JPH0991034A - Electronic control unit - Google Patents

Abstract

PROBLEM TO BE SOLVED: To suppress communication quantity between a main control means and a subcontrol means as less as possible while securing the reliability of an electronic control unit and to improve the reliability of failure detection by a watchdog method. SOLUTION: In this electronic control unit provided with a main CPU 1 for controlling an object to be controlled and a sub-CPU 2 to be used only for the judgement of a failure, the main CPU 1 outputs a control signal based upon the control logic of ABS control to solenoid valves S1 to S4 being objects to be controlled and outputs a reference signal based upon the same control logic also to the sub-CPU 2 and the sub-CPU 2 is constituted so as to monitor the control signal outputted from the main CPU 1 to the valves S1 to S4. The sub-CPU 2 is provided with a failure judging part 24 for comparing the reference signal with a monitored control signal, and when contradiction is generated between both the signals, judging a failure.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an electronic control unit, in particular, a main control means for controlling a controlled object, and separately from the main control means, for determining the presence / absence of a failure of the main control means without controlling the controlled object. And a sub-control means for controlling the electronic control unit.

[0002]

2. Description of the Related Art As is well known, in recent years, as a control system for various machines and devices / equipment or vehicles such as automobiles, a system using an electronic control unit equipped with a microcomputer has been generalized. For example, in the case of an automobile, such an electronic control unit is equipped to precisely control various controlled objects such as an engine, an automatic transmission or a brake system to improve fuel efficiency, running performance or braking performance. The ones that have been adopted are widely adopted.

In a control system using such an electronic control unit, it is important how to prevent malfunction or malfunction of the system due to failure (failure) of the control unit. That is, the CP of the electronic control unit
U sometimes fails, and such CPU
If such a failure occurs, the controlled object will not operate normally, so it is necessary to detect such a failure early and take appropriate measures. For this reason, the electronic control unit is generally provided with a fail detecting means for detecting a CPU failure.

As an effective method for detecting the CPU failure of the electronic control unit,
There is a so-called double microcomputer method in which two CPUs having the same function are provided, the same control information is given to both CPUs to perform the same control operation, and the operation results of both CPUs are compared with each other by mutual communication. It is known (see, for example, JP-A-59-130798). In this case, when the calculation results of both CPUs are inconsistent, at least one of the CPUs has failed, so the driver is notified of such a failure. In this case, even if one CPU is normal, whichever CPU
Since it is not possible to determine in practice whether it is failing, the electronic control unit will eventually lose its function.

However, in such a so-called double microcomputer fail detection method, it is necessary to provide two CPUs having a large calculation capacity capable of controlling the controlled object, so that the cost for the CPU is doubled and the CPU-related cost increases. There are problems that the circuit becomes complicated and large-scaled, and the cost of the electronic control unit becomes very high. For this reason,
The applicant of the present application, in Japanese Patent Application No. 167030/1993, discloses a main control unit (main CPU) for controlling an object to be controlled,
A sub-control means (sub-CPU) for determining whether or not the main control means has a failure without controlling the controlled object is provided, and a predetermined numerical value is given to the main control means to perform a predetermined calculation unrelated to the control calculation. After the calculation based on the formula is performed, whether the calculation result is correct or not is judged by the sub control means, and when the calculation result is wrong, it is judged that the main control means is out of order (so-called). 1.5
Microcomputer) was proposed.

According to this method, the sub-control means does not need to have the same computing capacity as the main control means, so that the capacity can be set to be significantly smaller than that in the so-called double microcomputer system. A large-capacity and expensive CPU only needs to be provided (main control means). That is, it is possible to improve the reliability of the electronic control unit and reduce the cost thereof.

[0007]

However, in the above-mentioned conventional method (so-called 1.5 microcomputer method), the main CPU (main control means) is communicated with the sub CPU (sub control means) during normal operation. In order to improve the fail detection accuracy of the main control means, it is necessary to perform the above-mentioned calculation performance check very finely. Moreover,
The communication amount for this check generally increases as the control system becomes more sophisticated, and the configuration becomes complicated accordingly.

By the way, as one of the methods for relatively easily detecting the presence / absence of a failure of the CPU of the electronic control unit during the normal operation, the CPU basically outputs a pulse signal of a constant cycle, A method using a so-called watchdog, which performs fail detection by monitoring a disorder of the cycle, has been conventionally known, but such a method is applied to fail detection of a main control unit (main CPU) by a sub control unit (sub CPU). In this case, when a failure occurs in the sub CPU itself, there is a problem that the failure occurrence of the main CPU cannot be effectively detected.

The present invention has been made in view of the above problems, and suppresses the amount of communication between the main control means and the sub control means as much as possible while ensuring the reliability of the electronic control unit, and also enables the watch. It is a basic object to provide an electronic control unit capable of improving the reliability of failure detection by the dog method.

[0010]

For this reason, the invention according to claim 1 of the present application (hereinafter referred to as the first invention) includes the main control means for controlling the controlled object and the above without controlling the controlled object. An electronic control unit comprising sub-control means for determining whether or not there is a failure in the main control means, wherein the main control means outputs a control signal based on a predetermined control logic to the controlled object, and While outputting a signal based on the control logic to the sub control means, the sub control means is configured to monitor the control signal output to the control target by the main control means. The control means is provided with a failure determination section that compares the signal input from the main control means with the monitored control signal and determines a failure when both signals conflict. It is obtained by said being.

Further, the invention according to claim 2 of the present application (hereinafter referred to as “the invention”)
In the first invention, the signal output from the main control unit to the sub-control unit is different from the specific state when the same output state is continued for a predetermined time. Is configured to be output for a short time, and if the sub-control means does not detect the signal in the specific state even if the same state of the output of the main control means continues for the predetermined time or more, The feature is that it is determined as a failure.

