WO2019082647A1 - Vehicle control device - Google Patents

Vehicle control device

Info

Publication number
WO2019082647A1
WO2019082647A1 PCT/JP2018/037657 JP2018037657W WO2019082647A1 WO 2019082647 A1 WO2019082647 A1 WO 2019082647A1 JP 2018037657 W JP2018037657 W JP 2018037657W WO 2019082647 A1 WO2019082647 A1 WO 2019082647A1
Authority
WO
WIPO (PCT)
Prior art keywords
cpu
microcomputer
current value
vehicle control
control device
Prior art date
Application number
PCT/JP2018/037657
Other languages
French (fr)
Japanese (ja)
Inventor
文博 大澤
啓人 栗原
暢紀 長濱
Original Assignee
日立オートモティブシステムズ株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日立オートモティブシステムズ株式会社 filed Critical 日立オートモティブシステムズ株式会社
Priority to JP2019550964A priority Critical patent/JP6807467B2/en
Publication of WO2019082647A1 publication Critical patent/WO2019082647A1/en

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/02Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures

Definitions

  • the present invention relates to a vehicle control device that controls devices mounted on a vehicle.
  • a vehicle control device that controls devices mounted on the vehicle includes a microcomputer that performs control calculations.
  • the microcomputer generally includes a CPU (Central Processing Unit), a ROM (Read Only Memory) which is a non-volatile memory, and a RAM (Random Access Memory) which is a volatile memory.
  • the CPU is an arithmetic unit for calculating and controlling information stored in the RAM and the ROM. If the CPU fails, the microcomputer can not carry out the correct operation, causing a failure. Therefore, the vehicle control device has a function of diagnosing the CPU.
  • Patent Document 1 describes a failure diagnosis method of a control CPU.
  • a control CPU and a monitoring CPU are provided, and the control CPU and the monitoring CPU communicate with each other to confirm that they are in a normal state.
  • Patent Document 2 describes a method of collating output results to detect an abnormality when the same input is given to a plurality of CPUs.
  • failsafe processing when an abnormality occurs in the computer or the CPU, failsafe processing is performed so that the car is not in a dangerous state.
  • An example of failsafe processing is described below.
  • the control unit of the automatic transmission when the CPU of the control unit of the automatic transmission breaks down, the control unit of the automatic transmission is controlled to prevent the occurrence of an unintended shift, because the actuator for realizing the shift control of the automatic transmission does not operate properly.
  • JP 2003-97344 A Japanese Patent Application Laid-Open No. 2000-172521
  • the CPU failure diagnosis method described in Patent Documents 1 and 2 has a problem that it can not be determined as a CPU failure unless the CPU is completely broken. Another problem is that it is difficult to detect which CPU has failed. Also, when a CPU failure occurs, despite having a microcomputer or CPU that has not failed, transition to fail-safe processing is performed, and the vehicle as a whole still has the potential to be able to travel normally. There is also a problem that the driving performance is lowered.
  • An object of the present invention is a vehicle control apparatus capable of maintaining a driving performance by specifying a normal CPU which has not failed and effectively using a normal CPU which has not failed when a CPU abnormality occurs. It is to provide.
  • the vehicle control device connects a microcomputer having a main CPU and a sub CPU, a power supply unit, a first connection line connecting the power supply unit and the main CPU, and the power supply unit and the sub CPU A second connection line, and a current detection unit that detects a current value flowing through the first connection line and a current value flowing through the second connection line.
  • the current value flowing through one of the first connection line and the second connection line is larger than a set value
  • the current value flowing through the other of the first connection line and the second connection line is If it is less than the set value, the operation is continued using the main CPU or the sub CPU connected to the other.
  • the vehicle control device According to the vehicle control device according to the present invention, it is possible to maintain the driving performance by effectively using a normal CPU that is not broken even when an abnormality occurs in the CPU.
  • FIG. 1 is a diagram showing a vehicle control system according to a first embodiment. It is a figure showing an example of notional composition of a microcomputer. It is a figure which shows the conceptual structural example of a power supply part. It is a figure for demonstrating the structure of a current measurement part. It is a figure for demonstrating increase of leakage current. It is a figure for demonstrating the correction method of the increase part of leakage current. It is a figure which shows the structural example of the address space of ROM114, ROM124. 7 is a flowchart illustrating an example of a failure potential diagnosis procedure according to the first embodiment. 7 is a flowchart illustrating an example of a failure potential diagnosis procedure according to the first embodiment. FIG.
  • FIG. 7 is a diagram for explaining the execution timing of fault potential diagnosis according to the first embodiment. It is a figure explaining the implementation timing of the failure potential diagnosis which concerns on the modification 1.
  • FIG. FIG. 18 is a diagram for explaining the execution timing of failure potential diagnosis according to the second modification.
  • FIG. 18 is a diagram for explaining the execution timing of failure potential diagnosis according to the third modification.
  • FIG. 7 is a diagram for explaining a control procedure according to the first embodiment.
  • FIG. 7 is a diagram showing a vehicle control system according to a second embodiment.
  • FIG. 10 is a diagram for explaining a control procedure according to the second embodiment.
  • FIG. 18 is a diagram for explaining an example of change of assignment of control tasks according to the second embodiment.
  • FIG. 7 is a view showing a vehicle control system according to a third embodiment.
  • FIG. 13 is a diagram for explaining a control procedure according to a third embodiment.
  • the CPU included in the microcomputer of the vehicle control device causes the foreign matter mixed in the semiconductor manufacturing process to short-circuit the adjacent transistor or wiring, and the transistor deterioration failure due to long-term use, etc. There is a possibility of failure without depending on it.
  • a general CPU failure diagnosis method it is possible to detect a CPU failure when a transistor constituting the CPU completely fails and the CPU operation result comes to output a value different from the originally intended operation result. it can.
  • the general CPU failure diagnosis method has a problem that it can not be determined as a CPU failure unless the CPU is completely in failure.
  • the output result of the CPU is used in the same manner as in the normal operation, so the CPU erroneous operation
  • the result may be used.
  • the vehicle behaves in an unintended manner, for example, by giving an incorrect instruction to the actuator or transmitting an incorrect information to another unit.
  • failsafe control is performed such that the vehicle is in a safe state, and in general, the driving performance of the vehicle is reduced, or The vehicle can not run.
  • the adjacent transistor may be short-circuited to cause failure of the CPU.
  • the potential fluctuation caused by the short circuit may remain to such an extent that it does not reach the determination threshold.
  • a failure is diagnosed by a lock step method in which a plurality of CPUs are used and output values when the same input signal is given are compared.
  • this lock step method although it is possible to detect even if a failure occurs in either of the CPUs, there is a problem that it is difficult to detect which CPU has failed.
  • a CPU incorporated in a microcomputer detects a CPU failure as early as possible by judging a failure potential of the CPU caused by foreign particles mixed in during manufacturing or aging. Can.
  • a maintainable vehicle control system (100) can be provided.
  • the CPU (111, 112, 121, 122) is a power supply line (connection line: L1) supplying power to the CPU by shorting or aging of the transistor causing the failure of the CPU. , L 2, L 3, L 4)), and focus on the feature of increasing current (leakage current). Detecting and measuring the value of the leak current of the CPU using current measurement units (current detection units: 150, 160, 152, 162), and judging the deterioration state of the transistor from the value or amount of the measured leak current Can. That is, the failure potential of the CPU can be determined.
  • current measurement units current detection units: 150, 160, 152, 162
  • the current flowing through the power supply line of the CPU includes the leak current component of the CPU and the drive current component of the CPU, and excluding the drive current component of the CPU, the leak of the CPU It is necessary to measure only the current component.
  • the operation state of the CPU is a state in which the CPU is not driving (a non-calculation state), that is, a standby state
  • the driving current component of the CPU zero.
