JPH11190251A - Electronic control unit of internal combustion engine - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an electronic control unit of an internal combustion engine which has a main computer and a subsidiary computer which are able to monitor so that no unintended output signals are output. SOLUTION: A subsidiary computer 12 monitoring a main computer 10 and performing an emergency function if the main computer fails, watchdog circuits 11, 13 for monitoring the computers, and a signal output means 14.3 which outputs to a control output terminal 16 a signal having two levels one of which is a safety level are provided. When the watchdog circuit 13 detects that the function of the subsidiary computer is normal while the watchdog circuit 11 detects the failure of the main computer, or when both of the watchdog circuits detect that the function of each computer is normal and the subsidiary computer detects that the function of the main computer is not normal while the output signals of both of the computers agree with each other, then the output signals of the subsidiary computer are output to the associated control output terminal 16.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to an electronic control unit for an internal combustion engine, and more particularly, to at least one electronic control unit for an internal combustion engine.
The present invention relates to an electronic control unit for an internal combustion engine having at least one control output terminal for outputting a digital control signal to two controllable circuit units and components, for example, an actuator of a diesel injection pump.

[0002]

2. Description of the Related Art An electronic control unit for an internal combustion engine is often provided with two computers. Hereinafter, each computer is referred to as a main computer and a sub computer, respectively. The sub-computer monitors the main computer in particular and performs an emergency function if the main computer fails. For various control devices,
The subcomputer has only this emergency function. In other controllers, the sub-computer assists the main computer, even when normally operating for control purposes. In this case, either of the two computers can perform an emergency function if the other computer fails.

The sub-computer monitors the main computer using data exchanged between the two computers via data lines. Two more computers are monitored by a watchdog circuit operated by both computers. While at least one of the computers is outputting a trigger signal for activating the watchdog circuit, the watchdog circuit outputs a pass signal to an AND circuit provided in a stage preceding the control output terminal. When no signal is output from the watchdog circuit to the AND circuit, the AND circuit outputs a logic level “zero”. This level corresponds to a safety potential and moves the actuated components of the internal combustion engine into position so that a failure of the control device does not endanger the occupant of the motor vehicle equipped with the internal combustion engine.

When the sub-computer detects a failure of the main computer, it outputs a switching signal to the signal output means, indicating that an output signal from the sub-computer should be output to the control output terminal. The problem is that the sub-computer may output a switching signal due to an erroneous function. In that case, the signal from the main computer is not output to the control output terminal, and is switched to the signal from the sub computer even though the sub computer is malfunctioning.

[0005]

SUMMARY OF THE INVENTION An object of the present invention is to provide an electronic control unit for an internal combustion engine having a main computer and a sub-computer, which can be monitored as reliably as possible so that an unintended output signal is not output. It is to provide.

[0006]

SUMMARY OF THE INVENTION In order to solve the above-mentioned problems, the present invention provides a main computer (10) and a sub-computer (12) that monitors the main computer and performs an emergency function if the main computer fails. And a watchdog circuit for monitoring a computer (11, 13)
And signal output means (14.3) for outputting a signal having two levels to at least one control output terminal (16).
One of the levels has a safety potential, and when the potential is continuously output, the internal combustion engine is maintained in a safe driving state, and a first watchdog for monitoring the function of the main computer (10) is provided. A circuit (11) is provided;
In the electronic control unit for an internal combustion engine provided with a second watchdog circuit (13) for monitoring the function of the subcomputer (12), the signal output means (14.3) is controlled by the second watchdog circuit. Is normal and the first watchdog circuit detects a failure of the main computer, or both watchdog circuits detect that the functions of the respective computers are normal. Even when the sub-computer detects that the function of the main computer is abnormal and the output signals of the two computers output to the control output terminals are the same, the output signals of the sub-computers are respectively related to the control output terminals Computer that outputs to (16), while both watchdog circuits are monitoring Is configured to output a safety potential to each control output terminal when the failure is detected (the configuration of FIG. 3).

According to the control device having such a configuration, when a failure of the main computer is detected by the sub-computer, an output signal from the computer is output to the control output terminal instead of outputting a safety potential to the control output terminal. , But only if the output signals of the two computers match.

