcomputer 21 is supplied to the electronic throttle 13. The electronic throttle 13 is forced to stop driving the motor 17 when the cutoff signal 1 is supplied.

  When the cutoff signal 1 is output from the microcomputer 21, the control function by the first level program 41 is invalidated, the position of the throttle valve 15 is returned to the specific position, and the engine output is limited. As another example, for example, the cutoff signal 1 from the microcomputer 21 may be supplied to the drive circuit (output stage) in the ECU 11 so that the drive of the motor 17 is forcibly stopped. . Further, the power supply to the motor 17 may be cut off by outputting the cutoff signal 1 from the microcomputer 21.

  A third level program (hereinafter also referred to as a third level program) 43 performs an inspection of the second level program 42 (hereinafter also referred to as a test), and outputs an inspection result to the monitoring IC 23. Includes a microcomputer monitoring program 43a as a computer program.

  The contents of the microcomputer monitoring program 43a will be described with reference to FIG. Here, it is assumed that the execution inspection target program is the torque monitor program 51 including the allowable torque calculation program 42a, the estimated torque calculation program 42b, and the diagnosis program 42c in the second level program 42.

  As shown in FIG. 2, in the torque monitor program 51, control data normally detected by a sensor (in this example, detected by the accelerator position sensor 33) is used as input data for calculating the allowable torque and the estimated torque. The accelerator operation amount and the throttle opening detected by the throttle position sensor 31 are input.

  Further, in the present embodiment, the timing for executing the execution inspection (hereinafter referred to as test timing) arrives at every predetermined time T (for example, 32 ms). At each test timing, test data, which is data for execution inspection, is input to the torque monitor program 51 as input data instead of control data. Such switching of input data is performed by the microcomputer monitoring program 43a. The period for every fixed time T at which execution inspection is performed is called a test period.

  The microcomputer monitoring program 43a calculates the calculation result of the torque monitor program 51 (in this example, the diagnosis result by the diagnosis program 42c) when the test data is input to the torque monitor program 51, and the expected value of the calculation result. Are compared by the comparison unit 53. Test data and expected values corresponding to the test data are stored in advance in the ROM 26, and corresponding data are selected.

  If the calculation result of the torque monitor program 51 matches the expected value, the comparison unit 53 outputs “1” indicating “positive” as the inspection result, and conversely, the calculation result and the expected value are one. If not, “0” indicating “error” is output as the inspection result.

Further, the microcomputer monitoring program 43 a includes a cycle counter 55 that counts up every the predetermined time T and a test data switching unit 57.
The value of the cycle counter 55 (hereinafter referred to as the cycle counter value) returns to 1 after 3. For this reason, the cycle counter value changes as “1 → 2 → 3 → 1 → 2 → 3 → 1...”.

  When the cycle counter value is “1” or “2”, the test data switching unit 57 inputs T test data as test data to the torque monitor program 51, and when the cycle counter value is “3”. Inputs F test data to the torque monitor program 51 as test data.

  The test data for T is test data for an execution test that expects “1” as an inspection result from the comparison unit 53 (hereinafter referred to as a positive-expected execution test). This is test data that should yield the same calculation result as the expected value compared in 53. For this reason, when T test data is input to the torque monitor program 51, it is normal that “1” is output from the comparison unit 53. “T” in the test data for T is an abbreviation of “True”.

  On the other hand, the test data for F is test data for an execution test that expects “0” as an inspection result from the comparison unit 53 (hereinafter referred to as an erroneously expected execution test). As a result, the test data is supposed to obtain a calculation result different from the expected value compared by the comparison unit 53. Therefore, when the cycle counter value is 3 and F test data is input to the torque monitor program 51, it is normal that “0” is output from the comparison unit 53. “F” in the test data for F is an abbreviation for “False”. The reason why the erroneously expected execution inspection is performed by using the test data for F is to detect that a failure in which the inspection result from the comparison unit 53 is fixed to “1” has occurred as an abnormality.

  In the present embodiment, a plurality of execution tests with different test data are performed on the program to be executed for each test cycle. For this reason, different test data is prepared for each type of execution inspection. The type of execution inspection is identified by a test ID that is identification information of the execution inspection. In the following description, for example, it is assumed that two types of execution inspections, “test ID = 0” and “test ID = 1”, are performed.