Further, the invention according to claim 3 of the present application (hereinafter referred to as “the invention”)
(Third invention) is an electronic control unit provided with main control means for controlling an object to be controlled and sub-control means for judging whether or not there is a failure in the main control means without controlling the object to be controlled. Therefore, the main control means outputs a pulse signal of a constant cycle to the sub control means, the sub control means receives the pulse signal to determine a failure of the main control means, and the received pulse signal as it is. It is characterized in that it outputs to the main control means, and the main control means makes a failure judgment based on the pulse signal returned from the sub control means.

Further, the invention according to claim 4 of the present application
(Hereinafter, referred to as a fourth invention) is an electronic device provided with main control means for controlling a control target and sub-control means for judging the presence / absence of a failure of the main control means without controlling the control target. In the control unit, the main control means executes predetermined arithmetic operations unrelated to actual control at a plurality of points in the series of control processing according to a predetermined program, and Whether the result is correct or not is judged,
It is configured to output a predetermined pulse signal to the sub-control means, and the sub-control means determines that there is a failure when the pulse signal is not output even after a lapse of a certain time. It was done.

Furthermore, the invention according to claim 5 of the present application.
(Hereinafter, referred to as a fifth invention) is the same as any one of the first to fourth inventions, wherein at least one of the main control means and the sub control means has a constant cycle output from the other. It is characterized in that a failure determination means for monitoring the pulse signal and determining the presence / absence of a failure of the other control means is provided.

[0015]

In the first invention of the present application, the main control means outputs the same signal (a signal based on a predetermined control logic) as the control signal output to the controlled object to the sub control means, while the sub control means The means monitors the control signal output to the controlled object by the main control means, compares the monitored control signal with the signal input from the main control means by the failure determination section, and outputs both signals. If a contradiction occurs, it is determined as a failure.

In the second invention of the present application, basically, the same operation as that of the first invention is performed. Moreover,
In addition, the signal output from the main control means to the sub control means is configured such that when the same output state is continued for a predetermined time, a signal in a specific state different from the state is output for a short time. Therefore, if the sub control means does not detect the signal of the specific state even if the same state of the output of the main control means continues for the predetermined time or more, the output from the main control means to the sub control means is abnormal. It is determined that there is a failure.

Further, in the third invention of the present application, the main control means outputs a pulse signal (that is, a watchdog pulse) having a constant period to the sub control means, and the sub control means receives the pulse signal. The failure of the main control means is determined and the received pulse signal is output to the main control means as it is. That is, the failure of the main control means can be detected by monitoring the cycle of the pulse signal. Then, the main control means makes a failure determination based on the pulse signal returned from the sub control means. That is, if there is an abnormality in either the main or sub control means, it can be detected by monitoring the cycle of the pulse signal.

Further, in the fourth invention of the present application, the main control means respectively performs predetermined arithmetic operations unrelated to actual control at a plurality of points in the middle of a series of control processing according to a predetermined program. When the calculation result is correct, it is determined whether or not the calculation result is correct. When there is no error in the calculation result, a predetermined pulse signal is output to the sub control means. That is, the pulse signal is not output to the sub control means when a part of the prescribed routine according to the program is not executed or when the above calculation is not normally performed. If the pulse signal is not output even after a lapse of a certain period of time, the sub control unit determines that the main control unit has an abnormality and determines that it is in failure.

Further, in the fifth invention of the present application, basically, the same operation as any one of the above-mentioned first to fourth inventions is performed. Moreover, at least one of the main control means and the sub-control means is provided with the failure determination means, and the pulse signal of a constant cycle (that is, the watchdog pulse) output from the other is monitored. Then, it is determined whether or not there is a failure in the other control means. That is, in addition to the failure determination according to any one of the first to fourth aspects of the invention, the failure determination by the normal watchdog method is performed.

[0020]

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, the embodiments of the present invention will be described with reference to the accompanying drawings by way of example in which an electronic control unit for controlling a so-called ABS (anti-lock brake system) of an automobile is a control target. It will be described in detail with reference. FIG. 1 is a block configuration diagram for explaining a signal system of the electronic control unit C according to the present embodiment.
As shown in this figure, the electronic control unit C includes a main CPU mainly for performing control calculation of ABS control.
1 and a sub CPU 2 for detecting a failure (failure) of the main CPU 1 are provided.

Between the main CPU 1 and the sub CPU 2, at least the main CPU 1 to the sub CPU 2
There is provided a communication line capable of communicating with. The main CPU 1 and the sub CPU 2 correspond to the "main control unit" and the "sub control unit" described in the claims, respectively. Main CPU1
Is composed of, for example, a 16-bit type CPU having a relatively large computing capacity, while the sub CPU 2 is composed of, for example, a 4-bit type CPU having a relatively small computing capacity. The internal configuration of each CPU will be described later.

The control signal output from the main CPU 1 is input to a driver D (driving circuit) that drives an actuator that operates the brake mechanism of the ABS device.
The brake mechanism of the ABS device is provided with a hydraulic circuit for controlling the brake mechanism. The hydraulic circuit is provided with electromagnetic solenoid valves S1 to S4 as actuators of the brake mechanism of the ABS device. There is.
That is, the hydraulic circuit includes right front wheels (FR), left front wheels (FL), right rear wheels (RR), and left rear wheels (RL).
Electromagnetic solenoid valves S1, S2, S3 and S4 for
Is provided, and each of these electromagnetic solenoid valves S1
To S4, through the drive circuit, the main CPU
The control signals from 1 are input respectively.

Each of the solenoid valves S1 to S4 is provided with a pair of an IN valve and an OUT valve for each hydraulic channel for the brake mechanism of each wheel. That is, the hydraulic circuit is provided with two electromagnetic solenoid valves, two for each brake mechanism of each wheel. Then, for each brake mechanism of each wheel, three pressure modes of increasing pressure, reducing pressure, and holding are respectively set in the control pattern of the electromagnetic solenoid valve as shown below. In this case, the solenoid valve for IN is OFF (non-energized) and is in the open state.
The solenoid valve for use is set to be closed (OFF) (non-energized).

