JP6895356B2 - Electronic control device for vehicles - Google Patents

Description

The present invention relates to an electronic control device for a vehicle capable of diagnosing a latency fault (potential failure).

Patent Document 1 includes an arithmetic processing unit (CPU: Central Processing Unit) that performs an operation for controlling a device to be controlled of a vehicle, and a drive processing unit that drives the device to be controlled. Describes an electronic control device for a vehicle that exchanges data with a processing unit via SPI (Serial Peripheral Interface) communication. The drive processing unit is composed of an ASIC (Application Specific Integrated Circuit), and the processing in the drive processing unit is monitored by a watchdog timer to perform self-diagnosis.

Japanese Unexamined Patent Publication No. 2014-89672

By the way, in recent years, in ISO 26262 (functional safety) compliance in the automobile industry, it is required to diagnose that the safety mechanism operates correctly in order to prevent the vehicle from falling into a dangerous state due to a latency fault. .. For example, in the electronic control device for vehicles of Patent Document 1, if a failure of the SPI line or an abnormality occurs in the self-diagnosis function itself, normal diagnosis cannot be performed. Therefore, in order to further improve safety, diagnosis of latency fault is performed. You will need it.

The present invention has been made in view of the above circumstances, and an object of the present invention is to provide an electronic control device for a vehicle capable of diagnosing a latency fault.

The electronic control device for a vehicle of the present invention includes a drive device that has a self-diagnosis function and drives a control target, and a processing device that generates a control signal for the control target and supplies the control signal to the drive device by SPI communication. An electronic control device for a vehicle that sets error information in the content of SPI communication from the processing device and diagnoses a latency fault by the processing device using the diagnosis result by the self-diagnosis function. Short frame data, long frame data, and CRC error data are attached to the transmitted communication from the master SPI and sequentially transmitted to the drive device, and the processing device shorts using the diagnosis result by the self-diagnosis circuit of the drive device. It is determined whether or not a frame has occurred, whether or not a long frame has occurred, and whether or not a CRC error has occurred, and when any one of the short frame occurrence, the long frame occurrence, and the CRC error occurrence exceeds a predetermined number of times, the mode shifts to the fail-safe mode. However, if it does not exceed, it ends.

According to the present invention, it is possible to determine the presence or absence of a latency fault of the self-diagnosis function by confirming the operation when an abnormality is intentionally caused in the SPI communication between the driving device and the processing device. Further, since the diagnosis can be performed in a state including the SPI communication function, the reliability of the self-diagnosis result of the drive device can be improved. Therefore, it is possible to diagnose that the safety mechanism operates correctly, and it is possible to prevent the vehicle from falling into a dangerous state.

It is the schematic of the electronic control device for a vehicle which concerns on embodiment of this invention. It is a figure which shows the configuration example of the SDI frame and SDO frame in the SPI communication part of FIG. It is a schematic diagram which shows the transmission data of an SDI frame at the time of error setting, and the reception data of an SDO frame. It is a flowchart which shows the operation of the latent failure diagnosis processing executed by the processing apparatus in the electronic control apparatus for a vehicle shown in FIG. It is a timing chart of a clock signal, a transmission signal, a reception signal and a chip select signal when SPI communication is normal. It is a timing chart of a clock signal, a transmission signal, a reception signal and a chip select signal in a short frame error state. It is a timing chart of a clock signal, a transmission signal, a reception signal and a chip select signal in a long frame error state.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
FIG. 1 shows an electronic control device for a vehicle according to an embodiment of the present invention, in which a TCU (Transmission Control Unit) 10 for driving a solenoid valve of a hydraulic control device 50 used for shifting control of a transmission 40 is used as a control target. Taking an example. Power is transmitted from the engine 20 to the transmission 40 via a torque converter 30, a clutch, and the like. The transmission 40 has a transmission mechanism 40a that shifts the rotational power transmitted from the torque converter 30 and outputs it to the output shaft, an oil pump 40b that supplies hydraulic oil to hydraulic drive parts, and a flood control that is supplied from the oil pump 40b. It is provided with a hydraulic control device 50 that controls the transmission mechanism 40a using the above.

Further, a sensor 40c such as an input rotation speed sensor, an output rotation speed sensor, and an oil temperature sensor is provided in the transmission 40. The detection signal DS of these sensors 40c is input to the TCU 10, and the operating state of the transmission 40 is detected by the TCU 10. The transmitted power is changed in torque, rotation speed, and rotation direction by the transmission 40, and is transmitted from the output shaft of the transmission mechanism 40a to the drive wheels via a drive transmission path (not shown).