  • the CPU in the driven state is used to measure the current flowing to the CPU in the standby state.
  • This current is treated as CPU leak current (Ileak 2) for fault potential diagnosis.
  • Ileak 2 CPU leak current
  • the CPU leak current (Ileak 2) for fault potential diagnosis includes variations due to manufacturing variations of the microcomputer or CPU and variations due to temperature changes of the microcomputer or CPU, excluding these variation factors of the leak current, It is necessary to extract only the increase in CPU leak current due to transistor degradation. For this reason, it is necessary to correct the measured value of the CPU leak current for failure potential diagnosis. Correction of leak current variation due to manufacturing variation of microcomputer or CPU and leak current variation due to temperature change are corrected.
  • the CPU leak current value (Ileak1) for fault potential diagnosis As a method of correcting leak current variation due to manufacturing variation of microcomputer or CPU, measure CPU leak current value (Ileak1) for fault potential diagnosis at the time of microcomputer or CPU production, and store memory area (ROM: 114, 124) of microcomputer. ) Is stored as a leak current value at the time of CPU manufacture. By subtracting the leak current value (Ileak1) at the time of microcomputer manufacture or CPU manufacturing from CPU leak current value (Ileak2) for current failure potential diagnosis, increase in leak current from manufacture time of microcomputer or CPU to the present The minutes ( ⁇ Ileak) can be extracted. Let this be the increase amount of CPU leak current before temperature correction. Further, the CPU leak current value (Ileak1) for failure potential diagnosis may be stored by measuring the CPU leak current for failure potential diagnosis at the time of manufacture of the vehicle control device, not at the time of manufacture of the microcomputer or CPU.
  • a correlation map (TCM) of the temperature of the CPU and the leak current of the CPU can be prepared in advance.
  • the temperature of the microcomputer or CPU can be measured by a temperature sensor (TSEN: 115, 125) built in the microcomputer. Alternatively, it may be estimated from temperature information from a temperature sensor disposed on the substrate of the vehicle control device (1). From the measured CPU temperature and the CPU leak current temperature change map (TCM), it is possible to calculate the amount of change in CPU leak current due to temperature.
  • the CPU leak current increase amount ( ⁇ Ileakc) after the temperature correction can be calculated using the CPU leak current increase amount ( ⁇ Ileak) before the temperature correction and the CPU leak current change amount (Icv) due to the temperature.
  • the increase amount ( ⁇ Ileakc) of the CPU leak current after the temperature correction is larger than the determination threshold (TH) of the increase amount of the current determined to have a predetermined failure potential, the CPU has not completely failed. However, it can be determined that it has a potential for failure in the future.
  • the determination threshold can be regarded as a set value or a predetermined value.
  • the measurement of the leak current and the CPU failure potential diagnosis can be performed at any timing, but it is effective to carry out at the time of starting or shutdown of the vehicle control device in order to put at least one CPU in the standby state. Also, the combination of CPUs to be diagnosed may be changed at each startup or every shutdown (FIGS. 9A, 9B, 9C, 9D).
  • the CPU can calculate normally at the present time, but can detect a state in which it may fail in the future at an early stage.
  • failure-safe processing such as stopping the vehicle control actuator is generally executed by degenerating the vehicle control even if there is another normal CPU.
  • the vehicle control is degenerated by using the normal CPU which is not failed when the failure of the CPU occurs.
  • the traveling performance of the vehicle can be maintained without causing
  • the operation control that the CPU having a high failure potential takes over is transferred to another CPU, and the vehicle control device does not degenerate functions. Since the driver can be notified of the CPU failure, it is possible to move safely and smoothly to repair the vehicle.
  • the normal CPU when the CPU completely fails, the normal CPU can be used even in the failure detection delay time until the failure is detected, so that the original operation performance is not sacrificed. It is possible to prevent the vehicle from acting unintended due to sudden stop or malfunction of an actuator such as a transmission or the like.
  • the CPU operation load is reduced by degenerating the task calculated by the CPU having a high failure potential in advance, thereby extending the time until the CPU completely fails. can do.
  • FIG. 1 is a diagram showing a vehicle control system according to a first embodiment.
  • the vehicle control device system 1 includes a vehicle control device 100 which is an electronic control unit (ECU: Electronic Control Unit).
  • the vehicle control device 100 is a device that electronically controls on-vehicle devices (for example, an automatic transmission, an engine, and the like) mounted on the vehicle.
  • the vehicle control device 100 includes a main microcomputer (MMC) 110, a sub microcomputer (SMC) 120, a main power supply unit (MPSP) 130, a sub power supply unit (SPSP) 140, and a main CPU current measurement unit (MCM) 150, 152, A sub CPU current measurement unit (SMCM) 160, 162 and a temperature sensor 170 are provided.
  • the main microcomputer (MMC) 110 may be referred to as a first microcomputer
  • the sub microcomputer (SMC) 120 may be referred to as a second microcomputer.
  • the main microcomputer 110 is a microcomputer or a microcontroller that controls in-vehicle devices mounted on a vehicle.
  • the main microcomputer 110 controls on-vehicle equipment by controlling, for example, an actuator (ACU) 202.
  • ACU actuator
  • a message can be displayed via the display device (DISP) 203.
  • the message may be in any form, for example, a message such as a character or an image, a notification by lighting a lamp, or the like.
  • the main microcomputer (MMC) 110 is a semiconductor integrated circuit device, and is formed, for example, by forming a plurality of CMOS transistors on a semiconductor chip such as single crystal silicon by a known CMOS semiconductor manufacturing technology. .
  • the main microcomputer (MMC) 110 includes a main CPU (MCPU: first CPU) 111, a sub CPU (SCPU: second CPU) 112, a random access memory (RAM) 113 which is a volatile memory, and a ROM (read) which is a non-volatile memory. Only memory (114), a temperature sensor (TSEN) 115 capable of measuring the temperature of the main microcomputer 110, a comparator (COMP) 116, and an analog-to-digital converter (ADC) 117.
  • MCPU main CPU
  • SCPU sub CPU
  • RAM random access memory
  • ROM read
  • Only memory 114
  • TSEN temperature sensor
  • COMP comparator
  • ADC analog-to-digital converter
  • the main CPU 111 and the sub CPU 112 are arithmetic devices that perform control calculations necessary to control the in-vehicle device.
  • the RAM 113 temporarily stores data used by the main CPU 111 and the sub CPU 112.
  • the ROM 114 stores control programs executed by the main CPU 111 and the sub CPU 112, diagnostic processing glomograms described later, etc., and information received by the main CPU 111 and the sub CPU 112, received from the sub microcomputer 120 and other in-vehicle devices. Information can be stored.
  • the comparator 116 supplies the same input information to the main CPU 111 and the sub CPU 112, and collates the output results of the main CPU 111 and the sub CPU 112.
  • This configuration is a general lock step system.
  • a power supply line (first connection line) L1 provided between the main CPU 111 and the main power supply unit 130 includes a main current measurement unit (current detection unit) 150 that measures a drive current of the main CPU 111.
  • the power supply line (second connection line) L2 provided between the sub CPU 112 and the main power supply unit 130 includes a sub current measurement unit (current detection unit) 160 that measures the drive current of the sub CPU 112.
  • the analog-to-digital converter (ADC) 127 of the sub-microcomputer 120 which will be described later, is connected to the main current measuring unit 150 and the sub-current measuring unit 160 via the measurement wirings LM1 and LM2, Second connection line) Measure the current value of the drive current of the main CPU 111 and the sub CPU 112 flowing through the L1 and L2.
  • the sub microcomputer 120 has the same configuration as the main microcomputer 110. That is, submicrocomputer (SMC) 120 is a semiconductor integrated circuit device, and is formed, for example, by forming a plurality of CMOS transistors on a semiconductor chip such as single crystal silicon by a known CMOS semiconductor manufacturing technology. ing.
