JP6268071B2 - Electronic control unit - Google Patents

Description

  The present invention relates to an electronic control device that controls various objects to be controlled, and in particular, an electronic control device including a multi-core processor having two or more processor cores, and each processor core can execute an independent control function. It is about.

  There is known a multi-core processor in which a plurality of processor cores are mounted in one microcomputer and each processor core can perform processing independently and in parallel. Since a multi-core processor can perform parallel processing, for example, in the field of in-vehicle control devices, it is expected to use a plurality of control devices having different control functions in an integrated manner. In addition, the multi-core processor has an advantage that other processor cores can perform alternative processing when a failure occurs in any of the processor cores depending on usage.

  For example, in Japanese Patent Application Laid-Open No. 2012-226409 (Patent Document 1), in an electronic control device having a plurality of processor cores, the processor cores are divided into an operating processor core group and a spare processor core group, and the operating processor core fails. In such a case, it has been proposed to perform alternative arithmetic processing with a spare processor core. It is proposed to change the designation of the spare processor core every time a predetermined switching timing arrives. According to this, when the predetermined switching timing arrives, the designation of the spare processor core is changed, so that the reliability that the processor core waiting as the spare processor core can operate normally becomes high. When performing an alternative operation process for a processor core in which an error occurred, the possibility that the corresponding operation process has been performed in the past is also high, and the reliability of the alternative operation process that is performed when an abnormality occurs in one of the processor cores It can be improved.

JP 2012-226409 A

  By the way, in the field of in-vehicle control devices, the arithmetic processing to be executed by the processor core is increasing and tends to approach the limit of the processing capability of the processor core. Therefore, it is expected that the arithmetic processing is shared and executed and each processor core executes the arithmetic processing with a margin. Here, the arithmetic processing means processing for calculating an output value (hereinafter referred to as an output value), processing for setting an output value, and other necessary processing, and is executed by a processor core. Various processes are collectively referred to as arithmetic processing.

  For example, when two processor cores are used, one processor core performs an arithmetic process of calculating an output value to be controlled, and the other processor core performs an arithmetic process of setting the calculated output value to an output port. The division of functions to be performed is performed. The calculation processing of the processor core that calculates the output value is executed at the timing of the first predetermined time period (hereinafter referred to as processing timing), and the calculation processing of the processor core that sets the output value in the output port It is executed at the timing of the second predetermined time period shifted from the first predetermined time period of the processor core to be calculated (hereinafter referred to as processing timing).

  By the way, in the above-described multi-core processor, when a processor core that sets an output value at an output port fails, the setting process of the output value that was processed by the failed processor core is switched to the other processor core and replaced. It has become. In this case, it is conceivable that the processing timing of the output value setting process performed by the failed processor core is switched to the processing timing of performing the arithmetic processing of the output value of the other processor core. When the processing timing of the set processing changes, for example, the output signal may be interrupted, and the control target operation may become illegal. In the above-described example, the case where the processor core that sets the output value to the output port has failed has been described. However, when the processor core that calculates the output value fails, the processing timing of the switched processor core similarly changes. It is possible. As described above, if the processing timing of the alternative calculation processing by the switched processor core is shifted, there is a fear that normal alternative calculation processing cannot be performed.

  An object of the present invention is to perform arithmetic processing of a processor core that has failed by a normal processor core at the same processing timing as the processing timing of arithmetic processing by the failed processor core when the failed processor core is switched to a normal processor core. An object of the present invention is to provide an electronic control device that can be executed.

  The feature of the present invention is that, when the arithmetic processing of a failed processor core (hereinafter referred to as “failed processor core”) is executed instead of a normal processor core (hereinafter referred to as “normal processor core”), the normal processor detects the failure detected by the failure. Determine the elapsed time between the timing and the processing timing of the failed processor core operation processing before the failure detection timing, determine the difference time obtained by subtracting the elapsed time from the execution cycle time of the failed processor core operation processing, The new timing obtained by adding the difference time from the detection timing is used as an alternative processing timing for the arithmetic processing of the failed processor core.

