JP6620688B2 - Electronic control unit - Google Patents

Description

  The present invention relates to an electronic control device that controls the operation of an actuator mounted on a vehicle.

  A device for controlling the operation of an actuator mounted on a vehicle (hereinafter referred to as an electronic control device) is a microcomputer (hereinafter referred to as a control microcomputer) that executes various arithmetic processes based on data input from an in-vehicle sensor. It is configured as a subject. In this type of electronic control device, the control microcomputer is equipped with a function that executes arithmetic processing for controlling the operation of the actuator (hereinafter referred to as control arithmetic unit), and whether or not the control arithmetic unit is operating normally. It is common to have a function for monitoring (hereinafter referred to as a self-diagnosis function).

  In recent years, the standard safety design philosophy of an electronic control device is generally a configuration in which a module (hereinafter referred to as an external monitoring device) that detects an abnormal operation of the control microcomputer itself is provided outside the control microcomputer. is there. For convenience, when the external monitoring device and the self-diagnosis function of the control microcomputer are not distinguished, they are described as an abnormality detection unit.

  When detecting the abnormal operation of the monitoring target, these abnormality detection units output a signal for shutting down the output of the drive signal to the control target (hereinafter referred to as a shut-off signal) to the drive circuit, and the control signal to the actuator Cut off the output. The drive signal here is a signal that causes the actuator to be controlled to output a desired torque. The drive circuit is a circuit that generates a drive signal according to the calculation result of the control calculation unit. The calculation result of the control calculation unit is input to the drive circuit as a control signal.

  By cutting off the output of the drive signal to the actuator to be controlled (in other words, energization), the vehicle state shifts to a predetermined safe state. For example, when the control target of the electronic control device is a motor that adjusts the opening degree of the throttle valve (hereinafter, throttle motor), the cutoff signal acts to cut off the energization of the throttle motor. As a result, the throttle valve has a predetermined intermediate opening, and as a result, the vehicle shifts to the retreat travel mode in which the torque output is limited. Hereinafter, for convenience, the function of the electronic control device that cuts off the energization of the actuator accompanying the detection of an abnormality will be referred to as an output cutoff function.

  By the way, there is a concern that the output cutoff function does not operate normally when a failure occurs somewhere along the path through which the cutoff signal flows (hereinafter, cut path). For this reason, in the International Organization for Standardization (ISO) 262626, which is a safety regulation regarding electric / electronics of automobiles, whether or not the cut path is in a normal state at least once in one driving cycle (in other words, It is obliged to diagnose whether it is effective.

  As a method of diagnosing whether or not the cut path is in a normal state (in other words, whether or not it is effective), for example, there is a method disclosed in Patent Document 1. In the method disclosed in Patent Document 1, the abnormality detection unit outputs a cutoff signal in a state where the control calculation unit inputs a control signal for driving the actuator to the drive circuit. Then, the state of the controlled object at the time when a predetermined first time has elapsed since the start of the output of the cutoff signal is compared with the state of the controlled object at the time when a predetermined second time has passed from that time. If the states do not match, it is determined that a defect has occurred in the cut path.

JP 2009-13823 A

  In the method disclosed in Patent Document 1, only the time obtained by adding the first time and the second time is required for diagnosing the effectiveness of one cut path. Usually, a cut path is provided for each abnormality detection unit. In view of such circumstances, the total time (hereinafter referred to as total diagnosis time) required for diagnosis of the output cutoff function provided in the electronic control device becomes longer in proportion to the number of abnormality detection units provided in the electronic control device. Is concerned.

  The present invention has been made based on this situation, and an object of the present invention is to provide an electronic control device capable of suppressing an increase in total diagnosis time due to an increase in abnormality detection units. It is in.

  In order to achieve the object, the present invention calculates a control amount of a predetermined actuator based on data input from a plurality of sensors mounted on a vehicle, and outputs a control signal corresponding to the control amount. An electronic control device comprising: a device (20); and a drive circuit (50) that generates a drive signal in accordance with a control signal output from the arithmetic device and outputs the drive signal to an actuator. Including at least three cutoff signal output units (F2, 30, 53) that output a cutoff signal for shutting down when an abnormal operation of a predetermined monitoring target is detected, and the cutoff signal output unit functions as a cutoff signal Output a signal corresponding to either a cut level to be cut or a non-cut level that does not function as a cut-off signal, and the drive circuit outputs the output signals of a plurality of cut-off signal output units. A logical sum output unit configured to stop the output of the drive signal when the logical sum is at the cut level, and outputs a signal level corresponding to the logical sum of the output signals of the plurality of cutoff signal output units ( 54), a cut path diagnosis unit (F31) for diagnosing a plurality of cut paths that are paths through which the cutoff signal flows based on the correspondence relationship between the output patterns and logical sums of the plurality of cutoff signal output units, and a plurality of cutoffs In a state where at least one output level of the signal output unit is set to the cut level, the output of the drive circuit is set to the logic of the cutoff signal by causing the drive circuit to output a control signal corresponding to a predetermined control amount for a certain period of time. A blocking function diagnosis unit (F32) for diagnosing whether or not blocking is performed based on the sum.

  In the above configuration, the cut path diagnosis unit determines whether each of the plurality of cut paths is normal based on the correspondence between the output pattern of the plurality of cutoff signal output units and the logical sum of the output signals of the respective cutoff signal output units. Diagnose. The drive circuit is configured to stop the output of the drive signal when the logical sum of the output signals of the plurality of cutoff signal output units is at a cut level. Therefore, when at least one output level of the plurality of cutoff signal output units is set to the cut level, the logical sum becomes the cut level and the output of the drive signal should be cut off.

  Therefore, in a state where at least one output level of the plurality of cutoff signal output units is set to the cut level, the output of the drive circuit is blocked based on the logical sum of the cutoff signals by causing the arithmetic device to output the control signal. Whether or not can be diagnosed.

  According to such a configuration, the number of times that the control signal is output from the arithmetic device to the drive circuit for a certain period of time for diagnosis of the output cutoff function may be one. That is, even when there are a plurality of shut-off signal output units, there is no need to carry out the process of continuously outputting the control signal for a certain period of time. In addition, since the interruption | blocking signal output part is an element which outputs a interruption | blocking signal when the abnormality of a predetermined monitoring object is detected, the above-mentioned interruption | blocking signal output part is equivalent to an abnormality detection part.

  Therefore, according to the above configuration, it is possible to suppress an increase in the total diagnosis time due to an increase in the abnormality detection unit included in the electronic control device.

  In addition, the code | symbol in the parenthesis described in the claim shows the correspondence with the specific means as described in embodiment mentioned later as one aspect, Comprising: The technical scope of this invention is limited is not.

