JPWO2019082647A1 - Vehicle control device - Google Patents

Abstract

It is an object of the present invention to provide a vehicle control device capable of identifying a normal CPU that has not failed and effectively using the normal CPU that has not failed to maintain driving performance when an abnormality occurs in the CPU. Therefore, the vehicle control device connects a microcomputer having a main CPU and a sub CPU, a power supply unit, a first connection line connecting the power supply unit and the main CPU, and the power supply unit and the sub CPU. And a current detection unit that detects a current value flowing in the first connection line and a current value flowing in the second connection line. In the macro computer, the current value flowing through one of the first connection line and the second connection line is larger than a set value, and the current value flowing through the other of the first connection line and the second connection line is When it is less than or equal to the set value, the operation is continued using the main CPU or the sub CPU connected to the other.

Description

The present invention relates to a vehicle control device that controls devices installed in a vehicle.

A vehicle control device (ECU: Electronic Control Unit) that controls a device mounted on a vehicle includes a microcomputer that performs a control calculation. The microcomputer generally includes a CPU (Central Processing Unit: Central Processing Unit), a ROM (Read Only Memory) that is a non-volatile memory, a RAM (Random Access Memory) that is a volatile memory, and the like. The CPU is a computing device for computing and controlling the information stored in the RAM and ROM. If the CPU fails, the microcomputer cannot carry out the correct calculation, resulting in a malfunction. Therefore, the vehicle control device has a function of diagnosing the CPU.

A method of mutually diagnosing an abnormality of CPUs using a plurality of microcomputers, or a method of collating output results of each CPU using a plurality of CPUs incorporated in a microcomputer and diagnosing an abnormality from the matching. The so-called lockstep method and the like generally exist.

Japanese Patent Laying-Open No. 2003-97344 (Patent Document 1) describes a failure diagnosis method for the control CPU. In this document, a control CPU and a monitoring CPU are provided, and the control CPU and the monitoring CPU communicate with each other to confirm that they are in a normal state.

Japanese Patent Laying-Open No. 2000-172521 (Patent Document 2) describes a method of detecting an abnormality by collating output results when the same input is given to a plurality of CPUs.

As described above, when an abnormality occurs in the computer or the CPU, the fail safe process is performed so that the automobile does not fall into a dangerous state. An example of fail-safe processing is described below. For example, when the CPU of the control device of the automatic transmission fails, the control device of the automatic transmission must be operated in order to prevent an unintended shift from occurring because the actuator that implements the shift control of the automatic transmission does not operate properly. There is a fail-safe process in which the actuator is fixed and the gear ratio of the automatic transmission is kept constant.

JP, 2003-97344, A JP-A-2000-172521

The CPU failure diagnosis methods described in Patent Documents 1 and 2 have a problem that it cannot be determined that the CPU is in failure unless the CPU is completely in failure. There is also a problem that it is difficult to detect which CPU has failed. In addition, when a CPU failure occurs, even though the microcomputer or the CPU is not in failure, the process shifts to the fail-safe processing, so that the vehicle as a whole has the potential to run normally. However, there is also a problem that the driving performance is deteriorated.

An object of the present invention is to provide a vehicle control device capable of identifying a normal CPU that has not failed and effectively using the normal CPU that has not failed to maintain driving performance when an abnormality occurs in the CPU. To provide.

Other problems and novel features will be apparent from the description of the present specification and the accompanying drawings.

The outline of a typical one of the present invention will be briefly described as follows.

That is, the vehicle control device connects a microcomputer having a main CPU and a sub CPU, a power supply unit, a first connection line connecting the power supply unit and the main CPU, and the power supply unit and the sub CPU. And a current detection unit that detects a current value flowing through the first connection line and a current value flowing through the second connection line. In the macro computer, the current value flowing through one of the first connection line and the second connection line is larger than a set value, and the current value flowing through the other of the first connection line and the second connection line is When it is less than the set value, the main CPU or the sub CPU connected to the other is used to continue the operation.

According to the vehicle control device of the present invention, it is possible to maintain the driving performance by effectively utilizing the normal CPU that has not failed even when an abnormality occurs in the CPU.

FIG. 1 is a diagram showing a vehicle control device system according to a first embodiment. It is a figure which shows the conceptual structural example of a microcomputer. It is a figure which shows the conceptual structural example of a power supply part. It is a figure for demonstrating the structure of a current measuring part. It is a figure for demonstrating the increase of a leak current. It is a figure for demonstrating the correction method of the increase of the leak current. It is a figure which shows the structural example of the address space of ROM114 and ROM124. 5 is a flowchart showing an example of a failure potential diagnosis procedure according to the first embodiment. 5 is a flowchart showing an example of a failure potential diagnosis procedure according to the first embodiment. FIG. 6 is a diagram illustrating a timing of performing a failure potential diagnosis according to the first embodiment. FIG. 8 is a diagram illustrating a timing of performing a failure potential diagnosis according to Modification Example 1. It is a figure explaining the implementation timing of the failure potential diagnosis which concerns on the modification 2. It is a figure explaining the implementation timing of the failure potential diagnosis which concerns on the modification 3. FIG. 6 is a diagram illustrating a control procedure according to the first embodiment. It is a figure which shows the vehicle control apparatus system which concerns on Example 2. FIG. 8 is a diagram illustrating a control procedure according to the second embodiment. FIG. 11 is a diagram illustrating an example of changing control task allocation according to the second embodiment. It is a figure which shows the vehicle control apparatus system which concerns on Example 3. FIG. 8 is a diagram illustrating a control procedure according to a third embodiment.

Hereinafter, the problems of the present invention will be described in detail.

The CPU provided in the microcomputer of the vehicle control device may cause an operation state of the vehicle control device to be deteriorated due to short-circuiting of adjacent transistors and wiring due to foreign substances mixed in the semiconductor manufacturing process or transistor deterioration due to long-term use. There is a possibility of failure without depending.

Commonly known CPU failure modes include, for example, the following. When even one of these failure modes occurs, the failed CPU cannot execute the arithmetic processing correctly.
(Fault 1) The arithmetic circuit output inside the CPU is fixed to "0" or "1".
(Fault 2) The output of the arithmetic circuit inside the CPU is different from the original correct arithmetic result.

A general CPU failure diagnosis method can detect a failure of the CPU when a transistor forming the CPU completely fails and the CPU operation result outputs a value different from the originally expected operation result. it can. In other words, the general CPU failure diagnosis method has a problem that it cannot be determined that the CPU is in failure unless the CPU is completely in failure.

Therefore, in the unstable state before the CPU completely fails, or in the state before the CPU failure is determined in the CPU failure diagnosis, the output result of the CPU is used in the same manner as the normal time, so that the CPU miscalculates. Results may be used. For example, there is a risk that the vehicle will behave unintentionally by giving an erroneous instruction to the actuator or sending erroneous information to another unit. Further, when a CPU failure state is diagnosed by a general CPU failure diagnosis method, fail-safe control is performed so that the vehicle is in a safe state, and generally the driving performance of the vehicle is lowered, or The vehicle cannot run.

In addition, a general CPU failure diagnosis method has a problem that a CPU having a potential to become a failure in the future cannot be detected although it is not completely failed.

If a foreign substance adheres to a transistor forming a CPU and moves due to some cause, and the foreign substance adheres between adjacent transistors, the adjacent transistors may be short-circuited, causing a failure of the CPU. However, depending on the short-circuit state between the transistors, there are cases where the potential fluctuation caused by the short-circuit does not reach the determination threshold. In this case, even if a short-circuit failure has occurred between the transistors, it is difficult to detect such a failure with a general CPU failure diagnosis method. It is known that a similar phenomenon occurs due to aged deterioration of a transistor.

If such a short-circuit fault of the transistor is left as it is, it is assumed that the short-circuit state progresses, the transistors are completely short-circuited, and the CPU is diagnosed as a fault. As described above, it is desirable to detect a potential failure potential that will appear as a failure of the CPU in the future, as early as possible.

Further, a general CPU failure diagnosis method uses a plurality of CPUs and diagnoses a failure by a lock-step method in which output values when the same input signal is applied are compared. In the case of this lockstep method, it is possible to detect even if a failure occurs in either CPU, but there is a problem that it is difficult to detect which CPU has failed.

Similarly, in a mutual monitoring method for microcomputers that transmits and receives information to and from each other using a plurality of microcomputers and diagnoses the contents of the information, the transmitted information is destroyed due to a CPU failure, or the received information is erroneously received. Since there is a failure such as calculation, it is difficult to determine which CPU has failed.

As described above, it is difficult to identify the faulty CPU by general CPU fault diagnosis. Further, generally, when even one of the plurality of CPUs detects a CPU failure, a method of shifting to a fail-safe process is adopted. In other words, even though the microcomputer or the CPU is not in failure, the process shifts to the fail-safe process, so that the driving performance is deteriorated even though the vehicle as a whole has the potential to run normally. This is the current situation.

<Embodiment>
Next, an embodiment of the present invention will be described.

In the embodiment of the present invention, in the CPU built in the microcomputer, the failure of the CPU is detected at the earliest possible stage by determining the failure potential of the CPU caused by foreign matter mixed in during manufacturing or deterioration over time. You can In addition, when a CPU failure occurs or when a CPU abnormality occurs, it is possible to identify a normal CPU that has not failed, and by effectively using a normal CPU that has not failed, operating performance can be improved. A maintainable vehicle controller (100) can be provided.

In the embodiment of the present invention, the CPU (111, 112, 121, 122) supplies power to the CPU due to a short circuit of a transistor that causes a failure of the CPU or deterioration over time (connection line: L1). , L2, L3, L4), the current (leakage current) flowing increases. To detect and measure the leak current value of the CPU using a current measuring unit (current detecting unit: 150, 160, 152, 162), and determine the deterioration state of the transistor from the measured leak current value or amount. You can That is, the failure potential of the CPU can be determined.

However, when the CPU is in a driving state, the current flowing through the power supply line of the CPU includes a CPU leakage current component and a CPU driving current component. Only the current component needs to be measured. Here, when the operating state of the CPU is a state in which the CPU is not driven (non-calculation state), that is, a so-called standby state, the drive current component of the CPU can be zero. Further, the current flowing through the CPU in the standby state is measured by using the CPU in the driven state separately from the CPU in the standby state. This current is treated as a CPU leak current (Ileak2) for failure potential diagnosis. In this way, the CPU to be measured is placed in the standby state and the measurement CPU is placed in the driven state for the failure potential diagnosis.