  According to the present invention, the normal processor core can execute the arithmetic processing of the failed processor core at the same processing timing as that of the arithmetic processing executed by the processor core before the failure. It can be carried out.

It is a block diagram which shows the structure of the electronic controller which becomes one Example of this invention. It is a timing chart for demonstrating the switching state at the time of failure of a processor core. It is a flowchart figure which shows the control flow performed by the 1st processor core. It is a flowchart figure which shows the control flow performed by the 2nd processor core. It is a flowchart figure which shows the compare match interruption process of a 1st processor core.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. However, the present invention is not limited to the following embodiments, and various modifications and application examples are included in the technical concept of the present invention. Is also included in the range.

  FIG. 1 shows an internal configuration of an electronic control device (hereinafter referred to as a microcomputer) in a representative embodiment of the present invention. In this embodiment, one processor core has a function of performing an operation of calculating an output value to be controlled, and the other processor core has a function of performing an operation of setting the calculated output value to an output port. .

  The microcomputer 1 uses a first processor core 2 (denoted as CPU-A in the drawing) and a second processor core 3 (denoted as CPU-B in the drawing) that perform operations and output processing by accessing peripheral modules and peripherals. It has a RAM 4 for temporarily storing information and calculation results, a free-run timer 8 as a peripheral module for measuring time, and an output port 9 as a peripheral module for performing output value setting processing. The function of the first processor core 2 has an arithmetic processing function for calculating the output value to be controlled, and the function of the second processor core 3 has a set processing function for setting the calculated output value to the output port 9. doing. These processor cores 2 and 3 are processed in parallel and finally output an output signal 10 from the output port 9. This output signal controls the actuator to be controlled.

  Several storage areas are allocated to the RAM 4. RAM-A5 is an area for temporarily storing the output value calculated by the first processor core 2, RAM-B6 is an area for storing the processing timing of the second processor core 2, and RAM-C7 is the second area. This is an area for storing the calculation cycle of the processor core 2. Information on these RAM areas is accessed from the first processor core 2 and the second processor core 3 and used for necessary calculations in the respective processor cores 2 and 3.

  Then, the first processor core 2 calculates the output value, and stores the output value as the calculation result in the RAM-A 5 at a predetermined processing timing. The second processor core 3 reads the output value stored in the RAM-A 5 at a predetermined processing timing and sets it in the output port 9 of the peripheral module. As a result, the output value calculated by the first processor core 2 can be output as the output signal 10 to drive an actuator (not shown). Here, the output port 9 that outputs the output signal 10 and the free-run timer 8 that has a function of measuring time can be accessed from both the first processor core 2 and the second processor core 3. Yes.

  In this embodiment, when any one of the processor cores 2 and 3 detects a failure, the normal processor core core can perform the substitute operation processing. In this embodiment, when the first processor core 2 is executing the abnormality diagnosis process for the second processor core 3 and the second processor core 3 performing the set process for setting the output value to the output port 9 fails, The processor core 2 performs this set process instead. The time chart shown in FIG. 2 is a time chart for explaining the concept when the set processing is switched to the first processor core 2 when the second processor core 3 has failed.

  The first processor core 2 and the second processor core 3 perform arithmetic processing in parallel at a predetermined processing timing. In this embodiment, the first processor core 2 performs an output value calculation process at time A at its own first processing timing 101 (10 mS in this embodiment), and stores the calculated output value in the RAM-A5. . The second processor core 3 reads out the output value stored in the RAM-A 5 at the second processing timing 102 (10 mS in this embodiment) at every time B and sets it in the output port 9. Therefore, when both the processor cores 2 and 3 are normal, an output signal is given to the actuator after the output value is set in the output port 9 via the RAM-A 5.

