JPH1021107A - Microcomputer system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To surely diagnose the fault of a CPU itself by reloading the contents in an input converting area, arithmetic work converting area or output converting area into write data for diagnosis stored inside a ROM and collating them with output expected data. SOLUTION: Out of one set of paired data in a ROM 8 selected beforehand first of all, are selected, and next, these output expected data OD to be outputted expected data are collated with data in an arithmetic work converting area A-2 and an output converting area A-3 provided by preceding operation. In this case, the matching of collation is discriminated concerning all the data of collating objects, in order to recover ordinary control, the contents in an input converting area A-1, arithmetic work converting area A-2 and output converting area A-3 are returned into initial state and afterwards, output processing is executed similarly to the time of ordinary control. When the nonmatching of collation is discriminated in any parameter, on the other hand, instruction execution abnormality processing is immediately executed and the alarm of such a state is issued to the outside and the operation of a CPU 10 is stopped.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a microcomputer device suitable for application to a control system and the like, and more particularly to a CPU itself (in particular, an ALU "Arithmetic and Logical Unit").
The present invention relates to a microcomputer device provided with a failure diagnosis function of an arithmetic unit represented by "nit" or the like.

[0002]

2. Description of the Related Art Conventionally, in a control system requiring a high degree of reliability, for example, an anti-lock brake system for a vehicle (referred to as an ABS), two microcomputer devices are provided for a controlled object. A double microcomputer system has been adopted in which the outputs of two microcomputers are collated, and if they differ, a microcomputer failure is diagnosed. The result was higher costs.

[0003] In recent years, there has been a demand for the development of a highly reliable microcomputer device capable of covering even such a control system with a single device. As one method for realizing such a microcomputer device, the microcomputer itself has a self-diagnosis function, and when any abnormality occurs, it is surely detected at an initial stage,
By taking necessary countermeasures, it is possible to prevent the target load from malfunctioning during control.

Conventionally, as a method of diagnosing a failure of a microcomputer device, a method based on a ROM sum check, a method based on monitoring a control cycle using a watch dog timer, a method based on monitoring execution of each module of a control program, and the like are known. ing.

[0005] However, in the method based on the checksum of the ROM, although a program or data can be checked for abnormality, the CPU that executes the program is checked.
A malfunction of the microcomputer device caused by its own abnormality cannot be avoided. Further, in the method of monitoring the control cycle by the watch dog timer and monitoring the execution of each module of the control program,
Although it is possible to avoid the operation abnormality of the microcomputer device due to the so-called program abnormality, although such a program abnormality has not occurred, the CPU A
It is not possible to avoid a malfunction of the microcomputer device due to an error in the numerical operation result due to an LU abnormality.

On the other hand, as a method for diagnosing a microcomputer malfunction caused by a CPU error other than a program error, for example, a pseudo signal is input from the outside to the microcomputer, and a corresponding external signal is input to the microcomputer. It is conceivable that a failure diagnosis is performed by monitoring an output signal output to the CPU and comparing the monitored output signal with a previously obtained normal output signal.

[0007] Such a failure diagnosis method will be described with reference to the block diagram of FIG. 3 and the flowchart of FIG. In FIG. 3, a microcomputer device 100
In this example, is an electronic control unit (hereinafter referred to as ECU) used for vehicle ABS control, and its external input elements are a brake switch 101 for detecting whether or not a brake operator is operated, A stroke sensor 102 for detecting the operation stroke of the brake operating element, an Fr wheel speed sensor 103 for outputting a pulse train corresponding to the rotation speed of the front wheel, and an Rr wheel for outputting a pulse train corresponding to the rotation speed of the rear wheel A speed sensor 104 is shown, and a motor 105 and a solenoid 106 for driving a brake actuator are shown as output elements.

The microcomputer 100 has a brake switch input circuit 107 for receiving a signal from the brake switch 101 as an input system.
, A stroke sensor input circuit 108 for receiving a signal from the stroke sensor 102, a Fr wheel speed sensor input circuit 109 for receiving a signal from the Fr wheel speed sensor 103, and a signal from the Rr wheel speed sensor 104. And an Rr wheel speed input circuit 110 for outputting a signal to the motor 105 and a solenoid signal for outputting a signal to the solenoid 106 as an output system. An output circuit 112 is provided.

The CPU 113 is located at the heart of the microcomputer device 100. In this embodiment, the CPU 113 is constituted by an 8-bit one-chip microcomputer. In the CPU 113, as will be described later in detail, in addition to various programs for ABS, a RO for storing a failure diagnosis program and various data are stored.
M114 and a RAM 115 provided with an input variable area, a calculation work variable, an output variable area, and areas such as various flags and registers are provided. As is well known, CPU
The instruction execution in 113 is performed using a program counter, an instruction decode unit, a register, an ALU, a timing control unit, and the like built in the CPU 113. In this example, for convenience of explanation, Of those circuit elements, only the ALU 116 that most significantly affects the numerical result is shown. In the figure, 117 is an internal bus of the CPU, 10
7a, 108a, 109a, 110a 119a, 120
a is an internal input circuit, and 118a, 111a, and 112a are internal output circuits.