・ Pressure increase: IN / OUT are both OFF (non-energized) ・ Pressure reduction: IN / OUT are both ON (energized) ・ Holding: IN is ON (energized) / OUT is OFF
(Non-energized) State The electromagnetic solenoid valves S1 to S4 can control both IN / OUT solenoid valves for each wheel, but in the present embodiment, for example, the front wheels (FR, FL side is for IN (S1i, S2i) / OUT
Both solenoid valves (S1o, S2o) were controlled, and only the OUT solenoid valve on the rear wheel (RR, RL) side was controlled. This is because decompression fixing on the rear wheel side is the least dangerous, and by thus reducing the number of control targets as much as possible, it is possible to suppress the required processing amount for the sub CPU 2 that requires a particularly simple configuration. ,
It is possible to prevent the calculation capacity from increasing.

As shown in FIG. 2, the main CPU 1 executes a calculation based on the control logic of the ABS control to calculate a control amount and the like, and a control execution unit 11 based on the calculated control amount. Control signal output unit 1 for outputting a control signal
2 is provided, and the output control signal is input from each output port 13 to each electromagnetic solenoid valve S1 to S4 via the driver D. Further, the main CPU 1 is provided with a driver D from the electromagnetic solenoid valves S1 to S4.
A signal monitor unit 14 for monitoring the signal value of a control signal input to the control signal output unit 12 is provided, and a comparison and determination unit 15 for comparing and comparing the monitoring result of the signal monitor unit 14 and the output value of the control signal output unit 12 Is provided. By this comparison determination, it is possible to detect an abnormality in the output port 13, the driver D, or the transmission line to the electromagnetic solenoid valves S1 to S4.

Further, the main CPU 1 has a sub CPU 2
On the other hand, a W / D signal output unit 16 that outputs a pulse signal having a constant cycle (for example, a cycle of 8 msec. Which is the same as a control cycle described later) as a so-called watchdog (W / D) signal is provided. Here, the watchdog pulse is basically a rectangular wave signal that repeatedly turns on and off in a constant cycle, and the on-time and off-time in one cycle are set to constant values. Further, in the present embodiment, as will be described in detail later, a control signal to be output to each electromagnetic solenoid valve S1 to S4 that is a direct control target (a control signal based on the control logic of the ABS control). A signal similar to the above is output to the sub CPU 2 as a reference signal for failure determination, and the main CPU 1 outputs a reference signal output from the control execution unit 11 to the sub CPU 2. 17 are provided.

On the other hand, the sub CPU 2 includes the main CPU 1
A period monitor unit 21 for monitoring the pulse period of the W / D signal from is provided, and the monitoring result is sent to the W / D circuit 3. Further, the sub CPU 2 includes a reference signal monitor unit 22 that receives and monitors the above-mentioned reference signal, and a control signal monitor unit 23 that takes in and monitors the control signal output from the main CPU 1 to the driver D. The main CPU is provided by comparing the monitor results of both monitor sections 22 and 23 and determining whether there is a contradiction between both signals, as will be described later.
A failure determination unit 24 that performs the failure determination of No. 1 is provided.

The period monitor section 21 is the same as that well known in the prior art, and the W from the main CPU 1 is used.
When the pulse cycle of the / D signal is monitored and the disturbance is detected, the W / D circuit 3 determines that an abnormality has occurred in the main CPU 1. That is, the watchdog pulse (W / D pulse) is generated by the W / D signal output section 16 of the main CPU 1, but the main CP
When U1 is failing, the W / D pulse is disturbed and the ON time or OFF time becomes larger or smaller than the originally set value. So this W
When the ON time or the OFF time of the / D pulse is not between the predetermined lower limit value and the upper limit value, it is determined that the CPU 1 has failed. In the present embodiment, the W / D signal is sent from the main CPU 1 to the sub CPU.
Although it is only transmitted to the PU2, a W / D pulse may be transmitted from the sub CPU 2 to the main CPU 1 instead, and a cycle monitor unit may be provided on the main CPU 1 side. Alternatively, the main CPU1 and the sub CPU2
It is also possible to send W / D pulses from both parties to the other party and mutually monitor the cycle.

Although not specifically shown, when a failure occurs in the driver D, for example, by cutting a relay (fail safe relay), the driver AB
A fail-safe circuit for forcibly deactivating the S device is provided, and the fail-safe circuit is connected to the comparison determination unit 15 of the main CPU 1, the W / D circuit 3 and the failure determination unit 24 of the sub CPU 2. , Each determination result is input as a signal. Based on these signals, the fail-safe circuit keeps the fail-safe relay in the activated state under the AND condition (that is, when none of the signals indicates the determination of the failure), and the main CPU 1 transfers the driver D to the driver D. The input control signal is directly output to each electromagnetic solenoid valve S1 to S4. Conversely, if any of the signals indicates a failure determination, the fail safe relay is cut off and the ABS device is deactivated. At this time, a warning lamp (not shown) is turned on or blinks to notify the driver of the occurrence of a failure in the electronic control unit.

In the present embodiment, as described above, the main CPU 1 outputs a control signal based on the control logic of the ABS control to each of the electromagnetic solenoid valves S1 to S4 which are direct control targets, and the sub CPU The CPU 2 also outputs a similar signal (a signal based on the above control logic), and the sub CPU 2 is configured to monitor the control signal output from the main CPU 1 to the electromagnetic solenoid valves S1 to S4. Then, the sub CPU 2 compares the signal input from the main CPU 1 with the monitored control signal, and determines a failure when both signals conflict.