1 is a block diagram showing a schematic configuration of an electronic control device 1. FIG. It is the functional block diagram which showed the function with which the microcomputer 20 is provided. It is a figure showing the contents of correspondence data. 2 is a state transition diagram of the electronic control device 1. FIG. It is a flowchart for demonstrating a diagnostic process at the time of IG ON. FIG. 6 is a diagram showing a continuation of the flowchart shown in FIG. 5. It is a flowchart for demonstrating a diagnostic process at the time of IG OFF. FIG. 8 is a diagram showing a continuation of the flowchart shown in FIG. 7. It is a figure showing the output pattern when the malfunction has arisen in the 1st cut path, and the output level of the OR output part. It is a figure showing the output pattern and the output level of the OR output part 54 when the malfunction has arisen in the 2nd cut path. It is a figure showing the output pattern when the malfunction has occurred in the 3rd cut path, and the output level of the OR output part. It is a figure for demonstrating the flow of a series of processes by the cut path diagnostic part F31. 5 is a diagram illustrating an example of an implementation mode of a logical sum output unit 54.

  Hereinafter, an electronic control device 1 to which the present invention is applied will be described with reference to the drawings. The electronic control device 1 is mounted on a vehicle, and is connected to each of an in-vehicle power source 2, an accelerator sensor 3, a throttle sensor 4, and a throttle actuator 6, as shown in FIG.

  In the present embodiment, as an example, the vehicle on which the electronic control device 1 is mounted (hereinafter referred to as a mounted vehicle) is a vehicle including an engine as a drive source, but is not limited thereto. The on-board vehicle may be a vehicle (so-called electric car) including only a motor as a drive source, or may be a vehicle (so-called hybrid car) including both an engine and a motor as drive sources.

  In addition, a signal indicating an on / off state of an ignition switch (hereinafter referred to as IGSW) (not shown) is input to the electronic control unit 1. Even after the IGSW is switched from on to off, the electronic control device 1 is configured to continue to receive power for operation from the in-vehicle power supply 2 until all the processes in the electronic control device 1 are completed. ing. The in-vehicle power source 2 is, for example, an in-vehicle battery. The in-vehicle power supply 2 supplies a predetermined power supply voltage Vb to the electronic control device 1. IGSW corresponds to the travel power switch described in the claims.

  The accelerator sensor 3 is a sensor that detects an operation position of an accelerator pedal by a driver as an accelerator operation amount. The throttle sensor 4 is a sensor that detects the position of the throttle valve 5 that adjusts the intake air amount into the engine (in other words, the rotation angle) as the throttle opening. The detection results of the accelerator sensor 3 and the throttle sensor 4 are sequentially provided to the electronic control device 1.

  The throttle actuator 6 is an actuator that adjusts the opening degree of the throttle valve 5. The output of the throttle actuator 6 is controlled by the electronic control unit 1. The throttle valve 5 is configured to have a preset intermediate opening when the drive of the throttle actuator 6 is stopped. The intermediate opening is, for example, an opening at which the engine can be operated at a predetermined output (for example, idling operation or retreat travel).

  The electronic control device 1 is a device that controls the throttle actuator 6 based on data input from the accelerator sensor 3 and the throttle sensor 4. As shown in FIG. 1, the electronic control device 1 includes a power circuit module 10, a microcomputer (hereinafter referred to as a microcomputer) 20, an external monitoring device 30, a relay MOS 40, and a drive unit 50. MOS in this specification refers to an N-channel MOSFET as a switching element. In this embodiment, an N-channel MOSFET is used as the switching element, but the present invention is not limited to this. As the switching element, other known elements (for example, IGBT) may be employed instead of the N-channel MOSFET.

  The power supply circuit module 10 is a circuit module for connecting the electronic control device 1 to the in-vehicle power source 2 and receiving power supply from the in-vehicle power source 2. For example, the power supply circuit module 10 adjusts and outputs the power supply voltage supplied from the in-vehicle power supply 2 to a predetermined voltage suitable for the operation of the microcomputer 20 or the like. The voltage adjusted by the power supply circuit module 10 is supplied to various members of the electronic control device 1 such as the microcomputer 20.

  The microcomputer 20 includes a CPU 21 as a central processing unit, a RAM 22 as a volatile memory, a ROM 23 as a nonvolatile storage medium, and the like. The ROM 23 stores various programs and parameters used for arithmetic processing. The RAM 22 and the ROM 23 provide an address space for the CPU 21 to execute various arithmetic processes. Hereinafter, when the RAM 22 and the ROM 23 are not distinguished from each other, they are simply referred to as a memory. In addition to the above-described members, the microcomputer 20 includes a bus that connects various members constituting the microcomputer 20, a bus controller, an interrupt controller, an input / output port, a clock oscillator, and the like.

  As shown in FIG. 2, the microcomputer 20 includes a control calculation unit F1, an internal monitoring unit F2, and a diagnostic processing unit F3 as functional blocks that are expressed when the CPU 21 executes a program stored in the ROM 23. . Further, the microcomputer 20 includes a correspondence storage unit M1 that stores correspondence data described later. The correspondence relationship storage unit M1 may be realized using a storage area provided in the ROM 23. The microcomputer 20 corresponds to the arithmetic device described in the claims.

  The control calculation unit F1 calculates a target opening (in other words, a target position) of the throttle valve 5 from the accelerator operation amount detected by the accelerator sensor 3. Then, the control amount of the throttle actuator 6 for setting the actual throttle opening detected by the throttle sensor 4 to the target opening is calculated, and a control signal corresponding to the control amount is output to the drive unit 50.

  The internal monitoring unit F2 determines (in other words, monitors) whether or not the control calculation unit F1 is operating normally. A well-known method can be used as a method for determining whether or not the control calculation unit F1 is operating normally.

  For example, the internal monitoring unit F2 calculates the allowable torque of the engine from the accelerator operation amount detected by the accelerator sensor 3, and the engine is currently generated from the throttle opening detected by the throttle sensor 4. An estimated torque that is an estimated value of the torque is calculated. Then, as a result of comparing the allowable torque and the estimated torque, when the estimated torque exceeds the allowable torque, it is determined that the control calculation unit F1 is operating abnormally. In addition, what is necessary is just to let the allowable torque be the maximum value of the output torque of the engine considered from the accelerator operation amount, for example.

  The internal monitoring unit F2 may determine that the control calculation unit F1 is not operating normally when the same calculation processing is performed on a plurality of cores and the calculation results do not match. . Further, when the control calculation unit F1 or the like is programmed to add ECC (Error Correcting Code) to the data stored in the memory, the internal monitoring unit F2 detects the data error by the ECC. Also good. Naturally, when a data error is detected, it is determined that the control calculation unit F1 is not operating normally. Note that determining that the control calculation unit F1 is not operating normally corresponds to detecting an abnormal operation of the control calculation unit F1.

  When it is determined that the control calculation unit F1 is not operating normally, the internal monitoring unit F2 outputs a cutoff signal to the cutoff signal line L1. The cutoff signal is a signal for invalidating the control signal by the control calculation unit F1.

  A low level signal, a high level signal, and a two level signal flow through the cutoff signal line L1, and here, as an example, a high level signal functions as a cutoff signal. Therefore, the internal monitoring unit F2 in the present embodiment operates abnormally while outputting a low level signal to the cutoff signal line L1 when it is determined that the control calculation unit F1 is operating normally. If it is determined that, a high level signal is output to the cutoff signal line L1. The high level corresponds to the cut level recited in the claims, and the low level corresponds to the non-cut level recited in the claims.