Next, a description will be given of elements newly added to the microcomputer device 100 for failure diagnosis. The simulation signal input unit 118 includes a CPU
It operates based on the simulation signal input request given from 113, and outputs a simulation signal for failure diagnosis prepared in advance from each of the brake switch 101, the stroke sensor 102, the Fr wheel speed sensor 103, and the Rr wheel speed sensor 104. Signal instead of the brake switch input circuit 10
7. It has a function of inputting to the stroke sensor input circuit 108, the Fr wheel speed sensor input circuit 109, and the Rr wheel speed sensor input circuit 110. The output monitor units 119 and 120 have a function of reading the output signal output from the motor driver circuit 111 to the motor 105 and the signal output from the solenoid signal output circuit 112 to the solenoid 106 into the CPU 113, respectively. is there.

Next, the configuration of a program stored in the ROM 114 in the CPU 113 will be described with reference to the flowchart of FIG. As shown in the drawing, this program includes processing prepared for the original purpose of the ABS control (input signal reading processing 402, calculation processing 403, calculation result determination processing 404, output data rewriting processing 40).
5, 406, signal output processing 407) and processing parts prepared for failure diagnosis (simulated signal input request processing 401,
Output signal monitor processing 408, output signal collation processing 409,
Abnormality processing 410).

That is, when the program is started, a simulation signal input request is first given to the simulation signal input section 118 (step 401), whereby the brake switch input circuit 107, the stroke sensor input circuit 108, the Fr wheel speed sensor Instead of signals from the brake switch 101, the stroke sensor 102, the Fr wheel speed sensor 103, and the Rr wheel speed sensor 104, a signal from a simulation signal input unit 118 is given to an input circuit 109 and an Rr wheel speed sensor input circuit 110. Then, a so-called simulation signal is input.

Next, the input simulation signals are supplied to the brake switch input circuit 1 in the same manner as in normal control.
07, stroke sensor input circuit 108, Fr wheel speed sensor input circuit 109, Rr wheel speed sensor input circuit 110
Via the RAM 113 of the CPU 113.

Next, arithmetic processing is executed on the basis of the fetched input signals. Here, a slip ratio calculation, a brake control judgment, a duty calculation, etc. necessary for the ABS are performed (step 403).

Thereafter, a predetermined judgment process is executed based on the operation result obtained in the above operation process (step 40).
4) If the result of the determination is a certain value (A) or (C), data corresponding to motor normal rotation and solenoid ON is written to the output variable area in the RAM 115 (step 405), and the control state is changed to ( In the case of B), the data corresponding to the motor stop and the solenoid off are similarly written in the output variable area in the RAM 115 (step 406).

Thereafter, the output data written in the output variable area of the RAM 115 is transmitted to the motor 10 via a motor driver circuit 111 and a solenoid signal output circuit 112.
5 is output to the solenoid 106 (step 407).

Thereafter, output signal monitoring processing is executed,
The signals output from the motor driver circuit 111 and the solenoid signal output circuit 112 are taken into the CPU 113 via the output monitor 119 and the output monitor 120 (step 408), and then the output signal comparison processing is executed (step 408). 409).

Here, if the output signal output to the outside matches the output data corresponding to the correct answer data prepared in advance (step 409 YES), the diagnosis result is determined to be normal, and the processing is terminated. If they do not match (NO in step 409), a prepared abnormal time process is executed (step 410), and an appropriate countermeasure such as notifying the fact to the outside or switching from automatic operation to manual operation is adopted. Can be

[0019]

However, in the above-described fault diagnosis method, even if the mismatch of the collation is determined in the output collation processing (step 409) described above, the cause is the CPU 113 or not. In addition to the fact that it is impossible to identify itself in the arithmetic unit, particularly the ALU 116, there is a problem that it is impossible to diagnose any abnormality in the arithmetic unit that causes an error only in the result of the arithmetic operation.

That is, in the case of the above-described diagnosis method, when performing a diagnosis, the output circuit 118a in the CPU 113 → the pseudo signal input section 118 → the external input circuit group (107 to 110)
→ Input circuit (107a to 110) inside CPU 113
The simulation signal is read by the CPU 113 via the signal path sequentially passing through a), and the simulation signal is written to the input variable area in the RAM 115. Therefore, if there is an error or abnormality in any of the circuit elements interposed in such a signal path, if an error occurs in the simulation data itself written in the input variable area in the RAM 115 due to the error or abnormality. There is also. For example, if an error or abnormality exists in any of the external input circuit groups 107 to 110, erroneous data is stored in the input variable area of the RAM 115 even if a normal signal is output from the simulation signal input unit 118. In this case, if there is an error or abnormality in the simulation signal input unit 118 itself, the external input circuits 107-1
A similar result will occur if 10 is normal. In particular, with respect to the wheel speed sensor input circuits 109 and 110 for causing the CPU 113 to receive the periodic pulse trains from the wheel speed sensors 103 and 104, the simulation signal is used because of the detection principle of repeatedly measuring the pulse train cycle. From the input unit 118, the sensor input circuits 109,
It is very difficult to accurately input the periodic data corresponding to the designated simulation signal to the simulation signal 110. As a result, the simulation data input section 118 and the wheel speed sensor input circuits 109 and 110 are used to store the data in the RAM 115. In some cases, it is not possible to accurately write wheel speed data corresponding to a predetermined simulation signal in the input variable area. in this way,
In consideration of the case where the input variable data itself written in the RAM 115 is wrong, if the collation mismatch is determined in the above-described output collation processing (step 409), this is immediately determined as an abnormality of the ALU 116 in the CPU 113. Has a problem.