  When the second processor core 3 is normal, the output signal 103 output from the output port 9 is generated by the set processing from the second processor core 3 every time time B of the second processing timing 102 arrives. . Here, the output signal 10 output from the output port 9 is a drive signal for the step motor, and outputs a pulsed output signal 10. Further, every time time A of the first processing timing 101 of the first processor core 2 arrives, the first processor core 2 performs a diagnosis of the second processor core 3, and if a failure is detected, the second processor core 2 is the failed processor core. The output value setting process executed by the processor core 3 is switched to the first processor core 2 to execute the setting process. As shown in FIG. 2, when the second processor core 3 is normal, the normal output signal 103 is output on and off from the output port 9 in synchronization with the time B generated at the second processing timing 102. . This on-off output signal is used as a signal for rotating the pulse motor.

  If a failure occurs in the second processor core 3 at a certain time, when the first processor core 2 detects this failure at the time Ae of the first processing timing 101 thereof, the first processor core 2 3 is transferred to the first processor core 2. However, there is a possibility that the set process is executed at the time Ae of the first process timing 101 where the calculation process of the output value of the first processor core 2 is performed for some reason. Therefore, the set processing by the first processor core 2 is executed starting from this time Ae, and the processing timing of the set processing is shifted from the regular second processing timing 102 of the second processor core 3. In the present embodiment, since the first processing timing and the second processing timing are both 10 mS, the timing is the same after time Ae. If the period of the first process timing is different from the period of the second process timing, the set process is executed for each period of the second process timing starting from the time Ae.

  Thus, when a failure occurs in the second processor core 3, in this embodiment, the set processing is executed at the first processing timing 101 of the first processor core 2, and the signal change of the output port 10 at the normal time is There is a possibility that the signal change after the failure will have different timing. In the example of FIG. 2, the output signal is a time between “time Tf−time Te”, and the pulse width is shortened. Therefore, in a signal that controls the pulse width, such as a step motor drive signal, a step-out occurs when the pulse width is shortened, causing a problem that the actual position of the step motor is different from the control recognition position. Furthermore, since the timing of the subsequent set processing also deviates from the timing of the regular set processing, there is a problem that adversely affects the control accuracy.

  Therefore, in this embodiment, using the free-run timer 8, the time A (the time when the failure is detected) at the first processing timing 101 of the first processor core 2 and the time B at the second processing timing 102 of the second processor core 3 are used. And the difference time obtained by subtracting the elapsed time from the time of the execution cycle of the arithmetic processing of the second processor core 3 is obtained, and the time Ae (the processing timing 101 of the first processor core 2 in the first processor 2 is obtained. The new timing obtained by adding the difference time starting from the time when the failure is detected is set as the processing timing for executing the arithmetic processing of the failed processor core. Here, in this embodiment, the abnormality is determined by the program activated at the first processing timing 101 of the first processor core 2, so this time A becomes the failure detection timing.

  Specifically, the second processor core 3 acquires the time value of the time information 105 of the free-run timer 8 for each time B of its second processing timing 102, stores it in the RAM-B6, and performs the previous processing. The time value of the time information 105 of the free-run timer 8 acquired at the timing is acquired from the RAM-B6, and the time difference is calculated and stored in the RAM-C7. This time difference becomes the cycle of the second processing timing 102 of the second processor core 3. Therefore, “time value Tb−time value Ta”, “time value Tc−time value Tb”, “time value Td−time value Tc”, “time value Te−” for each time B adjacent to the second processing timing 102. The period of time is obtained by calculating the time value Td.

  Next, a case where the first processor core 2 detects a failure of the second processor core 3 will be described. As described above, since the abnormality is determined by the program activated by the first processing timing 101 of the first processor core 2, the time Ae becomes the failure detection timing. Before the failure detection timing, the “time value Te” of the time information 105 of the free-run timer 8 is stored in the RAM-B 6. The RAM-C 7 stores a period of “time value Te−time value Td” from the time information 105 of the free-run timer 8.