  Hereinafter, for the sake of convenience, the cutoff signal output by the internal monitoring unit F2 is also referred to as a first cutoff signal. The first cutoff signal is input to the logical sum output unit 54 included in the drive unit 50 via the cutoff signal line L1. Since the internal monitoring unit F2 plays a role as an output source of the cutoff signal, it corresponds to the cutoff signal output unit described in the claims.

  In the present embodiment, the internal monitoring unit F2 is realized by the CPU 21 executing a predetermined program, but is not limited thereto. The internal monitoring unit F2 may be realized as hardware. For example, the function of detecting memory abnormality using ECC or the like may be realized using a dedicated IC chip.

  The diagnosis processing unit F3 includes, as finer functional blocks, a cut path diagnosis unit F31 that performs cut path diagnosis processing, which will be described later, and a blocking function diagnosis unit F32 that executes blocking function diagnosis processing. The cut path diagnosis process includes an IG on-time diagnosis process performed in parallel with the startup process of the electronic control device 1 and an IG off-time process performed based on the IGSW being turned off. In other words, the diagnosis processing unit F3 in the present embodiment divides and executes a series of cut path diagnosis processes into two parts, a first half part that is executed when the IG is on and a second half part that is executed when the IG is off.

  The diagnosis processing unit F3 has a function of outputting a voltage error signal as a sub function for executing the cut path diagnosis processing. The voltage error signal is a signal that causes the voltage monitoring unit 53 described later to determine that the drive voltage Vdd is abnormal. The drive voltage is a voltage supplied to the drive circuit 52 and corresponds to the voltage on the source side of the relay MOS 40.

  In addition, the microcomputer 20 has a function of periodically outputting watchdog pulses to the external monitoring device 30.

  The external monitoring device 30 monitors whether the microcomputer 20 is operating normally. When an abnormality is detected, a cutoff signal is output to the cutoff signal line L2. The cutoff signal line L2 is configured such that low level, high level, and two level signals flow, and the high level signal functions as a cutoff signal.

  That is, when it is determined that the microcomputer 20 is operating normally, the external monitoring device 30 outputs a low level signal to the cutoff signal line L1, while determining that the microcomputer 20 is operating abnormally. If so, it outputs a high level signal that functions as a blocking signal. Similarly to the internal monitoring unit F2, the external monitoring device 30 also serves as an output source of the cutoff signal. That is, the external monitoring device 30 corresponds to the cutoff signal output unit described in the claims. Hereinafter, for the sake of convenience, the cutoff signal output by the external monitoring device 30 is also referred to as a second cutoff signal. The second cutoff signal is input to the logical sum output unit 54 included in the drive unit 50 via the cutoff signal line L2.

  Whether or not the microcomputer 20 is operating normally can be determined using a known method such as a watchdog timer method or a homework answering method. In the watchdog timer method, when the watchdog timer expires without being cleared by a watchdog pulse input from the microcomputer 20, it is determined that the microcomputer 20 is operating abnormally.

  In the homework answering method, the external monitoring device 30 sends a predetermined monitoring signal to the microcomputer 20 and the microcomputer 20 is normal depending on whether the answer returned from the microcomputer 20 is correct. This is a method for determining whether or not. In the homework answering method, the microcomputer 20 performs a predetermined calculation based on the monitoring signal input from the external monitoring device 30, and returns the calculation result to the external monitoring device 30. When the calculation result received from the microcomputer 20 is different from the normal value, or when the calculation result is not answered from the microcomputer 20 within a predetermined time limit, the external monitoring device 30 is not operating normally (that is, abnormal). It is operating).

  The determination result of the external monitoring device 30 that the microcomputer 20 is operating abnormally (hereinafter referred to as microcomputer abnormality determination) is configured so that it cannot be canceled unless the microcomputer 20 executes a predetermined abnormality determination cancellation process. Although the specific content of the abnormality determination cancellation process is a design matter, it is generally accompanied by a reset process of the microcomputer 20. For example, the microcomputer 20 can cancel the microcomputer abnormality determination by executing a reset process and outputting a predetermined release key code to the external monitoring device 30 after restarting.

  The relay MOS 40 is a MOS that functions as a relay that switches a power supply state (that is, energization / cutoff) from the in-vehicle power source 2 to the drive circuit 52. On / off of the relay MOS 40 is controlled by the microcomputer 20. When the relay MOS 40 is on, power is supplied from the in-vehicle power source 2 to the drive circuit 52, and when the relay MOS 40 is off, the relay MOS 40 is cut off.

  In general, the drive unit 50 is a unit that generates a current signal (hereinafter referred to as a drive signal) corresponding to a control signal input from the microcomputer 20 and outputs the current signal to the throttle actuator 6. In response to the drive signal output from the drive unit 50, the throttle actuator 6 outputs torque corresponding to the control signal output from the microcomputer 20, and guides the opening degree of the throttle valve 5 to the target opening degree. The drive unit 50 includes a signal distributor 51, a drive circuit 52, a voltage monitoring unit 53, and a logical sum output unit 54 as finer components.

  The signal distributor 51 is a member for outputting a signal input from the microcomputer 20 to a port corresponding to the type of the signal. The signal distributor 51 can be realized using, for example, a logic circuit element. When the voltage error signal is input from the microcomputer 20, the signal distributor 51 outputs the voltage error signal to the voltage monitoring unit 53. The control signal input from the microcomputer 20 is output to the drive circuit 52.

  The drive circuit 52 is a circuit for generating a drive signal according to the control signal, and is realized by using the first pre-driver 521, the second pre-driver 522, the first output MOS 523, and the second output MOS 524. Is done. Hereinafter, when the first pre-driver 521 and the second pre-driver 522 are not distinguished, they are referred to as pre-drivers. When the first output MOS 523 and the second output MOS 524 are not distinguished, they are described as output MOS.

  Various pre-drivers play a role of generating a current (that is, a driving current) for driving the subsequent output MOS. That is, the first pre-driver 521 is a driver for driving the first output MOS 523, and the second pre-driver 522 is a driver for driving the second output MOS 524. When the first pre-driver 521 is on, the first output MOS 523 is energized (that is, turned on). Further, when the second pre-driver 522 is on, the second output MOS 524 is on.

  A control signal from the microcomputer 20 is input to each of the first pre-driver 521 and the second pre-driver 522 via the signal distributor 51. Each of the first pre-driver 521 and the second pre-driver 522 operates based on the control signal. As a result, the first output MOS 523 and the second output MOS 524 are also switched between energization / cutoff states in accordance with the control signal, and a drive signal for realizing a desired opening degree is output to the throttle actuator 6.

  In addition to the control signal from the microcomputer 20, the output of the OR output unit 54 is input to each of the first pre-driver 521 and the second pre-driver 522. The operations of the first pre-driver 521 and the second pre-driver 522 are controlled according to the output signal of the logical sum output unit 54. Specifically, when a high level signal is input from the OR output unit 54, the first predriver 521 is turned off, and as a result, the first output MOS 523 is also turned off. It becomes a state. The same applies to the second pre-driver 522.