  For example, among the positively expected execution inspections based on the T test data (that is, the execution inspection when the cycle counter value is 1 or 2), in the execution inspection of “test ID = 0”, the test data is used as the T test data. A is input to the torque monitor program 51. Then, the calculation result of the torque monitor program 51 and the expected value corresponding to the test data A are compared by the comparison unit 53. In the execution test of “test ID = 1”, test data B is input to the torque monitor program 51 as T test data, and the calculation result of the torque monitor program 51 and the expected value corresponding to the test data B are The comparison unit 53 compares them. Similarly, in the false expectation execution test using the F test data, different F test data is input to the torque monitor program 51 for each test ID.

Further, the microcomputer monitoring program 43 a includes a transmission data synthesis unit 59.
The transmission data combining unit 59 generates data including both the test ID of the executed execution test and the test result output by the comparison unit 53 for the execution test as notification data, and the generated notification data is generated. Output to the monitoring IC 23. The notification data is data for notifying the monitoring IC 23 of the inspection result in the microcomputer 21, and is also a test answer from the microcomputer 21 to the monitoring IC 23. The notification data is transmitted from the microcomputer 21 to the monitoring IC 23 by, for example, serial communication via a communication line.

  For example, in this embodiment, each data of the test ID and the inspection result is 4 bits, and the transmission data synthesis unit 59 converts the 8-bit data with the test ID as the upper 4 bits and the inspection result as the lower 4 bits. And generated as notification data.

  Here, when particularly distinguishing the notification data by the execution test of “test ID = 0”, it is referred to as notification data 0, and when notifying the notification data by the execution test of “test ID = 1” in particular. In this case, the notification data 1 is as shown in FIG. 3 if the notification data 0 and the notification data 1 are normal. In FIG. 3 and the following description, “0x” means that the subsequent two-digit alphanumeric characters (0 and 1 in the example of FIG. 3) are displayed in hexa (hexadecimal). That is, as shown in the first to third stages in FIG. 3, when the cycle counter value is 1 or 2, if the cycle counter value is normal, the inspection result from the comparison unit 53 is “1”. Becomes [0x01], and the notification data 1 becomes [0x11]. When the cycle counter value is 3, if the result is normal, the inspection result from the comparison unit 53 is “0”, so the notification data 0 is [0x00] and the notification data 1 is [0x10].

  Then, the transmission data combining unit 59 continuously outputs the generated notification data 0 and notification data 1 to the monitoring IC 23. Each of the comparison unit 53, the test data switching unit 57, and the transmission data synthesis unit 59 is a program that forms part of the microcomputer monitoring program 43a.

  On the other hand, the monitoring IC 23 uses an error detection circuit 23a for determining whether or not the inspection result included in the notification data from the microcomputer 21 matches the expected value of the inspection result, and the error detection circuit 23a performs the inspection. An output circuit 23b for outputting a second cutoff signal (hereinafter referred to as cutoff signal 2) for invalidating the control function of the throttle valve 15 by the first level program 41 when a mismatch between the result and the expected value is detected; .

  For example, the error detection circuit 23a counts the number of times of receiving notification data (notification data 0 and notification data 1) from the microcomputer 21 after starting the operation, so that the notification data received this time is the positive expectation. It is discriminated whether the execution inspection is an execution inspection or a false expectation execution inspection.

  If the error detection circuit 23a determines that the received notification data is based on a positively expected execution test, the received notification data 0 is [0x01] and the received notification data 1 is [0x11]. It is determined whether or not. If the received notification data 0 is not [0x01] or the received notification data 1 is not [0x11], the error detection circuit 23a determines that the inspection result from the microcomputer 21 does not match the expected value. It will be judged. Further, when the error detection circuit 23a determines that the received notification data is based on an erroneously expected execution test, the received notification data 0 is [0x00] and the received notification data 1 is [ 0x10]. If the received notification data 0 is not [0x00] or the received notification data 1 is not [0x10], the error detection circuit 23a determines that the inspection result from the microcomputer 21 does not match the expected value. It will be judged.

  In this example, the error detection circuit 23a performs comparison with the expected value in units of the notification data 0 and 1 (in other words, the test ID is also compared with the expected value). However, of course, the inspection result portion (lower 4 bits) may be extracted from the notification data 0, 1 and compared with the expected value.