Similarly, in the diagnosis processing, the CPU
Output circuit groups 111 and 112 inside 113 → output monitor sections 119 and 120 → input circuit 11 inside CPU 113
9a through the signal path passing through 120a, the CPU 113 captures the output data,
5 is written in the output variable area. Therefore, if there is an error or abnormality in any of the circuit elements interposed in such a path, an error may exist in the output variable data itself written in the output variable area in the RAM 115. For example, motor driver circuit 1
11 or the output signal from the solenoid signal output circuit 112 is correct, but if the output monitor 119 or 120 is not operating normally, the output data written to the output variable area of the RAM 115 may have an incorrect value. There is. Therefore, in the case where the collation mismatch is determined in the output collation processing (step 409) performed based on such output data, this is immediately determined by the CPU 113.
There is a problem in deciding that there is an abnormality in the ALU 116 inside.

In addition, in the above-described diagnostic method, the object to be compared with the expected model output variable data is limited to the signals finally monitored from the external output circuits 111 and 112. Any numerical data which is operation variable data obtained during the control operation is compared with a specific threshold value and binarized, and the result is passed through an output circuit inside the CPU 113 and an external output circuit. If a program that gives the load
In spite of the fact that an error has occurred in the numerical operation result due to an abnormality of the LU 116, if the value of the erroneous numerical data thus obtained happens to fall within the threshold value, the externally obtained binary signal There is no difference in the value from the normal case, and as a result, such an abnormality of the ALU 116 cannot be determined. For example, any numerical operation result is compared with a threshold value of 80H (hexadecimal number) to be discriminated into a binary value.
(Hexadecimal number) or more, if the program is set to turn off if less than 80H (hexadecimal number), the numerical operation result should be A0H (hexadecimal number) Even if the value is 90H (hexadecimal) due to an abnormality, it is not possible to diagnose such a malfunction of the ALU by only monitoring the output signal.

Further, as shown in Steps 404 and 405 of FIG. 4, the intermediate calculation results that result in the same output state (motor normal rotation, solenoid ON) are the calculation results (A) and (C). In the case where there are a plurality of such cases, simply monitoring the output state means that the output state should be (A) due to the abnormality of the ALU, but the output state should be (C). ,
Cannot be determined.

As described above, the control program is simulated by giving the simulation signal through the external input circuit, the result is monitored through the external output circuit, and the monitored result is compared with the normal data prepared in advance. In the failure diagnosis method of collating and performing the failure diagnosis, even if the failure is diagnosed, it is difficult to immediately determine the abnormality of the CPU itself based on the failure diagnosis. There is a problem that depending on the assembling method, it is impossible to cope with an abnormality in the intermediate calculation result caused by an abnormality in the arithmetic unit, especially the ALU, in particular.

The present invention has been made to solve the above-mentioned problems, and has as its object the purpose of the present invention.
An object of the present invention is to provide a microcomputer device having a function of accurately diagnosing a failure of U itself.

[0026]

According to a first aspect of the present invention, there is provided a signal input circuit for externally inputting a signal, a signal output circuit for externally outputting a signal,
A ROM in which a control program is stored, and an input variable area, an operation work variable area, and an output variable area for storing input variable data, operation work variable data, and output variable data used in the control program are provided, respectively. And a CPU for executing a control program stored in the ROM, wherein at least one set of diagnostic writing data corresponding to a specific control state is stored in the ROM. And the expected output data are newly stored, and when the operation mode is set to the diagnostic mode, the contents of the input variable area, the operation work variable area, or the output variable area are stored in the R variable.
A microcomputer device configured to rewrite the diagnostic write data stored in the OM and collate with expected output data to diagnose the operation of the CPU itself based on the collation result. It is in.

The “microcomputer device” here
Has a signal input circuit, a signal output circuit, a ROM,
An AM and a CPU are provided.

Here, the "signal input circuit" is not limited to a circuit for taking in a binary signal inputted from an external sensor or a switch, a circuit for taking in an analog signal after converting it into an A / D, or a circuit for converting a pulse train into a cycle. A variety of formats may be included, such as importing.

The "signal output circuit" includes various types of digital signal output from the CPU through a D / A conversion circuit as an analog signal, an output as an on / off signal as it is, and the like. Will be included.

The "RAM" and "ROM" include those built in the CPU itself, such as an 8-bit control one-chip microcomputer.

A "control program" is stored in the ROM. The “control program” can include “signal input processing”, “control calculation processing”, and “signal output processing”. These three processes are generally performed in a time-division manner with different time zones, but the present invention is not necessarily limited thereto. For example, it is also possible to use a so-called execution method in which a signal input process is performed on specific input data, a control operation process relating to the specific input data is immediately performed, and then the corresponding output data is output to the outside as an output signal. In this case, the corresponding data will be written at random timing in each of the input variable area, the operation work variable area, and the output variable area of the RAM described later. Here, the “input variable area”, “calculation work variable area”, and “output variable area” are input variable data taken in from outside, calculation work variable data used during the calculation, and These are areas that function as storage areas for output variable data to be output, and these areas do not necessarily exist physically in blocks in memory, and individual variables are appropriately stored in memory. This includes the case where they are dispersed.

The ROM stores at least one set of diagnostic write data and expected output data corresponding to a specific control state. Here, the "specific control state"
This means that the control load is controlled to a specific state. For example, in the case of ABS, a state in which the ABS is operating, such as when sudden braking is applied, and a state in which the ABS is not operating, such as when the brake is applied lightly during normal driving, are given. be able to.

