JP5985030B1 - Electronic control device and control method for electronic control device - Google Patents

Abstract

An electronic control device and the like that improve the reliability of three-level monitoring concept control while minimizing redundant configuration. A microcomputer that performs control of a drive unit with a control signal, a monitoring IC that transmits a cutoff signal to the drive unit when there is an abnormality in the microcomputer, a target value output unit that outputs a target value for control of the drive unit, and electronic control A first level control processing unit that includes a plurality of sensors for obtaining values necessary for controlling the device, and the microcomputer calculates and outputs a control signal for normal control from the target value and one or more sensor values, and is driven from the target value A second level control processing unit that calculates an output allowable value of the drive unit, calculates an estimated output value of the drive unit from at least two sensor values, and outputs a cutoff signal to the drive unit when the estimated value is outside the range of the allowable value And an independence assurance unit that obtains first and second sensor values that do not become abnormal within the set time due to the same factor when the first sensor value is abnormal due to a failure of the first sensor value among the sensors used for the calculation. . [Selection] Figure 1

Description

  The present invention relates to an electronic control device that performs a failure process for a sensor failure and a control process, and a control method for the electronic control device, using a plurality of sensors that are mounted on a vehicle and are independent of a failure that has occurred. .

  In recent years, electronic control devices called ECUs (Electronic Control Units) have come to be mounted in response to demands for electrification due to CO2 emission reduction regulations.

  Due to the complexity of the hardware components that make up the vehicle and the enlargement of the software, the system of the ECU mounted on the vehicle is also becoming increasingly complex. Along with these, functional safety standard ISO 26262 is issued, and fail-safety for ensuring safety and measures for ensuring safety are required for various possible failures.

A three-level monitoring concept has been proposed as a conventional technique that can implement various countermeasures against electronic control devices (for example, Patent Document 1). The three-level monitoring concept is composed of the following three levels: normal control for operating the ECU functions and fail-safe for preventing a situation in which the ECU may cause a dangerous state.
First level: Software program of a microcomputer (hereinafter referred to as a microcomputer or the like) that realizes a normal control function Second level: Diagnoses whether or not the first level processing is correctly performed, and detects an abnormality Microcomputer software program that shuts off the output of the control target when it is done Third level: Diagnoses whether the second level diagnosis is correctly performed in order, and if an abnormality is detected, it is the same as the second level A microcomputer software program that shuts off the output of the controlled object and a monitoring mechanism using an IC other than the microcomputer

JP2015-108944A

However, when the conventional technology is applied for vehicle fail-safety, there are the following problems.
In the configuration described in Patent Document 1, the throttle position sensor or the accelerator position sensor used for the control amount calculation is failed due to a certain factor, and the throttle position or accelerator position sensor is made redundant, and the corresponding sensor is made redundant. The sensor output is diagnosed by both sensors. Thereby, even when the sensor becomes abnormal, it is possible to guide the ECU to a safe operation by the cutoff signal. However, in this configuration, it is necessary to provide redundant sensors for all the sensors and to perform sensor reliability diagnosis, so there is a concern that the board area increases and the cost increases.

  The present invention has been made to solve the above-described problems. An electronic control device and an electronic control device for improving the reliability of control based on a three-level monitoring concept while minimizing a redundant configuration. Therefore, an object is to provide a control method.

  The present invention is an electronic control device mounted on a vehicle, the microcomputer for controlling the drive unit by a control signal, the operation of the microcomputer is monitored, and when there is an abnormality in the microcomputer, the drive unit A monitoring IC that transmits a cutoff signal; a target value output unit that outputs a target value indicating a target control amount of the drive unit; and a plurality of sensors that detect and output values necessary for control of the electronic control unit; And the microcomputer calculates and outputs the control signal for normal control using the target value of the target value output unit and the output of one or more of the plurality of sensors. A processing unit, an allowable value calculation unit that calculates an allowable value of the output of the drive unit from a target value of the target value output unit, and an output of the drive unit using at least two sensor values of the plurality of sensors. The reason for calculating the estimated value A second level control comprising: a value calculation unit; and a comparison processing unit that compares the allowable value with the estimated value and outputs a cutoff signal to the driving unit when the estimated value is out of the range of the allowable value A second sensor value used by the estimated value calculating unit when the first sensor value of the plurality of sensors used by the estimated value calculating unit becomes abnormal due to a failure. An electronic control device comprising an independence assurance unit that obtains the first sensor value and the second sensor value that do not become abnormal within a set time due to the same factor as a failure. Etc.