  In this way, when the error detection circuit 23a detects a mismatch between the inspection result from the microcomputer 21 and the expected value, the output circuit 23b outputs the cutoff signal 2. Further, the error detection circuit 23a causes the output circuit 23b to output the cutoff signal 2 even when notification data is not transmitted from the microcomputer 21 even if a predetermined time limit longer than the test cycle elapses.

  As another example, for example, the error detection circuit 23a has a normal value of the sum value (added value of 8 bits) of the notification data 0 and the notification data 1 as shown in the fourth row of FIG. A certain expected value of thumb may be stored. In this case, if the error detection circuit 23a determines that the received notification data is based on a positive expected execution test, the error detection circuit 23a uses the sum value of the received notification data 0 and the notification data 1 and the sum expected value. It is determined whether or not [0x00] matches, and if both values do not match, it may be determined that the test result and the expected value do not match. Similarly, if the error detection circuit 23a determines that the received notification data is due to an erroneously expected execution test, the error detection circuit 23a uses the sum value of the received notification data 0 and the notification data 1 and the sum expected value. It is determined whether or not [0x10] matches, and if both values do not match, it may be determined that the test result and the expected value do not match.

  As another example, for example, the error detection circuit 23a receives the notification data 0 and notification data 1 sent from the microcomputer 21 every test cycle as “[0x01] and [0x11]” → “[0x01] and [ 0x11] ”→“ [0x00] and [0x10] ”→... Is determined to determine whether the inspection result matches the expected value. Also good. Of course, if the pattern is not repeated, the inspection result and the expected value are inconsistent.

That is, the process performed by the error detection circuit 23a may be any process as long as it can be detected that the inspection result from the microcomputer 21 does not match the expected value.
As shown in FIG. 1, the cutoff signal 2 output by the output circuit 23 b of the monitoring IC 23 is also supplied to the electronic throttle 13 in the same manner as the cutoff signal 1. The electronic throttle 13 is forcibly stopped from driving the motor 17 even when the cutoff signal 2 is supplied. Therefore, even when the cutoff signal 2 is output from the monitoring IC 23, the position of the throttle valve 15 returns to the specific position described above, and the engine output is limited. As another example, for example, the cutoff signal 2 from the monitoring IC 23 may be supplied to the drive circuit (output stage) in the ECU 11 to forcibly stop the drive of the motor 17. . Further, the power supply to the motor 17 may be cut off by outputting the cutoff signal 2 from the monitoring IC 23.

  Further, the microcomputer 21 includes means for performing the same function as the function of the monitoring IC 23. As shown in FIG. 1, the means is an error detection program 43 b provided as a part of the third level program 43 and a watchdog timer circuit 29 in the microcomputer 21.

  The error detection program 43b is for causing the watchdog timer circuit 29 to output a third cutoff signal (hereinafter referred to as a cutoff signal 3) when the test result by the microcomputer monitoring program 43a does not match the expected value of the test result. It is a program. Details of the error detection program 43b will be described later.

  As shown in FIG. 1, the cutoff signal 3 is a signal that invalidates the control function of the first level program 41, as with the cutoff signal 1 and the cutoff signal 2, and is supplied to the electronic throttle 13. The electronic throttle 13 is forcibly stopped from driving the motor 17 even when the cutoff signal 3 is supplied. Therefore, even when the cutoff signal 3 is output from the microcomputer 21, the position of the throttle valve 15 returns to the specific position described above, and the engine output is limited. As another example, for example, the cutoff signal 3 from the microcomputer 21 may be supplied to the drive circuit (output stage) in the ECU 11 to forcibly stop the drive of the motor 17. . Further, the power supply to the motor 17 may be cut off by outputting the cutoff signal 3 from the microcomputer 21.

  The watchdog timer circuit 29 includes a counter 29a that counts up at regular intervals by a clock in the microcomputer 21. When the value of the counter 29a reaches a specific value N (for example, the maximum value or 0 that is the next value of the maximum value) by counting up, the watchdog timer circuit 29 sets a predetermined output port (input) in the microcomputer 21. The cutoff signal 3 is output from the output port 28) to the outside of the microcomputer 21. Further, the watchdog timer circuit 29 can write to the counter 29a on condition that a predetermined normal key code is given. That is, the watchdog timer circuit 29 is configured so that the counter 29a cannot be write-accessed unless a regular key code (for example, 8-bit [0x5A] in this embodiment) is given.