"Diagnosis write data" includes various data required to simulate a specific control state. Generally, this type of control operation is performed not only by input variable data but also by reference to operation work variable data reflecting the operation history and the like, and in some cases, even output variable data. . Therefore, the "diagnosis write data" referred to here includes all data necessary to simulate a specific control state.

The “output expected data” includes, among data expected to be obtained when the CPU operates normally as a result of simulating a specific control state, arbitrary data to be collated. Everything is included. In particular, the "expected output data" includes not only output variable data to be finally sent to the outside but also operation work variable data reflecting the result of the operation and the operation history up to that time.
Here, it is considered that the data to be collated as “output expected data” is not necessarily all data, but may be set arbitrarily.

The control program stored in the ROM can be supplemented with "diagnosis data rewriting processing" and "data collation processing". Here, the “diagnostic data rewriting process” is different from the diagnostic method described above.
This can be performed without going through any external input circuit or the like. Similarly, in the "data collation process", unlike the conventional method, the collation of the output data can be performed directly using the expected output data stored in the ROM without monitoring any external output signal. And "data rewriting process" and "data collation process"
Is performed on condition that the operation mode is set to the diagnostic mode. Here, the setting of "diagnosis mode"
In the initialization process immediately after turning on the power, or
This can be performed during a standby time zone unique to the control system. As a specific example, when the control system is a vehicle ABS, in the initialization processing immediately after turning on the power, or at least a time when the vehicle is stopped and the brake operation by the electronic control is not performed is selected. It would be good.

The main object of the present invention is to
In a state in which the influence of peripheral circuits such as an external input circuit and an external output circuit is avoided, the control program is simulated based on the diagnostic write data, and the result is compared with the expected output data, whereby the CPU itself can be evaluated. The operation is diagnosed, and how to use the diagnosis result is not always a requirement. Regarding this, when it is determined that the operation of the CPU itself is abnormal, C
Various cases may be considered, such as stopping the operation of the PU, switching from the automatic mode to the manual mode, or notifying the fact to the outside and taking appropriate appropriate countermeasures.

According to the first aspect of the present invention, the input variable area and the operation work variable area rewritten with the diagnostic write data on condition that the operation mode is set to the diagnostic mode. , And if needed,
The control program is executed (simulated) based on the contents of the output variable area, and the contents of the operation work variable area and the output variable area obtained from the execution result are collated with the output expected data prepared in advance. Therefore, in the failure diagnosis by the control program simulation of the present invention, the operation of the CPU itself can be accurately diagnosed by not passing through any external input circuit or external output circuit.

According to the first aspect of the present invention, instead of the output data monitored from the external output circuit as in the diagnosis method described above, the data is written to the output variable area and the operation work area of the RAM. It is not necessary to send the contents of the output variable area to the external output circuit at the time of diagnosis because the correct / incorrect judgment of the simulation result is performed using the contents and the expected output data. This type of diagnosis can be made without giving.

Furthermore, since the correctness / incorrectness of the simulation result can be determined by using the data of the calculation work variable area and the output variable area of the RAM, not only the final output data to be output to the outside but also the calculation result in the middle thereof can be obtained. The corresponding data can also be used to determine whether the simulation result is correct or not. Therefore, even if the intermediate calculation result is incorrect, the ALU abnormal operation such that the final output data does not change from the normal state can be used. This can be accurately diagnosed. That is, such an abnormal operation of the ALU means that, for example, as described above, the numerical data obtained as an intermediate calculation result is compared with a specific threshold value to binarize and discriminate, and the result is output to the outside. This is the case where the program performs such a program, or the case where the final output data is generated by taking the logical sum of a plurality of numerical operation results or logical operation results.

In the invention described in claim 2 of the present application, the diagnostic write data and the output expectation data are provided only in a plurality of sets, and in the diagnostic data rewriting processing, the plurality of sets are read from the plurality of sets. By the diagnostic writing data constituting the selected set of data, all or a part of the input variable area, all or a part of the operation work variable area, and / or all or a part of the output variable area. In the data collation processing, the output collation data constituting one set of data selected from the plurality of sets and the operation work variable area rewritten by execution of the control operation processing are included in the data collation processing. 2. The microcomputer according to claim 1, wherein all or part of the output variable area and / or all or part of the output variable area are collated. In the over the other apparatus.

The failure of the arithmetic unit represented by the ALU or the like
It is conceivable that this will be noticeable when one or more specific patterns of numerical operations are performed on such an operation unit. On the other hand, when viewed from the control system side,
In particular, it is considered that there are some control states that require control reliability. Therefore, if a plurality of sets of diagnostic writing data and expected output data are provided in correspondence with a control state suitable for diagnosing the state of such an operation unit or particularly reliability, this kind of microcomputer Will be able to further enhance the reliability of the control system using the.

According to a third aspect of the present invention, in the data rewriting process, the data rewriting process is performed prior to rewriting.
A variable saving process for saving the contents of a specific variable area in the AM is included, and the data collating process is performed on the condition that a matching match is made, and before the signal output process, the specific variable saved is saved. 3. The microcomputer according to claim 1, further comprising a variable return process for restoring the contents of the area.