  • SMC submicrocomputer
  • the sub microcomputer (SMC) 120 includes a main CPU (MCPU) 121, a sub CPU (SCPU) 122, a random access memory (RAM) 123 which is a volatile memory, a read only memory (ROM) 124 which is a non-volatile memory, A temperature sensor (TSEN) 125 capable of measuring the temperature of the microcomputer 120, a comparator (COMP) 126, and an analog-to-digital converter (ADC) 127 are provided.
  • the main CPU 121 and the sub CPU 122 are arithmetic devices that perform control calculations necessary to control the in-vehicle device.
  • the RAM 123 temporarily stores data used by the main CPU 121 and the sub CPU 122.
  • the ROM 124 stores control programs executed by the main CPU 121 and the sub CPU 122, diagnostic processing glomograms to be described later, etc., and information received by the main CPU 121 and the sub CPU 122 and received from the main microcomputer 110 and other in-vehicle devices. Information can be stored.
  • the comparator 126 gives the same input information to the main CPU 121 and the sub CPU 122, and collates the output results of the main CPU 121 and the sub CPU 122. If there is no abnormality in the main CPU 121 and the sub CPU 122, the comparison results of the comparator 126 match. When the comparison result of the comparator 126 does not match, an abnormality of the main CPU 121 or the sub CPU 122 can be detected.
  • This configuration is a general lock step system.
  • the function of the sub microcomputer 120 may be limited to detecting the functional abnormality of the main microcomputer 110 only.
  • a power supply line (third connection line) L3 provided between the main CPU 121 and the sub power supply unit 140 includes a main current measurement unit (current detection unit) 152 that measures a drive current of the main CPU 121.
  • the power supply line (fourth connection line) L4 provided between the sub CPU 122 and the sub power supply unit 140 includes a sub current measurement unit (current detection unit) 162 that measures the drive current of the sub CPU 122.
  • the analog-to-digital converter (ADC) 117 of the main microcomputer 110 is connected to the main current measuring unit 152 and the sub current measuring unit 162 via the measurement wirings LM3 and LM4, and the power supply lines (third and fourth connections Current values of drive currents of the main CPU 121 and the sub CPU 122 flowing through the lines L3 and L4 are measured.
  • ADC analog-to-digital converter
  • the submicrocomputer 120 uses the current value from the main current measurement unit 150 and the subcurrent measurement unit 160 and the temperature information from the temperature sensor 115 and fails the main CPU 111 and the sub CPU 112 of the main microcomputer 110 according to the procedure described later.
  • the potential diagnosis is performed, and the diagnosis result is stored in a storage area such as the ROM 124 of the submicrocomputer 120.
  • the submicrocomputer 120 notifies the main microcomputer 110 of information on the diagnosis result when the main microcomputer 110 is activated next time.
  • the main microcomputer 110 uses the current value from the main current measurement unit 152 and the sub current measurement unit 162 and the temperature information from the temperature sensor 125 to follow the procedure described later for the main CPU 121 and the sub CPU 122 of the sub microcomputer 120. And the diagnosis result is stored in a storage area such as the ROM 114 of the main microcomputer 110. The main microcomputer 110 notifies the sub microcomputer 120 of information on the diagnosis result when the sub microcomputer 120 is started next time.
  • the submicrocomputer 120 performs failure potential diagnosis of the main microcomputer 110, and the main microcomputer 110 performs failure potential diagnosis of the submicrocomputer 120.
  • the reason for this is that, as described above, the CPU can not distinguish between the CPU leakage current and the CPU drive current in the driven state, so the CPU is not driven, so-called CPU standby state, and another normal drive is in progress. By measuring the drive current of the CPU in the standby state by the microcomputer, it is possible to accurately measure the leak current of the CPU.
  • the vehicle control device 100 receives supply of power from a battery 201 mounted on the vehicle.
  • the main power supply unit 130 steps up or down the voltage received from the battery 201 and supplies the voltage to the main microcomputer 110.
  • the sub power supply unit 140 boosts or steps down the voltage received from the battery 201 and supplies the voltage to the sub microcomputer 120.
  • Main power supply unit 130 and sub power supply unit 140 are configured to start power supply to main microcomputer 110 and sub microcomputer 120 according to the reception of power signal (PS) 200.
  • PS power signal
  • the main power supply unit 130 is internally divided into circuits so as to individually supply power to the main CPU 111, the sub CPU 112, the RAM 113, and the ROM 114, respectively. This is to suppress the influence of the drive current supplied to the main CPU 111 and the sub CPU 112 from the current fluctuation of the RAM 113 and the ROM 114.
  • the sub main power supply unit 140 is internally divided into circuits so as to individually supply power to each of the main CPU 121, the sub CPU 122, the RAM 123, and the ROM 124. This is to suppress the influence of the drive current supplied to the main CPU 121 and the sub CPU 122 from the current fluctuation of the RAM 123 and the ROM 124.
  • the configurations of the main power supply unit 130 and the sub main power supply unit 140 will be described later with reference to FIG.
  • FIG. 2 is a view showing a conceptual configuration example of the microcomputer MC.
  • the microcomputer MC shows the configurations of the main microcomputer 110 and the main microcomputer 120.
  • the microcomputer MC includes main CPUs (MCPUs: 111, 121), sub CPUs (SCPUs: 112, 121), RAMs (113, 123), ROMs (114, 124) and a peripheral circuit PERI. It is connected.
  • the peripheral circuit PERI includes, for example, a temperature sensor TSEN (115, 125), a comparator COMP (116, 126), an analog-to-digital converter ADC (117, 127), a control area network (Controller Area Network) interface CANIF, It has an input / output port IOP and the like.
  • the microcomputer MC has an external terminal VDD1 for supplying the power supply voltage Vdd1 to the MCPU, an external terminal VDD2 for supplying the power supply voltage Vdd2 to the SCPU, an external terminal VDD3 for supplying the power supply voltage Vdd3 to the RAM, and a power supply to the ROM. It has an external terminal VDD4 for supplying the voltage Vdd4 and a reference potential terminal VSS to which a ground voltage such as 0 (zero) volt or a reference voltage Vss is supplied.
  • the microcomputer MC further includes external terminals AVDD and AVSS for supplying the analog power supply voltage Avdd and the analog reference voltage Avss to the analog-to-digital converter ADC, the temperature sensor TSEN, the comparator COMP, CANIF, the signal input / output port IOP, etc. And an external terminal VDD5 for supplying the power supply voltage Vdd5 to the peripheral circuit PERI.
  • the power supply voltages Vdd1, Vdd2, Vdd3, Vdd4 and Vdd5 can be different power supply voltages.
  • the analog-to-digital converter ADC has analog signal input terminals AN0, AN1, AN2, AN3.
  • the microcomputer MC is the main microcomputer 110
  • the analog signal input terminals AN0 and AN1 are connected to the MCM 152 via the LM3
  • the analog signal input terminals AN2 and AN3 are connected to the SCM 162 via the LM4. Be done.
  • the microcomputer MC is the main microcomputer 120
  • the analog signal input terminals AN0 and AN1 are connected to the MCM 150 via the LM1
  • the analog signal input terminals AN2 and AN3 are connected to the SCM 160 via the LM2.
  • the analog-to-digital converter ADC may have analog signal input terminals AN4 to ANn in addition to the analog signal input terminals AN0, AN1, AN2, and AN3.
  • the analog signal input terminals AN4-ANn can be connected to the output of another analog sensor or the like.
  • the CANIF also has an input / output terminal CAN0 that can be connected to the CAN bus.
  • the CAN bus can be connected to an electric power steering EPS or other electronic control unit (ECU) capable of CAN communication based on the CAN protocol.
  • ECU electronice control unit
  • the signal input / output port IOP has port terminals PD0 to PDN that enable input and output of digital signals.