The engine 20 is controlled by an ECU (Electronic Control Unit) 60, and according to the operating conditions of the driver, the state of the engine 20 detected by various sensors, the surrounding environment, etc., for example, the ignition timing, the fuel injection amount, and the opening / closing of the throttle valve. , And valve timing are controlled. CAN (Controller Area Network) communication is performed between the ECU 60 and the TCU 10 in order to optimize the control of the engine 20 and the control of the transmission 40 in relation to each other.

The TCU 10 includes a processing device 1 and a driving device 2. The processing device 1 is composed of a microcomputer (microcomputer) or the like, and generates, for example, pulse width-modulated pulse signals P1, P2, ..., Pn as control signals for driving each solenoid valve of the hydraulic control device 50, and drives the drive device 1. Output to 2. The processing device 1 has an SPI communication unit 3 for performing SPI communication and a latent failure diagnosis processing function (referred to as a latent failure diagnosis unit 7 here). The clock signal CLK, the transmission signal Tx, and the chip select signal CS output from the SPI communication unit 3 are each input to the drive device 2, and the signal output from the drive device 2 is input to the SPI communication unit 3 as a reception signal Rx. To.

The drive device 2 is composed of an ASIC, includes a driver 5 (for example, a high-side driver and a low-side driver) that drives a solenoid valve of the hydraulic control device 50 to be controlled, and a pulse signal P1 supplied from the processing device 1. , P2, ..., Pn is driven by selectively passing a current through the coil (solenoid) of the solenoid valve. Further, the drive device 2 is provided with a self-diagnosis circuit 6, and by detecting whether a short frame error, a long frame error, or a CRC (Cyclic Redundancy Check) error has occurred, is the drive device 2 operating normally? It is configured so that it can be self-diagnosed.

The latent failure diagnosis unit 7 diagnoses the latency fault of the self-diagnosis circuit 6 and executes a process of determining whether or not to shift to fail-safe based on the error information of the SDO frame (to the master SPI). The latent failure diagnosis unit 7 instructs the SPI communication unit 3 to transmit information that causes an error in the communication content. Then, based on the diagnosis result of the self-diagnosis circuit 6 when the error information is set in the SPI communication, the latent failure diagnosis unit 7 of the processing device 1 determines whether or not there is a latency fault of the self-diagnosis function. The presence or absence of this latency fault is determined according to, for example, the data format of the error information. In this way, by confirming the operation of the self-diagnosis circuit 6 when an abnormality is intentionally caused in the SPI communication between the drive device 2 and the processing device 1, the processing device 1 can determine the presence or absence of a latency fault. .. At this time, since error information is transmitted and received via the SPI communication unit 3, it is possible to diagnose whether or not the communication function (SPI communication unit 3 and communication line) is operating normally.

FIG. 2 is a configuration example of the SPI frame in the SPI communication unit 3 of FIG. 1, and shows an SDI frame from the master SPI and an SDO frame to the master SPI. The SDI frame is composed of 2-byte registers FR0 and FR1, and consists of 3-bit CRC data, 13-bit data bits, 7-bit data, 1-bit reserve bit (= 0), 7-bit address, and 1-bit. It has a write / read bit Wr / Rdn. The SDO frame is composed of 2-byte registers FR0 and FR1, 3-bit CRC data, 13-bit data bits, 7-bit data, 6-bit channel exception, 1-bit CRC error, and 1-bit long. It has a frame error and a 1-bit short frame error.

FIG. 3 is a schematic diagram showing transmission data of SDI frames and reception data of SDO frames at the time of error setting. The latent failure diagnosis unit 7 of the processing device 1 instructs the SPI communication unit 3 to transmit information that causes an error in the communication content. For example, from the SPI communication unit 3, the data SFa in which the clock signal CLK is set to "CLK <32" so as to be a short frame, and the data LFa and CRC in which the clock signal CLK is set to "CLK> 32" so as to be a long frame. The data CRCa set so as to cause a CRC error is transmitted by changing the calculation method of. Then, the self-diagnosis circuit 6 of the drive device 2 detects an error, and the diagnosis result is returned to the processing device 1 in the SDO frame. The diagnosis results are data SFb indicating the presence / absence of short frame error detection, data LFb indicating the presence / absence of long frame error detection, and data CRCb indicating the presence / absence of CRC error detection. Based on the diagnosis result, the latent failure diagnosis unit 7 performs the latent failure diagnosis process and determines whether it is necessary to shift to the fail-safe mode.