Further, since the CPU leak current (Ileak2) for fault potential diagnosis includes the manufacturing variation of the microcomputer or the CPU and the variation due to the temperature change of the microcomputer or the CPU, these variation elements of the leak current are eliminated, It is necessary to extract only the increase in CPU leakage current due to transistor deterioration. Therefore, it is necessary to correct the measured CPU leak current value for failure potential diagnosis. Two of the leakage current variation due to the manufacturing variation of the microcomputer or the CPU and the leakage current variation due to the temperature change are corrected.

As a method of correcting the leakage current variation due to the manufacturing variation of the microcomputer or CPU, the CPU leakage current value (Ileak1) for failure potential diagnosis is measured at the time of manufacturing the microcomputer or CPU, and the storage area (ROM: 114, 124) of the microcomputer is measured. ) Is stored as a leak current value when the CPU is manufactured. By subtracting the leak current value (Ileak1) at the time of manufacturing the microcomputer or CPU from the current CPU leak current value (Ileak2) for failure potential diagnosis, the increase of the leak current from the time of manufacturing the microcomputer or CPU to the present Minutes (ΔIleak) can be extracted. This is the amount of increase in the CPU leak current before temperature correction. Further, the CPU leak current value for fault potential diagnosis (Ileak1) may be measured and stored as the CPU leak current for fault potential diagnosis at the time of manufacturing the vehicle control device, not at the time of manufacturing the microcomputer or the CPU.

Next, the change in leak current due to temperature is corrected. It is generally known that the CPU leakage current and the CPU temperature have a correlation. Therefore, a correlation map (TCM) of the CPU temperature and the CPU leakage current can be prepared in advance. The temperature of the microcomputer or the CPU can be measured by a temperature sensor (TSEN:115, 125) built in the microcomputer. Alternatively, it may be estimated from temperature information from a temperature sensor arranged on the substrate of the vehicle control device (1). From the measured CPU temperature and the CPU leak current temperature change map (TCM), the change amount of the CPU leak current due to the temperature can be calculated.

The CPU leak current increase amount (ΔIleakc) after temperature correction can be calculated using the CPU leak current increase amount (ΔIleak) before temperature correction and the CPU leak current change amount (Icv) depending on the temperature. When the increase amount (ΔIleakc) of the CPU leak current after the temperature correction is larger than the determination threshold value (TH) of the increase amount of the current which is determined to have the failure potential defined in advance, the CPU is not completely failed. However, it can be judged that there is a potential for failure in the future. The determination threshold can be regarded as a set value or a predetermined value.

The leak current measurement and the CPU failure potential diagnosis can be carried out at arbitrary timings, but it is effective to carry out at the time of starting or shutting down the vehicle control device in order to put at least one CPU in the standby state. Further, the combination of CPUs to be diagnosed may be changed each time the system is started up or every time it is shut down (FIGS. 9A, 9B, 9C, 9D).

According to the vehicle control device according to the embodiment, the CPU can normally perform calculation at the present time, but can detect a state in which there is a possibility of failure in the future at an early stage.

As described above, although a failure is detected using a plurality of microcomputers and a plurality of CPUs, it is possible to detect that a failure has occurred, but the failed CPU could not be specified. Therefore, when a CPU failure occurs, a fail-safe process is generally executed such that the vehicle control is degenerated and the vehicle control actuator is stopped even if there is another normal CPU.

On the other hand, according to the embodiment, it is possible to identify the failed CPU from the result of the failure potential diagnosis of the CPU. Therefore, when the failure of the CPU occurs, the vehicle control is degenerated by using the normal CPU that has not failed. It is possible to maintain the running performance of the vehicle without causing it.

Further, according to the embodiment, before the CPU having the high failure potential completely fails, the arithmetic control which the CPU having the high failure potential transfers is transferred to another CPU without degrading the function of the vehicle control device. Since the driver can be notified of the CPU failure, it is possible to safely and smoothly move to repair the automobile.

Further, according to the embodiment, when the CPU completely fails, the normal CPU can be used even during the failure detection delay time until the failure is detected, so that the original driving performance is not sacrificed and the engine is not sacrificed. It is possible to prevent an unintended behavior of the vehicle due to sudden stop or malfunction of an actuator such as a transmission or a transmission.

Further, according to the embodiment, before the CPU completely fails, the task to be calculated by the CPU having a high failure potential is degenerated in advance to reduce the CPU calculation load, thereby extending the period until the CPU completely fails. can do.

Examples will be described below with reference to the drawings. However, in the following description, the same components may be assigned the same reference numerals and repeated description may be omitted. It should be noted that the drawings may be schematically illustrated in comparison with the actual embodiment for the sake of clarity, but they are merely examples and do not limit the interpretation of the present invention.

Hereinafter, Embodiment 1 will be described with reference to the drawings.

(Vehicle control device system configuration)
FIG. 1 is a diagram illustrating a vehicle control device system according to a first embodiment. The vehicle control device system 1 includes a vehicle control device 100 which is an electronic control unit (ECU: Electronic Control Unit). The vehicle control device 100 is a device that electronically controls an on-vehicle device (for example, an automatic transmission, an engine, etc.) mounted on a vehicle. The vehicle control device 100 includes a main microcomputer (MMC) 110, a sub microcomputer (SMC) 120, a main power supply unit (MPSP) 130, a sub power supply unit (SPSP) 140, main CPU current measurement units (MCM) 150 and 152, Sub CPU current measurement units (SMCM) 160, 162 and a temperature sensor 170 are provided. It can be said that the main microcomputer (MMC) 110 is a first microcomputer and the sub microcomputer (SMC) 120 is a second microcomputer.

The main microcomputer 110 is a microcomputer or a microcontroller that controls an in-vehicle device mounted on the vehicle. The main microcomputer 110 controls the vehicle-mounted device by controlling the actuator (ACU) 202, for example. Also, a message can be displayed via the display device (DISP) 203. As the message, for example, a message such as a character or an image, a notification by lighting a lamp, or the like can be used in any form.

The main microcomputer (MMC) 110 is a semiconductor integrated circuit device, and is formed, for example, by forming a plurality of CMOS transistors on a semiconductor chip such as single crystal silicon by a known CMOS semiconductor manufacturing technique. .. The main microcomputer (MMC) 110 includes a main CPU (MCPU: first CPU) 111, a sub CPU (SCPU: second CPU) 112, a volatile memory RAM (Random Access Memory) 113, and a nonvolatile memory ROM (Read). An only memory 114, a temperature sensor (TSEN) 115 capable of measuring the temperature of the main microcomputer 110, a comparator (COMP) 116, and an analog-digital conversion circuit (ADC) 117 are provided. The main CPU 111 and the sub CPU 112 are arithmetic units that perform control arithmetic necessary for controlling the in-vehicle device. The RAM 113 temporarily stores data used by the main CPU 111 and the sub CPU 112. The ROM 114 stores a control program executed by the main CPU 111 and the sub CPU 112, a diagnostic processing program to be described later, and the like, and receives information calculated by the main CPU 111 and the sub CPU 112 and the sub microcomputer 120 and other vehicle-mounted devices. Information can be stored. The comparator 116 gives the same input information to the main CPU 111 and the sub CPU 112, and collates the output results of the main CPU 111 and the sub CPU 112. If there is no abnormality in the main CPU 111 and the sub CPU 112, the comparison result of the comparator 116 will match. When the comparison result of the comparator 116 does not match, the abnormality of the main CPU 111 or the sub CPU 112 can be detected. This configuration is a general lockstep method.

The power supply line (first connection line) L1 provided between the main CPU 111 and the main power supply unit 130 includes a main current measurement unit (current detection unit) 150 that measures the drive current of the main CPU 111. The power supply line (second connection line) L2 provided between the sub CPU 112 and the main power supply unit 130 includes a sub current measurement unit (current detection unit) 160 that measures the drive current of the sub CPU 112. An analog-to-digital conversion circuit (ADC) 127 of the sub-microcomputer 120, which will be described later, is connected to the main current measuring unit 150 and the sub-current measuring unit 160 via measurement wirings LM1 and LM2, and a power supply line (first, Second connection line) The current values of the drive currents of the main CPU 111 and the sub CPU 112 flowing in L1 and L2 are measured.

The sub-microcomputer 120 has the same configuration as the main microcomputer 110. That is, the sub-microcomputer (SMC) 120 is a semiconductor integrated circuit device, and is formed by forming a plurality of CMOS transistors on a semiconductor chip such as single crystal silicon by a known CMOS semiconductor manufacturing technique, for example. ing. The sub-microcomputer (SMC) 120 includes a main CPU (MCPU) 121, a sub-CPU (SCPU) 122, a RAM (Random Access Memory) 123 that is a volatile memory, a ROM (Read Only Memory) 124 that is a non-volatile memory, and a sub-computer. A temperature sensor (TSEN) 125 capable of measuring the temperature of the microcomputer 120, a comparator (COMP) 126, and an analog-digital conversion circuit (ADC) 127 are provided. The main CPU 121 and the sub CPU 122 are arithmetic units that perform control arithmetic necessary for controlling the in-vehicle device. The RAM 123 temporarily stores data used by the main CPU 121 and the sub CPU 122. The ROM 124 stores a control program executed by the main CPU 121 and the sub CPU 122, a diagnostic processing program to be described later, and the like, and receives information calculated by the main CPU 121 and the sub CPU 122, the main microcomputer 110, and other in-vehicle devices. Information can be stored. The comparator 126 gives the same input information to the main CPU 121 and the sub CPU 122, and collates the output results of the main CPU 121 and the sub CPU 122. If there is no abnormality in the main CPU 121 and the sub CPU 122, the comparison result of the comparator 126 will match. When the comparison result of the comparator 126 does not match, the abnormality of the main CPU 121 or the sub CPU 122 can be detected. This configuration is a general lockstep method. The function of the sub-microcomputer 120 may be limited to only detecting the malfunction of the main microcomputer 110.