  According to the present invention, it is possible to provide an electronic control device and a control method for the electronic control device that improve the reliability of control based on the three-level monitoring concept while minimizing a redundant configuration.

It is a functional block diagram which shows the structure of the electronic control apparatus concerning Embodiment 1 of this invention. It is a schematic diagram for demonstrating the estimated value and allowable value in the electronic control apparatus concerning Embodiment 1 of this invention. It is a block diagram which shows another example of a structure of the power supply supplied to the sensor in the electronic control apparatus concerning Embodiment 1 of this invention and a sensor. It is a figure for demonstrating one form of the relationship of the control period of the 2nd level control process part equivalent to the sensor abnormality in the electronic control apparatus concerning Embodiment 1 of this invention, and a 2nd level program. It is a figure for demonstrating another form of the relationship of the control period of the 2nd level control process part equivalent to the sensor abnormality in the electronic control apparatus concerning Embodiment 1 of this invention, and a 2nd level program. It is a functional block diagram of one form of the electronic control unit concerning Embodiment 2 of this invention, and its periphery structure. It is a functional block diagram of another form of the electronic control apparatus concerning Embodiment 2 of this invention, and its periphery structure. It is an operation | movement flowchart which shows an example of the processing operation of the independence guarantee part and control period change part of the electronic control apparatus concerning Embodiment 2 of this invention. It is a figure which shows an example of the general structure of the microcomputer of the electronic controller by this invention.

In this invention, it is a control apparatus incorporating the microcomputer 10 mounted in a vehicle, Comprising: The program which the microcomputer 10 performs is comprised by three levels. The first level is a program for controlling an object to be controlled, and the second level is a program for determining whether the control processing and input processing of the first level are correctly performed.
Further, the second level program includes a plurality of input signals. A plurality of input signals are provided with a mechanism in which each of the plurality of input signals corresponds to an independent element so that a plurality of input signals do not fail due to one factor. An estimated value calculating process for deriving an estimated value of a value output from the controlled object using a plurality of input signals and an allowable value calculating process for deriving an allowable value of the value output by the controlled object at that time are provided. By comparing the results of the estimated value calculation process and the allowable value calculation process, it is possible to detect an abnormality in the sensor value and an abnormality in the value output by the process based on the first level program. At this time, since a plurality of input signals that do not become abnormal simultaneously due to one factor are provided, one of the signals input to the estimated value calculation process always shows a correct value. Therefore, an abnormality can be detected in the allowable value calculation process and the estimated value calculation process. Further, when an abnormality is detected in the second level program, a cutoff signal is transmitted to the drive unit so that an output corresponding to the control signal output by the first level is not output from the drive unit.
Furthermore, the third level program monitors the normal operation of the second level program at a predetermined set time interval, and if it is determined that the operation is abnormal, Send a cut-off signal.

With such an electronic control device of the present invention, the reliability of control based on the three-level monitoring concept can be improved while minimizing redundant configuration.
In general, when there are two sensors that fail due to different factors, the probability of both of them failing is quite low, so it is not necessary to consider them.

Hereinafter, an electronic control device and a control method for the electronic control device according to the present invention will be described with reference to the drawings according to each embodiment. In each embodiment, the same or corresponding parts are denoted by the same reference numerals, and redundant description is omitted.
In each of the following embodiments, a case where an electronic control device (hereinafter referred to as first ECU 101) is mounted on a vehicle will be described.
In addition, the portions that perform the control processing according to the above-described first, second, and third level programs are referred to as first, second, and third level control processing units, respectively.

Embodiment 1 FIG.
FIG. 1 is a functional block diagram showing the configuration of the electronic control apparatus according to Embodiment 1 of the present invention. The first ECU 101, which is an electronic control device, performs electronic control throttle control for outputting driving force in the vehicle and motor generator control.