Next, the error detection program 43b will be described.
The error detection program 43b performs a calculation of the following equation 1 every time the above-described notification data 0 and notification data 1 are generated by the transmission data synthesis unit 59 of the microcomputer monitoring program 43a, thereby the counter of the watchdog timer circuit 29. A key code for write access to 29a is generated.

Key code = "sum value" + "cycle counter value" + "adjustment value [cycle counter value]" ... Equation 1
The “sum value” in Equation 1 is the sum value of the notification data 0 and the notification data 1 generated this time by the transmission data synthesis unit 59.

The “cycle counter value” in Equation 1 is the current cycle counter value.
The “adjustment value [cycle counter value]” in Expression 1 is a value corresponding to the cycle counter value, and is calculated in advance by Expression 2 below and stored in the ROM 26.

Adjustment value [cycle counter value] = “regular key code” − “sum expected value which is a normal sum value of the notification data 0 and the notification data 1 at the test timing corresponding to the cycle counter value (in FIG. 3 (Refer to the 4th stage) "-" cycle counter value "... Equation 2
That is, the adjustment value [cycle counter value] is a value obtained by subtracting the expected sum at the test timing corresponding to the cycle counter value from the regular key code [0x5A] and further subtracting the cycle counter value. In this example, the adjustment value [cycle counter value] is a value shown in the fifth row of FIG.

  Equation 1 shows that the calculation result is a normal result only when the sum value of the notification data 0 and the notification data 1 generated by the transmission data combining unit 59 matches the expected sum value of the sum value. This is a key code expression. Therefore, Expression 1 is an expression in which the calculation result becomes a normal key code only when the inspection result by the microcomputer monitoring program 43a (the inspection result output by the comparison unit 53) matches the expected value of the inspection result. But there is. The expected value of the inspection result is “1” when the cycle counter value is 1 or 2, and is “0” when the cycle counter value is 3. Therefore, only when the inspection result is correct, a regular key code is generated according to Equation 1.

  Then, the error detection program 43b gives the key code calculated by the calculation of Expression 1 to the watchdog timer circuit 29 and writes a preset value different from the maximum value into the counter 29a. The preset value is such that the time required for the value of the counter 29a to reach the specific value N from the preset value is longer than the test cycle (the error detection program 43b also attempts to write the preset value to the counter 29a). The value is sufficiently long.

Therefore, when the inspection result by the microcomputer monitoring program 43a matches the expected value of the inspection result, a normal key code is given to the watchdog timer circuit 29, and a preset value is written to the counter 29a. As a result, the output of the cutoff signal 3 is blocked. Conversely, when the test result does not match the expected value or when the test result is not updated, the regular key code is not given to the watchdog timer circuit 29, and the preset value is not written to the counter 29a. As described above, when the inspection result matches the expected value, the error detection program 43b gives the watchdog timer circuit 29 a normal key code and outputs the counter 29a. By writing a preset value that is different from the specific value N to prevent the cutoff signal 3 from being output, and if the inspection result does not match the expected value, the watchdog timer circuit 29 is not given a normal key code. , A program for outputting the cutoff signal 3.

  In the ECU 11 as described above, for example, when an abnormality occurs in the control function by the first level program 41, the cutoff signal 1 is output by the second level program 42, and the abnormal control function can be invalidated. .

  In addition, for example, when a common cause failure occurs in which the first level program 41 and the second level program 42 become abnormal simultaneously, or the first level program 41 that has developed a bug infringes the second level program 42 by interference. In this case, the microcomputer monitoring program 43a and the monitoring IC 23 in the third level program 43 cooperate to ensure reliability.

  That is, in those cases, the inspection result (result of the execution inspection of the second level program 42) output in the form of notification data from the microcomputer 21 to the monitoring IC 23 by the microcomputer monitoring program 43a matches the expected value. The monitoring IC 23 outputs the cutoff signal 2. And the control function by the 1st level program 41 can be invalidated with the interruption | blocking signal 2, and erroneous control can be prevented.