The power supply line (third connection line) L3 provided between the main CPU 121 and the sub power supply unit 140 includes a main current measurement unit (current detection unit) 152 that measures the drive current of the main CPU 121. The power supply line (fourth connection line) L4 provided between the sub CPU 122 and the sub power supply unit 140 includes a sub current measurement unit (current detection unit) 162 that measures the drive current of the sub CPU 122. The analog-digital conversion circuit (ADC) 117 of the main microcomputer 110 is connected to the main current measuring unit 152 and the sub-current measuring unit 162 via the measurement wirings LM3 and LM4, and the power supply lines (third and fourth connection). Lines) The current values of the drive currents of the main CPU 121 and the sub CPU 122 flowing in L3 and L4 are measured.

The sub-microcomputer 120 uses the current values from the main current measuring unit 150 and the sub-current measuring unit 160 and the temperature information from the temperature sensor 115 to cause a failure of the main CPU 111 and the sub CPU 112 of the main microcomputer 110 according to the procedure described below. The potential diagnosis is performed, and the diagnosis result is stored in the storage area such as the ROM 124 of the sub-microcomputer 120. The sub-microcomputer 120 notifies the main microcomputer 110 of information on the diagnosis result when the main microcomputer 110 is activated next time.

On the other hand, the main microcomputer 110 uses the current values from the main current measuring unit 152 and the sub-current measuring unit 162 and the temperature information from the temperature sensor 125 to perform a procedure to be described later, according to a procedure to be described later. The failure potential diagnosis is performed and the diagnosis result is stored in the storage area such as the ROM 114 of the main microcomputer 110. The main microcomputer 110 notifies the sub-microcomputer 120 of the diagnostic result information when the sub-microcomputer 120 is activated next time.

In this way, the sub-microcomputer 120 carries out the failure potential diagnosis of the main microcomputer 110, and the main microcomputer 110 carries out the failure potential diagnosis of the sub-microcomputer 120. The reason for this is that, as described above, the CPU leakage current and the CPU driving current cannot be separated when the CPU is in a driving state, so that the CPU is not driven, that is, a so-called CPU standby state. This is because the microcomputer measures the drive current of the CPU in the standby state so that the leak current of the CPU can be accurately measured.

The vehicle control device 100 receives power supply from a battery 201 mounted on the vehicle. The main power supply unit 130 steps up or down the voltage received from the battery 201 and supplies it to the main microcomputer 110. Similarly, the sub power supply unit 140 steps up or down the voltage received from the battery 201 and supplies it to the sub microcomputer 120. The main power supply unit 130 and the sub power supply unit 140 are configured to start power supply to the main microcomputer 110 and the sub microcomputer 120, respectively, in response to the reception of the power supply signal (PS) 200.

The main power supply unit 130 is internally divided into circuits so as to individually supply power to the main CPU 111, the sub CPU 112, the RAM 113, and the ROM 114. This is to suppress the influence of the current fluctuations of the RAM 113 and the ROM 114 on the drive current supplied to the main CPU 111 and the sub CPU 112. Similarly, the sub main power supply unit 140 is also internally divided into circuits so as to individually supply electric power to the main CPU 121, the sub CPU 122, the RAM 123, and the ROM 124. This is to suppress the influence of the current fluctuations of the RAM 123 and the ROM 124 on the drive current supplied to the main CPU 121 and the sub CPU 122. The configurations of the main power supply unit 130 and the sub-main power supply unit 140 will be described later with reference to FIG.

(Microcomputer configuration)
FIG. 2 is a diagram showing a conceptual configuration example of the microcomputer MC. The microcomputer MC shows the configuration of the main microcomputer 110 and the main microcomputer 120. The microcomputer MC includes a main CPU (MCPU: 111, 121), a sub CPU (SCPU: 112, 121), a RAM (113, 123), a ROM (114, 124) and a peripheral circuit PERI, and they are mutually connected by a bus BUS. It is connected. The peripheral circuit PERI includes, for example, a temperature sensor TSEN (115, 125), a comparison unit COMP (116, 126), an analog-digital conversion circuit ADC (117, 127), a control area network (Controller Area Network) interface CANIF, and a signal. It has an input/output port IOP and the like.

The microcomputer MC has an external terminal VDD1 for supplying the power supply voltage Vdd1 to the MCPU, an external terminal VDD2 for supplying the power supply voltage Vdd2 to the SCPU, an external terminal VDD3 for supplying the power supply voltage Vdd3 to the RAM, and a power supply to the ROM. It has an external terminal VDD4 for supplying a voltage Vdd4, and a reference potential terminal VSS to which a ground voltage such as 0 (zero) volt or a reference voltage Vss is supplied. The microcomputer MC further includes external terminals AVDD and AVSS for supplying the analog power supply voltage Avdd and the analog reference voltage Avss to the analog-digital conversion circuit ADC, the temperature sensor TSEN, the comparators COMP, CANIF, the signal input/output port IOP, and the like. It has an external terminal VDD5 and the like for supplying the power supply voltage Vdd5 to the peripheral circuit PERI. The power supply voltages Vdd1, Vdd2, Vdd3, Vdd4, and Vdd5 can be different power supply voltages.

As shown in FIG. 2, the analog-digital conversion circuit ADC has analog signal input terminals AN0, AN1, AN2, AN3. When the microcomputer MC is the main microcomputer 110, the analog signal input terminals AN0 and AN1 are connected to the MCM152 via the LM3, and the analog signal input terminals AN2 and AN3 are connected to the SCM162 via the LM4. To be done. When the microcomputer MC is the main microcomputer 120, the analog signal input terminals AN0 and AN1 are connected to the MCM150 via LM1, and the analog signal input terminals AN2 and AN3 are connected to the SCM160 via LM2. Connected to. The analog-digital conversion circuit ADC may have analog signal input terminals AN4-ANn in addition to the analog signal input terminals AN0, AN1, AN2, AN3. The analog signal input terminals AN4-ANn can be connected to the outputs of other analog sensors or the like.

The CANIF also has an input/output terminal CAN0 that can be connected to the CAN bus. An electric power steering EPS or other electronic control unit (ECU) capable of CAN communication based on the CAN protocol can be connected to the CAN bus. The signal input/output port IOP has port terminals PD0-PDN that enable input/output of digital signals.

(Structure of power supply unit)
FIG. 3 is a diagram showing a conceptual configuration example of the power supply unit PSP. The power supply unit PSP shows the configuration of the main power supply unit (MPSP) 130 and the sub power supply unit (SPSP) 140. The power supply unit PSP has a plurality of regulators REG1-RG6. The regulator REG1 supplies the power supply voltage to the external terminal VDD1 for supplying the power supply voltage Vdd1 to the MCPU. The regulator REG2 supplies the power supply voltage to the external terminal VDD2 for supplying the power supply voltage Vdd2 to the SCPU. The regulator REG3 supplies the power supply voltage to the external terminal VDD3 for supplying the power supply voltage Vdd3 to the RAM. The regulator REG4 supplies the power supply voltage to the external terminal VDD4 for supplying the power supply voltage Vdd4 to the ROM. The regulator REG5 supplies the power supply voltage Vdd5 to the external terminal VDD5 for supplying the power supply voltage to the peripheral circuit PERI. The regulator REG6 supplies the analog power supply voltage Avdd and the analog reference voltage Avss to the external terminals AVDD and AVSS for supplying the analog power supply voltage Avdd and the analog reference voltage Avss to the analog-digital conversion circuit ADC. The plurality of regulators REG1 to RG6 are supplied with a voltage from the battery (BAT) 201 in response to the reception of the power supply signal 200 instructing the start of the power supply, and the power supply voltages Vdd1 to Vdd5, Avdd, and the analog power supply voltage are supplied. Avdd and the analog reference voltage Avss are generated.

As described above, the power supply unit PSP (130, 140) includes the main CPU (MCPU: 111, 121), sub CPU (SCPU: 112, 122), RAM (113, 123), ROM (114, 124), peripherals. A plurality of regulators REG1 to RG6 are provided so that electric power can be individually supplied to each of the circuit PERI and the analog-digital conversion circuit ADC (117, 127). This is because the drive currents supplied to the main CPU 111 and the sub CPU 112 are the RAM (113, 123), the ROM 114 (114, 124), the peripheral circuit PERI, and the analog-digital conversion circuit ADC (117, 127) as described above. This is to suppress the effect of current fluctuations.

2 and 3, the external terminal VDD5 that supplies the power supply voltage to the peripheral circuit PERI and the regulator REG5 that generates the power supply voltage of the peripheral circuit PERI are further defined as a plurality of external terminals and a plurality of regulators. Is also good. As a result, the power supply potential can be supplied so as to comply with the required specifications of the power supply potential of each circuit or each functional module included in the peripheral circuit PERI.

(Configuration of current measuring unit)
FIG. 4 is a diagram for explaining the configuration of the current measuring unit. FIG. 4 exemplarily shows the configuration of the main current measuring unit 150 as the current measuring unit. The configuration of the current measuring unit 150 is the same as the configuration of the current measuring units 160, 152, 162, and the other connection configurations can be easily understood from FIG. 1. Therefore, the configuration of the current measuring units 160, 152, 162 will be described. Is omitted. The power supply measuring unit 150 has a resistance element R1 having a resistance value Rs. The resistance element R1 is provided so as to be inserted in series in the power supply line L1 provided between the output of the regulator REG1 of the main power supply unit 130 and the external terminal VDD1 of the main CPU 111 of the main microcomputer 110. The nodes VRH and VRL at both ends of the resistance element R1 are connected to the analog input terminals AN0 and AN1 of the analog-digital conversion circuit 127 incorporated in the sub-microcomputer 120 via LM1. With the same configuration, the current measuring unit 160 is connected via the LM2 to the analog input terminals AN2 and AN3 of the analog-digital conversion circuit 127 built in the sub-microcomputer 120, respectively. The current measuring units 152 and 162 are connected to the analog input terminals AN0 and AN1 and AN2 and AN3 of the analog-digital conversion circuit 117 built in the main microcomputer 110 via the LM3 and LM4, respectively.