As is apparent from the above description, the function of the entire control device depends on the function of the watchdog circuit. Therefore, it is preferable that the monitor signal is output to the watchdog circuit by a computer, and the output signal of the watchdog circuit is tested after the output of the monitor signal (FIG. 4). As a result of the test, when it is revealed that the watchdog circuit is not functioning properly, a safety potential is output from the signal output means to the control output terminal. The watchdog circuit can be composed of a common watchdog circuit that monitors both computers as in the case of the related art, or can be an individual watchdog circuit.

[0009] Even if it is determined that the function of the computer is normal, there is always a risk that an erroneous output signal is output. To eliminate such danger-based malfunctions, the signal output to the control output terminal was tested by at least one computer and it was detected that the value of the tested signal did not match the expected value. In such a case, safety control is performed. Instead of the signal output at the control output terminal, it is also possible to test the output signal of the output stage activated by the signal at the control output terminal.

The functions of monitoring the two computers and the function of testing that the output signals are accurate may be used individually or together. It is very effective to use together all means that contribute to increasing safety.

[0011]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail using embodiments shown in the drawings.

The control device shown in all of FIGS.
Main computer 10, first watchdog circuit 11 for monitoring main computer, sub-computer 1
2. A second watchdog circuit 13 for monitoring the subcomputer and a signal output means 14.1 having a group of circuits for performing different functions are provided. This signal output means 14.1 is indicated by a dash-dot line. Each control unit drives at least one circuit unit of the internal combustion engine. In FIG. 1, two circuits 15.
1 and 15.2 are provided. Each circuit unit has
A control signal is input from at least one control output terminal 16. The control device shown in FIG.
6.1 and 16.2 are provided. The circuit unit is, for example, a drive circuit or a controller that drives an actuator. In the former case, that is, in the case of an actuator drive circuit, the output control signal is an operation signal, and in the latter case, that is, in the case of a controller, it is a target value signal. Different control signals can be output to different control output terminals. However, the control signal is a digital signal and therefore a signal having two levels. Each of the circuit units 15 is configured such that when one level of the signal is continuously output, the vehicle equipped with the internal combustion engine can be maintained in a safe driving state. A potential at a level at which a safe state occurs is hereinafter referred to as a safe potential. This potential can be at a low level or a high level according to the configuration of the circuit unit 15 to be driven.

The signal output means 14. of the control device shown in FIG.
1 is provided with an OR gate 17, an AND gate 18, a switching device 19 and two shut-off AND gates 20.1 and 20.2. The signals from the first watchdog circuit 11 and the second watchdog circuit 13 are input to the OR gate 17. The output of the OR gate 17 becomes the first input signal of the blocking AND gates 20.1 and 20.2. The second input signal of the first shut-off AND gate 20.1 is the first output signal HAS.1 of the main computer. The second input signal of the second shut-off AND gate 20.2 is the second output signal HAS.2 of the main computer 10. The output signal of the first blocking AND gate 20.1 is directed to a first control output terminal 16.1. Similarly, the output signal of the second blocking AND gate 20.2 is applied to a second control output terminal 16.2.
Is output to

However, shut-off and gates 20.1 and 20.
2, the output signals HAS.1 and HAS.2 are input only when the main computer 10 is functioning normally. If the function of the main computer 10 is not normal, the switching device 19 switches, whereby the shut-down AND gates 20.1 and 20.2.
And the output signals NAS.1 and NAS.2 are input. This switching is performed when an output signal is output from the AND gate 18. The output signal of the second watchdog circuit 13 is input to one input terminal of the AND gate 18, and the switching signal US is input to the other input terminal. When the two signals go high, a switch is made.

The logical processing of the above functions is performed in the following procedure.

If at least one of the two watchdog circuits 11 and 13 indicates that one of the two computers is functioning normally, a high-level signal is output from the OR gate 17; Thereby, the two shut-off AND gates 20.1 and 20.2 are switched on. Therefore, a signal applied to the second input terminal of the shut-off AND gate is output from the output of the shut-off AND gate. This signal is the respective output signal HAS.1 or HAS.2 if the main computer is functioning properly. However, when an error signal is input to the sub-computer 12 via the data exchange line 21 or no signal is input to the sub-computer and the sub-computer determines that the main computer 10 has failed, the output signal NAS of the sub-computer 12 .1 to NAS.2. When the above-described circuit is provided with the AND gate 18, a switching signal is output from the sub-computer 12, and at the same time, the second watchdog circuit 13 detects that the sub-computer 12 is functioning normally. Only by the switching signal, switching is performed. In a conventional known control device, the sub-computer may erroneously recognize that the function of the main computer is not normal due to a malfunction, and thereafter, the switching may be performed and the sub-computer may output an erroneous output signal. This disadvantage is solved in the control device shown in FIG.