  The first ECU 101 includes a microcomputer 10, a monitoring IC (Integrated Circuit) 11, a drive unit 12 for electronic control throttle control and motor generator control that are driven by signals output from the microcomputer 10, and a drive unit 12. A target value output unit 200 for outputting a target value for causing the first ECU 101 to perform a desired operation, and a plurality of first values for detecting a current value related to a vehicle and a vehicle control state necessary for performing the calculation by the first ECU 101. A sensor 201, a second sensor 202, and a third sensor 203 are provided. There may be a plurality of sensors.

  As is well known, the microcomputer 10 has, for example, an outline as shown in FIG. Input / output to / from the outside via the interface (I / F) 10a, and the CPU 10b is used for various controls in accordance with the programs and data necessary for the control processing stored in the memory 10c, as well as external data and signals, etc. Arithmetic processing is performed, and the processing result is output to the outside and recorded in the memory 10c as necessary. In the microcomputer 10 of FIG. 1, each process executed according to the above program is shown as a functional block.

The microcomputer 10 can be divided into first to third level control processing units 21, 22, and 23 that are executed by first to third level programs, respectively.
The first level control processing unit 21 executed by the first level program uses a sensor value obtained from the first to third sensors 201, 202, and 203 and a target value obtained from the target value output unit 200 to drive the driving unit. The normal control part 21a which outputs the control signal for controlling 12 to a desired state is provided.
The second level control processing unit 22 executed by the second level program determines whether the first level control processing unit 21 and the sensors 201-203 are operating correctly.
The third level control processing unit 23 executed by the third level program confirms whether the second level control processing unit 22 and the microcomputer 10 are operating correctly in cooperation with the monitoring IC 11.

The second level control processing unit 22
Two sensor values of the second sensor 202 and the third sensor 203 are input, and then an estimated value of the output of the drive unit 12 and then an estimated value of the control signal output from the normal control unit 21a is calculated. When,
One or more sensor values or a target value of the target value output unit 200 is input, and then an allowable value calculation unit that calculates an allowable value of the output of the drive unit 12 and, in turn, an allowable value of the control signal output from the normal control unit 21a. 22a,
A comparison processing unit 22c that compares the result of the allowable value calculation with the result of the estimated value calculation, determines that the estimated value is out of the allowable value setting range, and outputs a cutoff signal 1 to the drive unit 12 is provided.
When the monitoring IC 11 starts diagnosis, a level 2 diagnosis receiving unit that receives a level 2 diagnosis signal transmitted from the third level control processing unit 23 to the second level control processing unit 22; A level 2 diagnostic transmission unit that transmits the execution result of the second level control processing unit 22 as a level 2 diagnostic result signal to the third level control processing unit 23, and these are used as the first level 2 diagnostic transmission / reception unit 22d. Show.

The third level control processing unit 23
A microcomputer diagnostic receiver for receiving a microcomputer diagnostic signal transmitted from the monitoring IC 11;
A level 2 diagnostic signal generation unit that generates and transmits a level 2 diagnostic signal in response to the microcomputer diagnostic signal and transmits a diagnosis start to the second level control processing unit 22;
A command duplication inspection diagnostic unit for performing a test by duplicating a part of the processing of the second level control processing unit 22;
A level 2 diagnostic receiver for receiving a level 2 diagnostic result signal transmitted from the second level control processor 22;
A diagnosis result generation unit that determines whether or not there is an abnormality according to the diagnosis execution result and the level 2 diagnosis result signal transmitted from the second level control processing unit 22;
A microcomputer diagnosis transmission unit that transmits the diagnosis result of the microcomputer 10 to the monitoring IC 11 is provided.
Here, the level 2 diagnostic signal generator and the level 2 diagnostic receiver are shown as the second level 2 diagnostic transmitter / receiver 23a, the microcomputer diagnostic receiver and the microcomputer diagnostic transmitter are shown as the first microcomputer diagnostic transmitter / receiver 23d, and the instruction duplication inspection The diagnosis unit and the diagnosis result generation unit are shown as the instruction duplication inspection diagnosis unit 23b and the diagnosis result generation unit 23c as they are.