With such a configuration, the drive current Is including the leak current of the main CPU 111 flowing through the resistance element R1 is obtained by the following formula.
Is=Vs/Rs
Here, Vs is a voltage value corresponding to the voltage difference between the node VRH and the node VRL on both ends of the resistance element R1.

That is, the drive current Is including the leak current of the main CPU 111 is obtained by measuring the voltage value Vs between the node VRH and the node VRL by the analog-digital conversion circuit 127.

The output voltage value of the regulator REG1 of the main power supply unit 130 is the reference operating voltage of the main CPU 111 of the main microcomputer 110, the resistance value Rs of the resistance element R1, and the maximum current value of the drive current Is flowing through the resistance element R1. , And the voltage drop (Vs) due to the drive current Is flowing through the resistance element R1 may be taken into consideration so as to satisfy the reference operating voltage of the main CPU 111 of the main microcomputer 110. The output voltage values of the regulator REG2 of the main power supply unit 130 and the regulators REG1 and REG2 of the sub power supply unit 140 are also based on the same concept as described above, the sub CPU 112 of the main microcomputer 110, the main CPU 121 of the sub microcomputer 120, and the sub CPU 122. It may be determined so as to satisfy each of the reference operating voltages.

In the above description, the example in which the analog-digital conversion circuits 117 and 127 incorporated in the microcomputers 110 and 120 are used has been described, but the present invention is not limited to this. When a conversion bit number (for example, 100 bits) larger than the conversion bit numbers (for example, 10 bits or 12 bits) of the analog-digital conversion circuits 117 and 127 is required, the vehicle control device 100 is externally attached with a large conversion bit number. The individual analog-to-digital conversion circuit may be mounted and the individual analog-to-digital conversion circuit may be used instead of the analog-to-digital conversion circuits 117 and 127. In the measurement of the leak current value, the leak current value itself is small, so that the leak current value can be measured more accurately by using an individual analog-digital conversion circuit having a large number of conversion bits.

(Leakage current and its correction)
FIG. 5 is a diagram for explaining an increase in leak current. The main microcomputer 110 and the sub-microcomputer 120 are composed of a plurality of CMOS transistors and the like, and the leak current may increase due to factors such as manifestation of manufacturing defects and deterioration over time due to long-term use.

In FIG. 5, the vertical axis represents the leak current value Ileak, and the horizontal axis represents the time Time. Generally, a manufacturer of a semiconductor integrated circuit device performs a pre-shipment inspection before shipping the semiconductor integrated circuit device, measures a leak current, and selects a semiconductor integrated circuit device in which the leak current Ileak1 is within a predetermined range. , Shipped as a normal product. In FIG. 5, an example in which the leak current value Ileak1 is measured by a pre-shipment inspection of the main microcomputer 110 or the sub-microcomputer 120 will be described. However, the leak current value Ileak1 is set when the vehicle control device 1 is manufactured. It may be measured and stored in the ROM (114, 124) of the main microcomputer 110 or the sub-microcomputer 120.

At time T1, a leak current value Ileak1 of a normal product at the time of pre-shipment inspection is shown, and at time T2, a leak current value Ileak2 of an abnormal product whose leak current Ileak has increased due to long-term use is shown. At time T1, the range of the leak current of the normal product is, for example, a range between the minimum value (0 mA (milliampere)) and the maximum value (M mA), and the main micrometer measured by the pre-shipment inspection. It is assumed that the leak current value Ileak1 of the computer 110 or the sub-microcomputer 120 is TmA, for example.

It is assumed that the leak current value Ileak2 of the main microcomputer 110 or the sub-microcomputer 120 has increased to T+Y mA at time T2. That is, the leak current Ileak is increased by the value of YmA=ΔIleak=Ileak2-Ileak1.

The value of ΔIleak includes, in addition to deterioration over time, variations in temperature characteristics of leakage current in the main microcomputer 110 or the sub-microcomputer 120, and variations in leakage current due to manufacturing variations in the main microcomputer 110 or the sub-microcomputer 120. Has been. Therefore, it is necessary to correct the value of the increase amount ΔIleak of the leak current.

FIG. 6 is a diagram for explaining a method of correcting the increase in leak current. The increase amount ΔIleak of the leak current is corrected in consideration of the leak current value Ileak1 at the time of manufacturing, the leak current value Ileak2 at the time of measurement, and the temperature characteristic or temperature dependence of the leak current value Ileak2. The temperature characteristic or temperature dependence of the leak current value Ileak2 is corrected by the temperature information TM measured by the temperature sensor TSEN of the main microcomputer 110 or the sub microcomputer 120 and the temperature correction map (table) TCM of the leak current. .. The temperature correction map (table) TCM is unique to each of the main microcomputer 110 and the sub microcomputer 120, and can be obtained from, for example, a semiconductor manufacturer. The temperature correction map (or temperature correction table) TCM describes the correction current value (Icv) of the leak current at each temperature.

Therefore, the corrected increase amount ΔIleakc of the leak current used for diagnosing the failure potential is obtained by the following equation.
ΔIleakc=Ileak2+Icv-Ileak1
Here, Icv indicates a correction current value described in the temperature correction map (table) TCM in the temperature information TM.

As a result, variations in leak current value due to temperature and variations in manufacturing of the main microcomputer 110 or the sub-microcomputer 120 can be eliminated, and a corrected increase amount ΔIleakc of the leak current value due to deterioration over time can be obtained. When diagnosing the failure potential, the presence or absence of the failure potential is determined by whether or not the corrected increase amount ΔIleak of leak current exceeds a threshold value or a predetermined value (TH). With such a configuration, it is possible to determine whether or not the CPU (111, 112, 121, 122) has a potential to become a failure in the future although it is not completely failed. The threshold value or the predetermined value (TH) can be referred to as a set value or a specified value.

(Configuration example of address space of ROM 114, 124)
FIG. 7 is a diagram showing a configuration example of the address spaces of the ROM 114 and the ROM 124. 7A shows a configuration example of the address space of the ROM 114, and FIG. 7B shows a configuration example of the address space of the ROM 124.

As shown in FIG. 7A, in the address space of the ROM 114 of the main microcomputer 110, programs executed by the main CPU 111 and the sub CPU 112, data referred to when the programs are executed, maps or tables, data of operation results, etc. Is stored. The ROM 114 has, for example, a first address space ADSP1a and a second address space ADSP2a.

The first address space ADSP1a stores a control program CPROG, reference data referred to when the control program CPROG is executed, and the like. The control program CPROG is a control program for electronically controlling in-vehicle devices (for example, an automatic transmission, an engine, etc.) mounted on the vehicle.

The processing program or data according to the present invention is stored in the second address space ADSP2a, and the control is executed when the abnormality determination of the diagnostic program DPROG described in FIGS. 8A and 8B and the CPU described in FIG. The program CNTPROG and the calculation program LCCPROG for leak current correction described in FIG. 6 are stored. In the second address space ADSP2a, a temperature correction map (table) TCM of the leak current relating to the main microcomputer 110, a threshold value or a predetermined value (TH), a leak current value Ileak1 (110), a main of the sub-microcomputer 120 are further provided. The measured leak current values Ileak2 (121) and Ileak2 (122) regarding the CPU 121 and the sub CPU 122 are stored. In the second address space ADSP2a, the corrected leakage current increase amounts ΔIleakc (121) and ΔIleakc (122), the diagnostic results DRResult (121) and DRResult (122) regarding the main CPU 121 and the sub CPU 122 of the sub-microcomputer 120 are further included. , And experience information DHist indicating a diagnosis history are stored.

The diagnosis results DRResult (121) and DRResult (122) are the results of the diagnosis regarding the sub-microcomputer 120 by the diagnostic program DPROG, and the presence or absence of the failure potential of the main CPU 121 and the sub-CPU 122 of the sub-microcomputer 120 is stored. The experience information DHist stores the data of the main microcomputer 110 or the sub-microcomputer 120 that was diagnosed last time or last time.

As shown in FIG. 7B, in the address space of the ROM 124 of the sub-microcomputer 120, programs executed by the main CPU 121 and the sub-CPU 122, data referred to when the programs are executed, maps or tables, data of operation results, etc. Is stored. The ROM 124 has, for example, a first address space ADSP1b and a second address space ADSP2b.

The first address space ADSP1b stores a control program CPROG and reference data that is referred to when the control program CPROG is executed. The control program CPROG is a control program for electronically controlling in-vehicle devices (for example, an automatic transmission, an engine, etc.) mounted on the vehicle.

A processing program or data according to the present invention is stored in the second address space ADSP2b, and a diagnostic program DPROG described with reference to FIG. 8 and a control program CNTPROG executed with a CPU abnormality determination described with reference to FIG. The calculation program LCCPROG for correcting the leak current described in FIG. 6 is stored. In the second address space ADSP2b, a temperature correction map (table) TCM of the leak current relating to the sub-microcomputer 120, a threshold value or a predetermined value (TH), a leak current value Ileak1 (120), a main microcomputer 110 main. The measured leak current values Ileak2(111) and Ileak2(112) for the CPU 111 and the sub CPU 112 are stored. In the second address space ADSP2b, the corrected leak current increase amounts ΔIleakc (111) and ΔIleakc (112), the diagnostic results DRResult (111) and DRResult (112) regarding the main CPU 111 and the sub CPU 112 of the main microcomputer 110 are further included. , And experience information DHist indicating a diagnosis history are stored.

The diagnosis results DRResult (111) and DRResult (112) are the results of the diagnosis regarding the main microcomputer 110 by the diagnosis program DPROG, and the presence or absence of the failure potential of the main CPU 111 and the sub CPU 112 of the main microcomputer 110 is stored. The experience information DHist stores the data of the main microcomputer 110 or the sub-microcomputer 120 that was diagnosed last time or last time.

7A and 7B, the measured leak current values Ileak2 (111), Ileak2 (112), Ileak2 (121), and Ileak2 (122), and the increased amount of the leak current after correction. An example of storing ΔIleakc(111), ΔIleakc(112), ΔIleakc(121), and ΔIleakc(122) in the address spaces of the ROMs 114 and 124 has been shown, but these values should be stored in the address spaces of the ROMs 114 and 124. Instead, it can be temporarily stored in the RAMs 113 and 123 at the time of diagnosis.