The above disadvantage can be further improved by using a principle as described below with reference to FIG. That is, in FIG. 2, when the watchdog circuit provided in the sub-computer indicates a failure of the sub-computer, not only the output of the signal from the sub-computer is prevented but also the watch provided in the main computer 10 Although the dog circuit 11 indicates that the function of the main computer is normal, even when the sub-computer 12 indicates that the main computer 10 has failed, the output of signals from the sub-computer is prevented.

In order to realize the above principle, the signal output means 14.2 of the control device shown in FIG. 2 has a second AND gate in addition to the function of the signal output means 14.1 shown in FIG. 22 are provided. The output signals of the OR gate 17 and the AND gate 18 are input to the second AND gate 22 and only to the second AND gate 22. In this case, the signal of the AND gate 18 is inverted and input. The input signals of the OR gate 17 and the AND gate 18 are the signals described with reference to FIG.

For the sake of simplicity, in FIG. 2 and also in FIGS.
Only one is shown. A circuit unit 15 activated by the signal is connected to the control output terminal. Similarly, the main computer 10 outputs only one output signal HAS, and the sub-computer 12 outputs only one output signal NAS.
It is shown as outputting AS. However, even when a large number of control signals are output from each computer to a large number of control output terminals, the principle of the control device does not change.

The output signal of the shut-off AND gate 20 is input to the control output terminal 16 described above. Shut-off and gate 2
To 0, two input signals, in particular, the output signal of the second AND gate 22 and the output signal of the switching device 19 are input.
In the embodiment shown in FIG.
Is switched not by the switching signal US output from the sub-computer 12, but by the output signal of the first watchdog circuit 11.
When this signal falls to a low level, the switching device 19 switches from the output signal HAS of the main computer 10 to the output signal NAS of the sub computer 12.

By operating the switching device 19 as described above, when the first watchdog circuit 11 detects that the function of the main computer 10 is normal, the output signal of the sub computer 12 is controlled. There is no output to the output terminal 16. However, at the same time, the sub-computer 12 detects an abnormality in the function of the main computer, so that the switching signal US
, The signal output from the second AND gate 22 to the shut-off AND gate 20 in the circuit described above falls to a low level, whereby the shut-off AND gate 20
Outputs a signal having a low level to the control output terminal 16. This is because the switching signal US is combined at the AND gate 18 with the signal from the watchdog circuit 13,
This is performed by inputting the inverted signal to the second input terminal of the second AND gate.

Therefore, in the circuit shown in FIG. 2, the signals from the two watchdog circuits 11 and 13 disappear (one input of the second AND gate 22 becomes low level) or the sub-computer 12 performs switching. When the signal US is output and the watchdog circuit 13 detects that the function of the sub-computer 12 is normal (the other input of the second AND gate 22 becomes low level), 20 is shut off, and the safety potential is output to the control output terminal 16.

The control device shown in FIG. 3 is a modified example of the control device shown in FIG. In the case of FIG.
When the first watchdog circuit 11 indicates that the function of the main computer 10 is normal, the safety potential is not always continuously output to the control output terminal. When the output signal HAS of the sub-computer 12 matches the output signal HAS of the sub-computer 12, control is performed by a digital signal. Furthermore, this embodiment is different from the embodiment of FIG.
The switching device 19 is not provided, and the output signal HAS of the main computer 10 or the output signal NAS of the sub-computer 12 is supplied to the control output terminal 16 by a large number of logic circuits, or under the conditions shown in the preceding paragraph. In, both signals are supplied to the control output terminal.