  Further, in the ECU 11, the microcomputer 21 is a hardware circuit for outputting the cutoff signal 3, and the operation for outputting the cutoff signal 3 is prevented from being blocked by a bug in the first level program 41. The watchdog timer circuit 29 is provided. As described above, the watchdog timer circuit 29 cannot perform write access to the counter 29a unless a normal key code is given. For this reason, the first level program 41 that has developed a bug may rewrite the value of the counter 29a after giving a normal key code to the watchdog timer circuit 29 (that is, blocking the output of the cutoff signal 3). It is thought that there is nothing.

  The third level program 43 in the microcomputer 21 includes an error detection program for causing the watchdog timer circuit 29 to output the cutoff signal 3 when the inspection result by the microcomputer monitoring program 43a does not match the expected value of the inspection result. 43b is included.

  For this reason, an event in which the first level program 41 that has developed a bug infringes the second level program 42 by interference (an event in which the second level program 42 is not normally executed), and a hardware failure of the monitoring IC 23 (an interruption signal 2). Reliability can be ensured even when a failure that cannot be output occurs in the same driving cycle.

  That is, in that case, it is unlikely that the watchdog timer circuit 29, which is a hardware circuit in the microcomputer 21, will fail. In this case, in the microcomputer 21, the inspection result by the microcomputer monitoring program 43a does not match the expected value, and the cutoff signal 3 is output by the error detection program 43b and the watchdog timer circuit 29. Therefore, erroneous control can be prevented by the blocking signal 3.

  The driving cycle is a period during which the vehicle travels once. Generally, the ECU recognizes the period from when the vehicle is in an ignition-on state to when the vehicle is in an ignition-off state. The ignition-on state is a state in which a battery voltage is supplied to an ignition power supply line in the vehicle, and is generally a state in which an ignition switch of the vehicle is turned on.

  As described above, in the ECU 11 of the present embodiment, the error detection program 43b and the watchdog timer circuit 29 in the microcomputer 21 realize a function equivalent to that of the monitoring IC 23, and the control reliability (and thus the control system) (Reliability) can be improved. In the present embodiment, focusing on the point that it may be considered that independent hardware failures do not occur simultaneously in the same driving cycle, a runtime check is not performed on the monitoring IC 23, but the microcomputer 21 is equivalent to the monitoring IC 23. These functions are configured using software and a watchdog timer circuit 29. If a correct test result cannot be obtained by the microcomputer 21, or if the test result is not updated within a certain period, the cutoff signal 3 is generated by a hardware circuit in the microcomputer 21 (watchdog timer circuit 29 in this example). It is trying to output.

  Further, since the watchdog timer circuit 29 that requires a key code for rewriting the counter value is used as a hardware circuit that outputs the cutoff signal 3, a complicated procedure is necessary for preventing the output of the cutoff signal 3. High robustness against program bugs (so-called robustness).

  Further, since the function equivalent to the monitoring IC 23 arranged in the microcomputer 21 forms a relationship between the monitoring IC 23 and the composition, it is possible to reduce the ASIL carried by the monitoring IC 23. Therefore, for example, when a sub-microcomputer other than the microcomputer 21 is used instead of the monitoring IC 23, the ASIL is reduced, so that a run-time check such as ROM, RAM, instruction, and flow check in the sub-microcomputer is subjected to high load. Is not necessary. For example, the various checks in the sub-microcomputer need only be executed immediately after starting or immediately before stopping the operation.

Next, other functions of the microcomputer 21 of the ECU 11 will be described.
CPU25 of the microcomputer 21 performs the interruption | blocking signal diagnostic process shown in FIG. 4, for example for every fixed time. 4 is a process for diagnosing whether or not the function of the microcomputer 21 that outputs the cutoff signal 3 is normal. Moreover, the program of the interruption signal diagnosis process is included in the third level program 43, for example.

  In a vehicle in which the ECU 11 is mounted, when an ignition switch (hereinafter referred to as IGSW) is turned on by a user (generally a driver), the ignition is turned on. When the IGSW is turned off, the ignition is turned off. A state (that is, a state in which the battery voltage is not supplied to the ignition power source line). The operation of turning off the IGSW corresponds to the ignition off operation. Further, even when the IGSW is turned off, the operation power is continuously supplied to the ECU 11 until all the processes in the microcomputer 21 are completed. When the IGSW is turned off by the user of the vehicle, the microcomputer 21 does not carry out the execution inspection by the microcomputer monitoring program 43a, and as a result, the cutoff signal 3 is output by the watchdog timer circuit 29 of the microcomputer 21. It has become. If the IGSW is turned off, fuel injection to the engine is stopped, so there is no problem even if the cutoff signal 3 is output.