The monitoring IC 11 includes a microcomputer diagnosis start unit that transmits a microcomputer diagnosis signal for starting diagnosis of whether the microcomputer 10 is operating correctly to the third level control processing unit 23 of the microcomputer 10;
A microcomputer diagnosis result receiver for receiving a microcomputer diagnosis result signal transmitted by the third level control processor 23;
When it is determined that the microcomputer 10 is in an abnormal state, the microcomputer 10 includes a microcomputer diagnosis result determination unit that transmits a cutoff signal 2 to the drive unit 12.
Here, the microcomputer diagnosis start part and the microcomputer diagnosis result receiving part are shown as the second microcomputer diagnosis transmission / reception part 23aa, and the microcomputer diagnosis result judging part is shown as the microcomputer diagnosis result judging part 23bb as it is.

Next, the operation of each part of the first ECU 101 will be described.
In order to operate the drive unit 12, the normal control unit 21 a of the first level control processing unit 21 performs periodic control and transmits a control signal to the drive unit 12.
The processing of the allowable value calculation unit 22a, the estimated value calculation unit 22b, and the comparison processing unit 22c of the second level control processing unit 22 is periodically executed. When the presence / absence of an abnormality is confirmed and determined as abnormal, the comparison processing unit 22 c transmits a blocking signal 1 to the drive unit 12.
The third level control processing unit 23 starts execution by an interrupt triggered by the microcomputer diagnostic signal from the monitoring IC 11. The cycle in which the monitoring IC 11 transmits the microcomputer diagnostic signal to the microcomputer 10 is executed at a cycle longer than the control cycle of the first level control processing unit 21 and the second level control processing unit 22. When it is determined that the microcomputer 10 is in an abnormal state as a diagnosis result, the cutoff signal 2 is transmitted to the drive unit 12.

  The estimated value calculation unit 22b calculates the estimated value using the formula of “αx + βy” using the coefficients α and β, the sensor value x of the second sensor 202 and the sensor value y of the third sensor 203, and the allowable value calculation unit 22a. When the result of the above needs to be between the lower limit value a and the upper limit value b, the comparison processing unit 22c checks whether or not the following expression (1) is satisfied.

  a <αx + βy <b (1)

  Α and β are weighting factors, and the lower limit value a and the upper limit value b, which are allowable values, are communication data from the target value output unit 200 and the other first ECU 101, that is, second and second ECUs described later. Calculation is performed from communication data from the third ECU, values detected in the first ECU 101, and the like. In particular, it is indispensable to set a numerical value that does not threaten the safety of the vehicle such as a safety goal so as not to cause sudden start of the vehicle, sudden deceleration of the vehicle, ignition or explosion of the vehicle.

The estimated value and allowable value are determined as shown in FIG. FIG. 2 is a torque curve of the motor, where the horizontal axis indicates the rotational speed and the vertical axis indicates the torque. EC1 is an estimated torque calculation value when detection is all correct, EC2 and EC3 are estimation torque calculation values when phase current detection is incorrect, and PE is an allowable torque range.
If it is a relational expression related to the motor, it is performed as follows. The lower limit value a and the upper limit value b, which are allowable values (PE), are set according to the current rotational speed based on the torque curve of the motor. It is desirable that the data used for calculating the allowable value is correct. For example, the data used for the allowable value calculation may be in the range of “target value ± margin” based on the target value transmitted from the external ECU 101a indicated by the broken line in FIG. In that case, CRC (Cyclic Redundancy Check), checksum, etc. are superimposed on the value sent from the external ECU, so that the correctness of the value used for calculating the allowable value is added without adding hardware cost. Can be guaranteed.

The estimated values (EC1, EC2, EC3) are relational expressions using power supply voltage, phase current, and the like. At this time, when the phase current detection is correct (EC1), it falls within the allowable value (PE), and when the phase current detection becomes abnormal (EC2, EC3), the allowable value (PE) range. A formula for calculating the estimated value is set so as to deviate from.
Data or tables of motor torque curves for allowable values, margins, coefficients α, β, etc. for estimated values are stored in advance in a memory.

  In addition to the configuration as described above, the first ECU 101 determines that the sensor values of the second sensor 202 and the third sensor 203 used for calculating the estimated value included in the first ECU 101 are both within a set time due to a certain factor. Both are equipped with an independence assurance unit to keep them from becoming abnormal values. The independence assurance unit is realized by each of the independence assurance units 501a to 501d described below.