If it cannot be determined to be normal by the above procedure, it is determined that there is a problem with the SPI communication unit 3, the communication line or the self-diagnosis circuit 6, and the control of the control target hydraulic control device 50 for the solenoid valve is suppressed or controlled. Shift to fail-safe mode such as stopping the vehicle gently.
The injection of the error information from the SPI communication unit 3 to the drive device 2 described above is performed at a predetermined cycle. The transmission of data that causes such an error and the reception of an error answer are repeated a plurality of times, and when an error is not detected more than a predetermined number of times, it is determined to be abnormal.

As a result, it is possible to confirm in real time whether or not the self-diagnosis circuit 6 of the drive device 2 is operating normally on the processing device 1 side, and it is possible to prevent a latency fault. Further, since the determination is made by the processing device 1, it can be confirmed that there is no problem in the SPI communication unit 3 and the driving device 2.
Note that FIG. 3 shows an example in which data that causes an error is added to the end of communication from the master SPI of actual control and continuously transmitted, but the data that causes an error is sent at any timing in one cycle. Of course, the data may be transmitted, and the data that causes the short frame error, the long frame error, and the CRC error may be transmitted separately.

Next, the diagnosis of the latency fault of the SPI communication unit 3 and the self-diagnosis circuit 6 described above will be described in detail with reference to FIG. FIG. 4 is a flowchart showing a latent failure diagnosis process (operation of the latent failure diagnosis unit 7) executed by the processing device 1. First, the short frame data SFa is attached to the communication from the master SPI transmitted from the processing device 1 and transmitted to the drive device 2 (step S1). Next, the processing device 1 determines whether or not a short frame has occurred using the diagnosis result (data SFb) by the self-diagnosis circuit 6 of the drive device 2 (step S2). If it is determined that a short frame has occurred, the variable A is set to 0 because it is operating normally (step S3), and if it is determined that no short frame has occurred, it is an abnormal operation, so the variable A is increased by 1 (step S3). A = A + 1) (step S4).

The clock signal CLK, the transmission signal Tx, the reception signal Rx, and the chip select signal CS when the SPI communication is normal are as shown in the timing chart of FIG. 5, respectively. In this example, the clock signal CLK of one frame is 32 bits, and clock synchronous serial communication is performed. When the chip select signal CS reaches a significant level (low level), the transmission signal Tx and the reception signal Rx are exchanged during one frame period set by the clock signal CLK.

On the other hand, when a short frame error occurs, the clock signal CLK of one frame becomes less than 32 bits as shown in FIG. Then, when the chip select signal CS reaches a significant level, the transmission signal Tx and the reception signal Rx are exchanged in one frame period shorter than the 32 bits set by the clock signal CLK.

In the next step S5, the long frame data LFA is added to the communication from the master SPI transmitted from the processing device 1 and transmitted to the drive device 2. The processing device 1 determines whether or not a long frame has occurred using the diagnosis result (data LFb) by the self-diagnosis circuit 6 of the drive device 2 (step S6). If it is determined that a long frame has occurred, the variable B is set to 0 because it is operating normally (step S7), and if it is determined that no long frame has occurred, it is an abnormal operation, so the variable B is increased by 1 (step S7). B = B + 1) (step S8).

When a long frame error occurs, the clock signal CLK of one frame becomes more than 32 bits as shown in FIG. Then, when the chip select signal CS reaches a significant level, the transmission signal Tx and the reception signal Rx are exchanged in one frame period longer than the 32 bits set by the clock signal CLK.

In the next step S9, CRC error data CRCa is attached to the communication from the master SPI transmitted from the processing device 1 and transmitted to the drive device 2. The processing device 1 determines whether or not a CRC error has occurred using the diagnosis result (data CRCb) by the self-diagnosis circuit 6 of the drive device 2 (step S10). If it is determined that a CRC error has occurred, the variable C is set to 0 because it is operating normally (step S11), and if it is determined that no CRC error has occurred, it is an abnormal operation, so the variable C is increased by 1 (step S11). C = C + 1) (step S12).

In the next step S13, it is determined whether or not any one of the variables A, B, and C exceeds the predetermined value m, and if it exceeds the predetermined value m, the mode shifts to the fail-safe mode (step S14), and if not, the process ends. .. The transition to the fail-safe mode depends on the function provided in the drive device 2, but for example, the control of the hydraulic control device 50 by driving the solenoid valve is stopped. Alternatively, when the hydraulic control device 50 is used to control shifting / not shifting by the transmission 40 by driving the solenoid valve, the vehicle is prevented from shifting while moving. Further, actuators such as shift control and motor drive may be controlled. When moving the core part of the vehicle, the processing device 1 can be stopped. Further, CAN communication may be stopped.
By implementing at least one of these, the shift to the fail-safe mode according to the function of the drive device 2 is performed. Fail-safe mode will be canceled as soon as it is confirmed that it has returned to normal.