As described above, there are several cases in which the diagnostic mode should be set in what state. For example, immediately after the power is turned on and in a so-called initial state before the transition to the execution of the control program, or when the control is started once but the vehicle is stopped and the brake operation by the electronic control is performed. There is no such condition. In some of them, after some control has already been performed, various data are written in the input variable area, the operation work variable area, and the output variable area in the RAM. It is conceivable that some of these data require the state immediately before the control is resumed. Nevertheless, if the data is rewritten by the diagnostic data rewriting process and the execution at the time of simulating the control program in the diagnostic mode,
It is also conceivable that subsequent control may be hindered.

Therefore, in the present invention, data that is still required after such a diagnosis is saved in a predetermined area in the RAM in advance, and when the control is resumed after the diagnosis is completed, the data is again stored in a predetermined variable area in the RAM. Let it return.

By doing so, even if the fault diagnosis is performed in the middle after the control is started once, the control is interrupted by such a fault diagnosis, and the load to be controlled is adversely affected. Can be prevented beforehand.

The invention according to claim 4 of the present application is characterized in that, in the output data collation processing, a transition to a predetermined instruction execution abnormality processing is performed on condition that the collation does not match. It is in a microcomputer device.

As described above, the first aspect of the present invention accurately diagnoses a failure of a CPU itself, particularly a failure of an arithmetic unit represented by an ALU, without being affected by an external input circuit or an external output circuit. Therefore, what kind of countermeasures to take based on the diagnostic results is not necessarily required.

Therefore, in the invention according to claim 4,
If a mismatch is determined in the output data matching process described above, a predetermined instruction execution abnormality process is performed on the condition of the mismatch. Here, "predetermined instruction execution abnormal processing"
Various cases can be considered. For example, CPU
If an alarm is issued to the outside by an alarm signal, or the operation of the CPU is forcibly stopped, or if a so-called double microcomputer system is employed, the control right may be changed to another. Appropriate measures such as transfer to a microcomputer can be taken.

The invention according to claim 5 of the present application is characterized in that the microcomputer device is a control microcomputer used for controlling an antilock brake system for a vehicle. It is in a microcomputer device.

The microcomputer device according to claim 1 can be applied to various control systems. Here, the microcomputer device described above is used for controlling an antilock brake system for a vehicle. Conventionally, for this control, a so-called double microcomputer system in which a plurality of microcomputers are provided in parallel has been adopted for the required high control reliability, but the microcomputer device of the present invention is applied. As a result, the failure of the microcomputer CPU itself
Diagnosis by other microcomputers may not be necessary.

The invention described in claim 6 of the present application is based on the condition that the control immediately after the power is turned on and before the transition to the control.
The microcomputer device according to claim 5, wherein the setting to the diagnosis mode is permitted at least on condition that the vehicle is stopped and the brake operation by the electronic control is not performed.

As described above, according to the first aspect of the present invention, the conditions for setting the diagnostic mode include:
It is appropriately determined according to the characteristics of the control system to which the microcomputer is applied. Here, claim 1
And the so-called initial state, particularly immediately after the power is turned on, before shifting to control, and the brake operation by electronic control is performed when the vehicle is stopped. There is no so-called control idle time. In the case of the ABS system, since the brake operation by the electronic control is frequently performed during traveling, the failure diagnosis of the present invention cannot be performed during such traveling. On the other hand, if the failure diagnosis is not performed at all after the control is started once, if any abnormality occurs in the microcomputer device during traveling, there is a possibility that a control failure may occur thereafter.
Therefore, according to the invention described in claim 6, it is attempted to set the diagnosis mode by selecting a time that does not affect such traveling.

Here, “at least” means that
In addition to these conditions, consideration is given to adding other conditions (for example, a timer process for confirming elapse of a predetermined time).

In the invention according to claim 7 of the present application, the diagnostic write data and the output expectation data are provided only in plural sets, and at least one of the sets is operated by the antilock brake system. The microcomputer device according to claim 5, wherein the microcomputer device corresponds to a state in which the anti-lock brake system does not operate.

As described above, the microcomputer C
An abnormality that occurs in the PU itself, particularly an abnormality of the arithmetic unit represented by the ALU, often occurs during control related to numerical calculation. When this is applied to the control of the ABS system, when the vehicle speed and the amount of brake operation satisfy certain conditions, the operation of an arithmetic unit such as an ALU is determined based on whether the antilock brake system operates or does not operate. It is considered that abnormalities can be diagnosed accurately.

Therefore, in the present invention, such two cases are assumed as representative control states, and two sets of diagnostic write data and output expected data are stored in the ROM corresponding to each control state. The stored data is used to simulate the corresponding control state and collate the result.

The invention according to claim 8 of the present application is characterized in that the diagnostic mode is maintained in a set state only during a loop of execution of the control program. The microcomputer device described in the above.

This kind of diagnostic processing is preferably performed in a time as short as possible. Here, the diagnostic processing of the present invention
The diagnostic data is written in the input variable area and the operation work variable area of the RAM and, if necessary, in a necessary portion in the output variable area, and a control program is simulated based on the written data, and the result is written. Since only the contents of the replaced operation variable area and output variable area of the RAM are compared with the expected output data prepared in advance, not only the logical operation but also the order operation requiring the past history is performed. Even if this is done, if some of the results of these calculations are prepared in advance as diagnostic calculation work data, this will be completed during the round of execution of the control program.

[0059]

Preferred embodiments of the present invention will be described below in detail with reference to the accompanying drawings.

As described above, when diagnosing the abnormality of the CPU using the simulation technique, the simulation signal is taken in from the outside via the input circuit, or the output signal to be verified is output from the monitor circuit through the monitor circuit. If these are taken in from the system, these circuit elements are interposed in the diagnostic system, so that the reliability of the diagnostics is reduced by that much, making it difficult to accurately diagnose the CPU itself.