  The independence assurance unit 501a in FIG. 1 operates the second sensor 202 and the third sensor 203 with different power sources. For example, the second sensor 202 is set to the same power source PS1 as that supplied to the monitoring IC 11 that monitors the microcomputer 10, and the third sensor 203 is set to the same power source PS2 as that supplied to the microcomputer 10.

  The term “within the set time” refers to an interval from when an abnormal sensor value is detected to when the control signal generated according to the abnormal sensor value drives the drive unit 12, for example, executed at the first level. This time is shorter than the control cycle in the first level control processing unit 21 corresponding to the program to be executed.

  By doing in this way, even if a failure that causes an abnormality in any sensor value used in the estimated value calculation unit 22b of the first ECU 101 occurs, both sensor values used in the estimated value calculation unit 22b become abnormal. Since one can reliably input a normal value to the estimated value calculation unit 22b, comparing the results of the estimated value calculation and the allowable value calculation can indicate that one of the sensors has failed. It can be detected.

  That is, it is possible to construct the first ECU 101 that does not require redundant sensors for all of the sensors as in the prior art for failure of the sensors.

In addition, as shown in FIG. 1, in consideration of the functional safety standard ISO 26262, a target value output unit 200, various sensors 201-203, and a normal control unit 21a, which are basic components of the first ECU 101, are set under certain setting conditions. When “ASIL X” is assigned to the drive unit 12 and the ASIL decomposition is adopted, all the sensors used in the estimated value calculation unit 22b in addition to the normal control unit 21a are at the QM (Quality Management) level. Therefore, the safety requirements of the development process imposed on each sensor 201-203 can be relaxed. In addition, it is not necessary to consider a countermeasure for the latency fault related to each of the sensors 201-203 that is essential for "ASIL C" or higher.
“ASIL X” is an Automotive Safety Integrity Level, and X indicates any one of A, B, C, and D.

  At this time, since the independence assurance unit is a safety requirement of ASIL, the independence assurance unit is developed by “ASIL X”. Since the second level control processing unit 22 corresponding to the second level program can be divided into “QM (X)” and “ASIL X (X)” by decomposition with the normal control unit 21a from the beginning. There may be only one ASIL component.

  In the first embodiment, two of the second sensor 202 and the third sensor 203 are used for the estimated value calculation unit 22b. However, even when there are three or more sensors, at least one of them and the other sensors All that is necessary is that the conditions under which the sensor fails are independent.

  In this embodiment, the relational expression between the estimated value calculation unit 22b and the allowable value calculation unit 22a is not limited to the above example as long as it can be constructed so that it can be detected when an abnormality occurs in the sensor.

  The target value output unit 200 in this embodiment is a transceiver that receives and outputs a value transmitted from the outside of the first ECU 101, or a target value from a value detected inside the first ECU 101. What is necessary is just to have the function which sets the thing corresponded to the value which the drive part 12 can output, such as the microcomputer 10 which calculates and outputs other microcomputers, or IC.

  In this embodiment, the input to the normal control unit 21a is the input of the target value output unit 200, the first sensor 201, the second sensor 202, and the third sensor 203. In the normal control unit 21a, the drive unit 12 is used. If the normal control is possible, the input information to the normal control unit 21a is not limited to the above example.

FIG. 3 is a block diagram showing another example of the configuration of the second sensor 202, the third sensor 203, and the power source in this embodiment. The same sensor power supply SPS is used for the operation of the second sensor 202 and the third sensor 203, and the second sensor 202 has a withstand voltage lower than that of the third sensor 203. For example, if the withstand voltage of the third sensor 203 is Vmax3rd and the withstand voltage of the second sensor 202 is Vmax2nd, then Vmax3rd> Vmax2nd.
3 constitutes an independence assurance unit 501b based on the following description.

  4 and 5 are diagrams for explaining two forms of the relationship between the sensor abnormality and the control cycle of the second level program corresponding to the second level control processing unit 22 in the electronic control device of this embodiment. is there. 4 and 5, (a) shows the output voltage of the DC / DC circuit 210, and (b) shows the control cycle of the second level program corresponding to the second level control processing section.