  Therefore, when the output of the logical sum output unit 54 is at a high level, the first output MOS 523 and the second output MOS 524 are turned off, and the drive signal output is cut off. Further, when the output of the logical sum output unit 54 is at a low level, the first output MOS 523 and the second output MOS 524 operate based on the control signal, and drive signals for realizing a desired opening degree. Is output to the throttle actuator 6.

  The voltage monitoring unit 53 determines whether or not the driving voltage is normal based on whether or not the driving voltage is within a preset normal range. Specifically, the voltage monitoring unit 53 determines that the driving voltage is normal when the driving voltage is within the normal range. On the other hand, when the driving voltage takes a value outside the normal range or when a voltage error signal is injected from the microcomputer 20, it is determined that the driving voltage is abnormal. The normal range may be set in advance as a range of values for determining that the drive voltage is normal. The voltage monitoring unit 53 detects a state where an overvoltage is applied to the drive circuit 52 as an abnormal state.

  When the voltage monitoring unit 53 determines that the driving voltage is abnormal, the voltage monitoring unit 53 outputs a cutoff signal to the cutoff signal line L3. The mode of the signal flowing through the cutoff signal line L3 is the same as that of the other cutoff signal lines L1 and L2. It is assumed that low level, high level, and two level signals flow through the cutoff signal line L3, and the high level signal functions as a cutoff signal. When the driving voltage is a value within the normal range, the voltage monitoring unit 53 outputs a low level signal to the cutoff signal line L3, while the driving voltage is a value outside the normal range. Outputs a high level signal as a cut-off signal.

  Thus, the voltage monitoring unit 53 also serves as an output source of the cutoff signal, like the internal monitoring unit F2 and the external monitoring device 30. That is, the voltage monitoring unit 53 corresponds to the cutoff signal output unit described in the claims. Hereinafter, for convenience, the cutoff signal output by the voltage monitoring unit 53 is also referred to as a third cutoff signal. The third cutoff signal is input to the logical sum output unit 54 via the cutoff signal line L3.

  The logical sum output unit 54 outputs a signal set to a high level when at least one of the cutoff signal lines L1 to L3 is set to a high level. When all of the cutoff signal lines L1 to L3 are set to the low level, a signal set to the low level is output. That is, the logical sum output unit 54 outputs a logical sum of signals flowing through the cutoff signal lines L1 to L3. The output level of the logical sum output unit 54 is provided to the diagnosis processing unit F3.

  FIG. 3 shows an output state (hereinafter referred to as an output pattern) for each interruption signal output source and an output level of the logical sum output unit 54 when all of the paths (hereinafter referred to as cut paths) through which various interruption signals flow are normal. The correspondence relationship is shown. The correspondence relationship data stored in the correspondence relationship storage unit M1 is data indicating the same contents as in FIG. That is, the correspondence relationship data corresponds to appropriate level data indicating an appropriate level that is a signal level to be output by the OR output unit 54 for each output pattern of a plurality of cutoff signal output sources. Accordingly, the correspondence relationship storage unit M1 corresponds to the appropriate level storage unit described in the claims.

  The cut path here includes not only the cutoff signal line through which the cutoff signal flows, but also the output port from which the cutoff signal is output, the input port of the logical sum output unit 54, and the like. For convenience, the path through which the first blocking signal flows is referred to as a first cut path, the path through which the second blocking signal flows is referred to as a second cut path, and the path through which the third blocking signal flows is referred to as a third cut path.

  When all of the first to third cut paths are normal, the output pattern of each cutoff signal output source and the input pattern of the OR output unit 54 match. Therefore, when the cut path corresponding to each of the first to third cutoff signals is normal, the output level of the OR output unit 54 is a level corresponding to the output pattern of each cutoff signal output source.

  However, when a certain interruption signal line is short-circuited with other signal lines such as a signal line providing a ground potential (hereinafter referred to as a ground potential line), the output level of the interruption signal output source and the logical sum output The input level to the unit 54 does not always match. Further, even when an input port, an output port, or both of which a certain cut path is in failure, the output level of the cutoff signal output source and the input level to the OR output unit 54 are different from each other. There is.

  If the output pattern of each cut-off signal output source and the output level of the logical sum output unit 54 are not predefined patterns, it indicates that a defect has occurred in any of the plurality of cut paths. The above-described diagnosis processing unit F3 is a functional block that diagnoses whether various cut paths provided in the electronic control device 1 are normal based on such a concept.

  The above-described OR output unit 54 may be realized by a well-known logic circuit. Further, as will be described later as Modification 2, it may be realized using a plurality of switching elements. Specifically, it can be realized as a wired OR circuit in which a plurality of MOSs are connected in parallel.

  The signal set to the high level output from the logical sum output unit 54 functions to block the output of the drive signal as described above. That is, the signal set to the high level output from the logical sum output unit 54 functions as a cutoff signal. Further, the case where the output level of the logical sum output unit 54 becomes a high level is a case where any one of a plurality of cutoff signal output sources outputs a cutoff signal. Hereinafter, a function in which the output of the drive signal is interrupted by any one of the plurality of interrupt signal output sources outputting the interrupt signal is referred to as an output interrupt function.

<About the states that the electronic control device 1 can take>
Next, various states that the electronic control apparatus 1 can take will be described with reference to FIG. As shown in FIG. 4, the electronic control device 1 generally takes six states: a stop state St1, a start state St2, a normal control state St3, an inspection execution state St4, a shutdown execution state St5, and a watchdog standby state St6.

  The stop state St1 is a state where the power supply is cut off and the operation is stopped. When the IGSW is turned on by the user (generally a driver) in the stop state St1, the ignition power supply is turned on and the state transitions to the start state St2.

  In the activation state St2, a preset activation sequence such as initialization of the microcomputer 20 and cancellation of output restriction of each unit is executed. In the initialization of the microcomputer 20, the RAM 22 and the ROM 23 are checked, a program loading process, and the like are executed. In addition, various cutoff signal output sources immediately after the IGSW is turned on are configured to output a signal set to a high level (that is, a cutoff signal) regardless of the actual monitoring target state. . The cancellation of the output restriction for each cutoff signal output source means that the forced high level output is canceled.

  Further, the relay MOS 40 is set to an off state immediately after the IGSW is turned on. The microcomputer 20 switches the relay MOS 40 from the off state to the on state after the initialization is completed. As a result, a driving voltage is applied to the driving circuit 52.

  When the various processes programmed as the activation sequence are completed, the electronic control unit 1 shifts to the normal control state St3. In parallel with the startup process described above, the diagnosis processing unit F3 executes the cut path diagnosis process when the IG is on.

  The normal control state St3 is a state in which calculation of the target control amount by the control calculation unit F1 is executed, or the cutoff signal output source outputs a cutoff signal according to a real-time state. In the normal control state St3, when the IGSW is turned off, the state transits to the inspection execution state St4.