  As shown in FIG. 4, when starting the shut-off signal diagnostic process, the CPU 25 determines whether or not the IGSW is turned off in S110. If the IGSW is not turned off (if the IGSW is turned on), the CPU 25 continues. The interruption signal diagnosis process is terminated. The on / off state of the IGSW is determined based on an input signal indicating the on / off state of the IGSW.

  If the CPU 25 determines in S110 that the IGSW has been turned off, the CPU 25 proceeds to S120 and waits until the scheduled time for the watchdog timer circuit 29 to output the cutoff signal 3 has elapsed. For example, it waits for a predetermined time longer than the time required for the value of the counter 29a to reach the specific value N from the preset value.

  Thereafter, the CPU 25 proceeds to S130 and determines whether or not the position of the throttle valve 15 is the specific position based on the signal from the throttle position sensor (TPS1) 31. If the CPU 25 determines that the position of the throttle valve 15 is the specific position, the CPU 25 proceeds to S140, sets the diagnosis result of the cutoff signal 3 to “normal”, and then ends the cutoff signal diagnostic processing.

  If the CPU 25 determines that the position of the throttle valve 15 is not the specific position in S130, the CPU 25 determines that the function of outputting the cutoff signal 3 is abnormal, and proceeds to S150. Set the diagnosis result to "abnormal". Then, the interruption signal diagnosis process is terminated.

  By the interruption signal diagnosis process as described above, the diagnosis of the function of outputting the interruption signal 3 is performed once in one driving cycle. A potential failure can be detected with a minimum frequency.

  On the other hand, in the microcomputer 21, the microcomputer monitoring program 43 a performs an execution inspection similar to the execution inspection for the second level program 42 for the error detection program 43 b, and sends the inspection result to the monitoring IC 23. The monitoring IC 23 also determines whether or not the inspection result from the microcomputer 21 matches the expected value of the error detection program 43b. Is output. For this reason, it is possible to improve the reliability with respect to the abnormal execution of the error detection program 43b.

[Second Embodiment]
Next, the ECU of the second embodiment will be described. The same reference numeral “11” as that of the first embodiment is used. The same reference numerals as those in the first embodiment are used for the same components and processes as those in the first embodiment. This also applies to other embodiments described later.

  The ECU 11 of the second embodiment is different from the ECU 11 of the first embodiment in that the hardware circuit for outputting the cutoff signal 3 in the microcomputer 21 is the compare match timer circuit 61 shown in FIG. The difference is that the detection program 43b is a program for performing the processing of FIG.

  As shown in FIG. 5, the compare match timer circuit 61 includes a compare match counter 63 that counts up every predetermined time by a clock in the microcomputer 21, a compare match register 65, the value of the compare match counter 63, and the compare match register 65. And a comparator 67 that outputs a cutoff signal 3 from a predetermined output port 28a (any one of the input / output ports 28) in the microcomputer 21 when the two values match.

  The compare match register 65 is not write-accessed by the first level program 41. As a result, the compare match timer circuit 61 is prevented from preventing the operation for outputting the cutoff signal 3 from being caused by a bug in the first level program 41. For example, in the program design stage, instructions relating to write access to the compare match register 65 are not arranged in the first level program 41.

  The error detection program 43b in the second embodiment is a program for causing the compare match timer circuit 61 to output the cutoff signal 3 when the inspection result by the microcomputer monitoring program 43a does not match the expected value of the inspection result. .

  The error detection program 43b is activated every time the notification data 0 and the notification data 1 are generated by the transmission data synthesis unit 59 of the microcomputer monitoring program 43a. This is the same as in the first embodiment.

And CPU25 performs the process of FIG. 6 by running the error detection program 43b.
As shown in FIG. 6, when starting execution of the error detection program 43b, the CPU 25 first determines whether there is an abnormality in S210.