(Example of failure potential diagnosis procedure)
8A and 8B are flowcharts illustrating an example of the failure potential diagnosis procedure of the CPU according to the first embodiment. The lower A in FIG. 8A and the upper A in FIG. 8B are connected. 8A and 8B are flowcharts for explaining a procedure for diagnosing the failure potentials of the main CPU 111 and the sub CPU 112 of the main microcomputer 110 using the sub microcomputer 120 when the vehicle control device 100 shuts down. The flowchart for diagnosing the failure potentials of the main CPU 121 and the sub CPU 122 of the sub-microcomputer 120 by using the main microcomputer 110 seems to be easily understood from FIGS. 8A and 8B, and therefore the description thereof is omitted. Hereinafter, each step of FIGS. 8A and 8B will be described.

(Step S100)
When the main microcomputer 110 and the sub-microcomputer 120 receive the power signal 200 indicating that the power is turned on, this flowchart starts. At the time of starting this flowchart, it is assumed that the main power supply IC 130 and the sub power supply IC 140 have already started to supply power according to the power supply signal 200. It should be noted that this flowchart corresponds to the diagnostic program DPROG of FIG. 7.

(Step S101)
The main microcomputer 110 and the sub-microcomputer 120 each have a leakage current value (Ileak1) at the time of manufacturing the main microcomputer 110 and the sub-microcomputer 120 from their respective storage areas (ROMs 114 and 124), and failure potential implementation experience information (DHist). Read out. The leak current value (Ileak1) is measured not only when the main microcomputer 110 and the sub-microcomputer 120 are manufactured, but also when the vehicle control device 100 is manufactured, and the leak currents of the main microcomputer 110 and the sub-microcomputer 120 are measured. They may be stored in the respective storage areas (ROM 114, 124).

(Step S102)
The main microcomputer 110 does not carry out this failure potential diagnosis until the conditions for carrying out the failure potential diagnosis are satisfied. The condition for executing the failure potential diagnosis is satisfied when all the self-shut processes executed after the power supply signal 200 is turned off are completed.

(Step S103)
The main microcomputer 110 determines a diagnostic target microcomputer of the current failure potential from the failure potential implementation experience information of the main microcomputer 110 and the sub-microcomputer 120 read out in step S101, and sets it as the measured microcomputer. For example, when the failure potential of the main CPU 111 and the sub CPU 112 built in the main microcomputer 110 is diagnosed in the previous failure potential diagnosis, the main CPU 121 and the sub CPU 122 built in the sub microcomputer 120 are targeted for diagnosis in this failure potential diagnosis. To do. As described above, in this example, the microcomputer to be diagnosed is switched every time the self-shut process is performed, because the main CPU and the sub CPU incorporated in the microcomputer to be diagnosed need to be in a stopped state (standby state). Is. Details will be described in the description of FIG. 9A. In this example, it is described that the measured microcomputer is the main microcomputer 110 and the failure potentials of the main CPU 111 and the sub CPU 112 incorporated in the main microcomputer 110 are diagnosed.

(Step S104)
In order to estimate the temperatures of the main CPU 111 and the sub CPU 112 of the measured microcomputer 110, the temperature of the main microcomputer 110 is measured by the temperature sensor 115 built in the main microcomputer 110. In this example, the temperature sensor 115 built in the main microcomputer 110 is used, but the temperature sensor may be the temperature sensor 170 installed in the vehicle control device 100. Further, an estimated temperature value depending on the temperature condition of the outside world or the operating time of the vehicle control device 100 may be used.

(Step S105)
The main CPU 111 and the sub CPU 112 of the measured microcomputer 110 use the temperature of the leak current Ileak2 to correct the change in the value of the leak current Ileak2 of the CPUs 111 and 112 based on the temperature information of the main microcomputer 110 acquired in step S104. The temperature correction value Icv of the leak current is calculated from the correction map TCM. The temperature correction map TCM of the leak current is defined in advance for each type of microcomputer under test. The temperature correction map TCM of the leak current can be stored in advance in the ROMs 114 and 124 included in the main microcomputer 110 and the sub-microcomputer 120, as shown in FIG.

(Step S106)
The temperature correction value Icv of the leakage current calculated in step S105 is notified to the sub-microcomputer 120.

(Step S107)
The main CPU 111 and the sub CPU 112 of the measured microcomputer 110 are shifted to a stopped state (standby state), and the subsequent calculation is performed using the sub microcomputer 120.

(Step S108)
The microcomputer under test 110 waits until the transition to the standby mode is completed. The determination of the completion of the transition is made when the output of the measured microcomputer 110 is turned off for a specified time.

(Step S109)
The sub-microcomputer 120 measures the current leakage current values (Ileak2(111), Ileak2(112)) of the main CPU 111 and the sub-CPU 112 of the measured microcomputer 110 with the main current measuring unit 150 and the sub-current measuring unit 160. To do.

(Step S110)
For each of the main CPU 111 and the sub CPU 112, the sub-microcomputer 120 compares the manufacturing leak current (Ileak1) obtained in step S101 with the current leak current (Ileak2(111), Ileak2(112)) obtained in step S109 and The leak current values for diagnosis (ΔIleakc(111), ΔIleakc(112)) are calculated from the leak current temperature correction value (Icv) acquired in S106. That is, the calculation program LCCPROG in FIG. 7 is executed, and the calculation for correcting the leak current value described in FIG. 6 is executed.

(Step S111)
The sub-microcomputer 120 determines, for each of the main CPU 111 and the sub CPU 112, whether or not the diagnostic leak current values (ΔIleakc(111), ΔIleakc(112)) are equal to or less than a threshold value (TH). If the diagnostic leak current value (ΔIleakc(111), ΔIleakc(112)) of either the main CPU 111 or the sub CPU 112 is below the threshold value (TH), it is determined that the main CPU 111 and the sub CPU 112 are normal, It proceeds to step S113. If the diagnostic leak current values (ΔIleakc(111), ΔIleakc(112)) exceed the threshold value (HT), it is determined that there is a failure potential, and the process proceeds to step S112. The threshold value (TH) can be stored in advance in the ROMs 114 and 124 provided in the main microcomputer 110 and the sub-microcomputer 120, as shown in FIG.

(Step S112)
The sub-microcomputer 120 stores the results of the determination that there is a failure potential in step S111 in the storage area (ROM 124) in the sub-microcomputer 120 as the determination results DRResult (111) and DRResult (112).

(Step S113)
The sub-microcomputer 120 stores execution experience information (DHist) for failure potential diagnosis in a storage area (ROM 124) in the sub-microcomputer 120. The failure potential implementation experience information (DHist) is read from the storage areas (ROMs 114 and 124) in step S101 and used as information for determining the target microcomputer for the failure potential diagnosis in step 103.

(Timing of failure potential diagnosis)
FIG. 9A is a diagram illustrating a timing of performing the failure potential diagnosis according to the first embodiment. FIG. 9A is a diagram illustrating that, as described in step 103 of FIG. 8A, the diagnostic target microcomputer of the failure potential is switched every time the vehicle control device 100 is shut down. That is, for example, it is assumed that the main microcomputer 110 and the sub-microcomputer 120 are performing normal control, and then the power supply signal 200 is turned off. In this case, as the first shutdown, the self-shut process is performed after the power supply signal 200 is turned off. After the self-shut processing is executed and all the self-shut processing is completed, the main microcomputer 110 is put in the standby state, and the sub-microcomputer 120 in the driving state performs the failure potential diagnosis on the main microcomputer 110 in the standby state. After the failure potential diagnosis is performed, the main microcomputer 110 and the sub microcomputer 120 are shut off.

On the other hand, for example, at the time of the second shutdown, the sub-microcomputer 120 is put in the standby state after the self-shut processing is completely completed, and the main microcomputer 110 in the driving state has a failure potential with respect to the sub-microcomputer 120 in the standby state. After the diagnosis is performed and the failure potential diagnosis is performed, the main microcomputer 110 and the sub-microcomputer 120 are shut off.

As described above, the failure potential diagnosis of each of the main microcomputer 110 and the sub-microcomputer 120 can be performed uniformly by switching the diagnosis target microcomputer for each shutoff.

(Modification 1 of implementation timing)
FIG. 9B is a diagram for explaining a modified example 1 of the execution timing of the failure potential diagnosis. FIG. 9A shows an example in which the microcomputer to be diagnosed is switched for each shutoff.
In FIG. 9B, after the power signal 200 is turned off, the self-shut process is performed, and then the self-shut process is performed. After all the self-shut processes are completed, the main microcomputer 110 is placed in the standby state and the sub-microcomputer The computer 120 performs the failure potential diagnosis on the main microcomputer 110 in the standby state. After that, the sub-microcomputer 120 is put in the standby state, and the main microcomputer 110 performs the failure potential diagnosis on the sub-microcomputer 120 in the standby state, and then performs the failure potential diagnosis.

Even with such a timing of performing the failure potential diagnosis, it is possible to determine the failure potentials of both the main microcomputer 110 and the sub-microcomputer 120 at shorter time intervals.

(Modification 2 of implementation timing)
FIG. 9C is a diagram illustrating a second modification of the execution timing of the failure potential diagnosis. 9A and 9B show an example in which the failure potential diagnosis is performed after the power supply signal 200 is turned off. FIG. 9C shows an example in which after the power signal 200 is turned on, the target microcomputer for failure potential diagnosis is switched every time the main microcomputer 110 and the sub-microcomputer 120 are activated, and failure potential diagnosis is performed. There is. That is, for example, after the power supply signal 200 is turned on for the first time, the sub-microcomputer 120 is placed in the standby state, and the main microcomputer 110 in the driving state performs the failure potential diagnosis on the sub-microcomputer 120 in the standby state. carry out. After that, the main microcomputer 110 and the sub microcomputer 120 are reset. In this example, the main microcomputer 110 is placed in a wait state until the sub-microcomputer 120 completes the reset, and then the main microcomputer 110 and the sub-microcomputer 120 are synchronized, and the main microcomputer 110 and the sub-microcomputer 120 are synchronized. The microcomputer 120 shifts to normal control.