  The inspection execution state St4 is a state in which an IG-off diagnostic process is being executed. When the process at the time of IG OFF is completed, the process proceeds to the shutdown execution state St5. In the shutdown execution state St5, a predetermined shutdown process is executed. In the shutdown processing, for example, abnormality information is stored in a backup RAM, a rewritable nonvolatile memory (specifically, a flash memory), or the like. When the shutdown process is completed, the process transits to the stop state St1. However, when the IGSW is turned on again during the shutdown process, the state transits to the watchdog standby state St6.

  The watchdog standby state St6 is a state where the microcomputer 20 stops outputting the watchdog pulse to the external monitoring device 30 and is waiting for the watchdog timer counted by the external monitoring device 30 to expire. . When the watchdog timer expires, the external monitoring device 30 resets the microcomputer 20 in hardware. As a result, the electronic control unit 1 transitions to the activation state St2. The reset means returning the microcomputer 20 to the initial state. The initial state refers to a state in which the program counter is at address 0 and the count values of various timers have returned to predetermined values.

<Diagnostic processing when IG is on>
Next, with reference to the flowcharts shown in FIGS. 5 and 6, the IG-on-time diagnosis process that is executed as part of the cut path diagnosis process by the diagnosis processing unit F3 will be described. The flowchart shown in FIG. 5 may be started when the IGSW is turned on and the state of the electronic control device 1 transitions from the stop state St1 to the start state St2. The execution subject of each step is the microcomputer 20 (particularly, the cut path diagnosis unit F31 of the diagnosis processing unit F3).

  At the start of this IG-on-time diagnostic process, the output level of each shut-off signal output source is at a high level based on the output restriction described above. Further, the relay MOS 40 is in an off state. That is, the output pattern of the cutoff signal output source at the time of starting the diagnostic process when the IG is on is the eighth output pattern (hereinafter, the eighth output pattern) in FIG.

  First, in step S101, referring to the output level of the logical sum output unit 54, the process proceeds to step S102. In step S102, it is determined whether or not the output level of the logical sum output unit 54 matches an output level corresponding to the current output pattern of each cutoff signal output source (in other words, an appropriate level). The appropriate output level of the logical sum output unit 54 here is an output level (that is, a high level) associated with the eighth output pattern in the correspondence data.

  Therefore, when the output level of the logical sum output unit 54 is high, it is determined that the output level of the logical sum output unit 54 is an appropriate level, and the process proceeds to step S103. On the other hand, when the output level of the logical sum output unit 54 is low, it is determined that the output level of the logical sum output unit 54 is inappropriate and the process proceeds to step S104. Step S102 and S107, S112, S117, S202, S207, S212, and S217, which will be described later, correspond to the correspondence determination processing described in the claims.

  In step S103, the eighth output pattern is stored in the memory as an output pattern (hereinafter referred to as a normal pattern) in which the OR output unit 54 outputs a signal having an output level corresponding to the current output pattern of each cutoff signal output step. The process moves to S105. In step S104, the eighth output pattern is stored in the memory as a defect pattern, and the process proceeds to step S105. The defect pattern is an output pattern in which the output level of the logical sum output unit 54 is an output level that does not correspond to the current output pattern of each cutoff signal output source. The case where the eighth output pattern is a failure pattern is a case where a failure occurs in the logical sum output unit 54 or a signal line connected to the output port of the logical sum output unit 54.

  In step S105, the relay MOS 40 is switched from off to on. As a result, a driving voltage is applied to the driving circuit 52. Further, the output restriction on the voltage monitoring unit 53 is released. As a result, the output level of the voltage monitoring unit 53 is switched from the high level to the low level, and the output pattern is the seventh output pattern (hereinafter, the seventh output pattern) in FIG. When the switching of the relay MOS 40 and the output restriction release of the voltage monitoring unit 53 are completed, the process proceeds to step S106.

  In step S106, the output level of the logical sum output unit 54 is referred to, and the process proceeds to step S107. In step S107, it is determined whether or not the output level of the logical sum output unit 54 is an appropriate output level. The appropriate output level of the OR output unit 54 here is an output level corresponding to the seventh output pattern (that is, a high level).

  Therefore, when the output level of the logical sum output unit 54 is high, it is determined that the output level of the logical sum output unit 54 is an appropriate level, and the process proceeds to step S108. On the other hand, if the output level of the logical sum output unit 54 is low, it is determined that the output level of the logical sum output unit 54 is inappropriate, and the process proceeds to step S109.

  In step S108, the seventh output pattern is stored in the memory as a normal pattern, and the process proceeds to step S110. In step S109, the seventh output pattern is stored in the memory as a defect pattern, and the process proceeds to step S110.

  In step S110, the output restriction of the internal monitoring unit F2 is released, the output level to the cutoff signal line L1 is set to a low level, and the process proceeds to step S111. By executing this step S110, the output pattern becomes the third output pattern in FIG. 3 (hereinafter, the third output pattern).

  In step S111, referring to the output level of the logical sum output unit 54, the process proceeds to step S112. In step S112, it is determined whether or not the output level of the logical sum output unit 54 is an appropriate output level. The appropriate output level of the logical sum output unit 54 here is an output level corresponding to the third output pattern (that is, a high level).

  Therefore, when the output level of the logical sum output unit 54 is high, the output level of the logical sum output unit 54 is determined to be an appropriate level, and the process proceeds to step S113. On the other hand, when the output level of the logical sum output unit 54 is low, it is determined that the output level of the logical sum output unit 54 is inappropriate and the process proceeds to step S114.

  In step S113, the third output pattern is stored in the memory as a normal pattern, and the process proceeds to step S115. In step S114, the third output pattern is stored in the memory as a defect pattern, and the process proceeds to step S115.

  In step S115, the output restriction of the external monitoring device 30 is released, the output level to the cutoff signal line L2 is changed to a low level, and the process proceeds to step S116. By executing step S115, the output pattern becomes the first output pattern in FIG. 3 (hereinafter referred to as the first output pattern).

  In step S116, referring to the output level of the logical sum output unit 54, the process proceeds to step S117. In step S117, it is determined whether or not the output level of the logical sum output unit 54 is an appropriate output level. The appropriate output level of the logical sum output unit 54 here is an output level corresponding to the first output pattern (that is, a low level).

  Therefore, when the output level of the logical sum output unit 54 is low, it is determined that the output level of the logical sum output unit 54 is an appropriate level, and the process proceeds to step S118. On the other hand, if the output level of the logical sum output unit 54 is high, it is determined that the output level of the logical sum output unit 54 is inappropriate, and the process proceeds to step S119.

  In step S118, the first output pattern is stored in the memory as a normal pattern, and this flow ends. In step S119, the first output pattern is stored in the memory as a defect pattern, and this flow is terminated.

<Diagnostic processing when IG is off>
Next, with reference to flowcharts shown in FIGS. 7 and 8, the IG-off diagnostic process executed by the diagnostic processing unit F3 as part of the cut path diagnostic process will be described. The flowchart shown in FIG. 7 may be started when the IGSW is turned off from on. The state in which this IG OFF diagnostic process is executed corresponds to the above-described test execution state St4.

  Note that the output level of each shut-off signal output source at the start of the IG-off diagnostic process is a level corresponding to the state of each monitoring target. Here, as an example, it is assumed that each unit operates normally at the stage of transition from the normal control state St3 to the inspection execution state St4, and the output level of each cutoff signal output source is low. That is, the output pattern of each cutoff signal output source is the first output pattern.