The signal output means 14.3 shown in FIG. 3 includes a main AND gate 24.1 and a sub AND gate 24.1.
2 and signal OR gate 25.1 and cut-off OR gate 25.2
(And the second AND gate 22). The second AND gate 22 has an OR gate 2 as an input signal.
The output signals of 5.1 and 25.2 are input. The signal OR gate 25.1 has two AND gates 24.1 and 2
The output signal of 4.2 is input as an input signal. Both OR gates 25.2 have two watchdog circuits 11 and 13
Is input as an input signal. Further, the output signal of the first watchdog circuit 11 is input to the main AND gate 24.1 as an input signal. Similarly, the output signal of the second watchdog circuit 13 is input to the sub AND gate 24.2 as an input signal. The second input signal of the main AND gate 24.1 is the output signal HAS of the main computer 10, and the second input signal of the sub AND gate 24.2 is the sub-computer 12
Is the output signal NAS.

Here, the function of the control device configured as described above will be briefly described again. When the first watchdog circuit 11 and the sub-computer 12 detect that the function of the main computer 10 is normal, the output signal HAS of the main computer is output to the control output terminal 16. When the failure of the main computer 10 is detected by the first watchdog circuit 11 and the sub computer 12, the output signal NAS of the sub computer 12 is output.
Is output to the control output terminal 16. Both watchdog circuits 11 and 13 are connected to respective computers 10 to 12
Is detected, the safety potential is continuously output to the control output terminal 16. Further, the sub-computer 12
Is detected when the watchdog circuit 11 detects that the function of the main computer 10 is normal, and when the outputs HAS and NAS of the two computers 10 and 12 match, , A digital output signal is output to the control output terminal. Otherwise, a safety potential is output.

As is apparent from the above description, it is important for the desired driving safety whether the watchdog circuits 11 and 13 function normally. In order to test whether the function is perfect, in the control device of the embodiment shown in FIG. 4, the output signal of the first watchdog circuit 11 is fed back to the main computer 10 and the second watchdog circuit 13 Is fed back to the sub-computer 12. In the test program, the main computer 10 stops the trigger signal for activating the first watchdog circuit 11, and then determines whether the output signal of the watchdog circuit has dropped to a low level. If it does not decrease, it indicates that there is an error in the function of the first watchdog circuit 11, and thereafter the main computer 10 outputs the emergency running signal NLS.H to the signal output means 14. The configuration of the signal output means 14 is not shown in FIG. The signal output means of FIG. 4 preferably operates according to any of the principles described in FIGS. In order to output the emergency traveling signal NLS.H, the signal output means 14 outputs a safety potential to the control output terminal,
Alternatively, it outputs a digital signal that significantly restricts traveling driving. This prompts the driver of the car to go to the repair shop to repair the control unit.

Similarly to the case where the main computer 10 tests the first watchdog circuit 11 and outputs the emergency running signal NLS.H when the first watchdog circuit has failed, the subcomputer 12 is also operated. A test of the second watchdog circuit 13 is performed, and if there is a failure, an emergency running signal NLS.N is output.

The above-described test can also be performed when two different watchdog circuits are not provided and two computers operate a common watchdog circuit. In this case, the main computer 10 informs the sub computer 12 via the data exchange line 21 that no operation signal (trigger signal) is output. Thereafter, either computer detects whether the output signal of the watchdog circuit has disappeared. If it does not disappear, activate the emergency traveling means.

As is apparent from the above description, all the various embodiments of the signal output means are used to ensure the drive in the event that either computer fails. However, if the function of the signal output means itself is erroneous, or if the activated circuit unit 15 processes the input signal incorrectly, the result may be different from the intended one. The control device shown in FIG. 4 is configured to feed back the output signal of the control output terminal 16 to both the main computer 10 and the sub-computer 12 in order to improve the driving safety even with this kind of error. In that case, each computer tests whether the signal generated at the control output terminal 16 matches the expected signal. To this end, the output signal of the circuit unit 15 can be fed back to the two computers to compare the predicted signals. If an error occurs in either of the comparisons, the block signals SPS.H to SPS.N are output from the main computer 10 to the sub computer 12. This signal is output from the circuit unit 15
The safety switch connected to the subsequent stage outputs the ground potential or another safety potential according to the purpose of use to an output line. Also, instead of the safety switch 26 connected at the subsequent stage, the circuit unit 1
By providing a second connection point (not shown in FIG. 4) acting in parallel with the output terminal 16 having
It is also possible to obtain a safe state via another output terminal as shown in FIG.