  • FIG. 3 is a diagram showing a conceptual configuration example of the power supply unit PSP.
  • the power supply unit PSP shows the configuration of the main power supply unit (MPSP) 130 and the sub power supply unit (SPSP) 140.
  • the power supply unit PSP has a plurality of regulators REG1-RG6.
  • the regulator REG1 supplies the power supply voltage to the external terminal VDD1 for supplying the power supply voltage Vdd1 to the MCPU.
  • the regulator REG2 supplies the power supply voltage to the external terminal VDD2 for supplying the power supply voltage Vdd2 to the SCPU.
  • the regulator REG3 supplies the power supply voltage to the external terminal VDD3 for supplying the power supply voltage Vdd3 to the RAM.
  • the regulator REG4 supplies the power supply voltage to the external terminal VDD4 for supplying the power supply voltage Vdd4 to the ROM.
  • the regulator REG5 supplies the power supply voltage Vdd5 to the external terminal VDD5 for supplying the power supply voltage to the peripheral circuit PERI.
  • the regulator REG6 supplies the analog power supply voltage Avdd and the analog reference voltage Avss to the external terminals AVDD and AVSS for supplying the analog power supply voltage Avdd and the analog reference voltage Avss to the analog-digital conversion circuit ADC.
  • the plurality of regulators REG1 to RG6 are supplied with voltages from the battery (BAT) 201 in response to the reception of the power supply signal 200 instructing start of power supply, and the power supply voltages Vdd1 to Vdd5, Avdd, and power supply voltages for analog are supplied. Generates Avdd and the analog reference voltage Avss.
  • the power supply unit PSP includes the main CPU (MCPU: 1111, 121), the sub CPU (SCPU: 112, 122), the RAM (113, 123), the ROM (114, 124), and the periphery.
  • a plurality of regulators REG1 to RG6 are provided to enable power supply individually to each of the circuit PERI and the analog-to-digital converter ADC (117, 127).
  • the drive current supplied to the main CPU 111 and the sub CPU 112 is the RAM (113, 123), the ROM 114 (114, 124), the peripheral circuit PERI, the analog-to-digital converter ADC (117, 127). This is to suppress the influence of the current fluctuation.
  • external terminal VDD5 for supplying power supply voltage to peripheral circuit PERI and regulator REG5 for generating power supply voltage for peripheral circuit PERI are further configured as a plurality of external terminals and a plurality of regulators. Also good.
  • the power supply potential can be supplied according to the required specification of the power supply potential of each circuit or each functional module included in the peripheral circuit PERI.
  • FIG. 4 is a diagram for explaining the configuration of the current measurement unit.
  • FIG. 4 exemplarily shows the configuration of the main current measurement unit 150 as a current measurement unit.
  • the configuration of the current measurement unit 150 is the same as the configuration of the current measurement units 160, 152, 162, and the other connection configuration is easily understood from FIG. 1, so the description of the configuration of the current measurement units 160, 152, 162 Is omitted.
  • the power supply measurement unit 150 includes a resistance element R1 having a resistance value Rs.
  • the resistance element R1 is provided in series in the power supply line L1 provided between the output of the regulator REG1 of the main power supply unit 130 and the external terminal VDD1 of the main CPU 111 of the main microcomputer 110.
  • the nodes VRH and VRL at both ends of the resistive element R1 are respectively connected to analog input terminals AN0 and AN1 of the analog-to-digital converter 127 built in the sub microcomputer 120 via the LM1.
  • the current measurement unit 160 is connected to the analog input terminals AN2 and AN3 of the analog-to-digital converter 127 built in the sub-microcomputer 120 via the LM2.
  • the current measurement units 152 and 162 are connected to analog input terminals AN0 and AN1 and AN2 and AN3 of the analog-to-digital converter circuit 117 built in the main microcomputer 110 via the LM3 and the LM4, respectively.
  • the drive current Is including the leak current of the main CPU 111 flowing to the resistance element R1 can be obtained by the following equation.
  • Is Vs / Rs
  • Vs is a voltage value corresponding to the voltage difference between the node VRH and the node VRL at both ends of the resistive element R1.
  • the drive current Is including the leak current of the main CPU 111 can be obtained.
  • the output voltage value of the regulator REG1 of the main power supply unit 130 is the reference operating voltage of the main CPU 111 of the main microcomputer 110, the resistance value Rs of the resistance element R1, and the maximum current value of the drive current Is flowing through the resistance element R1. It may be determined so as to satisfy the reference operating voltage of the main CPU 111 of the main microcomputer 110 in consideration of the voltage drop (Vs) due to the drive current Is flowing through the resistance element R1.
  • the respective output voltage values of the regulator REG2 of the main power supply unit 130 and the regulators REG1 and REG2 of the sub power supply unit 140 are also the sub CPU 112 of the main microcomputer 110 and the main CPU 121 and sub CPU 122 of the sub microcomputer 120 based on the same idea as above. It should be determined so as to satisfy each of the reference operating voltages.
  • the present invention is not limited to this.
  • a conversion bit number for example, 100 bits
  • the conversion bit number for example, 10 bits or 12 bits
  • the vehicle control apparatus 100 externally adds a large number of conversion bits.
  • the individual analog-to-digital converter circuit may be implemented and used instead of the analog-to-digital converter circuits 117 and 127. In the measurement of the leak current value, since the leak current value itself is small, the leak current value can be more accurately measured by using an individual analog-to-digital converter having a large number of conversion bits.
  • FIG. 5 is a diagram for explaining the increase of the leak current.
  • the main microcomputer 110 and the sub-microcomputer 120 are composed of a plurality of CMOS transistors and the like, and leakage current may increase due to factors such as the appearance of manufacturing defects and aged deterioration due to long-term use.
  • the vertical axis indicates the leak current value Ileak
  • the horizontal axis indicates the time Time.
  • a manufacturer of a semiconductor integrated circuit device performs a pre-shipment inspection before shipment of the semiconductor integrated circuit device, measures a leak current, and a semiconductor integrated circuit device in which the leak current Ileak1 is within a predetermined range. Ship as normal products.
  • the leak current value Ileak1 will be described using an example measured by the pre-shipment inspection of the main microcomputer 110 and the sub microcomputer 120. However, the leak current value Ileak1 It may be measured and stored in the ROM (114, 124) of the main microcomputer 110 or the sub microcomputer 120.
  • the leak current value Ileak1 of the normal product at the time of inspection before shipment is shown, and at time T2, the leak current value Ileak2 of the abnormal product whose leak current Ileak increased due to long-term use is shown.
  • the range of the leak current of the normal product is, for example, the range between the minimum value (0 mA (milliamps)) and the maximum value (M mA), and the main micro-circuits measured by the pre-shipment inspection It is assumed that the leak current value Ileak1 of the computer 110 or the submicrocomputer 120 is, for example, TmA.
  • the value of ⁇ Ileak includes, in addition to deterioration over time, fluctuation of temperature characteristics of leakage current in main microcomputer 110 or sub microcomputer 120 and fluctuation of leakage current due to manufacturing variation of main microcomputer 110 or sub microcomputer 120. It is done. Therefore, it is necessary to correct the value of the increase amount ⁇ Ileak of the leak current.
  • FIG. 6 is a diagram for explaining a correction method of an increase in leak current.
  • the increase amount ⁇ Ileak of the leak current is corrected in consideration of the leak current value Ileak1 at the time of manufacture, the leak current value Ileak2 at the time of measurement, and the temperature characteristics or temperature dependency of the leak current value Ileak2.
  • the temperature characteristic or temperature dependency of the leak current value Ileak2 is corrected by the temperature information TM measured by the temperature sensor TSEN of the main microcomputer 110 or the sub microcomputer 120 and the temperature correction map (table) TCM of the leak current. .