  First, in step S201, the cut path diagnosis unit F31 sets the output level of the internal monitoring unit F2 to the cutoff signal line L1 to a high level, and proceeds to step S202. By executing step S201, the output pattern of each shut-off signal output source becomes the fifth output pattern in FIG. 3 (hereinafter, the fifth output pattern).

  In step S202, the cut path diagnosis unit F31 refers to the output level of the logical sum output unit 54, and proceeds to step S203. In step S203, it is determined whether or not the output level of the logical sum output unit 54 is an appropriate output level. The appropriate output level of the logical sum output unit 54 here is an output level corresponding to the fifth output pattern (that is, a high level).

  Therefore, when the output level of the logical sum output unit 54 is high, the output level of the logical sum output unit 54 is determined to be an appropriate level, and the process proceeds to step S203. On the other hand, when the output level of the logical sum output unit 54 is low, it is determined that the output level of the logical sum output unit 54 is inappropriate, and the process proceeds to step S204.

  In step S203, the cut path diagnosis unit F31 stores the fifth output pattern in the memory as a normal pattern, and proceeds to step S205. In step S204, the cut path diagnosis unit F31 stores the fifth output pattern in the memory as a defect pattern, and proceeds to step S205.

  In step S205, the cut path diagnosis unit F31 outputs a voltage error signal, and causes the voltage monitoring unit 53 to determine that the drive voltage is abnormal. That is, the output level of the voltage monitoring unit 53 to the cutoff signal line L3 is set to a high level, and the process proceeds to step S206. By executing step S205, the output pattern becomes the sixth output pattern in FIG. 3 (hereinafter, the sixth output pattern).

  In step S206, the cut path diagnosis unit F31 refers to the output level of the logical sum output unit 54, and proceeds to step S207. In step S207, it is determined whether or not the output level of the logical sum output unit 54 is an appropriate output level. The appropriate output level of the logical sum output unit 54 here is an output level corresponding to the sixth output pattern (that is, a high level).

  Therefore, when the output level of the logical sum output unit 54 is high, the output level of the logical sum output unit 54 is determined to be an appropriate level, and the process proceeds to step S208. On the other hand, when the output level of the logical sum output unit 54 is low, it is determined that the output level of the logical sum output unit 54 is inappropriate, and the process proceeds to step S209.

  In step S208, the cut path diagnosis unit F31 stores the sixth output pattern in the memory as a normal pattern, and proceeds to step S210. In step S209, the cut path diagnosis unit F31 stores the sixth output pattern in the memory as a defect pattern, and proceeds to step S210.

  In step S210, the cut path diagnosis unit F31 sets the output level of the internal monitoring unit F2 to the cutoff signal line L1 to a low level, and proceeds to step S211. By executing this step S210, the output pattern becomes the second output pattern in FIG. 3 (hereinafter referred to as the second output pattern).

  In step S211, the cut path diagnosis unit F31 refers to the output level of the logical sum output unit 54, and proceeds to step S212. In step S212, the cut path diagnosis unit F31 determines whether or not the output level of the logical sum output unit 54 is an appropriate output level. The appropriate output level of the logical sum output unit 54 here is an output level corresponding to the second output pattern (that is, a high level).

  Therefore, when the output level of the logical sum output unit 54 is high, it is determined that the output level of the logical sum output unit 54 is an appropriate level, and the process proceeds to step S213. On the other hand, when the output level of the logical sum output unit 54 is low, it is determined that the output level of the logical sum output unit 54 is inappropriate, and the process proceeds to step S214.

  In step S213, the cut path diagnosis unit F31 stores the second output pattern in the memory as a normal pattern, and proceeds to step S215. In step S214, the cut path diagnosis unit F31 stores the second output pattern in the memory as a defect pattern, and proceeds to step S215.

  In step S215, the cut path diagnosis unit F31 changes the output level of the external monitoring device 30 to the cutoff signal line L2 to a high level by causing the external monitoring device 30 to determine that the microcomputer 20 is operating abnormally. The process proceeds to S216. By executing step S215, the output pattern becomes the fourth output pattern in FIG. 3 (hereinafter, the fourth output pattern). The microcomputer 20 can cause the external monitoring device 30 to determine that the microcomputer 20 is operating abnormally, for example, by outputting an incorrect answer to the homework input from the external monitoring device 30.

  In step S216, the cut path diagnosis unit F31 refers to the output level of the logical sum output unit 54, and proceeds to step S217. In step S217, the cut path diagnosis unit F31 determines whether or not the output level of the logical sum output unit 54 is an appropriate output level. The appropriate output level of the logical sum output unit 54 here is an output level corresponding to the fourth output pattern (that is, a high level).

  Accordingly, when the output level of the logical sum output unit 54 is high, the output level of the logical sum output unit 54 is determined to be an appropriate level, and the process proceeds to step S218. On the other hand, if the output level of the logical sum output unit 54 is low, it is determined that the output level of the logical sum output unit 54 is inappropriate, and the process proceeds to step S219.

  In step S218, the cut path diagnosis unit F31 stores the fourth output pattern in the memory as a normal pattern, and proceeds to step S222. In step S219, the cut path diagnosis unit F31 stores the fourth output pattern in the memory as a defect pattern, and proceeds to step S220.

  In step S220, the cutoff function diagnosis unit F32 determines whether or not the eighth output pattern is registered as a normal pattern. If the eighth output pattern is registered as a normal pattern, an affirmative determination is made in step S220 and the process proceeds to step S221. On the other hand, if the eighth output pattern is not registered as a normal pattern, a negative determination is made in step S220 and the process proceeds to step S223. In step S221, the shutoff function diagnosis unit F32 sets the output level of the internal monitoring unit F2 to a high level, thereby setting the output pattern to the eighth output pattern and proceeds to step S222.

  In step S222, the interruption function diagnosis unit F32 executes an interruption function diagnosis process. This interruption function diagnosis process is a process for determining whether or not the output interruption function of the electronic control device 1 is operating normally on the drive circuit 52 (in other words, whether or not it is functioning).

  Specifically, the shutoff function diagnostic unit F32 requests the control calculation unit F1 to output a control signal for setting the opening degree of the throttle valve 5 to a predetermined opening degree for verification to the drive unit 50 for a certain period of time. . The verification opening may be other than the intermediate opening, but is preferably set to a value larger or smaller than a predetermined threshold with respect to the intermediate opening. Based on the request from the shutoff function diagnostic unit F32, the control calculation unit F1 generates a control signal corresponding to the verification opening and starts to output it to the drive circuit 52. And the interruption | blocking function diagnostic part F32 refers to the opening degree of the throttle valve 5 at the timing when predetermined response waiting time passed after moving to step S222, and determines whether it is an intermediate opening degree.