Therefore, the present invention adopts a method of taking in both the input data corresponding to the simulated input signal necessary for the diagnosis and the output data corresponding to the output signal to be checked from inside the microcomputer. In addition, the occurrence of erroneous diagnosis results due to errors and abnormalities of the input circuit and the output circuit, which has been considered as a problem, is prevented. In addition, at the time of diagnosis, since a new operation work variable is also collated, it is possible to accurately diagnose an abnormality of the arithmetic unit represented by the ALU through checking the result of the arithmetic operation.

That is, FIG. 1 shows the microcomputer device 1 as an 8-bit one-chip microcomputer used for controlling the vehicle ABS in this example. A brake switch input circuit 2 for receiving a signal from a brake switch (not shown) and a brake stroke sensor input circuit for receiving a signal from a stroke sensor (not shown) are provided inside the microcomputer device 1. 3, a Fr wheel speed sensor input circuit 4 for detecting the cycle of the pulse train coming from the front wheel speed sensor, and taking in the pulse train, and detecting the cycle of the pulse train coming from the rear wheel speed sensor. Rr wheel speed sensor input circuit 5 for taking in and a motor (not shown) for operating a brake actuator
Drive circuit 6 for sending an output signal to
Similarly, a solenoid drive circuit 7 for sending an output signal to a solenoid (not shown) for operating a brake actuator, and a control program,
A ROM 8 storing diagnostic write data and output expected data, which will be described in detail later, and a RAM 9 having an operation work variable area and a variable save area, as will be described later, in addition to an input variable area and an output variable area. And a CPU 10 for executing a control program stored in the ROM 8. Here, the ROM 8 and the RAM 9
Are arranged outside the CPU 10, but these R
The OM 8 and the RAM 9 can be built in the CPU 10.

Next, the program and data stored in the ROM 8 will be described. ABS in ROM8
Control program is stored. This control program includes a brake switch input circuit 2, a brake stroke sensor input circuit 3, and a F
a signal input process of writing input signals input from the r wheel speed sensor input circuit 4 and the Rr wheel speed sensor input circuit 5 as input variable data in an input variable area A-1 in the RAM 9, and an input variable area A-1 in the RAM 9 , And a predetermined value using the input variable data read from the operation variable area A-2 and / or the output variable area A-3 and the operation variable data and / or the output variable data, respectively. The control operation (ABS operation) is executed, and the obtained operation work variable data and / or output variable data are stored in the operation work variable area A-2 and / or in the RAM 9.
Or, a control calculation process for writing to the output variable area A-3;
In this control calculation processing, the output variable area A-3 in the RAM 9 is output.
And a signal output process for outputting the output data written to the motor drive circuit 6 and the solenoid drive circuit 7 as output signals to a motor and a solenoid (not shown).

With the above basic configuration, a desired ABS control is realized while exchanging input / output signals with a brake actuator for ABS control, which is a control object.

In addition to the control program described above, RO
In the M8, in association with the present invention, N sets of diagnostic write data ID and output expectation data OD forming a pair are stored (N is an integer of 1 or 2 or more). That is, in this example, the diagnostic write data ID-1 and the expected output data OD-1, the diagnostic write data ID-2 and the expected output data OD-2,..., The diagnostic write data ID-N and the expected output data OD- And N form a pair.
Each data pair corresponds to a typical control state in the ABS. For example, a set of the diagnostic write data ID-1 and the expected output data OD-1 is AB
S corresponds to the control state in the state in which S operates, and the diagnostic write data ID-2 and the expected output data OD-2
The set corresponds to the control state when the ABS does not operate. In addition, each diagnostic write data ID-1 to
In such a control state, ID-N is a signal of a signal that would normally be input from the brake switch input circuit 2, the brake stroke sensor input circuit 3, the Fr wheel speed sensor input circuit 4, and the Rr wheel speed sensor input circuit 5. The values of the output expected data OD-1 to OD-N correspond to the values of the operation work variables at that time, and the operation work variable area A-2 in the RAM 9 in such a control state. Also, it corresponds to the content of data to be written to the output variable area A-3. As described above, unlike the diagnosis method described above, the output expected data OD includes not only output variable data to be finally output to the outside, but also results such as a calculation intermediate result and a control history up to that time. The operation work variable data to be executed is also stored.

In the RAM 9, the input variable area A-1, the operation variable area A-2, and the output variable area A-3 are described in detail in accordance with the various diagnostic data in the ROM 8 described above. A variable save area A-4 used in a variable save process to be described is provided. The input variable area A-1 indicates that the brake switch input circuit 2, the brake stroke sensor input circuit 3, and the Fr wheel speed sensor input circuit when the program is in the operation mode (actually sending control output to the outside). 4 and used as an area for writing a signal read from the Rr wheel speed sensor 5,
In the diagnostic mode according to the present invention, it functions as an area in which any of the diagnostic write data ID-1 to ID-N stored in the ROM 8 is written. In the above-mentioned operation mode, the operation work variable area A-2 and the output variable area A-3 are used to write the operation work variables corresponding to the results of the operation in the CPU 10 and the like and the output variables to be output to the outside. On the other hand, in the diagnostic mode according to the present invention, it functions as a region for performing collation with any of the expected output data OD-1 to OD-N in the ROM 8. The variable evacuation area A-4 will be described in detail later. For example, when the control program is once executed and some control is performed, and thereafter, for example, when the vehicle is stopped and the brake is not operated, the diagnosis is performed. When the mode is executed, the input variable area A-1, the operation work variable area A-2,
In addition, it functions as an area for temporarily saving data that is inconvenient to be rewritten in the diagnostic processing in the data stored in the output variable area A-3.