Next, although not shown in the figure, after the power signal 200 is turned on for the second time, the main microcomputer 110 is placed in a standby state, and the sub-microcomputer 120 in a drive state fails with respect to the main microcomputer 110 in a standby state. Conduct potential diagnosis. After that, the main microcomputer 110 and the sub-microcomputer 120 are reset, the main microcomputer 110 and the sub-microcomputer 120 are synchronized, and the main microcomputer 110 and the sub-microcomputer 120 shift to normal control.

The failure potentials of the main microcomputer 110 and the sub-microcomputer 120 can be diagnosed even at the timing of performing such a failure potential diagnosis.

(Modification 3 of implementation timing)
FIG. 9D is a diagram illustrating a third modification of the execution timing of the failure potential diagnosis. In FIG. 9C, an example is shown in which each time the main microcomputer 110 and the sub-microcomputer 120 are activated, the microcomputer targeted for diagnosis of the failure potential is switched and the failure potential diagnosis is performed. FIG. 9D shows an example in which the failure potentials of both the main microcomputer 110 and the sub-microcomputer 120 are diagnosed each time the main microcomputer 110 and the sub-microcomputer 120 are activated. That is, after the power signal 200 is turned on for the first time, the sub-microcomputer 120 is placed in the standby state, and the main microcomputer 110 in the drive state performs the failure potential diagnosis on the sub-microcomputer 120 in the standby state. , Perform failure potential diagnosis. After that, the main microcomputer 110 and the sub-microcomputer 120 are reset, the main microcomputer 110 is set to the standby state, and the sub-microcomputer 120 in the driving state performs the failure potential diagnosis on the main microcomputer 110 in the standby state. .. After that, the main microcomputer 110 and the sub-microcomputer 120 are synchronized, and the main microcomputer 110 and the sub-microcomputer 120 shift to normal control.

(Modification 4 of implementation timing)
The execution timing of the failure potential diagnosis may be a combination of the execution timing shown in FIG. 9C and the execution timing shown in FIG. 9A. That is, the failure potential diagnosis of one of the main microcomputer 110 and the sub-microcomputer 120 is performed at the time of startup (the power supply signal 200 is on), and at the time of shut-off (the power supply signal 200 is off). The other failure potential diagnosis of the microcomputer 120 is performed. The microcomputer to be diagnosed is switched each time the system is started up or shut off.

Of course, the failure potential diagnosis may be performed by combining FIG. 9B and FIG. 9D.

(Control procedure using failure potential diagnosis result)
FIG. 10 is a diagram illustrating a control procedure according to the first embodiment. FIG. 10 shows means for using CPU information that is not in failure by using the failure potential diagnosis result when the outputs of the main CPU 111 and the sub CPU 112 in the vehicle control device 100 are mismatched by the comparator 116. 2 is an example of a flowchart illustrating This flowchart corresponds to the control program CNTPROG in FIG.

(Step S300)
When the main microcomputer 110 and the sub-microcomputer 120 receive the power signal 200 indicating that the power is turned on, this flowchart starts. At the time of starting this flowchart, it is assumed that the main power supply IC 130 and the sub power supply IC 140 have already started to supply power according to the power supply signal 200. The operation of the main microcomputer 110 will be described below as an example. As described with reference to FIG. 1, the sub-microcomputer 120 notifies the main microcomputer 110 of the information of the diagnosis result (DRresult (111), DRresult (112)) when the main microcomputer 110 is activated. Also, it is assumed that the main microcomputer 110 notifies the sub-microcomputer 120 of the diagnostic result (DRresult (121), DRresult (122)) information when the sub-microcomputer 120 is activated.

(Step S301)
The main microcomputer 110 includes a main CPU 111 and a sub CPU 112, and a comparator 116 that compares the output results of the main CPU 111 and the sub CPU 112, and determines whether the comparison results of the comparator 116 match. If the comparison results of the comparator 116 match, it is determined that there is no CPU failure and the process proceeds to step S302. If the comparison result of the comparator 116 does not match, it is determined that there is a CPU failure and the process proceeds to step S303.

(Step S302)
The main microcomputer 110 determines that there is no failure in the main CPU 111 and the sub CPU 112, and uses the output signal of the main CPU 111. Alternatively, the output value of the sub CPU 112 may be used.

(Step S303)
The main microcomputer 110 determines whether or not the failure potential diagnostic result (DRResult(111)) of the main CPU 111 stored in step S112 is normal. When the failure potential diagnosis result (DRResult(111)) of the main CPU 111 is normal, the process proceeds to step S304. If the failure potential diagnosis result (DRResult(111)) of the main CPU 111 is abnormal, the process proceeds to step S307.

(Step S304)
The main microcomputer 110 determines whether or not the failure potential diagnosis result (DRResult (112)) of the sub CPU 112 stored in step S112 is normal.
When the failure potential diagnosis result (DRResult (112)) of the sub CPU 112 is normal, the process proceeds to step S305. When the failure potential diagnosis result (DRResult (112)) of the sub CPU 112 is abnormal, the process proceeds to step S306.

(Step S305)
The main microcomputer 110 determines that there is a failure other than the main CPU 111 and the sub CPU 112, and shifts to fail-safe processing such as stopping the vehicle control actuator 202.

(Step S306)
The main microcomputer 110 determines that the main CPU 111 is normal although the sub CPU 112 has a failure, and uses the output signal of the main CPU 111 to continue normal processing (operation of normal vehicle control).

(Step S307)
In step S307, the same determination as in step S304 is performed. When the failure potential diagnosis result (DRResult (112)) of the sub CPU 112 is normal, the process proceeds to step S308. If the failure potential diagnosis result (DRResult(112)) of the sub CPU 112 is abnormal, the process proceeds to step S309.

(Step S308)
The main microcomputer 110 determines that the sub CPU 112 is normal although the main CPU 111 has a failure, and uses the output signal of the sub CPU 112 to continue normal processing (operation of normal control of the vehicle).

(Step S309)
The main microcomputer 110 determines that both the main CPU 111 and the sub CPU 112 have a failure potential, and shifts to fail-safe processing such as stopping the vehicle control actuator 202.

(Step S310)
The main microcomputer 110 notifies the other unit of the mismatch information of the comparator 116 as CPU failure information. Further, the CPU failure information may be notified to other units only when the process proceeds to step S305 or step S309.

As described above, it is possible to identify a normal CPU that does not fail when a CPU failure occurs or when a CPU abnormality occurs, and by effectively using a normal CPU that does not fail, It is possible to provide the vehicle control device 100 capable of maintaining driving performance.

According to the first embodiment, in the CPUs (111, 112, 121, 122) built in the microcomputers (110, 120), by determining the failure potential of the CPUs caused by foreign substances mixed in during manufacturing or aged deterioration, CPU failures can be detected as early as possible. In addition, when a CPU failure occurs or when a CPU abnormality occurs, it is possible to identify a normal CPU that has not failed, and by effectively using a normal CPU that has not failed, operating performance can be improved. It is possible to provide the maintainable vehicle control device 100.

According to the first embodiment, the value of the current (leakage current) of the CPU flowing through the power supply lines (connection lines: L1, L2, L3, L4) that supply power to the CPUs (111, 112, 121, 122). Is detected and measured using the current measurement unit (current detection unit: 150, 160, 152, 162). Thus, the deterioration state of the transistor can be determined from the measured value or amount of leak current. That is, the failure potential of the CPU can be determined based on the measured value or amount of leak current.

In the first embodiment, the value of the current (leakage current) of the CPU is measured by using the CPU in the driving state and measuring the current flowing in the power supply line that supplies the power to the CPU in the standby state. When the CPU is in a driving state, the current flowing through the power supply line of the CPU includes a leak current component of the CPU and a drive current component of the CPU. By setting the measured CPU to the standby state, it is possible to measure only the leak current component (Ileak2) of the CPU, excluding the drive current component of the CPU.

The CPU leak current (Ileak2) for failure potential diagnosis includes manufacturing variation of the microcomputer or CPU and variation due to temperature change of the microcomputer or CPU. In order to eliminate the variation element of the leak current and to extract only the increase of the CPU leak current due to the transistor deterioration, the value of the measured CPU leak current for the failure potential diagnosis is corrected. The correction targets are two corrections: correction of leakage current variation due to manufacturing variation of the microcomputer or CPU, and correction of leakage current variation due to temperature change.

A method of correcting a leak current variation due to a manufacturing variation of a microcomputer or a CPU measures a CPU leakage current value (Ileak1) for failure potential diagnosis at the time of manufacturing a microcomputer or a CPU, and stores it in a storage area (ROM: 114, 124) of the microcomputer. ) Is stored as a leak current value when the CPU is manufactured. By subtracting the leak current value (Ileak1) at the time of manufacturing the microcomputer or CPU from the current CPU leak current value (Ileak2) for failure potential diagnosis, the increase of the leak current from the time of manufacturing the microcomputer or CPU to the present Minutes (ΔIleak) can be extracted.

The change in the leak current due to the temperature can be corrected by preparing a correlation map (TCM) of the temperature of the CPU and the leak current of the CPU in advance. The temperature of the microcomputer or the CPU is measured by the temperature sensor (TSEN: 115, 125) built in the microcomputer, and the temperature of the microcomputer or the CPU is measured, and the correlation map of the measured CPU temperature and the CPU leakage current or the temperature change. From the map (TCM), the change amount (Icv) of the CPU leak current depending on the temperature is calculated.

The CPU leak current increase amount (ΔIleakc) after the temperature correction is performed by using the CPU leak current increase amount (ΔIleak) before the temperature correction and the change amount (Icv) of the CPU leak current due to the temperature using the correlation map (TCM). Is calculated. When the increase amount (ΔIleakc) of the CPU leakage current after the temperature correction is larger than the determination threshold value (TH) of the increase amount (ΔIleakc) of the current which is determined to have the predetermined failure potential, the CPU completely fails. Although it has not, it is judged that it has the potential for failure in the future.

As a result, the CPU can normally operate at the present time, but can detect a state in which there is a possibility of failure in the future at an early stage. That is, since the faulty CPU can be identified from the result of the fault potential diagnosis of the CPU, when a fault occurs in the CPU, the normal CPU that is not faulty is used to degenerate the vehicle control without degrading the vehicle control. The running performance can be maintained.