Next, the generation of the control signal and the reference signal in the main CPU 1 will be mainly described with reference to FIGS.
This will be described with reference to the flowchart of FIG. Main CP
Detection data necessary for ABS control is input to U1 as a signal from various sensors.
Reads these detection data, and the control execution unit 11
The control amount is calculated by performing an operation based on the control logic of the BS control. In this case, the control logic of the ABS control itself and the method of arithmetic processing based thereon are the same as those well known in the prior art. Then, a control signal based on the control amount calculated for each wheel is output from the control signal output unit 12 through the output port 13 by the driver D to the electromagnetic solenoid valves S1 to S4 of each wheel. .

FIG. 3 is a flow chart for explaining the ABS control logic execution process in the control execution unit of the main CPU 1. In the present embodiment, this AB
The execution of the S control logic is set to be repeated at a control cycle of 8 msec. (Millisecond), for example. When the setting of the output signals (control signal and reference signal) from the main CPU 1 in the previous control cycle is completed (step # 0), the wheel speed data input processing (step # 1) is first performed as the current control cycle. After that, the vehicle speed and the road surface μ (friction coefficient) are sequentially calculated (steps # 2 and # 3), and the lock determination for each wheel (step # 4) is performed based on these values. Then, the control amount is calculated for each wheel (step # 5).
After that, the fail-safe processing for setting the fail-safe circuit and the RAM check (steps # 6 and # 7) are performed.

This series of flows (control cycle is 8 m, for example)
sec.), interrupt processing is performed, for example, every 1 msec., and data of the control amount (pressure increase amount or pressure decrease amount) for each hydraulic channel for each wheel is output to the control signal output unit 1.
2 is set in the output buffer, and a control signal based on this control amount (specifically, for example, a signal in which contents such as pressure increase or pressure decrease are set for several msec) is output from the output buffer to the output port 13. It Note that the above step #
The RAM check 7 is to check the RAM of this output buffer. After the above steps are executed, the process returns to step # 0, and the main CP in the current control cycle
The output signals (control signal and reference signal) from U1 are set. That is, from the main CPU 1 to the sub CPU
The reference signal set to 2 subroutine is executed here.

Next, the reference signal setting subroutine will be described. As shown in FIG. 4, in this subroutine, first, at step # 11, an ABS control determination flag (ABS flag) indicating that ABS control is being performed.
If YES, it is determined whether the ABS speed is controlled after the ABS signal indicating that the ABS control is in progress is set (step # 12). Whether the vehicle speed is equal to or higher than the permitted vehicle speed (step # 13) and whether the vehicle is in the fail-safe control permitted state (step # 14) are sequentially determined,
If both are YES, step # 15 is executed. On the other hand, in any of the above step # 11, step # 13 or step # 14, the determination result is N
In the case of O, in step # 21, the pressure increase signals are set for all hydraulic channels (all ch.),
After the non-ABS signal indicating that the ABS control is not being performed is set, a mismatch signal setting subroutine which will be described in detail later is executed.

In the above step # 15, it is determined whether or not the lock determination is established for each wheel. If the determination is YES, in step # 16, it is not the pressure reduction prohibition condition in the ABS control, and the pressure reduction is not performed. It is determined whether the quantity is not 0 (zero). If the determination result is NO in any of these steps # 15 and # 16, in step # 22, the pressure increase signal is set for the hydraulic channel of the wheel, and then the inconsistency signal setting subroutine is executed. Is executed. Then, the above step # 1
If the determination result in 6 is YES, step # 17
Then, it is determined whether or not the depressurization time is less than 8 msec. (1 control cycle). If this is YES, the reversal signal is set for the wheel (step # 18). If the determination result in step # 17 is NO, the pressure reduction signal is set for the wheel (step # 19).
After the execution of either step # 18 or step # 19, the mismatch signal setting subroutine is executed.

Next, the mismatch signal setting subroutine will be described. As shown in FIG. 5, in this subroutine, first, in step # 31, it is determined whether or not the ABS signal is being set. If this is YES, in step # 32, one of the hydraulic channels is set. At, it is determined whether or not the pressure reduction signal set is continuously maintained. Then, if this is YES, that is, if the ABS signal is being set and there is a hydraulic channel in which the pressure reducing signal is still set, it is determined whether or not a certain time has elapsed in this state (step # 33), this is Y
At ES, a non-ABS signal is set in step # 34 even though the ABS signal is actually being set. That is, the signals of disagreement are intentionally set. As a result, the timer on the side of the sub CPU 2 (timer A described later) is cleared. This disagreement signal is output periodically while the above state continues. If the result of the determination in any of the above steps # 31 and # 32 is NO, after the timer is cleared in step # 35, steps # 33 and # 34 are skipped and the process is returned. It

FIG. 6 shows the main CPU 1 as described above.
3 is a time chart showing an example of a reference signal output from the CPU to the sub CPU 2 and an example of a control signal output from the main CPU 1 to the driver D. In this time chart, all control signals are not shown, and the IN and OUT solenoid valves S1i and S1o of the right front wheel (FR) and the I of the left front wheel (FL) are not shown.
An example is shown for the solenoid valve S2i for N. As shown in this figure, in the present embodiment, the reference signal is a signal indicating six solenoid valves and the ABS signal by time sharing in interrupt processing for every 1 msec. In one control cycle (8 msec.). Is output including. Further, in this example, from the Lo (reduced pressure) to the H for IN of the right front wheel (FR), OUT of the right rear wheel (RR), and OUT of the left rear wheel (RL).
i (increase in pressure). An example of the change of the pressure state in the control signal is shown for the IN solenoid valve S1i of the right front wheel (FR).

In the example of FIG. 6, the ABS signal is Lo → Hi.
Is under ABS control, Hi → Lo represents a non-ABS state. That is, in the example of FIG. 6, the ABS signal is Lo → Hi, which indicates that the ABS control is being performed. In the above non-matching signal setting subroutine, even when the ABS control is actually being performed, this signal state is forcibly set to the non-ABS control state (Hi → Lo) and the non-matching signal is output. In the present embodiment, as described above, the main CPU 1 outputs a pulsed W / D signal having a period of 8 msec. To the sub CPU 2.
2 synchronizes by looking at the rising (Lo / Hi) state of the W / D signal.