As shown in FIG. 4, when the output voltage of the DC / DC circuit 210 for DC / DC converting the sensor power source SPS made of, for example, a lead battery rises as shown in FIG. The time A until this is set to be longer than at least one cycle of the execution cycle B which is the control cycle shown in (b) of the second level program corresponding to the second level control processing unit 22.
In another embodiment, as shown in FIG. 5, even when the control of the DC / DC circuit 210 is abnormal and the output voltage oscillates as shown in (a), the DC / DC circuit 210 can be output when it is abnormal. The maximum voltage is set larger than Vmax2nd and smaller than Vmax3rd. In this case, since the third sensor 203 does not fail, the time from the failure of the second sensor 202 to the failure of the third sensor 203 is longer than the execution period B shown in (b).

  Further, when the control of the DC / DC circuit 210 becomes abnormal and the output voltage oscillates, when the oscillation voltage is Vmax3rd or less and Vmax2nd or less, only the second sensor 202 is destroyed and the sensor value is indefinite. Or zero. Even in this case, since the third sensor 203 does not fail, the time from the failure of the second sensor 202 to the failure of the third sensor 203 is longer than at least one cycle of the execution period B shown in (b). To.

  In this way, when the power supply related to the sensor becomes abnormal, one of the sensor values input to the estimated value calculation unit 22b can always be set to a correct value, and the abnormal sensor value can be surely detected. Can be detected. With this method, it is not necessary to make all sensors resistant to abnormalities, so it is possible to minimize the redundant structure.

  Further, at this time, the estimated value calculation unit 22b is expressed by the above-described formula of “αx + βy” using the coefficients α and β, the sensor value x of the second sensor 202 and the sensor value y of the third sensor 203, and calculates an allowable value. When the result of the unit 22a needs to be between the lower limit value a and the upper limit value b, the comparison processing unit 22c checks whether the following expression (1) is satisfied.

  a <αx + βy <b (1)

Α and β are weighting factors, and weight is given to a sensor having a high degree of threatening the safety of the vehicle when the sensor value deviates from the original value. By making α a large value, it becomes possible to detect the abnormality at an early stage by making the abnormality of x noticeable.
Note that a and b are detected in the first ECU 101, communication data from the target value output unit 200 and the other first ECU 101, that is, communication data from the second and third ECUs, which will be described later. The value is set to a value that does not threaten the safety of the vehicle.

Further, in this embodiment, the configuration of the second sensor 202 and the third sensor 203 is a second level program corresponding to a second level program after a failure that causes an abnormality in the sensor value of the second sensor 202 occurs. If an abnormality is generated in the sensor value of the third sensor 203 after a time longer than the period diagnosed by the two-level control processing unit 22, the above is not limited.
For example, when the sensor temperature rises due to an abnormality, the time constant of the second sensor 202 may be made shorter than the time constant of the temperature rise of the third sensor 203 to create a time difference that causes failure due to heat. In other words, the voltage resistance, heat resistance, vibration resistance, etc. of the third sensor 203 may be made more durable than the other sensor. More broadly, at least one of voltage resistance, heat resistance, and vibration resistance is changed in a plurality of sensors.

Embodiment 2. FIG.
FIG. 6 is a functional block diagram of one form of the electronic control device and its peripheral configuration according to the second embodiment of the present invention. In FIG. 6, in the first ECU 101 according to the second embodiment, the independence assurance unit 501 c is a second ECU 102 that is a first external electronic control device that is different from the first ECU 101 in the sensor value of the second sensor 202. The value acquired from the communication line CL via the communication line CL, and the sensor value of the third sensor 203 is a signal that can be detected inside the first ECU 101.

With this configuration, even if the sensor that outputs the sensor value of the third sensor 203 becomes abnormal due to a failure in the first ECU 101, it is estimated as long as the second ECU 102 moves correctly. Since at least one sensor value input to the value calculation unit 22b can be a correct value, abnormality determination can be performed correctly.
The first ECU 101 only needs to be able to communicate with the second ECU 102, and may be connected by wireless communication.

  In the functional safety ISO 26262 standard, the probability of a double failure between the same items is extremely low, so the second ECU 102 does not operate normally, and the sensor value transmitted from the second ECU 102 becomes abnormal. In this case, the sensor value of the third sensor 203 may be detected correctly.