  • the temperature correction map (table) TCM is unique to each of the main microcomputer 110 or the sub microcomputer 120, and can be obtained from, for example, a semiconductor manufacturer.
  • the temperature correction map (or temperature correction table) TCM describes the correction current value (Icv) of the leak current at each temperature.
  • the increase amount ⁇ Ileakc of the corrected leak current used for diagnosing the failure potential can be obtained by the following equation.
  • ⁇ Ileakc Ileak2 + Icv-Ileak1
  • Icv represents the correction current value described in the temperature correction map (table) TCM in the temperature information TM.
  • the presence or absence of the failure potential is determined depending on whether the corrected increase amount of leakage current ⁇ Ileakc exceeds a threshold value or a predetermined value (TH).
  • TH a predetermined value
  • the threshold value or predetermined value (TH) can also be referred to as a set value or a prescribed value.
  • FIG. 7 is a view showing a configuration example of the address spaces of the ROM 114 and the ROM 124. As shown in FIG. 7A shows an example of the configuration of the address space of the ROM 114, and FIG. 7B shows an example of the configuration of the address space of the ROM 124.
  • the ROM 114 has, for example, a first address space ADSP1a and a second address space ADSP2a.
  • the first address space ADSP1a stores the control program CPROG and reference data or the like referred to when the control program CPROG is executed.
  • the control program CPROG is a control program for electronically controlling on-vehicle devices (for example, an automatic transmission, an engine, etc.) mounted on a vehicle.
  • the processing program or data according to the present invention is stored in the second address space ADSP 2a, and the diagnostic program DPROG described with reference to FIGS. 8A and 8B and the control executed when judging abnormality of the CPU described with FIG.
  • a program CNTPROG, a calculation program LCCPROG for leak current correction described in FIG. 6 is stored.
  • the second address space ADSP 2 a further includes a temperature correction map (table) TCM of the leak current related to the main microcomputer 110, a threshold value or a predetermined value (TH), a leak current value Ileak1 (110), and the main of the sub microcomputer 120.
  • the measured leakage current values Ileak2 (121) and Ileak2 (122) for the CPU 121 and the sub CPU 122 are stored.
  • the diagnosis results DResult (121) and DResult (122) are the results of diagnosis regarding the submicrocomputer 120 by the diagnostic program DPROG, and the presence or absence of the failure potential of the main CPU 121 and the sub CPU 122 of the submicrocomputer 120 is stored.
  • the experience information DHist stores data of the main microcomputer 110 or the sub-microcomputer 120 last or previously diagnosed.
  • the ROM 124 has, for example, a first address space ADSP1b and a second address space ADSP2b.
  • the first address space ADSP1b stores the control program CPROG and reference data or the like referred to when the control program CPROG is executed.
  • the control program CPROG is a control program for electronically controlling on-vehicle devices (for example, an automatic transmission, an engine, etc.) mounted on a vehicle.
  • the second address space ADSP 2b stores the processing program or data according to the present invention, and the diagnostic program DPROG described in FIG. 8, the control program CNTPROG executed at the time of abnormality judgment of the CPU described in FIG.
  • a calculation program LCCPROG for leak current correction described in FIG. 6 is stored.
  • the second address space ADSP 2 b further includes a temperature correction map (table) TCM of the leak current related to the submicrocomputer 120, a threshold value or a predetermined value (TH), a leak current value Ileak 1 (120), and the main microcomputer 110.
  • the measured leakage current values Ileak2 (111) and Ileak2 (112) for the CPU 111 and the sub CPU 112 are stored.
  • the diagnosis results DResult (111) and DResult (112) are the results of diagnosis regarding the main microcomputer 110 by the diagnosis program DPROG, and the presence or absence of the failure potential of the main CPU 111 and the sub CPU 112 of the main microcomputer 110 is stored.
  • the experience information DHist stores data of the main microcomputer 110 or the sub-microcomputer 120 last or previously diagnosed.
  • the measured leak current values Ileak 2 (111), Ileak 2 (112), Ileak 2 (121), Ileak 2 (122), and the increase amount of the leak current after correction Although an example of storing ⁇ Ileakc (111), ⁇ Ileakc (112), ⁇ Ileakc (121), ⁇ Ileakc (122) in the address space of the ROMs 114 and 124 has been shown, store these values in the address spaces of the ROMs 114 and 124. Instead, it is also possible to temporarily store in the RAMs 113 and 123 at the time of diagnosis.
  • FIGS. 8A and 8B are flowcharts illustrating an example of the failure potential diagnosis procedure of the CPU according to the first embodiment.
  • the lower A in FIG. 8A and the upper A in FIG. 8B are connected.
  • FIGS. 8A and 8B are flowcharts illustrating a procedure for diagnosing the failure potential of the main CPU 111 and the sub CPU 112 of the main microcomputer 110 using the sub microcomputer 120 when the vehicle control device 100 shuts down.
  • a flowchart for diagnosing the failure potential of the main CPU 121 and the sub CPU 122 of the sub microcomputer 120 using the main microcomputer 110 is considered to be easily understood from FIGS. 8A and 8B, and thus the description thereof is omitted.
  • each step of FIG. 8A and FIG. 8B is demonstrated.
  • Step S100 When the main microcomputer 110 and the sub microcomputer 120 receive the power supply signal 200 indicating that the power is turned on, this flowchart is started. At the time of starting this flowchart, it is assumed that the main power supply IC 130 and the sub power supply IC 140 have started to supply power according to the power supply signal 200 respectively.
  • This flowchart corresponds to the diagnostic program DPROG shown in FIG.
  • Step S101 The main microcomputer 110 and the sub-microcomputer 120 are provided with leak current values (Ileak1) at the time of manufacture of the main microcomputer 110 and the sub-microcomputer 120 from respective storage areas (ROMs 114 and 124) and failure potential operation experience information (DHist) Read out.
  • the leak current value (Ileak1) described above measures the leak current of the main microcomputer 110 and the sub-microcomputer 120 not only at the time of manufacturing the main microcomputer 110 and the sub-microcomputer 120 but also at the time of manufacturing the vehicle control device 100. It may be stored in each storage area (ROMs 114 and 124).
  • Step S102 The main microcomputer 110 does not carry out the failure potential diagnosis until the condition for carrying out the failure potential diagnosis is established.
  • the execution condition of the failure potential diagnosis is satisfied when all the self shut processing performed after the power supply signal 200 is turned off is completed.
  • the main microcomputer 110 determines a microcomputer to be diagnosed with the failure potential of this time from the failure potential implementation experience information of the main microcomputer 110 and the sub microcomputer 120 read out in step S101, and sets it as a microcomputer to be measured. For example, when the failure potential of main CPU 111 and sub CPU 112 in main microcomputer 110 is diagnosed in the previous failure potential diagnosis, main CPU 121 and sub CPU 122 in sub microcomputer 120 are regarded as diagnosis targets in this failure potential diagnosis. Do. As described above, in this example, the reason for switching the microcomputer to be diagnosed each time self-shut processing is performed is that the main CPU and the sub CPU built in the microcomputer to be diagnosed need to be in the stop state (standby state). It is. Details will be described in the description of FIG. 9A. In this example, the microcomputer to be measured is described as the main microcomputer 110, which diagnoses the failure potential of the main CPU 111 and the sub CPU 112 built in the main microcomputer 110.
  • Step S104 In order to estimate the temperatures of the main CPU 111 and the sub CPU 112 of the microcomputer to be measured 110, the temperature of the main microcomputer 110 is measured from the temperature sensor 115 built in the main microcomputer 110.
  • the temperature sensor 115 built in the main microcomputer 110 is used, but the temperature sensor may be the temperature sensor 170 mounted in the vehicle control device 100.