It is effective to measure the leak current and diagnose the CPU failure potential at the time of starting or shutting down the vehicle control device in order to put at least one CPU in the standby state. Further, the combination of CPUs to be diagnosed may be changed each time the system is started up or shut down (see FIGS. 9A, 9B, 9C, and 9D).

FIG. 11 is a diagram illustrating the vehicle control device system according to the second embodiment. The vehicle control device system 1a shown in FIG. 11 includes a vehicle control device 100a which is an electronic control unit (ECU: Electronic Control Unit) as in FIG. The vehicle control device 100a is a device that electronically controls in-vehicle devices (for example, an automatic transmission, an engine, etc.) mounted on a vehicle. The vehicle control device 100a of FIG. 11 is different from the vehicle control device 100 of FIG. 1 in that the comparator 116 in the main microcomputer 110 and the comparator 126 in the sub-microcomputer 120 are eliminated. The main microcomputer 110 of the vehicle control device 100a is of a parallel processing type in which the main CPU 111 and the sub CPU 112 simultaneously execute different controls. Other than the above, the description is omitted because it is the same as the vehicle control device 100.

FIG. 12 is a diagram illustrating a control procedure according to the second embodiment. In the control procedure of the second embodiment, in the vehicle control device 100a, it is determined whether or not the result of the failure potential diagnosis is normal, and when abnormal, the control function originally executed is degenerated. As a result, it is possible to extend the period until the CPU completely fails, and to maintain the original function of the vehicle control device 100a even if the CPU completely fails.

(Step S400)
When the main microcomputer 110 and the sub-microcomputer 120 receive the power signal 200 indicating that the power is turned on, this flowchart starts. At the time of starting this flowchart, it is assumed that the main power supply IC 130 and the sub power supply IC 140 have already started to supply power according to the power supply signal 200. The operation of the main microcomputer 110 will be described below as an example. The failure potential diagnosis is the same as described above, and the description thereof is omitted because it is the same.

(Step S401)
The main microcomputer 110 determines whether or not the main CPU 111 and the sub CPU 112 have experience (DHist) in performing a failure potential diagnosis. If there is no experience (DHist) in performing the failure potential diagnosis, the control ends, and if there is experience (DHist), the process proceeds to step S402.

(Step S402)
The main microcomputer 110 determines whether or not the failure potential diagnosis result (DRsult(111)) of the main CPU 111 is normal. When the failure potential diagnosis result (DRsult(111)) of the main CPU 111 is normal, the process proceeds to step S403. When the failure potential diagnosis result (DRsult(111)) is abnormal, the process proceeds to step S407.

(Step S403)
The main microcomputer 110 determines whether or not the failure potential diagnosis result (DRsult (112)) of the sub CPU 112 is normal. When the failure potential diagnosis result (DRsult(112)) of the sub CPU 112 is normal, the process proceeds to step S404. When the failure potential diagnosis result (DRsult (112)) is abnormal, the process proceeds to step S405.

(Step S404)
The main microcomputer 110 determines that neither the main CPU 111 nor the sub CPU 112 has a failure potential, and continues the normal operation according to the normal task operation setting.

(Step S405, Step S406)
The main microcomputer 110 determines that the main CPU 111 has no failure potential and the sub CPU 112 has a failure potential. Then, the function (task D) assigned to the control task of the sub CPU 112 is reduced, and the calculation load of the sub CPU 112 is reduced. This extends the time until the sub CPU 112 completely fails. At the same time, in step S406, the function (task D) assigned to the control task of the main CPU 111 is expanded. As a result, it is possible to create a situation in which the control task calculated by the total of the vehicle control device 100a does not change, although the share of calculation of the main CPU 111 and the sub CPU 112 changes. However, since the function exceeding the calculation load limit of the main CPU 111 cannot be assigned to the main CPU 111, the function assigned to the main CPU 111 and the function to be reduced by the sub CPU 112 must be determined in advance. FIG. 13 shows an example of changing the allocation of the control task when it is detected that the failure potential of the sub CPU 112 is high. The details will be described in the description of FIG.

(Step S407)
Since it is the same as step S403, description thereof will be omitted.

(Steps S408 and S409)
By using the same means as in steps S405 and S406, the function (task) of the control task of the main CPU 111 is reduced and the function (task) of the control task of the sub CPU 112 is expanded.

(Step S410)
The main microcomputer 110 determines that both the main CPU 111 and the sub CPU 112 have a failure potential, and continues the normal operation according to the normal task operation setting. The normal task operation setting mentioned here means the task setting for the normal operation that does not change the task.

(Example of changing control task assignment)
FIG. 13 is a schematic diagram illustrating an example of changing the assignment of control tasks according to the second embodiment. FIG. 13 is an example of changing the assignment of control tasks when it is detected that the failure potential of the sub CPU 112 is high. When there is no failure potential in the main CPU 111 and the sub CPU 112 according to the failure potential diagnosis in FIG. 12 and the CPU is in a normal state, the main CPU 111 performs task A and task B as scheduled processing, as shown in FIG. The background job (hereinafter, BGJ) 1 is executed in the idle time. On the other hand, the sub CPU 112 executes task C and task D as the regular processing, and executes BGJ2 in the idle time.

Here, when it is determined by the failure potential diagnosis in FIG. 12 that the sub CPU 112 has a failure potential, an example is shown in which the task D of the sub CPU 112 is assigned to the main CPU 111, as shown in FIG. 13B. .. The main CPU 111 executes the task A, the task B, and the extended task D, and executes the background job (hereinafter, BGJ) 1 in the idle time. On the other hand, the sub CPU 112 executes task C and executes BGJ2 in the idle time. That is, the task D being executed by the sub CPU 112 is transferred to the main CPU 111.

The failure potential diagnosis of FIG. 12 is performed after the power supply signal 200 is turned off, and the task assignment change is performed when the vehicle control device 100a is activated by key-on of the vehicle. Therefore, there is no influence on the vehicle behavior due to a sudden change in control due to a task assignment change during normal control.

Further, although the sub CPU 112 allocates the function of task D to the main CPU 111 to reduce the calculation load, it still has a high failure potential. When the sub CPU 112 completely fails, the task C function and the BGJ2 are lost. Therefore, it is preferable to assign a function that does not affect the vehicle running even if the sub CPU 112 is lost in advance. In this case, even if the sub CPU 112 completely fails, the vehicle can continue traveling safely.

When changing from the task execution state of FIG. 13A to the task execution state of FIG. 13B, the normal task operation setting that defines the task execution state of FIG. The abnormal task operation setting 1 defining the task execution state of FIG. 13B is stored in the storage area of the ROM 114 of the main microcomputer 110, for example. When the main CPU 111 and the sub CPU 112 have no failure potential and the CPUs 111 and 112 are in a normal state, the normal task operation setting is executed. On the other hand, when it is determined that the sub CPU 112 has a failure potential, the normal task operation setting is changed to the abnormal task operation setting. As described above, the change from the normal task operation setting to the abnormal task operation setting 1 is performed when the vehicle control device 100a is activated by key-on of the vehicle.

When it is determined that the main CPU 111 has a failure potential, the task is changed such that, for example, the task B executed by the main CPU 111 is transferred to the sub CPU 112 according to the same idea as described above. You can In this case, the abnormal task operation setting 2 used when it is determined that the main CPU 111 has a failure potential may be provided in addition to the normal task operation setting and the abnormal task operation setting 1. The abnormal task operation setting 2 may be stored in the storage area of the ROM 114 of the main microcomputer 110 together with the normal task operation setting and the abnormal task operation setting 1.

According to the second embodiment, before the CPU (112) with a high failure potential completely fails, the arithmetic control (task D) that the CPU (112) with a high failure potential takes charge of is transferred to another CPU (111). Since the driver of the vehicle can be notified of the CPU failure without degrading the function of the vehicle control device (100a), the vehicle can be safely and smoothly moved for repair.

According to the second embodiment, when the CPU (112) completely fails, the normal CPU (111) can be used even in the failure detection delay time until the failure is detected. Therefore, the original driving performance of the vehicle control device (100a) is not sacrificed, and it is possible to prevent actuators such as the engine and the transmission from suddenly stopping or malfunctioning and causing the vehicle to behave unintentionally. ..

According to the second embodiment, the task (D) calculated by the CPU (112) having a high failure potential is degenerated before the CPU (112) completely fails. As a result, the calculation load of the CPU (112) can be reduced, and the period until the CPU (112) completely fails can be extended.

FIG. 14 is a diagram illustrating a vehicle control device system according to the third embodiment. The vehicle control device system 1b shown in FIG. 14 includes a vehicle control device 100b which is an electronic control unit (ECU) as in FIG. The vehicle control device 100b is a device that electronically controls in-vehicle devices (for example, an automatic transmission, an engine, etc.) mounted on the vehicle. In the vehicle control device 100b of FIG. 14, as compared with the vehicle control device 100 of FIG. 1, the main microcomputer 110 has only the CPU 111, and the sub-microcomputer 120 has only the CPU 121. Due to this change, the current measuring units SCM160 and 162 are deleted. Further, the comparator 116 in the main microcomputer 110 and the comparator 126 in the sub microcomputer 120 are deleted. Instead of the comparators 116 and 126, a signal matching unit COMPb having a function as a comparator is provided in the vehicle control device 100b as a semiconductor integrated circuit device different from the main microcomputer 110 and the sub-microcomputer 120. Other configurations are similar to those of the first embodiment, and the description thereof will be omitted.

The signal matching unit COMPb includes an output signal Smmc of the main microcomputer (first microcomputer) 110 or the CPU (first CPU) 111 and an output signal Ssmc of the sub microcomputer (second microcomputer) 120 or the CPU (second CPU) 121. Are compared to see if they match. When the output signal Smmc and the output signal Ssmc are the same, for example, the output signal Smmc of the main microcomputer 110 is used, and the signal matching unit COMPb connects the actuator (ACU) 202 and the signal matching unit connected to the signal matching unit COMPb. A display device 203 and an electric power steering device (EPS) 204, which are connected to the section COMPb via a CAN bus, are driven.

The signal matching unit COMPb is also adapted to receive the failure potential diagnosis result DRResult (121) from the main microcomputer 110 and the failure potential diagnosis result DRResult (111) from the sub-microcomputer 120, and these diagnosis signals DRResult are received. According to (121) and DRResult (111), the control procedure using the failure potential diagnosis result described in FIG. 15 is executed.