While the main CPU 1 generates and outputs the control signal and the reference signal as described above, the sub CPU 2 executes the following failure detection processing. Note that this failure detection processing is, for example, 42
It is executed in a control cycle of 0 μsec. (Microsecond). That is, as shown in FIG. 7, in this failure detection processing process, first, the reference signal input from the main CPU 1 is read (step # 41), and each electromagnetic solenoid valve of the hydraulic channel of each wheel is read from the main CPU 1. The monitor signal for 8 msec. Which takes in the control signal output to S1 to S4 is read (step # 42). The reading of the reference signal and the reading of the monitor signal are performed, for example, every 420 μsec.

Then, in step # 43, 8 msec.
It is determined whether or not (1 control cycle) is the timing to end, and if this is YES, then in step # 44, the electromagnetic solenoid valves S1 to S4 of the hydraulic channels of the wheels are set.
With respect to, it is determined whether or not the control contents of the reference signal and the monitor signal match (that is, there is no contradiction between the two signals). In this case, when comparing the two signals, the presence or absence of the contradiction may be determined by checking only the presence or absence of the change without determining the direction of increase or decrease. If this is YES, then for the reference signal from the main CPU 1,
It is determined whether or not the BS control is being performed (step # 47), and subsequently, it is determined whether or not the pressure reduction is continuously shown in any hydraulic channel (ch.) (Step # 47). # 48). If this is YES, that is, the ABS is under control for the reference signal,
If there is a hydraulic channel that continuously indicates a reduced pressure state, at step # 49, the timer A
Is incremented.

At this time, the control execution unit 1 of the main CPU 1
1 and the output port 18 for outputting the reference signal to the sub CPU 2 are both normal, the ABS signal is set in the reference signal to be output to the sub CPU 2, and
If there is a hydraulic pressure channel for which the pressure reduction signal is continuously set, a non-matching signal (non-ABS signal) is forcibly set at regular time intervals. Is NO,
Although the timer A is cleared (step # 52), if the control execution unit 11 of the main CPU 1 is abnormal, the above-described mismatch signal (non-ABS signal) is generated.
Is forcibly not set, and the increment of the timer A (step # 49) proceeds as it is. Further, even if an abnormality occurs in the output port 18 that outputs the reference signal to the sub CPU 2 and the port sticks, the above-described mismatch signal (non-ABS signal) is not output. The increment of the timer A (step # 49) proceeds as it is. Then, in step # 50, the timer value of the timer A is set to the predetermined value Ta.
(For example, Ta = 20) It is determined whether or not the value is equal to or more, and if this is YES, the system cut is performed in step # 51. That is, the fail-safe relay is cut off, the output of the control signal from the main CPU 1 to the electromagnetic solenoid valves S1 to S4 is stopped,
Further, the output of the W / D pulse from the main CPU 1 to the sub CPU 2 is also stopped.

On the other hand, if the decision result in the step # 50 is NO, the process returns to the step # 41, and the execution of the subsequent steps is repeated. Further, when the result of the determination in any one of the steps # 47 and # 48 is NO, the timer A is cleared in step # 52 and then the process returns to step # 41. Further, if the determination result in step # 44 is NO, the timer B (NG timer) is incremented (step # 45), and then, in step # 46, the timer value of this timer B is set to the predetermined value Tb ( For example, it is determined whether or not Tb = 10) or more. If this is YES, it is determined that an abnormality has occurred in the main CPU 1, and the system cut in step # 51 is executed. On the other hand, if the decision result in the step # 46 is NO, the step # 4
Each step after 7 is executed.

As described above, according to the present embodiment, the main CPU 1 has the electromagnetic solenoid valve S.
1 to S4, a signal (reference signal) based on the control logic of the ABS control as well as the control signal output to the sub CPU
2 is also output to the main CPU1
Monitors the control signal output to the electromagnetic solenoid valves S1 to S4, compares the monitored control signal with the reference signal input from the main CPU 1 by the failure determination section 24, and outputs both signals. If there is a contradiction, it is judged as a failure. That is, on the control signal side, when a signal is generated by passing a part of the program or when an abnormality occurs in the output portion (control signal output unit 12 or output port 13), this is effectively detected. be able to. Therefore, compared to the case where the main CPU is caused to perform an operation irrelevant to the actual control and the operation result is checked by the sub CPU to detect a failure, the configuration is simpler and the amount of communication between them is reduced. It is possible to perform highly reliable failure detection without increasing the size or enlarging the calculation capacity of the sub CPU.

In addition, as the reference signal output from the main CPU 1 to the sub CPU 2, when the same output state is continued for a predetermined time, a signal in a specific state different from that state is output for a short time. (That is, AB
The signal indicating the non-ABS state is forcibly output even during the S control), and the sub CPU 2
When the same state of the output of the main CPU 1 is not detected even when the same state is continued for the predetermined time or more,
It is determined that there is an abnormality in the output from the main CPU 1 to the sub CPU 2, and the system determines that a failure has occurred. As a result, not only the main CPU 1 malfunctions but also the main CP
Output port 1 when outputting from U1 to sub CPU2
Port abnormalities such as sticking of No. 8 can be effectively detected, and the reliability of failure detection can be further enhanced. Further, in addition to the above-mentioned failure detection, failure detection by a normal watchdog method is also performed, so that it is possible to further improve reliability while avoiding complication of the configuration.