  When the failure of the second processor core 3 is detected, the first processor core 2 acquires the “time value Tf” from the time information 105 of the free-run timer 8 at that time. Therefore, the second processor core 3 executes the set process next from the “time value Te” stored in the RAM-B 6 and the period “time value Te-time value Td” stored in the RAM-C 7. The second process timing 102 can be newly calculated, and based on this, the first processor core 2 performs a substitute process for the set process.

  Specifically, by using the “difference time Tn” obtained by “(time value Te−time value Td) − (time value Tf−time value Te)”, a new set process executed by the second processor core 3 is performed. Processing timing can be obtained. Here, “time value Tf−time value Te” is the time of the first processor core 2 that is the failure detection timing from the time B (time B before failure detection) of the second processing timing 102 of the second processor core 3. The elapsed time until time Ae of one processing timing 101 is shown. Therefore, the above-described calculation determines the remaining time until the set processing timing after the failure detection timing. Therefore, as shown in the output port signal 104 after countermeasures shown in FIG. 2, a new time Bn0 obtained by adding the “difference time Tn” to the time Ae that is the failure detection timing is replaced by the first processor core 2 This is the processing timing of the processing. As described above, since the set process executed by the second processor core 3 is replaced by the first processor core 2, the interrupt is performed after the “difference time Tn” has elapsed from the failure detection time Ae of the first processor core 3. An interrupt setting process is performed for the free-run timer 8 so that the error occurs.

  In the interrupt process executed for the first processor core 2 at the new time Bn0 when the “difference time Tn” has elapsed, the set process that was executed by the second processor core 3 before the failure detection is executed in place of the interrupt process. . After the time Bn0 when the “difference time Tn” has elapsed, the cycle “time value Te−time value” of the free-run timer 8 stored in the RAM-C7, as shown in the output port signal 104 after the countermeasure shown in FIG. Every time “Td”, the first processor core 2 substitutes the output value setting process by causing the first processor core 2 to continuously perform interrupt processing such as time Bn1, time Bn2, and time Bn3. Can be made. In this embodiment, the time B of the second processing timing 102 is generated by adding the “difference time Tn” to the time value of the free-run timer 8 for each time A of the first processing timing 101.

  By such a method, even if the second processor core 3 fails, the output signal to the actuator can be continuously output without being interrupted at a regular timing. As described above, the second processor core 3 controls the on / off of the output signal 10 before the time Ae, but after the time Ae, the first processor core 2 turns on / off the output signal 10. To control.

  Next, a specific control flow of the present embodiment will be described in detail based on the control flowcharts of FIGS. 3, 4, and 5. These control flowcharts show the contents of realizing the above-described operations as control functions.

  FIG. 3 shows the arithmetic processing executed by the first processor core 2, showing the arithmetic processing of the output value, the failure determination of the second processor core 3, and the arithmetic processing at normal time and abnormal time based on the failure determination result Yes. FIG. 4 shows arithmetic processing executed by the second processor core 3, and shows arithmetic processing executed when the second processor core 3 is normal. Further, FIG. 5 shows arithmetic processing performed by the first processor core 2 when the second processor core 3 is abnormal, and is executed when the abnormality of the second processor core 3 is detected by the first processor core 2 shown in FIG. Shows the interrupt processing to be performed. Hereinafter, each control flowchart will be described in detail.

  In the present embodiment, the flowchart of FIG. 3 is executed by the first processor core 2 at a cycle of 10 ms. First, an output value calculation process is performed in step S201 to determine an output value, and the output value is stored in the RAM-A5 in step S202. Next, in step S203, diagnostic processing of the second processor core 3 is performed to determine whether the second processor core 3 has failed, and in accordance with the result, normality in the case where the second processor core 3 is normal in step S204. Processing branches to time processing and failure time processing when the second processor core 3 is abnormal.

  If the second processor core 3 is normal, in step S209, the compare match interrupt by the first processor core 2 is prohibited and settings are made so as not to generate unnecessary interrupt processing, and the process ends. That is, the first processor core 2 is set to a state in which the second processor core 3 is not set. If it is determined in step S204 that the second processor core 3 has failed, it is determined in step S205 whether the failure determination is the first time or two or more times. Sets the compare match interrupt so that an interrupt is generated at the processing timing of the set processing by the second processor core. In the case of the first time, the process proceeds to step S206 in order to execute the process for obtaining the process timing Bn0 shown in FIG.