  • Step S105 From the temperature information of the main microcomputer 110 acquired in step S104, the main CPU 111 and the sub CPU 112 of the measured microcomputer 110 correct the temperature change of the leakage current Ileak2 of the CPUs 111 and 112 due to the temperature.
  • the temperature correction value Icv of the leakage current is calculated from the correction map TCM.
  • the temperature correction map TCM of the leak current is defined in advance for each type of microcomputer to be measured.
  • the temperature correction map TCM of the leakage current can be stored in advance in the ROMs 114 and 124 provided in the main microcomputer 110 and the sub microcomputer 120, as shown in FIG.
  • Step S106 The sub-microcomputer 120 is notified of the temperature correction value Icv of the leakage current calculated in step S105.
  • Step S107 The main CPU 111 and the sub CPU 112 of the microcomputer to be measured 110 are shifted to the stop state (standby state), and the subsequent calculations are performed using the sub microcomputer 120.
  • Step S108 It waits for the measured microcomputer 110 to complete transition to the standby state mode.
  • the determination of the completion of the transition is made based on a specified time or that the output of the measured microcomputer 110 is turned off.
  • Step S109 The submicrocomputer 120 measures the current leakage current values (Ileak2 (111), Ileak2 (112)) of the main CPU 111 and the sub CPU 112 of the microcomputer to be measured 110 by the main current measurement unit 150 and the subcurrent measurement unit 160. Do.
  • Step S110 The submicrocomputer 120 processes the leak current (Ileak1) at the time of manufacture acquired in step S101 and the current leak current (Ileak2 (111), Ileak2 (112)) acquired in step S109 for each of the main CPU 111 and the sub CPU 112 From the leak current temperature correction value (Icv) acquired in S106, the diagnostic leak current values ( ⁇ Ileakc (111), ⁇ Ileakc (112)) are calculated. That is, the calculation program LCCPROG of FIG. 7 is executed, and the calculation for correcting the leakage current value described in FIG. 6 is executed.
  • Step S111 The submicrocomputer 120 determines, for each of the main CPU 111 and the sub CPU 112, whether or not the diagnostic leak current value ( ⁇ Ileakc (111), ⁇ Ileakc (112)) is equal to or less than the threshold value (TH). If the diagnostic leak current value ( ⁇ Ileakc (111), ⁇ Ileakc (112)) of either the main CPU 111 or the sub CPU 112 falls below the threshold (TH), the main CPU 111 and the sub CPU 112 judge that they are normal. The process proceeds to step S113. If the diagnostic leak current value ( ⁇ Ileakc (111), ⁇ Ileakc (112)) exceeds the threshold value (HT), it is determined that there is a failure potential, and the process proceeds to step S112.
  • the threshold value (TH) can be stored in advance in the ROMs 114 and 124 provided in the main microcomputer 110 and the sub microcomputer 120, as shown in FIG.
  • Step S112 The submicrocomputer 120 stores the result of having determined that there is a failure potential in step S111 in the storage area (ROM 124) in the submicrocomputer 120 as the determination results DResult (111) and DResult (112).
  • Step S113 The submicrocomputer 120 stores the execution experience information (DHist) of the failure potential diagnosis in the storage area (ROM 124) in the submicrocomputer 120.
  • the failure potential execution experience information (DHist) is read from the storage area (ROMs 114 and 124) in step S101, and is used as information for determining a target microcomputer for failure potential diagnosis in step 103.
  • FIG. 9A is a diagram for explaining the execution timing of fault potential diagnosis according to the first embodiment.
  • FIG. 9A is a diagram for explaining that the microcomputer to be diagnosed with the failure potential is switched at each shutdown of the vehicle control device 100 as described in step 103 of FIG. 8A. That is, for example, it is assumed that the main microcomputer 110 and the submicrocomputer 120 perform normal control, and then the power supply signal 200 is turned off. In this case, as the first shutdown, after the power supply signal 200 is turned off, the processing shifts to the self shut processing.
  • the main microcomputer 110 After self-shut processing is completed and all self-shut processing is completed, the main microcomputer 110 is put into the standby state, and the sub microcomputer 120 in the driving state performs fault potential diagnosis for the main microcomputer 110 in the standby state. After execution of the fault potential diagnosis, the main microcomputer 110 and the submicrocomputer 120 are shut off.
  • the submicrocomputer 120 is put into the standby state, and the main microcomputer 110 in the driven state has a failure potential with respect to the submicrocomputer 120 in the standby state. After performing diagnosis and performing fault potential diagnosis, the main microcomputer 110 and the submicrocomputer 120 are shut off.
  • the failure potential diagnosis of each of the main microcomputer 110 and the sub microcomputer 120 can be uniformly performed by switching the microcomputer to be diagnosed every shutoff.
  • FIG. 9B is a diagram for explaining a modification 1 of the execution timing of failure potential diagnosis.
  • FIG. 9A shows an example in which the microcomputer to be diagnosed is switched every shutoff.
  • the process proceeds to the self shut process, and then the self shut process is performed.
  • the main microcomputer 110 is put into the standby state.
  • the computer 120 executes fault potential diagnosis for the main microcomputer 110 in the standby state.
  • the sub-microcomputer 120 is put into the standby state, and the main microcomputer 110 performs fault potential diagnosis on the sub-microcomputer 120 in the standby state, and performs fault potential diagnosis.
  • FIG. 9C is a diagram for explaining a modification 2 of the execution timing of the failure potential diagnosis.
  • 9A and 9B show an example in which the failure potential diagnosis is performed after the power supply signal 200 is turned off.
  • FIG. 9C shows an example in which the microcomputer as the diagnosis target of the failure potential is switched every time the main microcomputer 110 and the sub microcomputer 120 are activated after the power supply signal 200 is turned on, and the failure potential diagnosis is performed. There is. That is, for example, after the power supply signal 200 is turned on for the first time, the submicrocomputer 120 is put into the standby state, and the main microcomputer 110 in the driven state performs fault potential diagnosis to the submicrocomputer 120 in the standby state. carry out.
  • the main microcomputer 110 and the sub microcomputer 120 are reset.
  • the sub microcomputer 120 is put in a wait state until the reset is completed, and then the main microcomputer 110 and the sub microcomputer 120 are synchronized, and the main microcomputer 110 and the sub microcomputer 120 are synchronized.
  • the microcomputer 120 shifts to normal control.
  • the main microcomputer 110 is put into the standby state, and the sub microcomputer 120 in the driven state fails to the main microcomputer 110 in the standby state.
  • Conduct a potential diagnosis After that, the main microcomputer 110 and the sub microcomputer 120 are reset, the main microcomputer 110 and the sub microcomputer 120 are synchronized, and the main microcomputer 110 and the sub microcomputer 120 shift to the normal control.
  • the failure potential of the main microcomputer 110 and the sub microcomputer 120 can also be diagnosed at such an execution timing of the failure potential diagnosis.
  • FIG. 9D is a diagram for explaining a third modification of the execution timing of failure potential diagnosis.
  • FIG. 9C shows an example in which the microcomputer to be diagnosed with the failure potential is switched at each activation of the main microcomputer 110 and the sub-microcomputer 120, and the failure potential diagnosis is performed.
  • FIG. 9D shows an example in which the failure potentials of both the main microcomputer 110 and the sub microcomputer 120 are diagnosed and implemented each time the main microcomputer 110 and the sub microcomputer 120 are started. That is, after the power supply signal 200 is turned on for the first time, the submicrocomputer 120 is put into the standby state, and the main microcomputer 110 in the driven state performs fault potential diagnosis for the submicrocomputer 120 in the standby state. Perform fault potential diagnosis.
  • the main microcomputer 110 and the sub microcomputer 120 are reset, and the main microcomputer 110 is put into the standby state, and the sub microcomputer 120 in the driven state performs fault potential diagnosis for the main microcomputer 110 in the standby state. . Thereafter, the main microcomputer 110 and the sub microcomputer 120 are synchronized, and the main microcomputer 110 and the sub microcomputer 120 shift to normal control.