FIG. 2 is a flowchart showing the configuration of the control program and the diagnostic program stored in the ROM 8. The operation of the microcomputer according to the present invention will be described systematically with reference to this flowchart. explain.

This program includes a process for the ABS control, which includes a signal input process (step 203), a brake control process (step 207), and an output process (step 210), a CPU initial diagnosis process (step 202),
Initial command failure diagnosis execution completion determination processing (step 204),
A failure diagnosis process including an instruction failure diagnosis determination process (step 205), an instruction failure diagnosis data writing process (step 206), an instruction failure diagnosis determination process (step 208), and a diagnosis output comparison process (step 209). Are roughly divided into

That is, when the execution of the program is started by turning on the power, a system initialization process is first executed to initialize various registers and flags in the RAM 9 and the areas A-1 to A-4 ( Step 20
1) Subsequently, a CPU initial diagnosis process (step 202) is executed, and it is confirmed whether the CPU 10 operates normally by a sum check of the ROM 8, a cycle monitoring of a watchdog timer, and the like (step 202).

When the sum check of the ROM and the confirmation of the operation of the watchdog timer are completed in this manner (step 202), a transition to the main body program is performed. First, the input signal processing is executed, and the brake is executed. Signals from the switch, the brake stroke sensor, the wheel speed sensor for the front wheels, and the wheel speed sensor for the rear wheels are taken into the CPU 10 via the corresponding input circuits 2 to 5, respectively. Area A-1
Is stored in.

Subsequently, it is determined that the initial instruction failure diagnosis has been performed. Here, by referring to a predetermined flag,
It is determined whether the initial instruction failure diagnosis (diagnosis processing of the present invention performed immediately after power-on) has been executed (step 204). Here, since the initial instruction failure diagnosis has not been performed yet (step 204 NO), the instruction failure diagnosis data writing process (step 206) is subsequently executed.

In the instruction failure diagnosis data writing processing (step 206), first, a variable saving processing is executed.
Of the data stored in the areas A-1 to A-3 of the RAM 9 at that time, data which is inconvenient to be rewritten during the failure diagnosis processing is saved to the variable save area A-4 ( Step 2061). Here, as such data, for example, from the relationship of performing sequence control, in the case of data that requires a past history or when restarting vehicle operation,
The data returned to the initial state may be inconvenient. Subsequently, a diagnostic write data selection process is executed, and the diagnostic write data ID stored in the ROM 8 is stored.
An appropriate one of -1 to ID-N is selected (step 2062), and then a diagnostic write data write process is executed. The selected diagnostic write data ID is stored in the input variable area A- in the RAM 9. 1 and operation variable area A-2, and if necessary, output variable area A-3
(Step 206).
3).

When the command failure diagnosis data writing process (step 206) is completed in this way, a brake control process is subsequently executed in the same manner as in normal control.
By operating the ALU in the CPU 10, the wheel speed calculation, the slip ratio calculation, the brake control determination, the brake control amount calculation, and the like are executed, and the calculation work variables and output variables obtained by the execution are calculated by the calculation work variables in the RAM 9. It is stored in the area A-2 and the output variable area A-3 (step 207).

Subsequently, an instruction failure diagnosis determination process is executed (step 208). Here, the determination process is affirmed (step 208 YES), and then a diagnosis output comparison process (step 209) is executed. In this diagnostic output comparison processing, expected output data OD is first selected from a set of data pairs in the ROM 8 previously selected (step 20).
91) Then, the output expected data and the operation work variable area A-2 and the output variable area A-
The data is compared with all or a part of the data No. 3 (step 2092). If it is determined that all the data to be verified match (step 2092YE).
S) Then, in order to return to normal control, the input variable area A-1, the operation work variable area A-2, and the output variable area A
-3 is returned to the initial state (step 2093),
Further, the data saved earlier in the variable save area A-4 is also returned to the original storage position (step 2094),
Thereafter, the output processing is performed in the same manner as in the normal control (step 2
10) is executed, and a transition to a normal control state is performed. On the other hand, in the variable matching process, if it is determined that any variable does not match (step 2092N).
O) Immediately, the command execution abnormal processing is executed, and the fact is notified to the outside, or the operation of the CPU is stopped (step 2095).

The output variable collation processing (step 209)
In 2), all variables to be matched are subjected to precise matching in bit units, and furthermore, external input circuits 2 to 2 are used.
5 and the output data 6 and 7 are generated without any influence from the output circuits 6 and 7, the result of this collation indicates the abnormality of the CPU itself, that is, the abnormality of the arithmetic unit centering on the ALU. Will be accurately reflected,
As a result, according to the diagnostic method of the present invention, it is possible to accurately diagnose a failure centering on the arithmetic unit of the CPU itself.

According to the above embodiment, not only are the signals from the external input circuits 2 to 5 not used at the time of failure diagnosis, but also the outputs of the external output circuits 6 and 7 are monitored at the time of verification. Since the method is not used, the effects of such errors and malfunctions are completely eliminated, and the CPU itself, that is, A
It is possible to diagnose the operation abnormality of the operation unit centering on the LU, and by using the diagnosis result, immediately
It is possible to easily determine whether the failure affects the entire control in which the operation of the operation 10 should be stopped or whether the failure is another minor failure by using another diagnostic process.