  In step S206, a “difference time Tn” between the first processing timing 101 of the first processor core 2 and the second processing timing 102 of the second processor core 3 is obtained. For this reason, using the time information 105 of the free-run timer 8, an operation of “difference time Tn = (time value Te−time value Td) − (time value Tf−time value Te)” is executed.

  Next, time information for interrupt is set in the general register of the free-run timer 8 in order to generate a compare match interrupt after the “difference time Tn” has elapsed in step S207. The time value obtained by adding the “difference time Tn” to the “time value Tf” of the free-run timer 8 at the time Ae of the processing timing at which the failure is detected is set in the general register, and then the time information of the free-run timer 8 is general If it matches the time information set in the register, a compare match interrupt is permitted in step S208. As a result, it is possible to generate an interrupt process at the second timing originally output from the second processor core 3 and execute the output value setting process.

  Next, calculation processing performed when the second processor core 3 is normal will be described based on the flowchart of FIG. The second processor core 3 is executed at the second processing timing with a cycle of 10 ms. In this control flowchart, step S210 is a process of outputting the output value stored in the RAM-A5 to the output port 9. Step S211 and the subsequent steps are processing steps for preparing information for executing an alternative process when the second processor core 3 fails and cannot operate.

  In step S211, in order to store the second processing timing 102 of the second processor core 3, “time values Ta, Tb, Tc, Td, Te,...” Of the free-run timer 8 are read and stored in the RAM-B6. To do. In step S212, the period of the second processing timing 102 of the second processor core 3 is calculated from the difference between the previous time value stored in the RAM-B6 and the current time value stored in step S211, and stored in the RAM-C7. To do. These pieces of time information are referred to in processing when the second processor core 3 shown in FIG. 3 fails and are used for calculation.

  Next, interrupt processing of the first processor core 2 that is executed when an abnormality of the second processor core 3 is detected will be described based on the control flowchart of FIG. This interrupt process is an interrupt process for replacing the output value setting process in the first processor core 2 when the second processor core 3 fails.

  This control flowchart is started by generating an interrupt at the processing timing set in step S207 shown in FIG. In step S220, the first processor core 2 substitutes the processing for setting the output value to the output port 9 that the second processor core 3 executed in step S210 shown in FIG. Next, in step S221, a new processing timing is set in the general register in order to continuously perform subsequent interrupt processing. In this case, a time value obtained by adding “difference time Tn” to the time value of the free-run timer 8 for each time A may be set in the general register. Therefore, if it is determined in step S205 of FIG. 3 that the second or later failure determination has been made, this control flow is executed.

  In this embodiment, the processing timing cycle of the first processor core 2 and the second processor core 3 is described as 10 ms, but the processing timing cycle of the first processor core 2 and the second processor core 3 is changed. However, since the timing at which the arithmetic processing is executed is measured and the processing timing after the failure detection is determined, the present invention can be applied to arithmetic processing at any processing timing cycle.

  As described above, in the present invention, when the arithmetic processing of a failed processor core (failed processor core) is executed by replacing with a normal processor core (normal processor core), the normal processor has a failure detection timing at which a failure is detected. , The elapsed time between the failure processor core operation processing timing before the failure detection timing is obtained, the difference time obtained by subtracting the elapsed time from the time of the execution cycle of the failure processor core operation processing is obtained, and the failure detection timing As a starting point, a new timing obtained by adding the difference time is used as an alternative processing timing of the arithmetic processing of the failed processor core.

  According to this, it is possible to execute the arithmetic processing of the processor core that has failed by the normal processor core at the same processing timing as the processing timing of the arithmetic processing by the processor core before the failure, and to perform normal substitute arithmetic processing Can do.