In the above embodiment, the watchdog pulse (W / D pulse) is sent from the main CPU 1 to the sub CPU.
It is output to PU2, and the cycle monitor unit 2 of this sub CPU 2
The cycle was monitored in 1 and the failure was determined by the normal watchdog method.
Instead of or in addition to this, the main CPU
The sub CPU 2 receives the W / D pulse transmitted from the main CPU 1 to determine the failure of the main CPU 1, and outputs the received pulse signal as it is to the main CPU 1,
By making the PU1 perform the failure determination based on the pulse signal returned from the sub CPU 2, it is possible to perform the failure detection by the watchdog with higher reliability. Hereinafter, another embodiment of the present invention will be described with reference to FIG.
This will be described with reference to the flowchart of FIG. In the following description, the same components as those in the above-described embodiment shown in FIGS. 1 to 7 are designated by the same reference numerals,
Further description is omitted.

In the fault detection by the W / D pulse according to the other embodiment, as shown in the flowchart of FIG. 8, the sub CPU 2 receives the W / D pulse from the main CPU 1 and the fault detection subroutine starts. Then,
First, in step # 61, the W / D from the main CPU 1
It is determined whether or not the pulse (main W / D pulse) rises from Lo to Hi. The failure detection subroutine using the W / D pulse is executed at a control cycle of, for example, 70 μsec. The determination result of step # 61 is 3
If the answer is YES in succession, the sub C
PU2 is a W / D pulse for the main CPU1 (sub W
/ D pulse) to output Hi. And step # 6
At 3, it is determined whether or not the time from the previous change from Lo to Hi (time from the previous change) is within the specified range. If the decision result in the step # 63 is YES, there is no abnormality and the process returns to the step # 61.
On the other hand, in the case of NO, since it is recognized as an abnormality, the NG counter is incremented in step # 67, and when the counter value Ka becomes equal to or larger than the predetermined value (for example, Ka = 10) (step # 68: YES), the system It is cut (step # 69).

On the other hand, if the decision result in the step # 61 is NO, it is determined in the step # 64 whether 4 msec. Has elapsed. If it is YES, the sub CPU 2 determines in the step # 65. W for main CPU1
Lo is output by the / D pulse (sub W / D pulse). Then, in step # 66, it is determined whether or not a prescribed time or more has elapsed. If this is YES, it is recognized as an abnormality, so the NG counter is incremented in step # 67, and this counter value is the above predetermined value Ka. When the above is reached (step # 68: YES), the system is cut (step # 69). If the decision result in the step # 66 is NO, the operation is not abnormal and the process returns to the step # 61. When the result of the determination in step # 64 is NO, step # 65 is skipped and step # 66 is executed.

As described above, W from the main CPU 1
The cycle of the / D pulse is monitored by the sub CPU 2, and the main CPU 1 also outputs its Lo based on the W / D pulse output (returned) from the sub CPU 2.
Failure is detected by monitoring the cycle with reference to the rise from HI to Hi. By performing such mutual monitoring, various failures can be detected as follows. That is, when the clock of the main CPU 1 is abnormal,
Normally, the sub CPU 2 detects the abnormality of the W / D pulse cycle of the main CPU 1. If there is an abnormality in the clock of the sub CPU 2, the sub CPU 2 cannot detect its own abnormality, but the main C
Failure detection is performed assuming that the W / D pulse of PU1 has a cycle abnormality. When a program abnormality of the main CPU 1 occurs, the sub CPU 2 detects it as a cycle abnormality of the W / D pulse of the main CPU 1. When a program abnormality of the sub CPU 2 occurs, the W / D pulse from the sub CPU 2 to the main CPU 1 does not occur (is not returned), so the main CPU 1
Detect the abnormality of 2.

As described above, according to this embodiment, the sub CPU 2 that receives the W / D pulse from the main CPU 1 receives the W / D pulse from the main CPU 1 based on the pulse signal.
And the received W / D pulse is output (returned) to the main CPU 1 as it is. Then, the main CPU 1 makes a failure determination based on the pulse signal returned from the sub CPU 2. That is, if there is an abnormality in either the main or sub CPU, it can be detected by monitoring the cycle of the pulse signal. Further, in this case, the sub CPU 2 independently operates W /
Mutual monitoring by the W / D pulse can be performed without generating and outputting the D pulse, and reliability of failure detection can be improved while avoiding complication of the configuration.

Next, still another embodiment of the present invention will be described. In this embodiment, the main CPU 1
A series of control processing (that is, AB according to a predetermined program)
S control processing) executes predetermined arithmetic operations unrelated to actual control at a plurality of points on the way,
Whether the calculation result is right or wrong is determined, and when there is no error in the calculation result, a predetermined pulse signal (that is, W / D pulse signal) is output to the sub CPU 2. Then, the sub CPU 2 determines that there is a failure if the W / D pulse signal is not output even after a lapse of a certain period of time. Hereinafter, the failure determination by monitoring the W / D pulse in this other embodiment will be described with reference to the flowchart of FIG. 9 and the time chart of FIG.

Incidentally, A in this other embodiment of the present invention.
The BS control logic is the control logic shown in FIG.
Step # 1 to Step # 7), and the execution of this control logic is repeated, for example, in a control cycle of 8 msec. (Millisecond) as in the case of FIG. It is set. And
In this series of flows (control cycle is, for example, 8 msec.), Interrupt processing is performed, for example, every 1 msec., And in this interrupt processing, a predetermined calculation (TEST) unrelated to actual control is executed. It has become. The up and down arrows in the time chart of FIG. 10 represent the timing of this interrupt processing.

When the previous control cycle ends and the current control cycle starts (step # 80), at the start of the current control cycle, first, in step # 81, the test (calculation) result in the previous control cycle conforms to the specified value. Or not (that is, whether or not there is an error in the calculation result). still,
A specific example of the test performed in the interrupt process will be described later. If the decision result in the step # 81 is NO, there is an abnormality in the main CPU 1, so the system is down (step # 82). On the other hand, if the determination result in step # 81 is YES, the test is reset in step # 83 (TEST = 0), the W / D pulse output flag is set (step # 84), and the pulse rises. (See arrow 1 in FIG. 10). Then, the first calculation (TEST) is executed (step # 85).