  • fault potential diagnosis may be performed by combining FIG. 9B and FIG. 9D.
  • FIG. 10 is a diagram for explaining a control procedure according to the first embodiment.
  • FIG. 10 shows a means for using unfailed CPU information using failure potential diagnosis results when the outputs of the main CPU 111 and the sub CPU 112 in the vehicle control apparatus 100 do not match in the comparator 116. It is an example of the flowchart explaining FIG. This flowchart corresponds to the control program CNTPROG shown in FIG.
  • Step S300 When the main microcomputer 110 and the sub microcomputer 120 receive the power supply signal 200 indicating that the power is turned on, this flowchart is started. At the time of starting this flowchart, it is assumed that the main power supply IC 130 and the sub power supply IC 140 have started to supply power according to the power supply signal 200 respectively.
  • the following describes the operation of the main microcomputer 110 as an example. As described in FIG. 1, the submicrocomputer 120 notifies the main microcomputer 110 of the information of the diagnosis results (DResult (111), DResult (112)) when the main microcomputer 110 is activated. Also, it is assumed that the main microcomputer 110 notifies the sub microcomputer 120 of the information of the diagnostic results (DResult (121), DResult (122)) when the sub microcomputer 120 is activated.
  • Step S301 The main microcomputer 110 is provided with a main CPU 111 and a sub CPU 112, and a comparator 116 for comparing the output results of each, and determines whether or not the comparison results in the comparator 116 match. If the comparison results of the comparator 116 match, there is no CPU failure, and the process proceeds to step S302. If the comparison results of the comparator 116 do not match, it is determined that there is a CPU failure, and the process proceeds to step S303.
  • Step S302 The main microcomputer 110 determines that there is no failure in the main CPU 111 and the sub CPU 112, and uses the output signal of the main CPU 111. Alternatively, the output value of the sub CPU 112 may be used.
  • Step S303 The main microcomputer 110 determines whether the failure potential diagnosis result (DResult (111)) of the main CPU 111 stored in step S112 is normal. If the failure potential diagnosis result (DResult (111)) of the main CPU 111 is normal, the process proceeds to step S304. If the failure potential diagnosis result (DResult (111)) of the main CPU 111 is abnormal, the process proceeds to step S307.
  • Step S304 The main microcomputer 110 determines whether the failure potential diagnosis result (DResult (112)) of the sub CPU 112 stored in step S112 is normal. If the failure potential diagnosis result (DResult (112)) of the sub CPU 112 is normal, the process proceeds to step S305. If the failure potential diagnosis result (DResult (112)) of the sub CPU 112 is abnormal, the process proceeds to step S306.
  • Step S305 The main microcomputer 110 determines that there is a failure other than the main CPU 111 and the sub CPU 112, and shifts to fail-safe processing such as stopping the vehicle control actuator 202.
  • Step S306 The main microcomputer 110 determines that the main CPU 111 is normal although there is a failure in the sub CPU 112, and continues the normal processing (the operation of the normal control of the vehicle) using the output signal of the main CPU 111.
  • Step S307 In step S307, the same determination as in step S304 is performed. If the failure potential diagnosis result (DResult (112)) of the sub CPU 112 is normal, the process proceeds to step S308. If the failure potential diagnosis result (DResult (112)) of the sub CPU 112 is abnormal, the process proceeds to step S309.
  • Step S308 The main microcomputer 110 determines that the sub CPU 112 is normal although there is a failure in the main CPU 111, and continues normal processing (normal control operation of the vehicle) using an output signal of the sub CPU 112.
  • Step S309 The main microcomputer 110 determines that both the main CPU 111 and the sub CPU 112 have a failure potential, and shifts to fail-safe processing such as stopping the vehicle control actuator 202.
  • Step S310 The main microcomputer 110 notifies other units of the information on the comparison of the comparison in the comparator 116 as CPU failure information. Further, CPU failure information may be notified to other units only when the process proceeds to step S305 or step S309.
  • the vehicle control device 100 capable of maintaining the driving performance can be provided.
  • the CPU determines the CPU's failure potential caused by foreign matter mixed in at the time of manufacture or aged deterioration, CPU failure can be detected as early as possible.
  • a maintainable vehicle control device 100 can be provided.
  • the value of the current (leakage current) of the CPU flowing through the power supply line (connection line: L1, L2, L3, L4) supplying power to the CPU (111, 112, 121, 122) are detected and measured using current measurement units (current detection units: 150, 160, 152, 162).
  • current detection units current detection units: 150, 160, 152, 162
  • the failure potential of the CPU can be determined by the value or amount of the measured leakage current.
  • the current flowing in the power supply line supplying power to the CPU in the standby state is measured using the CPU in the drive state.
  • the current flowing through the power supply line of the CPU includes the leak current component of the CPU and the drive current component of the CPU.
  • the CPU leak current (Ileak2) for fault potential diagnosis includes manufacturing variations of the microcomputer or CPU and variations due to temperature changes of the microcomputer or CPU. In order to extract these variations in leak current and extract only the increase in CPU leak current due to transistor deterioration, correction of the measured value of CPU leak current for failure potential diagnosis is performed. There are two correction targets: correction of leak current variation due to manufacturing variation of microcomputer or CPU, and correction of leak current variation due to temperature change.
  • the method of correcting the leak current variation due to the manufacturing variation of the microcomputer or CPU is to measure the CPU leak current value (Ileak1) for fault potential diagnosis at the time of manufacturing the microcomputer or CPU, and to store the storage area (ROM: 114, 124) of the microcomputer. ) Is stored as a leak current value at the time of CPU manufacture. By subtracting the leak current value (Ileak1) at the time of microcomputer manufacture or CPU manufacturing from CPU leak current value (Ileak2) for current failure potential diagnosis, increase in leak current from manufacture time of microcomputer or CPU to the present The minutes ( ⁇ Ileak) can be extracted.
  • TCM correlation map
  • the CPU can correctly calculate, but can detect a state that may fail in the future at an early stage. That is, since the failed CPU can be identified from the result of the failure potential diagnosis of the CPU, when the failure of the CPU occurs, the vehicle control is not degenerated using a normal CPU that is not broken. Driving performance can be maintained.
  • FIG. 11 is a diagram illustrating a vehicle control system according to a second embodiment.
  • the vehicle control device system 1a shown in FIG. 11 includes a vehicle control device 100a that is an electronic control unit (ECU: Electronic Control Unit), as in FIG.
  • the vehicle control device 100a is a device that electronically controls on-vehicle devices (for example, an automatic transmission, an engine, and the like) mounted on the vehicle.
  • the vehicle control device 100 a of FIG. 11 is configured such that the comparator 116 in the main microcomputer 110 and the comparator 126 in the sub microcomputer 120 are eliminated as compared with the vehicle control device 100 of FIG. 1.
  • the main microcomputer 110 of the vehicle control device 100a has a parallel processing type in which the main CPU 111 and the sub CPU 112 simultaneously execute different controls.
  • the vehicle control device 100 is the same as the vehicle control device 100, so the description thereof is omitted.
  • FIG. 12 is a diagram for explaining a control procedure according to the second embodiment.
  • the vehicle control device 100a determines whether the result of the failure potential diagnosis is normal or not, and degenerates the control function originally implemented when it is abnormal. As a result, it is possible to extend the time until the CPU completely fails, and to maintain the functions originally possessed by the vehicle control device 100a even if the CPU completely fails.
  • Step S400 When the main microcomputer 110 and the sub microcomputer 120 receive the power supply signal 200 indicating that the power is turned on, this flowchart is started. At the time of starting this flowchart, it is assumed that the main power supply IC 130 and the sub power supply IC 140 have started to supply power according to the power supply signal 200 respectively. The following describes the operation of the main microcomputer 110 as an example. In addition, the failure potential diagnosis is as described above, and the description thereof will be omitted because it is the same.