The safety measures described with reference to FIG. 4 can preferably be used together, but can also be used individually. It is extremely effective to use the means described with reference to FIG. 4 together with the means described with reference to FIG. 2 or FIG.

[0031]

As described above, according to the present invention,
Only when the probability that the function of the subcomputer is normal is very high, the signal of the subcomputer can be output to at least one control output terminal.

[Brief description of the drawings]

FIG. 1 is a configuration in which an output signal of a sub-computer can be output to a control output terminal only when a watch-dog circuit provided in the sub-computer determines that the sub-computer is functioning normally. FIG. 2 is a block circuit diagram of the electronic control device that has been implemented.

FIG. 2 is a diagram showing a state in which a watchdog circuit provided in a subcomputer determines that a subcomputer is functioning normally and a watchdog circuit provided in a main computer indicates a failure of the main computer. FIG. 3 is a block circuit diagram of an electronic control device configured to be able to output an output signal of a sub-computer to a control output terminal.

FIG. 3 is a diagram showing that a watchdog circuit provided in the subcomputer determines that the subcomputer is functioning normally, and a watchdog circuit provided in the main computer indicates a failure of the main computer, or FIG. 11 is a block circuit diagram of an electronic control device configured to output an output signal of the sub-computer to a control output terminal only when the computer and the sub-computer output the same output signal.

FIG. 4 is a block circuit diagram of an electronic control device configured to monitor an output signal and apply a safety potential to an output terminal of the control device when the obtained output signal does not match an expected output signal.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 10 Main computer 11 1st watchdog circuit 12 Subcomputer 13 2nd watchdog circuit 14 Signal output means 15 Circuit unit 16 Control output terminal

 ──────────────────────────────────────────────────続 き Continued on the front page (72) Inventor Herbert Graf Germany 7295 Dornstedten am Bergwerk 2 (72) Inventor Werner Zimmermann Germany 7000 Stuttgart 40 Dorisestrasse 9b ( 72) Inventor Johannes Locher Germany 7000 Stuttgart 50 Mövenweg 50

Claims (4)

[Claims] 1. A main computer (10) and a sub-computer (1) that monitors the main computer and performs an emergency function when the main computer fails.
2) and a watchdog circuit (11, 1
3) and signal output means (14.3) for outputting a signal having two levels to at least one control output terminal (16), wherein one of the levels has a safety potential and the potential is continuous. The internal combustion engine is maintained in a safe driving state when it is output, and a first watchdog circuit (11) for monitoring the function of the main computer (10) is provided, and a first watchdog circuit (11) for monitoring the function of the subcomputer (12) is provided. In the electronic control unit for an internal combustion engine provided with the second watchdog circuit (13), the signal output means (14.3) detects that the function of the subcomputer is normal by the second watchdog circuit; When the failure of the main computer is detected by the first watchdog circuit, or when the functions of the respective computers are correct by the two watchdog circuits. However, if the sub-computer detects that the function of the main computer is abnormal and the output signals of both computers output to the control output terminal match, the sub-computer is also detected. Are output to the associated control output terminals (16), respectively. On the other hand, when a failure of the computer monitored by both watchdog circuits is detected, a safety potential is output to each control output terminal. An electronic control unit for an internal combustion engine, comprising: 2. A computer (10, 12) outputs a monitoring signal to a watchdog circuit (11, 13), and after the output of the monitoring signal, an output signal of the watchdog circuit is tested. The safety potential is output from the main computer (10) or the sub-computer (12) when it is found that the provided watchdog circuit is not functioning properly. An electronic control unit for an internal combustion engine according to claim 1. 3. The signal applied to the control output terminal (16) is tested by at least one of the computers (10, 12) and it is detected that the value of the signal tested does not match the expected value. 3. The electronic control unit for an internal combustion engine according to claim 1, wherein safety control is performed in such a case. 4. The output signal of a controlled circuit unit (15) is tested by at least one computer (10, 12), said circuit unit being activated by a signal applied to an associated control output terminal (16), respectively. 4. The internal combustion engine according to claim 1, wherein a safety control is performed when it is detected that the value of the tested signal does not match the expected value. Electronic control unit.