  DESCRIPTION OF SYMBOLS 1 ... Microcomputer, 2 ... 1st processor core, 3 ... 2nd processor core, 4 ... RAM, 5 ... RAM-A, 6 ... RAM-B, 7 ... RAM-C, 8 ... Free-run timer which is peripheral module , 9... Output ports that are peripheral modules, 10... Output signal.

Claims (5)

A multi-core processor having a first processor core that executes arithmetic processing at a first processing timing and a second processor core that executes arithmetic processing at a second processing timing, and each processor core can execute an independent control function In the electronic control device provided,
When replacing the failed processor core (hereinafter referred to as the second processor core ) with a normal processor core (hereinafter referred to as the first processor core ),
The first processor core detects a failure of the second processor core at the first processing timing, a failure detection timing at which the failure is detected, and the second processing of the second processor core before the failure detection timing The difference time obtained by subtracting the elapsed time from the period of the second processing timing of the second processor core is obtained, and the difference time is added starting from the failure detection timing. The new alternative timing is set as the first alternative processing timing of the second processor core, and the new timing obtained by adding the period of the second processing timing starting from the initial alternative processing timing is continued to the initial alternative processing timing. An electronic control device characterized in that it is a continuous substitution processing timing . The electronic control device according to claim 1.
The first processor core includes a failure detection function for obtaining the failure detection timing of the second processor core, and between the failure detection timing and the second processing timing of the second processor core before the failure detection timing. An elapsed time calculating function for determining the elapsed time, a difference time calculating function for determining the difference time obtained by subtracting the elapsed time from a period of the second processing timing of the second processor core, and the failure detection timing. A new timing obtained by adding the difference time from the starting point is used as the first alternative processing timing of the second processor core, and a new timing obtained by adding the period of the second processing timing starting from the first alternative processing timing. The timing is set as the continuous alternative processing timing following the initial alternative processing timing. Electronic control apparatus characterized by and a substitute processing timing calculation function. An electronic control device comprising a first processor core having an output value calculation function for calculating an output value at a first processing timing, and a second processor core having a set processing function for setting an output value to an output port at a second processing timing In
The first processor core includes a failure detection function for determining a failure detection timing of the second processor core, and the failure detection timing and the second processing timing of the second processor core before the failure detection timing. Starting from the elapsed time calculation function for determining the elapsed time, the difference time calculation function for determining the difference time obtained by subtracting the elapsed time from the period of the second processing timing of the second processor core, and the failure detection timing The new timing obtained by adding the difference time is set as the first alternative processing timing of the second processor core, and the new timing obtained by adding the period of the second processing timing from the initial alternative processing timing is used as the initial timing. alternate processing timing to continue alternative processing timing subsequent to the alternative processing timing Electronic control apparatus characterized by and a grayed calculation function. The electronic control device according to claim 3.
The second processor core stores the time information of the second processing provided separately from the timer from the first processor core and the second processor core each time the running timing, the second from the time information Calculate and store the execution cycle time of the processing timing,
The elapsed time calculation function of the first processor core obtains time information of the timer at this time when a failure of the second processor core is detected at the first processing timing, and the time information at the time of failure detection and the second Obtaining the elapsed time from the time information of the second processing timing before the failure detection stored in the processor core;
Wherein the differential time calculation function of the first processor core subtracts the elapsed time from the time period of the second the second processing timing stored in the processor core,
Wherein the substitute processing timing operation functions of the first processor core, the new timing obtained by adding the difference time on the time information of the timer of the time of the failure has been detected the first processing timing of the second processor core A first alternative process timing is set, and a new timing obtained by adding a period of the second process timing starting from the first alternative process timing is set as a continuous alternative process timing subsequent to the first alternative process timing. An electronic control device. The electronic control device according to claim 4.
The timer is a free run timer, sets time information obtained by adding the difference time to the time information of the free run timer when a failure is detected, and sets the time information set in the free run timer. When the value of the free-run timer reaches the first processor core, the first processor core is interrupted, and the first processor core sets the output value to the output port in response to the interrupt.

Images