  FIG. 7 is a functional block diagram of another embodiment of the electronic control apparatus according to the second embodiment of the present invention and its peripheral configuration. In FIG. 7, the sensor value of the second sensor 202 transmitted by the second ECU 102 can also be received from the third ECU 103 which is the second external electronic control device connected to the first ECU 101 via the communication line CL. The configuration. At this time, in the second level control processing unit 22 corresponding to the second level program, the first ECU 101 determines whether or not the estimated value of the estimated value calculating unit 22b is within a setting range based on the allowable value of the allowable value calculating unit 22a. When it is determined that the value is out of the set range, the sensor value of the second sensor 202 is requested to the third ECU 103.

In this way, even when the second ECU 102 becomes abnormal, the first ECU 101 can continue to operate.
The independence assurance unit 501d includes a second ECU 102, a third ECU 103, and a third sensor 203. For the independence assurance unit 501d, the control processing change unit 22e provided in the second level control processing unit 22 in the microcomputer 10 operates in cooperation.
The first ECU 101 only needs to be able to communicate with the third ECU 103, and may be connected by wireless communication.

  FIG. 8 is an operation flowchart showing a cooperative operation between the first ECU 101, the second ECU 102, and the third ECU 103 connected to each other by a communication line and the control process changing unit 22e. Next, each operation will be described.

In step F801, it is determined whether or not the difference between the estimated value in the estimated value calculation unit 22b of the comparison processing unit 22c and the allowable value in the allowable value calculation unit 22a is equal to or less than the warning deviation amount. If the amount of deviation is less than or equal to the warning deviation, the operation is continued assuming that the influence on the operation due to the abnormality is small. At the same time, since there is a possibility that an abnormality has occurred in the second ECU 102, the sensor value is transmitted from the third ECU 103. When the difference between the estimated value and the allowable value exceeds the warning deviation amount, the process proceeds to step F807.
The warning deviation amount is set to an amount that does not affect the operation of the vehicle abruptly, such as when the sensor value drifts and the sensor value deviates from the original value.

In step F802, the control cycle changing unit 22e is caused to change the execution control cycle of the second level control processing unit 22 corresponding to the second level program.
In step F803, the control cycle changing unit 22e extends the execution control cycle of the second level control processing unit 22 and notifies the completion thereof.
In step F804, the sensor value of the second sensor 202 is requested from the third ECU 103, and the third ECU 103 transmits the sensor value of the second sensor 202 to the first ECU 101 to receive the sensor value.
In step F805, after receiving the sensor value of the second sensor 202 from the third ECU 103, the control cycle changing unit 22e is caused to return the execution cycle, which is the control cycle of the second level control processing unit 22, before the change.
In step F806, the same processing as in step F801 is performed, and when the difference between the estimated value and the allowable value exceeds the warning deviation amount, the control processor 22c is instructed to transmit the cutoff signal 1.

  By doing so, a minor abnormality of the second ECU 102 can correctly receive the sensor value of the second sensor 202 continuously without starting the abnormality process of the first ECU 101. The operation of the second level control processing unit 22 corresponding to the second level program of the microcomputer 10 of the ECU 101 can be continued.

The independence assurance units 501a to 501d in the present invention
The power supplied to the second sensor 202 and the third sensor 203 is a separate power source,
Changing at least one of voltage resistance, heat resistance and vibration resistance of the second sensor 202 and the third sensor 203,
Use the value transmitted from the external ECU and the value acquired by the internal ECU,
However, any configuration can be applied as long as the two sensors do not break down within one control cycle period of the microcomputer due to one factor.

10 microcomputer, 10a interface (I / F), 10b CPU,
10c memory, 11 monitoring IC, 12 driving unit,
21 first level control processing unit, 21a normal control unit,
22 second level control processing unit, 22a allowable value calculation unit, 22b estimated value calculation unit,
22c comparison processing unit, 22d first level diagnostic transmission / reception unit,
22e control cycle changing unit, 23 third level control processing unit,
23a second level 2 diagnostic transmission / reception unit, 23b instruction duplication inspection diagnostic unit,
23c diagnostic result generation unit, 23d first microcomputer diagnostic transmission / reception unit,
23aa second microcomputer diagnosis transmission / reception unit, 23bb microcomputer diagnosis result determination unit,
101 first ECU, 101a external ECU, 102 second ECU,
103 third ECU, 200 target value output unit, 201 first sensor,
202 2nd sensor, 203 3rd sensor, 210 DC / DC circuit,
501a-501d Independence assurance unit, CL communication line, SPS sensor power supply,
PS1, PS2 power supply.