  Since the output level of the logical sum output unit 54 is set to a high level when executing step S222, the drive signal should not be output even if the microcomputer 20 outputs a control signal to the drive unit 50. It is. Therefore, when the response waiting time has elapsed since the start of outputting the control signal, the opening of the throttle valve 5 should be an intermediate opening. In other words, if the opening degree of the throttle valve 5 is a value other than the intermediate opening degree (for example, the opening degree for verification) when a predetermined response waiting time has elapsed since the start of outputting the control signal, This means that the blocking function is not functioning.

  Therefore, when the opening degree of the throttle valve 5 at the timing when the response waiting time has elapsed after starting to output the control signal coincides with the intermediate opening degree, it is determined that the output cutoff function is functioning, and the intermediate opening degree is determined. If it does not match the degree, it is determined that the output cutoff function is not functioning. Here, the term “match” includes not only perfect match but also approximate match. The determination result in step S222 is stored in the memory, and the process proceeds to step S223.

  In step S223, the cut path diagnosis unit F31 performs the defect location estimation process and ends this flow. The defect location estimation process determines whether or not there is a defective cut path from the registration information for each output pattern, and if there is a defective cut path, a defect occurs. It is the process which estimates the location which is.

  Specifically, the cut path diagnosis unit F31 first determines whether there is an output pattern registered as a defect pattern. When there is no output pattern registered as a defect pattern, that is, when all output patterns are registered as normal patterns, it is determined that all cut paths are normal. On the other hand, if there is an output pattern registered as a defect pattern, it is determined that a defect has occurred in any of the plurality of cut paths. If it is determined that a defect has occurred in any of the plurality of cut paths, the defect occurrence location is estimated from the number of the output pattern registered as the defect pattern.

  For example, when the cutoff signal line L1 is short-circuited to the ground potential line or the like, and the potential of the first cut path is fixed to a potential corresponding to the low level, the fifth output pattern is as shown in FIG. Detected as a defect pattern. Therefore, when the fifth output pattern is detected as a failure pattern, it is determined that a failure has occurred in the first cut path.

  If an output pattern other than the fifth output pattern is registered as a normal pattern, it is determined that the defective cut path is only the first cut path and the remaining cut paths are normal. That's fine. The cut path determined to be normal as a result of the defect location estimation process corresponds to the normal path described in the claims. Note that a normal cut path corresponds to a cut path through which a blocking signal is normally transmitted.

  Further, when the potential of the second cut path is fixed to a potential corresponding to the low level, the third output pattern is detected as a defect pattern as shown in FIG. Therefore, if the third output pattern is detected as a failure pattern, it may be determined that a failure has occurred in the second cut path. Further, when an output pattern other than the third output pattern is registered as a normal pattern, it may be determined that the remaining cut paths are operating normally.

  Furthermore, when the potential of the third cut path is fixed to a potential corresponding to the low level, the second output pattern is detected as a defect pattern as shown in FIG. Therefore, when the second output pattern is detected as a failure pattern, it may be determined that a failure has occurred in the third cut path. If an output pattern other than the second output pattern is registered as a normal pattern, it may be determined that the remaining cut paths are operating normally. Thus, based on the output pattern detected as a defect pattern or the output pattern determined as a normal pattern, a cut path in which a defect has occurred or a cut path that is functioning normally can be identified.

  By the way, when any one of the first to third cut paths is fixed to a potential corresponding to the high level, the first output pattern is detected as a defective pattern. In that case, it is unclear which of the first to third cut paths has a defect, but it can be recognized that a defect has occurred in any of the first to third cut paths. . When a certain cut path is fixed at a high level, the cut-off signal line constituting the cut path is in contact with a signal line (hereinafter referred to as a high voltage line) that provides a driving voltage or a power supply voltage. This is the case.

  Further, in any output pattern, when the output level of the logical sum output unit 54 is low, a problem occurs in the logical sum output unit 54 itself or a signal line corresponding to the output destination of the logical sum output unit 54. Suggest the possibility.

  In this way, the diagnosis processing unit F3 estimates a defect occurrence location from the output pattern registered as the defect pattern. In addition, the information about the defect occurrence location estimated by the diagnosis processing unit F3 (hereinafter, defect information) may be notified to the occupant by an indicator, a display, a voice, or the like. Further, the defect information may be transmitted to an external device by wireless communication or wired communication.

<Summary of Embodiment>
In the above configuration, the diagnosis of the cut path itself is executed based on the correspondence between the output pattern of the cutoff signal output source and the output level of the logical sum output unit 54. Then, after the diagnosis of the cut path itself is completed, the effectiveness of the output cutoff function is diagnosed using the output pattern that is operating normally (step S222).

  According to such a configuration, the number of times of executing the cutoff function diagnosis process using the change over time of the throttle opening may be one. That is, even when there are a plurality of cut paths, it is not necessary to perform the blocking function diagnosis process a plurality of times. Therefore, it is possible to avoid an increase in the total time required for diagnosing the effectiveness of all cut paths in proportion to the number of cut paths.

  In addition, as a comparison structure, the structure which collectively performs various diagnostic processes at the timing when IGSW was turned off from ON can be considered. In the present embodiment, the time required for a series of diagnostic processes can be shortened. Therefore, for such a comparison configuration, the time from when the IGSW is turned off to when the electronic control device 1 shifts to the stop state St1 is shortened. Can do. As a result, the power consumption associated with the diagnostic process can be suppressed.

  In particular, in this embodiment, as shown in FIG. 12, the cut path diagnosis process is divided into two parts, an IG on-time diagnosis process and an IG off-time diagnosis process. As described above, by performing a part of the cut path diagnosis process during the startup sequence, it is possible to reduce the time during which the test execution state St4 continues. FIG. 12 is a diagram summarizing the contents of a series of cut path diagnosis processes described with reference to FIGS.

  Furthermore, in the above-described embodiment, after the microcomputer abnormality is determined, the correspondence determination process for the output pattern that requires the output level of the external monitoring device 30 to be low is not performed. Specifically, the correspondence determination process (S217) for the fourth output pattern is performed at the end of a series of determination processes for each output pattern. According to such an aspect, since the microcomputer 20 does not need to perform the abnormality determination cancellation process for the cut path diagnosis process, the total diagnosis time can be further shortened.

  As mentioned above, although embodiment of this invention was described, this invention is not limited to the above-mentioned embodiment, The various modifications described below are also contained in the technical scope of this invention, and also in addition to the following However, various modifications can be made without departing from the scope of the invention.

  In addition, about the member which has the same function as the member described in the above-mentioned embodiment, the same code | symbol is attached | subjected and the description is abbreviate | omitted. In addition, when only a part of the configuration is mentioned, the configuration of the above-described embodiment can be applied to the other portions.

[Modification 1]
In the above-described embodiment, a mode in which a signal set to a high level functions as a cutoff signal is disclosed, but the present invention is not limited to this. A signal set to a low level may function as a cutoff signal.

  That is, in the above-described embodiment, the aspect in which each unit is operated with the high active logic is disclosed, but each unit may be operated based on the low active logic. In any case, it is only necessary that the output of the drive circuit 52 is cut off when any of the plurality of cut-off signal output sources outputs a cut-off signal.