The output variable collation processing (step 209)
In 2), not only the final output variables but also the operation variables corresponding to the intermediate results are collated, so that the control program is a program that obtains the final output data by binarizing and discriminating the numerical operation results. Or a program that determines the final output data by taking the logical sum of two or more operation results, even if the numerical operation result or the data before the logical sum is taken Is set as a calculation work variable, it is possible to accurately diagnose even ALU abnormalities that may cause errors in the calculation results in the middle, even though the final output variables are correct. Becomes

In addition, when starting the fault diagnosis, the data stored in the input variable area A-1, the operation work variable area A-2, and the output variable area A-3 are rewritten during the diagnosis processing. In this case, data that is inconvenient is saved in the variable save area A-4, and is restored after the calculation is completed.
It is also possible to prevent the subsequent control from being abnormal due to the diagnostic processing.

Although the failure diagnosis processing immediately after the power is turned on has been described above, the diagnosis mode according to the present invention is applicable to other control such that the vehicle is stopped and the brake is not operated by the electronic control. It is executed even in a state where no trouble occurs. This execution is performed by determining that such a state exists in the instruction failure diagnosis permission determination processing (step 205) and giving permission for failure diagnosis. In particular, in this type of ABS control,
Since the brake operation by the electronic control is frequently performed during the driving of the vehicle, it is difficult to perform the fault diagnosis after the control is once started. In addition, by selecting the time when the brake operation is not performed, even after the vehicle starts driving, the failure diagnosis of the CPU itself can be performed frequently,
The reliability of the vehicle ABS can be significantly improved.

[0080]

As is clear from the above description of the embodiments, according to the present invention, there is provided an effect that a microcomputer device having a function of accurately performing self-diagnosis of a failure of a CPU itself can be provided. is there.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating an example of a microcomputer device to which the present invention has been applied.

FIG. 2 is a flowchart showing a configuration of a control program and a diagnosis program of the microcomputer device to which the present invention is applied.

FIG. 3 is a block diagram illustrating an example of a microcomputer to which a conventional failure diagnosis method is applied.

FIG. 4 is a flowchart showing a configuration of a control program and a diagnosis program in a microcomputer device employing a conventional failure diagnosis method.

[Explanation of symbols]

 Reference Signs List 1 microcomputer device 2 brake switch input circuit 3 brake stroke sensor input circuit 4 Fr wheel speed sensor input circuit 5 Rr wheel speed sensor input circuit 6 motor drive circuit 7 solenoid drive circuit 8 ROM 9 RAM 10 CPU ID-1 to ID-N Diagnostic write data OD-1 to OD-N Output expected data A-1 Input variable area A-2 Operation work variable area A-3 Output variable area A-4 Variable save area

Claims (8)

[Claims] 1. A signal input circuit for externally inputting a signal, a signal output circuit for externally outputting a signal, a ROM storing a control program, and an input variable used in the control program A RAM provided with an input variable area, a calculation work variable area, and an output variable area for storing data, calculation work variable data, and output variable data, respectively, and a CPU for executing a control program stored in the ROM In the microcomputer device, at least one set of diagnostic write data and expected output data corresponding to a specific control state is newly stored in the ROM, and the operation mode is set to the diagnostic mode. When set, the contents of the input variable area, operation work variable area, or output variable area are stored in the ROM. Microcomputer apparatus characterized by being configured so as to diagnose the operation of the CPU itself, based on the comparison result by comparing the expected output data with rewrites the diagnostic write data. 2. The diagnostic writing data and the output expectation data are provided only in a plurality of sets, and in the diagnostic data rewriting process, one set of data selected from the plurality of sets is configured. The diagnostic writing data is used to rewrite all or part of the input variable area, and all or part of the operation work variable area, and / or all or part of the output variable area. In the data collation processing, output expected data configuring one set of data selected from the plurality of sets, and all or a part of the operation work variable area rewritten by execution of the control operation processing, and / or 2. The microcomputer device according to claim 1, wherein the microcomputer compares the whole or a part of the output variable area. 3. The data rewriting process includes a variable saving process for saving the contents of a specific variable area in the RAM prior to the rewriting. 2. The microcomputer device according to claim 1, further comprising a variable restoration process for restoring the contents of the saved specific variable region prior to the signal output process, on condition that they match. 4. The microcomputer device according to claim 1, wherein, in the data collation processing, a transition to predetermined instruction execution abnormality processing is performed on condition that the collation does not match. 5. The microcomputer device according to claim 1, wherein the microcomputer device is a control microcomputer used for controlling an antilock brake system for a vehicle. 6. The setting of the diagnostic mode is performed on condition that the control is not shifted to the control immediately after the power is turned on, and that at least the vehicle is stopped and the brake operation by the electronic control is not performed. The microcomputer device according to claim 5, wherein permission is given. 7. A plurality of sets of the diagnostic writing data and the expected output data are provided, at least one of the sets corresponding to a state in which an anti-lock brake system operates, and The microcomputer device according to claim 5, wherein the at least one other corresponds to a state in which the antilock brake system is not operating. 8. The microcomputer device according to claim 1, wherein the diagnosis mode is maintained in a set state only during a loop of the control program.