After executing this TEST, input processing of wheel speed data is performed according to the ABS control logic (step # 86), and then calculation of vehicle speed and road surface μ (friction coefficient) is performed (step # 88 and step # 88). 90), and further, the lock determination for each wheel (step # 92) is sequentially executed based on these values. Before execution of these steps # 88, # 90 and # 92, TEST, and ( Steps # 87, # 89 and # 91) are executed by interrupt processing. Then, after the wheel lock determination (step # 92) is completed, at step # 93, until now (T
It is determined whether or not the test (calculation) result of EST ~) is in accordance with the specified value (that is, whether the calculation result has an error).

A specific example of the operation (TEST-) performed in the interrupt processing up to now is shown below. In these arithmetic expressions, A, B, C, D and E are constants. -TEST: A + B-TEST: C * (calculated value of TEST) -TEST: (calculated value of TEST) / D-TEST: (calculated value of TEST) -E Therefore, in step # 93 above, the calculated value of TEST is If there is an error in at least one of the operations (TEST-) performed in the interrupt processing up to now by determining whether or not it is according to the specified value, or
If there is a step that has not been executed, the calculated value of TEST does not match the specified value, and the determination result of step # 93 is N.
Since it becomes O, the system is down (step # 94),
W / D signal pulses are no longer generated. That is, since the sub CPU 2 does not receive the W / D pulse from the main CPU 1, if the W / D pulse is not received for a certain time or longer, it can be detected that the main CPU 1 has a failure. Of.

If the decision result in the step # 93 is NO, the system is down because the main CPU 1 has an abnormality (step # 94). On the other hand, step # 93
If the result of the determination is YES in step # 95, the test is reset (TEST = 0) and the output signal for inverting the W / D pulse is set. In other words, W /
The D pulse output flag is reset (step # 9)
6). The pulse inversion is performed, for example, by temporarily setting the signal in the accumulator and inverting it.
As a result, the pulse falls (see arrow 5 in FIG. 10). Then, the fifth calculation (TEST) is executed (step # 97).

After executing this TEST, the control amount is calculated according to the ABS control logic (step # 98),
The fail safe process (step # 100) and the RAM check (step # 102) are sequentially executed, but before the execution of these steps # 100 and # 102, the TEST
And (steps # 99 and # 101) are executed by interrupt processing. When the RAM check (step # 102) is completed, the process returns to step # 80. Although not shown in the figure,
Since one control cycle ends when the RAM check is completed,
The control signal from the main CPU 1 is set.

W / D pulse inversion (see step # 96)
A specific example of the operation (TEST-) performed in the subsequent interrupt processing is shown below. In these arithmetic expressions, A ′,
B ', C'and D'are constants. -TEST: A '+ B'-TEST: C'x (calculated value of TEST) -TEST: (calculated value of TEST) / D' Therefore, after returning, in step # 81 above, TE
If there is an error in at least one of the operations (TEST-) performed in the interrupt processing after the W / D pulse inversion by determining whether or not the operation value of ST is the specified value, Alternatively, if there is a step that has not been executed, the calculated value of TEST does not match the specified value. Then, since the determination result of step # 81 is NO, the system is down (step # 82) and the pulse generation of the W / D signal is stopped. That is, the sub CPU 2
Does not receive the W / D pulse from the main CPU 1, so if the W / D pulse is not received for a certain period of time, it is determined that the main CPU 1 has failed.

As described above, according to this embodiment, the main CPU 1 has a plurality of predetermined points irrelevant to actual control at a plurality of points in the series of control processing according to the program of the ABS control logic. Calculation (TEST)
And the correctness of this operation result is determined. If there is no error in this operation result, the sub CPU
2 outputs a predetermined pulse signal. That is, the pulse signal is not output to the sub control means when a part of the prescribed routine according to the program is not executed or when the above calculation is not normally performed. Therefore, when the sub-control means does not output the pulse signal even after a lapse of a certain period of time, the sub-control means can determine that the main control means has an abnormality and be in failure.
In this case, it is possible to detect the failure including the program execution abnormality and the arithmetic function abnormality on the main CPU 1 side.
As the failure detection using the / D pulse, it is possible to perform failure detection with extremely high reliability. This failure detection method can also be used in combination with the conventional failure detection by the W / D pulse.

[0059]

According to the first invention of the present application, the main control means is the same signal as the control signal to be output to the control target.
(A signal based on a predetermined control logic) is also output to the sub-control means, while the sub-control means monitors the control signal output to the controlled object by the main control means, and the failure determination unit monitors this control signal. The control signal is compared with the above-mentioned signal input from the main control means, and if there is a contradiction between both signals, it is determined that a failure has occurred.
Compared to the case where the PU performs an operation unrelated to the actual control, and the operation result is checked by the sub CPU to detect a failure, the configuration is simpler and the amount of communication between the sub CPU and the sub Without inviting an increase in the calculation capacity of the CPU,
Fault detection with high reliability can be performed.

According to the second invention of the present application, basically, the same operation as that of the first invention is performed. In addition, the signal output from the main control means to the sub control means is such that when the same output state is continued for a predetermined time, a signal in a specific state different from that state is output for a short time. If the same state of the output of the main control means is not detected even if the same state of the output of the main control means continues for the predetermined time or more, the sub control means outputs the signal from the main control means to the sub control means. Since it is determined that there is an abnormality and it is determined as a failure, not only the occurrence of an abnormality in the control unit itself of the main control unit but also a port abnormality such as sticking of an output port from the main control unit to the sub-control unit is effectively detected. Therefore, the reliability of failure detection can be further enhanced.