  Specifically, the notification data 0, 1 generated by the transmission data combining unit 59 is compared with their expected values, and if the notification data 0, 1 matches the expected value, the notification data 0, 1 is normal. If 1 does not match the expected value, it is determined that there is an abnormality. As another example, for example, as in the first embodiment, a key code is calculated by the calculation of Expression 1, and if the calculation result matches the regular key code [0x5A], the key code is normal. Otherwise, it may be determined that there is an abnormality. That is, the process of S210 may be any process as long as it can be determined whether or not the inspection result by the microcomputer monitoring program 43a matches the expected value.

  If the CPU 25 determines in S210 that it is normal (no abnormality), the CPU 25 proceeds to S220, and calculates a value obtained by adding a value corresponding to the failure determination time to the value of the compare match counter 63 (current value). Write to the match register 65. The process of S220 is a process for preventing the interruption signal 3 from being output until the failure determination time has elapsed from the present time. The failure determination time is set to a time longer than the test cycle (which is also the execution cycle of the error detection program 43b). Then, after performing the process of S220, the CPU 25 ends the execution of the error detection program 43b.

  If the CPU 25 determines in S210 that there is an abnormality, the CPU 25 does not do anything (that is, does not write to the compare match register 65) and ends the execution of the error detection program 43b. In this case, the value of the compare match counter 63 eventually matches the value of the compare match register 65, and the cutoff signal 3 is output from the microcomputer 21.

  Also by the ECU 11 of the second embodiment as described above, a function equivalent to the monitoring IC 23 is realized by the error detection program 43b and the compare match timer circuit 61 in the microcomputer 21, and the same effect as the ECU 11 of the first embodiment is obtained. be able to.

  In the second embodiment, the CPU 25 may wait until the scheduled time when the compare match timer circuit 61 outputs the cutoff signal 3 elapses in S120 in the cutoff signal diagnosis processing of FIG. Specifically, it is only necessary to wait for a predetermined time longer than the above-described failure determination time.

[Third Embodiment]
For example, the microcomputer 21 may be provided with an output register having a memory protection function that can be write-accessed only from a specific program as an output register in which an output value of the output port (value to be output) is written. For example, the output register may be used as a hardware circuit for outputting the cutoff signal 3. Whether the program is a specific program or not is distinguished depending on the storage location in the ROM 26, for example.

In this case, the output register having the memory protection function is inaccessible from the first level program 41 and is accessible from the error detection program 43b.
And the error detection program 43b should just be comprised so that the process which changed the process of FIG. 6 as follows may be performed by CPU5.

  In other words, if the CPU 25 determines that it is normal (no abnormality) in S210, it ends the execution of the error detection program 43b as it is. On the other hand, if the CPU 25 determines that there is an abnormality in S210, the CPU 25 writes the value (for example, 1) indicating the output of the cutoff signal 3 in the output register having the memory protection function, and stores the value in the output register. The cutoff signal 3 is output from the corresponding output port. Thereafter, the execution of the error detection program 43b is terminated.

Even if comprised in this way, the effect similar to ECU11 of 1st, 2nd embodiment is acquired.
As mentioned above, although embodiment of this invention was described, this invention can take a various form, without being limited to the said embodiment. The above-mentioned numerical values are also examples, and other values may be used.

For example, the control target is not limited to the throttle valve 15 but may be a fuel injection valve, an ignition device, or the like. Further, the monitoring module may be a microcomputer different from the microcomputer 21.
In addition, the functions of one component in the above embodiment may be distributed as a plurality of components, or the functions of a plurality of components may be integrated into one component. Further, at least a part of the configuration of the above embodiment may be replaced with a known configuration having the same function. Moreover, you may abbreviate | omit a part of structure of the said embodiment as long as a subject can be solved. In addition, all the aspects included in the technical idea specified by the wording described in the claims are embodiments of the present invention. In addition to the ECU described above, the present invention is realized in various forms such as a system including the ECU as a constituent element, a program for causing a computer to function as the ECU, a medium storing the program, and a control method for a control target. You can also

  DESCRIPTION OF SYMBOLS 11 ... ECU (electronic control apparatus for vehicles), 15 ... Throttle valve, 21 ... Microcomputer, 23 ... Monitoring IC, 25 ... CPU, 29 ... Watchdog timer circuit, 41 ... 1st level program, 42 ... 2nd level program, 43 ... Third level program, 43a ... Microcomputer monitoring program (inspection program), 43b ... Error detection program, 61 ... Compare match timer circuit

Claims (3)