[Modification 2]
In the above-described embodiment, the mode in which the output of the logical sum output unit 54 is input to the pre-driver is disclosed, but the present invention is not limited to this. The drive circuit 52 may not include a pre-driver. In that case, the output of the logical sum output unit 54 may be input to the output MOS.

  Further, the drive unit 50 only needs to be configured so that the output of the drive signal to the throttle actuator 6 is cut off when any of the plurality of cut-off signal output sources outputs the cut-off signal. Therefore, the output stage of the drive unit 50 may be configured as a wired OR circuit as shown in FIG. In FIG. 13, the configuration on the second output MOS 524 side is omitted.

[Modification 3]
In the above description, the cut path diagnosis process is divided into two parts, that is, the IG on-time diagnosis process and the IG off-time diagnosis process. However, the present invention is not limited to this. A series of processing may be collectively performed when the IGSW is turned on. A series of processing may be performed collectively when the IGSW is turned off.

  Further, the order of executing the correspondence determination process for various output patterns is not limited to the order described above. For example, the correspondence determination processing for the third, fourth, seventh, and eighth output patterns may be performed after the correspondence determination processing for the first, second, fifth, and sixth output patterns.

[Modification 4]
In the above-described embodiment, the aspect in which the defect location estimation process is executed after the interruption function diagnosis process is executed is disclosed, but the present invention is not limited thereto. The defect location estimation process may be executed before the blocking function diagnosis process.

  In that case, the blocking function diagnosis unit F32 can perform the blocking function diagnosis process using the cut path determined to be normal by the cut path diagnosis unit F31 (that is, the normal path). That is, the effectiveness of the output cutoff function is diagnosed by outputting a cutoff signal to the cutoff signal output source corresponding to the normal path. According to such an aspect, it is possible to reduce the possibility of diagnosing the effectiveness of the output cutoff function using a cut path in which a problem has occurred.

[Other variations]
Although the aspect which made the control object of the electronic control apparatus 1 the throttle actuator 6 was disclosed above, it is not restricted to this. The control target of the electronic control device 1 may be another actuator.

  Moreover, although the electronic control apparatus 1 disclosed the aspect provided with three interruption | blocking signal output parts above, it is not restricted to this. The electronic control device 1 may include four or more cutoff signal output units. For example, a function for diagnosing whether or not the accelerator sensor 3 and the throttle sensor 4 are operating normally may be provided as a cutoff signal output unit.

DESCRIPTION OF SYMBOLS 1 Electronic control device, 2 Car power supply, 3 Accelerator sensor, 4 Throttle sensor, 5 Throttle valve, 6 Throttle actuator, 10 Power supply circuit module, 20 Microcomputer (arithmetic unit), 30 External monitoring device (cutoff signal output part), 40 Relay MOS, 50 drive unit, 51 signal distributor, 52 drive circuit, 53 voltage monitoring unit (cut-off signal output unit), 54 logical sum output unit, F1 control operation unit, F2 internal diagnosis unit (cut-off signal output unit), F3 diagnosis Processing unit, F31 cut path diagnostic unit, F32 cutoff function diagnostic unit, M1 correspondence storage unit (appropriate level storage unit), L1 to L3 cutoff signal line

Claims (9)

An arithmetic unit (20) that calculates a control amount of a predetermined actuator based on data input from a plurality of sensors mounted on the vehicle, and outputs a control signal according to the control amount;
A drive circuit (52) that generates a drive signal corresponding to the control signal output from the arithmetic unit and outputs the drive signal to the actuator,
Provided with at least three shut-off signal output units (F2, 30, 53) that output shut-off signals for shutting off the output of the drive circuit when an abnormal operation of a predetermined monitoring target is detected;
The cutoff signal output unit outputs a signal corresponding to either a cut level that functions as the cutoff signal and a non-cut level that does not function as the cutoff signal,
The drive circuit is configured to stop the output of the drive signal when the logical sum of the output signals of the plurality of cutoff signal output units is a cut level,
A logical sum output section (54) for outputting a signal of a level corresponding to the logical sum of the output signals of the plurality of cutoff signal output sections;
A cut path diagnosis unit (F31) for diagnosing a plurality of cut paths that are paths through which the cut-off signal flows based on a correspondence relationship between output patterns of the cut-off signal output units and the logical sum;
In a state where at least one output level of the plurality of shut-off signal output units is set to a cut level, the driving device causes the driving circuit to output the control signal corresponding to a predetermined control amount for a predetermined time. An electronic control device comprising: an interruption function diagnosis unit (F32) for diagnosing whether an output of the circuit is interrupted based on the logical sum of the interruption signals. In claim 1,
An appropriate level storage unit (M1) in which appropriate level data indicating an appropriate level, which is a signal level to be output by the OR output unit, is registered for each output pattern of the cutoff signal output unit;
The cut path diagnosis unit
When the output pattern of the cutoff signal output unit changes, the signal level as the logical sum output from the logical sum output unit is associated with the current output pattern in the appropriate level data. Perform correspondence determination processing to determine whether or not it matches the level,
If the signal level as the logical sum does not match the appropriate level associated with the current output pattern, the current output pattern is registered as a failure pattern, while if it matches, the Register the output pattern as a normal pattern,
An electronic control device, wherein when there is an output pattern registered as a failure pattern, it is determined that a failure has occurred in at least one of the plurality of cut paths. In claim 2,
The cut path diagnosis unit determines that all the cut paths are normal when all output patterns are registered as normal patterns. In claim 2 or 3,
The cut path diagnosis unit determines the correspondence relationship for at least some of the output patterns of all the cut-off signal output units when the vehicle power switch for the vehicle is set to ON. An electronic control device that performs processing. In any one of Claim 2 to 4,
The cut path diagnosis unit identifies a normal path that is the cut path to which the blocking signal is normally transmitted based on a determination result of the correspondence determination process for each output pattern,
The electronic control unit according to claim 1, wherein the cutoff function diagnosis unit sets the logical sum to a cut level by causing the cutoff signal output unit corresponding to the normal path to output the cutoff signal. In any one of Claim 2 to 5,
The arithmetic unit is:
A control calculation unit (F1) for calculating the control amount based on data input from a plurality of the sensors;
As one of the plurality of shut-off signal output units, an internal monitoring unit that determines whether or not the control calculation unit is operating normally,
The internal control unit outputs the cutoff signal when detecting an abnormal operation of the control calculation unit. In any one of Claims 2-6,
As one of the plurality of shut-off signal output units, an external monitoring device that determines whether the arithmetic device is operating normally outside the arithmetic device,
The electronic control device, wherein the external monitoring device outputs the blocking signal when detecting an abnormal operation of the arithmetic device. In any one of Claims 2-7,
As one of the plurality of shut-off signal output units, a voltage monitoring unit that determines whether or not a drive voltage that is a voltage applied to the drive circuit is normal,
The electronic control device, wherein the voltage monitoring unit outputs the cutoff signal when detecting an abnormality of the driving voltage. In claim 7,
The cut path diagnosis unit outputs an output in which the output level of the external monitoring device is set to the cut level after all the correspondence determination processing for the output pattern in which the output level of the external monitoring device is set to the non-cut level is completed. An electronic control unit that executes the correspondence determination process for a pattern.

Images