Further, according to the third invention of the present application, the main control means outputs a pulse signal (that is, a watchdog pulse) of a constant cycle to the sub control means, and the sub control means receives the pulse signal. Then, the failure of the main control means is determined and the received pulse signal is directly output to the main control means. That is, a failure of the main control means can be detected by monitoring the cycle of the pulse signal, and the main control means can make a failure determination based on the pulse signal returned from the sub control means. That is, if there is an abnormality in either the main or sub control means, it can be detected by monitoring the cycle of the pulse signal. Further, in this case, the sub CPU 2 can perform mutual monitoring by the W / D pulse without independently generating / outputting the W / D pulse, and can prevent failure detection while avoiding complication of the configuration. The reliability can be improved.

Further, in the fourth invention of the present application, the main control means respectively performs a predetermined calculation irrelevant to actual control at a plurality of points in the middle of a series of control processing according to a predetermined program. When the calculation result is correct, it is determined whether or not the calculation result is correct. When there is no error in the calculation result, a predetermined pulse signal is output to the sub control means. That is, the pulse signal is not output to the sub control means when a part of the prescribed routine according to the program is not executed or when the above calculation is not normally performed. Therefore, when the sub-control means does not output the pulse signal even after a lapse of a certain period of time, the sub-control means can determine that there is an abnormality in the main control means and determine that there is a failure. In this case, it is possible to detect the failure including the program execution abnormality and the arithmetic function abnormality on the main control means side, and as the failure detection by the W / D pulse,
A very reliable fault detection can be performed.

Further, according to the fifth invention of the present application,
Basically, the same operation as that of any one of the first to fourth inventions is performed. Moreover, at least one of the main control means and the sub-control means is provided with the failure determination means, and the pulse signal of a constant cycle (that is, the watchdog pulse) output from the other is monitored. Then, it is determined whether or not there is a failure in the other control means.
That is, in addition to the failure determination according to any one of the first to fourth inventions, the failure determination by the normal watchdog method can be performed, and the reliability of failure detection can be improved while avoiding the complication of the configuration. It can be further enhanced.

[Brief description of drawings]

FIG. 1 is a block configuration diagram showing a signal system of an electronic control unit according to an embodiment of the present invention.

FIG. 2 is a block configuration diagram schematically showing a configuration of each CPU of the electronic control unit.

FIG. 3 is a flow chart for explaining an ABS control logic execution process in the main CPU.

FIG. 4 is a flowchart for explaining a reference signal setting subroutine from the main CPU to the sub CPU.

FIG. 5 is a flow chart for explaining a subroutine for setting a mismatch signal from the main CPU to the sub CPU.

FIG. 6 is a time chart showing an example of reference signals and control signals output from the main CPU.

FIG. 7 is a flowchart for explaining a failure detection process in the sub CPU. FIG.

FIG. 8 is a flowchart for explaining failure determination by monitoring a watchdog pulse according to another embodiment of the present invention.

FIG. 9 is a flowchart for explaining failure determination by monitoring a watch dog pulse according to still another embodiment of the present invention.

FIG. 10 is a time chart for explaining failure determination by monitoring a watch dog pulse according to the still another embodiment.

[Explanation of symbols]

 1 ... Main CPU 2 ... Sub CPU 3 ... Watchdog (W / D) circuit 11 ... Control execution unit 12 ... Control signal output unit 16 ... Watchdog (W / D) signal output unit 17 ... Reference signal output unit 21 ... Period Monitor unit 22 ... Reference signal monitor unit 23 ... Control signal monitor unit 24 ... Failure determination unit C ... Electronic control unit S1, S2, S3, S4 ... Electromagnetic solenoid valve

 ─────────────────────────────────────────────────── ─── Continuation of the front page (72) Inventor Tetsuhiro Yamashita, Shinchi Fuchu-cho, Aki-gun, Hiroshima 3-1, Mazda Co., Ltd. Within

Claims (5)

[Claims] 1. A main control means for controlling a controlled object,
An electronic control unit comprising: a sub-control unit that determines the presence or absence of a failure of the main control unit without controlling the control target, wherein the main control unit has a predetermined control logic for the control target. A control signal based on the control logic is output to the sub-control unit while the sub-control unit monitors the control signal output from the main control unit to the control target. The sub-control means is configured to compare the signal input from the main control means with the monitored control signal, and if there is a contradiction between both signals, a failure determination section that determines a failure. An electronic control unit comprising: 2. The signal output from the main control means to the sub control means is such that, when the same output state is continued for a predetermined time, a signal in a specific state different from the state is output for a short time. It is configured that, even if the same state of the output of the main control means continues for the predetermined time or more, if the sub control means does not detect the signal of the specific state, it is determined as a failure. Item 1. The electronic control unit according to item 1. 3. Main control means for controlling a controlled object,
An electronic control unit comprising: a sub-control unit that determines whether or not there is a failure of the main control unit without controlling the controlled object, wherein the main control unit has a predetermined cycle with respect to the sub-control unit. The pulse signal is output, the sub-control unit receives the pulse signal, determines the failure of the main control unit, and outputs the received pulse signal as it is to the main control unit.
The electronic control unit, wherein the main control means determines a failure based on the pulse signal returned from the sub control means. 4. Main control means for controlling a controlled object,
An electronic control unit comprising: a sub-control unit that determines whether or not the main control unit has a failure without controlling the controlled object, wherein the main control unit is a series of controls according to a predetermined program. At a plurality of points in the process, predetermined arithmetic operations unrelated to the actual control are executed, and the correctness of the arithmetic operation result is determined. If there is no error in the arithmetic operation result, the sub control means is An electronic control unit configured to output a predetermined pulse signal, wherein the sub-control unit determines a failure if the pulse signal is not output even after a lapse of a certain period of time. 5. A failure determination for monitoring at least one of the main control means and the sub-control means a pulse signal of a constant cycle output from the other to determine whether the other control means has a failure. Means are provided, The electronic control unit according to any one of claims 1 to 4.