A microcomputer (21);
A monitoring module (23) for monitoring the operation of the microcomputer;
The program executed by the CPU (25) of the microcomputer is
A first level program (41) which is a program for controlling the controlled object (15);
Monitoring whether the control function for the control target by the first level program is normal, and outputting a first shut-off signal for invalidating the control function when the control function is determined to be abnormal A second level program (42);
A third level program (43) including an inspection program (43a) for performing an execution inspection of the second level program and outputting the inspection result to the monitoring module;
The monitoring module is configured to output a second cutoff signal for invalidating the control function when the inspection result does not match an expected value of the inspection result, the vehicle electronic control device (11) In
The microcomputer is
A hardware circuit for outputting a third cutoff signal for invalidating the control function, wherein an operation for outputting the third cutoff signal is prevented by a bug in the first level program. The hardware circuit (29, 61) that is prevented from
The third level program executed by the CPU includes:
An error detection program (43b) for causing the hardware circuit to output the third shut-off signal when the inspection result by the inspection program does not match an expected value of the inspection result is included ;
The hardware circuit (29)
When the value of the counter (29a) that counts up every predetermined time reaches a specific value, the third cutoff signal is output, and writing to the counter is possible on condition that a predetermined key code is given. Watchdog timer circuit (29),
The error detection program (43b)
When the inspection result matches the expected value, the third cutoff signal is not output by giving the key code to the watchdog timer circuit and writing a value different from the specific value to the counter. When the inspection result does not match the expected value, the program is a program for outputting the third cutoff signal by not giving the key code to the watchdog timer circuit.
An electronic control device for a vehicle. A microcomputer (21);
A monitoring module (23) for monitoring the operation of the microcomputer;
The program executed by the CPU (25) of the microcomputer is
A first level program (41) which is a program for controlling the controlled object (15);
Monitoring whether the control function for the control target by the first level program is normal, and outputting a first shut-off signal for invalidating the control function when the control function is determined to be abnormal A second level program (42);
A third level program (43) including an inspection program (43a) for performing an execution inspection of the second level program and outputting the inspection result to the monitoring module;
The monitoring module is configured to output a second cutoff signal for invalidating the control function when the inspection result does not match an expected value of the inspection result, the vehicle electronic control device (11) In
The microcomputer is
A hardware circuit for outputting a third cutoff signal for invalidating the control function, wherein an operation for outputting the third cutoff signal is prevented by a bug in the first level program. The hardware circuit (29, 61) that is prevented from
The third level program executed by the CPU includes:
An error detection program (43b) for causing the hardware circuit to output the third shut-off signal when the inspection result by the inspection program does not match an expected value of the inspection result is included;
The hardware circuit (61)
A compare match counter (63) that counts up every predetermined time; and a compare match register (65) that is not write-accessed by the first level program, and the value of the compare match counter and the compare match A match match timer circuit (61) for outputting the third cutoff signal when the value of the register matches,
The error detection program (43b)
When the inspection result matches the expected value, a value obtained by adding a predetermined value to the value of the compare match counter is written to the compare match register so that the third cutoff signal is not output, When the inspection result does not match the expected value, the program is configured to output the third cutoff signal by not writing to the compare match register;
An electronic control device for a vehicle. The electronic control device for a vehicle according to claim 1 or 2 ,
The control target is a throttle valve (15) of a vehicle engine on which the vehicle electronic control device is mounted,
The first to third cutoff signals are signals for stopping the operation of the actuator (17) for moving the throttle valve and returning the position of the throttle valve to a specific position,
When an ignition-off operation for changing the vehicle from an ignition-on state to an ignition-off state is performed by a user of the vehicle, the execution inspection by the inspection program is not performed, and the hardware circuit of the microcomputer The third cutoff signal is output by
Furthermore, the CPU of the microcomputer is
When it is detected that the user of the vehicle has performed the ignition off operation (S110: YES), as a process for diagnosing the function of outputting the third cutoff signal,
After waiting until the scheduled time at which the third shut-off signal is output by the hardware circuit, the position of the throttle valve is determined based on a signal from a throttle position sensor (31) that detects the position of the throttle valve. A process (S120, S130, S150) for determining whether or not the position is the specific position and determining that the function of outputting the third cutoff signal is abnormal if the position of the throttle valve is not the specific position. What to do,
An electronic control device for a vehicle.

Images