Claims (8)

An electronic control device mounted on a vehicle,
A microcomputer that performs control of the drive unit by a control signal;
A monitoring IC that monitors the operation of the microcomputer and transmits a cut-off signal to the drive unit when there is an abnormality in the microcomputer;
A target value output unit that outputs a target value indicating a target control amount of the drive unit;
A plurality of sensors for detecting and outputting values necessary for control of the electronic control unit;
With
The microcomputer
A first level control processing unit that calculates and outputs the control signal for normal control using the target value of the target value output unit and the output of one or more of the plurality of sensors;
An allowable value calculation unit that calculates an allowable value of the output of the drive unit from a target value of the target value output unit, and an estimated value of the output of the drive unit using at least two sensor values of the plurality of sensors And a comparison processing unit that compares the estimated value with the estimated value and outputs a cutoff signal to the drive unit when the estimated value is out of the range of the permitted value. A level control processing unit;
Including
When the first sensor value of the plurality of sensors used in the estimated value calculation unit becomes abnormal due to a failure, the second sensor value used in the estimated value calculation unit is set for the same factor as the failure. An electronic control device comprising an independence assurance unit that obtains the first sensor value and the second sensor value that do not become abnormal. The independence assurance unit
When the failure occurs, after the abnormality occurs in the first sensor value, the same as the failure for at least one control cycle of the first level control processing unit or the second level control processing unit The electronic control device according to claim 1, wherein an abnormality is not caused in the second sensor value due to a factor. The independence assurance unit
The first sensor value is a value detected inside the electronic control device,
The electronic control device according to claim 1, wherein the second sensor value is a value transmitted from a first external electronic control device capable of communicating with the electronic control device. The electronic control device is communicably connected to a second external electronic control device capable of transmitting the second sensor value,
The independence assurance unit
The said 2nd external electronic control apparatus is requested | required for the said 2nd sensor value, if the said 1st external electronic control apparatus is out of order when the said estimated value remove | deviates from the range of the said allowable value. Electronic control unit.   The electronic control device includes a control cycle changing unit that changes a control cycle of the second level control processing unit, and before requesting the second sensor value from the second external electronic control device, the second level control. The electronic control device according to claim 4, wherein the control cycle of the processing unit is changed to a control cycle longer than that before the request.   6. When the second sensor value is transmitted from the second external electronic control unit, the control cycle changing unit returns the changed control cycle of the second level control processing unit to the control cycle before the change. The electronic control apparatus as described in.   2. The electronic control according to claim 1, wherein the independence assurance unit uses different power sources for a first sensor that outputs the first sensor value and a second sensor that outputs the second sensor value. apparatus. A microcomputer for controlling the drive unit by a control signal, a monitoring IC for monitoring the operation of the microcomputer and transmitting a cutoff signal to the drive unit when there is an abnormality in the microcomputer, and a target control amount of the drive unit A control method for an electronic control device mounted on a vehicle, comprising: a target value output unit that outputs a target value indicating a plurality of sensors that detect and output a value necessary for control;
A first control process for calculating and outputting the control signal for normal control using the target value of the target value output unit and the output of one or more of the plurality of sensors;
An allowable value calculation that calculates an allowable value of the output of the drive unit from a target value of the target value output unit, and an estimated value of the output of the drive unit is calculated using at least two sensor values of the plurality of sensors. A second control process comprising: an estimated value calculation; and a comparison process that compares the allowable value with the estimated value and outputs a cutoff signal to the drive unit when the estimated value is out of the allowable value range; ,
Including
When the first sensor value of the plurality of sensors used in the estimation value calculation becomes abnormal due to a failure, the second sensor value used in the estimation value calculation is within the set time due to the same factor as the failure. A control method for an electronic control device, wherein the first sensor value and the second sensor value are obtained so as not to become abnormal.

Images