FIG. 15 is a diagram illustrating a control procedure according to the third embodiment. The control procedure of the third embodiment will be described below with reference to FIG.

(Step S500)
When the main microcomputer 110 and the sub-microcomputer 120 receive the power signal 200 indicating that the power is turned on, this flowchart starts. At the time of starting this flowchart, it is assumed that the main power supply IC 130 and the sub power supply IC 140 have already started to supply power according to the power supply signal 200.

(Step S501)
The signal matching unit COMPb compares whether or not the output signal Smmc of the main microcomputer 110 and the output signal Ssmc of the sub-microcomputer 120 match, and determines whether or not the matching results match. If the verification results of the signal verification unit COMPb match (YES), it is determined that there is no CPU failure, and the process proceeds to step S502. If the verification result of the signal verification unit COMPb does not match (NO), it is determined that there is a CPU failure, and the process proceeds to step S503.

(Step S502)
The signal matching unit COMPb determines that the CPU 111 of the main microcomputer 110 has no failure and uses the output signal Smc of the main microcomputer 110 as it is. Alternatively, it may be determined that the CPU 121 of the sub-microcomputer 120 has no failure and the output signal Ssmc of the sub-microcomputer 120 may be used.

(Step S503)
The signal matching unit COMPb determines whether or not the failure potential diagnosis result (DRresult(111)) of the CPU 111 stored in step S112 is normal. When the failure potential diagnosis result (DRResult(111)) of the CPU 111 is normal, the process proceeds to step S504. If the failure potential diagnosis result (DRResult(111)) of the CPU 111 is abnormal, the process proceeds to step S507.

(Step S504)
The signal matching unit COMPb determines whether or not the failure potential diagnosis result (DRresult(121)) of the CPU 121 of the sub-microcomputer 120 stored in step S112 is normal. When the failure potential diagnosis result (DRResult(121)) of the CPU 121 is normal, the process proceeds to step S505. If the failure potential diagnosis result (DRResult(121)) of the CPU 121 is abnormal, the process proceeds to step S506.

(Step S505)
It is determined that there is a failure other than the CPU 111 of the main microcomputer 110 and the CPU 121 of the sub-microcomputer 120, and the process proceeds to a fail-safe process such as stopping the vehicle control actuator 202.

(Step S506)
The signal matching unit COMPb determines that the CPU 111 of the main microcomputer 110 is normal although the CPU 121 of the sub-microcomputer 120 has a failure, and uses the output signal Smc of the main microcomputer 110 for normal processing (normal for the vehicle). Control operation).

(Step S507)
In step S507, the same determination as in step S504 is performed. When the failure potential diagnosis result (DRResult(121)) of the CPU 121 is normal, the process proceeds to step S508. When the failure potential diagnosis result (DRResult(121)) of the CPU 121 is abnormal, the process proceeds to step S509.

(Step S508)
The signal matching unit COMPb determines that the CPU 121 of the sub-microcomputer 120 is normal although the CPU 111 of the main microcomputer 110 has a failure, and uses the output signal Sscm of the main microcomputer 110 for normal processing (normal for the vehicle). Control operation).

(Step S509)
The signal matching unit COMPb determines that both the CPU 111 of the main microcomputer 110 and the CPU 121 of the sub microcomputer 120 have a failure potential, transitions to a safe state such as stopping the vehicle control actuator 202, and performs fail-safe processing. Transition.

The signal matching unit COMPb may notify other units of the mismatch information as the CPU failure information. The CPU failure information may be notified to other units only when the process proceeds to step S505 or step S509.

According to the third embodiment, it is possible to obtain the same effect as that of the first embodiment, and it is possible to detect the state in which the CPU can normally operate at the present time but may possibly fail in the future at an early stage. it can.

Since the failed CPU can be identified from the result of the CPU failure potential diagnosis, the vehicle control can be degenerated by effectively using the normal CPU that has not failed when the CPU fails or the CPU fails. It is possible to provide the vehicle control device (100b) that can maintain the driving performance without performing the operation.

Although the invention made by the present inventor has been specifically described based on the examples, the present invention is not limited to the above-described embodiments and examples, and it goes without saying that various modifications can be made. ..

100: Vehicle control device 110: Main microcomputer (MMC) 111: Main CPU (MCPU) 112: Sub CPU (SCPU) 113: RAM 114: ROM 115: Temperature sensor (TSEN) 116: Comparator (COMP) 120: Sub microcomputer (SMC) 130: Main power supply IC (MPSP) 140: Sub power supply IC (SPSP) 150: Main CPU current measurement unit (MCM) 160: Sub CPU current measurement unit (SCM) 200: Power supply signal (PS) 201: Battery ( BAT) 202: Actuator (ACU) 203: Display device (DISP) L1, L2, L3, L4: Connection line

Claims (17)

A microcomputer having a main CPU and a sub CPU;
Power supply part,
A first connection line connecting the power supply unit and the main CPU;
A second connection line connecting the power supply unit and the sub CPU;
A current detector that detects a current value flowing in the first connection line and a current value flowing in the second connection line,
In the microcomputer, the current value flowing in one of the first connection line and the second connection line is larger than a set value, and the current value flowing in the other of the first connection line and the second connection line is A vehicle control device that continues driving using the main CPU or the sub CPU connected to the other when the value is equal to or less than the set value. The vehicle control device according to claim 1,
The microcomputer has a comparison unit that compares an output signal from the main CPU with an output signal from the sub CPU.
When the comparison result of the comparison unit does not match, the microcomputer continues the driving of the vehicle by using the main CPU or the sub CPU whose current value is the set value or less among the main CPU and the sub CPU. A vehicle control device. The vehicle control device according to claim 1,
The vehicle control device, wherein the current value is a leak current value. The vehicle control device according to claim 3,
Has a temperature sensor,
The vehicle control device, wherein the leak current value is a leak current value corrected by temperature information from the temperature sensor and a leak current value at the time of manufacturing the microcomputer. The vehicle control device according to claim 4,
The current detector detects the current value when the microcomputer is in a standby state,
The corrected leak current value is calculated by the current value, the temperature information, a temperature correction map representing a correlation between the leak current and temperature, and a leak current value at the time of manufacturing the microcomputer, Vehicle control device. A microcomputer having a main CPU and a sub CPU;
Power supply part,
A first connection line connecting the power supply unit and the main CPU;
A second connection line connecting the power supply unit and the sub CPU;
A current detector that detects a current value flowing in the first connection line and a current value flowing in the second connection line,
In the microcomputer, the current value flowing in one of the first connecting line and the second connecting line is larger than a set value, and the other connecting line of the first connecting line and the second connecting line flows. A vehicle control device that changes a function assigned to the main CPU or the sub CPU connected to the other connection line when the current value is equal to or less than the set value. A first CPU,
A second CPU,
A comparison unit that compares an output signal from the first CPU with an output signal from the second CPU;
Including
Comparing the leakage current value of the first CPU and the leakage current value of the second CPU with a threshold value to determine the failure potential of the first CPU and the second CPU,
A vehicle control device for continuing driving of a vehicle using the first CPU or the second CPU having the lower failure potential out of the first CPU and the second CPU when the comparison result of the comparison unit does not match. The vehicle control device according to claim 7,
A microcomputer that includes the first CPU, the second CPU, and the comparison unit;
Power supply part,
A first connection line connecting the power supply unit and the first CPU;
A second connection line connecting the power supply unit and the second CPU;
A current measuring unit that detects a current value flowing in the first connection line and a current value flowing in the second connection line;
A vehicle control device having a temperature sensor. The vehicle control device according to claim 8,
For the leak current value of the first CPU and the leak current value of the second CPU, the current value measured by the current measuring unit is the leak current value at the time of manufacturing the microcomputer, and the temperature information from the temperature sensor. And a temperature correction map representing a correlation between the leak current and the temperature, the vehicle control device having the leak current value corrected. The vehicle control device according to claim 9,
The vehicle control device, wherein the current measuring unit detects the current value when the microcomputer is in a standby state. The vehicle control device according to claim 7,
A first microcomputer including the first CPU;
A second microcomputer including the second CPU;
Power supply part,
A first connection line connecting the power supply unit and the first CPU;
A second connection line connecting the power supply unit and the second CPU;
A first current measuring unit that detects a first current value flowing through the first connection line;
A second current measuring unit for detecting a second current value flowing through the second connection line;
A vehicle control device having a temperature sensor. The vehicle control device according to claim 11,
The leak current value of the first CPU is obtained by correcting the first current value, the leak current value at the time of manufacturing the first microcomputer, the temperature information from the temperature sensor, and the temperature correction indicating the correlation between the leak current and the temperature. It is the leak current value corrected by the map and
The leak current value of the second CPU is obtained by correcting the second current value, the leak current value at the time of manufacturing the second microcomputer, the temperature information from the temperature sensor, and the temperature correction indicating the correlation between the leak current and the temperature. The vehicle control device, which is a leak current value corrected by the map. The vehicle control device according to claim 12,
The first microcomputer has a first analog-digital conversion circuit connected to the second current measuring unit,
The vehicle control device, wherein the second microcomputer has a second analog-digital conversion circuit connected to the first current measuring unit. The vehicle control device according to claim 13,
The first analog-to-digital conversion circuit measures the second current value using the second current measuring unit when the second microcomputer is in a standby state,
The vehicle control device, wherein the second analog-digital conversion circuit measures the first current value using the first current measuring unit when the first microcomputer is in a standby state. The vehicle control device according to claim 14,
One of the first microcomputer and the second microcomputer is in a standby state, and the other of the first microcomputer and the second microcomputer is in an activated state,
The first current value of the first microcomputer or the second current value of the second microcomputer in the standby state is measured by the first microcomputer or the second microcomputer in the activated state. The vehicle control device. The vehicle control device according to claim 15,
In the measurement of the first current value of the first microcomputer or the second current value of the second microcomputer in the standby state, the first microcomputer and the second microcomputer complete self-shut processing. After that, the vehicle control device is performed. The vehicle control device according to claim 16,
A vehicle control device in which the standby state and the activation state of the first microcomputer and the second microcomputer are switched for each self-shut process.

Images