According to the above configuration, it is possible to determine the presence or absence of a latency fault of the self-diagnosis function by confirming the operation when an abnormality is intentionally caused in the SPI communication between the drive device 2 and the processing device 1. .. Further, the SPI communication function can be diagnosed, and the diagnosis can be performed in a state including the SPI communication function, so that the reliability of the self-diagnosis result of the drive device 2 can be improved. Therefore, it is possible to confirm that the safety mechanism operates correctly, and it is possible to prevent the vehicle from being put into a dangerous state due to a late tent fault.

<Modification example 1>
In the above embodiment, the driving of the solenoid valve of the hydraulic control device that controls the speed change of the TCU has been described as an example, but the control target is not limited to the solenoid valve, and for example, the control of the injector driver is also performed. Applicable. When controlling injector driver, the fail-safe mode when the abnormality is detected by the processing device 1, and notifies the abnormality to the driver, the injection amount of and O ₂ changes in fuel is at risk of unintended acceleration or deceleration Therefore, the vehicle is stopped gently. Of course, either one may be carried out depending on the vehicle, surrounding conditions, abnormal conditions, and the like. This fail-safe mode will be canceled as soon as it is confirmed that it has returned to normal.

<Modification 2>
Similarly, it can be applied to the control of the external EEPROM. In this case, as the fail-safe mode when the processing device 1 detects an abnormality, it is preferable to execute at least one of the following (a) to (c). (A) Notify the driver of the abnormality. (B) Prohibit writing to EEPROM. (C) Control with default values so that the actuator is controlled without relying on the parameters stored in EEPROM. This fail-safe mode will be canceled as soon as it is confirmed that it has returned to normal.

<Modification example 3>
The error information may be injected from the SPI communication unit 3 by changing the clock signal CLK or changing the length of the chip select signal CS.

<Modification example 4>
An example of injecting a short frame error, a long frame error, and a CRC error from the SPI communication unit 3 into the drive device 2 has been described, but error information using a checksum or hash can also be injected, and the data that causes an error. If so, it is not limited to these.

<Modification 5>
An example has been described in which a latent failure diagnosis unit 7 is provided in the processing device 1 and error information is injected from the SPI communication unit 3 into the drive device 2. However, since a memory is provided in the processing device 1 to generate error information in advance. It is also possible to store the program of the above and inject error information into the SPI communication unit 3 by software.

<Modification 6>
Further, although an example in which the SPI communication unit 3 is built in the processing device (microcomputer) 1 has been described, it is needless to say that the SPI communication unit 3 may be provided outside the processing device 1.

1 ... Processing device (microcomputer), 2 ... Drive device (ASIC), 3 ... SPI communication unit, 5 ... Driver, 6 ... Self-diagnosis circuit, 7 ... Potential failure diagnosis unit, 10 ... TCU, 20 ... Engine, 30 ... Torque converter, 40 ... transmission, 40a ... transmission mechanism, 40b ... oil pump, 40c ... sensor, 50 ... hydraulic control device (control target), 60 ... ECU, P1, P2 ..., Pn ... pulse signal (control signal)

Claims (3)

It is provided with a drive device having a self-diagnosis function and driving a control target, and a processing device that generates a control signal for the control target and supplies the control signal to the drive device by SPI (Serial Peripheral Interface) communication.
An electronic control device for a vehicle that sets error information in the content of SPI communication from the processing device and diagnoses a latency fault by the processing device using the diagnosis result by the self-diagnosis function.
Short frame data, long frame data, and CRC error data are attached to the communication from the master SPI transmitted from the processing device and sequentially transmitted to the drive device.
The processing device determines whether or not a short frame has occurred, whether or not a long frame has occurred, and whether or not a CRC error has occurred, respectively, using the diagnosis result of the self-diagnosis circuit of the driving device.
An electronic control device for a vehicle, characterized in that when any one of a short frame occurrence, a long frame occurrence, and a CRC error occurrence exceeds a predetermined number of times, the mode shifts to a fail-safe mode, and when any one of the occurrences does not exceed a predetermined number of times, the mode is set to the fail-safe mode. The electronic control device for a vehicle according to claim 1, wherein the processing device determines the presence or absence of a latency fault of at least one of the SPI communication function and the self-diagnosis function. The electronic control device for a vehicle according to claim 2, wherein the presence or absence of the late tent fault is determined according to the data format of the error information.

Images