  • Step S401 The main microcomputer 110 determines whether or not there is execution experience (DHist) of failure potential diagnosis of the main CPU 111 and the sub CPU 112. If there is no implementation experience (DHist) of failure potential diagnosis, the control is ended, and if there is implementation experience (DHist), the process proceeds to step S402.
  • DHist execution experience
  • Step S402 The main microcomputer 110 determines whether the failure potential diagnosis result (DRsult (111)) of the main CPU 111 is normal. If the failure potential diagnosis result (DRsult (111)) of the main CPU 111 is normal, the process proceeds to step S403. If the failure potential diagnosis result (DRsult (111)) is abnormal, the process proceeds to step S407.
  • Step S403 The main microcomputer 110 determines whether the failure potential diagnosis result (DRsult (112)) of the sub CPU 112 is normal. If the failure potential diagnosis result (DRsult (112)) of the sub CPU 112 is normal, the process proceeds to step S404. If the failure potential diagnosis result (DRsult (112)) is abnormal, the process proceeds to step S405.
  • Step S404 The main microcomputer 110 determines that neither the main CPU 111 nor the sub CPU 112 has a failure potential, and continues the normal operation according to the normal task operation setting.
  • Step S405, Step S406 The main microcomputer 110 determines that there is no failure potential in the main CPU 111 and that there is a failure potential in the sub CPU 112. Then, the function (task D) assigned to the control task of the sub CPU 112 is reduced, and the calculation load of the sub CPU 112 is reduced. This extends the time until the sub CPU 112 completely fails. At the same time, in step S406, the function (task D) assigned to the control task of the main CPU 111 is expanded. As a result, although the sharing ratio of calculation of the main CPU 111 and the sub CPU 112 changes, it is possible to create a situation in which the control task calculated in total of the vehicle control device 100a does not change.
  • FIG. 13 shows an example of the change in assignment of the control task when it is detected that the failure potential of the sub CPU 112 is high. Details will be described in FIG.
  • Step S407 It is omitted because it is the same as step S403.
  • Step S408, Step S409) As a means similar to steps S405 and S406, the function (task) of the control task of the main CPU 111 is reduced, and the function (task) of the control task of the sub CPU 112 is expanded.
  • Step S410 The main microcomputer 110 determines that both the main CPU 111 and the sub CPU 112 have a failure potential, and continues the normal operation according to the normal task operation setting.
  • the normal task operation setting is the meaning of task setting for the normal operation in which the task change is not performed.
  • FIG. 13 is a diagram for explaining an example of change in assignment of control tasks according to the second embodiment.
  • FIG. 13 is an example of change in assignment of control tasks when it is detected that the failure potential of the sub CPU 112 is high. If the main CPU 111 and the sub CPU 112 have no failure potential and the CPU is normal according to the failure potential diagnosis of FIG. 12, as shown in FIG. 13A, the main CPU 111 performs task A and task B as scheduled processing as shown in FIG. Execute and execute background job (hereinafter, BGJ) 1 in idle time. On the other hand, the sub CPU 112 executes task C and task D as scheduled processing, and executes BGJ 2 in idle time.
  • BGJ background job
  • the task D of the sub CPU 112 is allocated to the main CPU 111 as shown in FIG. .
  • the main CPU 111 executes task A, task B, and extended task D, and executes background job (hereinafter, BGJ) 1 in idle time.
  • the sub CPU 112 executes task C and executes BGJ 2 in idle time. That is, the task D being executed by the sub CPU 112 is in a state of being transferred to the main CPU 111.
  • the failure potential diagnosis of FIG. 12 is performed after the power supply signal 200 is turned off, and the task assignment change is performed when the vehicle control device 100a is activated by the key-on of the vehicle. For this reason, there is no influence on the vehicle behavior due to sudden change of control due to task assignment change during normal control.
  • the sub CPU 112 assigns the function of the task D to the main CPU 111 to reduce the operation load, it does not change that the failure potential is high.
  • the task C function, BGJ2 will be lost, so it is preferable to assign a function that does not affect the vehicle running even if it is lost in advance. In this case, even if the sub CPU 112 completely fails, the vehicle can continue traveling safely.
  • normal task operation setting for defining the task execution state of (A) of FIG. 13B is stored, for example, in the storage area of the ROM 114 of the main microcomputer 110.
  • the normal task operation setting is performed.
  • the normal task operation setting is changed to the abnormal task operation setting. As described above, the change from the normal task operation setting to the abnormal task operation setting 1 is made when the vehicle control device 100a is activated by the key-on of the vehicle.
  • the abnormal task operation setting 2 used when it is determined that the main CPU 111 has a failure potential may be provided in addition to the normal task operation setting and the abnormal task operation setting 1.
  • the abnormal task operation setting 2 may be stored in the storage area of the ROM 114 of the main microcomputer 110 together with the normal task operation setting and the abnormal task operation setting 1.
  • the operation control (task D) handled by the CPU (112) having a high failure potential is transferred to another CPU (111).
  • the CPU failure can be notified to the driver of the vehicle without degrading the function of the vehicle control device (100a), so that the movement for repairing the vehicle can be performed safely and smoothly.
  • the normal CPU (111) can be used even in the failure detection delay time until the failure is detected. Therefore, it is possible to prevent an unintended behavior of the vehicle due to sudden stop or malfunction of an actuator such as an engine or a transmission without sacrificing the original driving performance of the vehicle control device (100a). .
  • the task (D) to be calculated by the CPU (112) having a high failure potential is degenerated in advance.
  • the calculation load of the CPU (112) can be reduced, and therefore, the period until the CPU (112) completely fails can be extended.
  • FIG. 14 is a diagram showing a vehicle control system according to a third embodiment.
  • the vehicle control system 1b shown in FIG. 14 includes a vehicle control system 100b, which is an electronic control unit (ECU), as in FIG.
  • the vehicle control device 100 b is a device that electronically controls on-vehicle devices (for example, an automatic transmission, an engine, and the like) mounted on the vehicle.
  • the vehicle control device 100 b of FIG. 14 has only the CPU 111 of the main microcomputer 110 and only the CPU 121 of the sub microcomputer 120. As a result of this change, the current measurement units SCM 160 and 162 are deleted.
  • the comparator 116 in the main microcomputer 110 and the comparator 126 in the sub microcomputer 120 are deleted.
  • a signal collating unit COMPb having a function as a comparator is provided in the vehicle control device 100b as a semiconductor integrated circuit device different from the main microcomputer 110 and the sub microcomputer 120.
  • the other configuration is the same as that of the first embodiment, and the description thereof is omitted.
  • the signal collating unit COMPb outputs an output signal Smmc of the main microcomputer (first microcomputer) 110 or CPU (first CPU) 111 and an output signal Ssmc of the sub microcomputer (second microcomputer) 120 or CPU (second CPU) 121. Compare whether they match.
  • the signal comparison unit COMPb is connected to the actuator (ACU) 202 connected to the signal comparison unit COMPb or the signal comparison.
  • a display device 203 and an electric power steering device (EPS) 204 connected to the unit COMPb via a CAN bus are driven.
  • EPS electric power steering device
  • the signal collating unit COMPb is also adapted to receive the diagnosis result DResult (121) of the failure potential from the main microcomputer 110 and the diagnosis result DResult (111) of the failure potential from the sub microcomputer 120, and these diagnosis signals DResult (121), the control procedure using the fault potential diagnosis result described in FIG. 15 is executed according to DResult (111).
  • FIG. 15 is a diagram for explaining a control procedure according to the third embodiment.
  • the control procedure of the third embodiment will be described with reference to FIG.
  • Step S500 When the main microcomputer 110 and the sub microcomputer 120 receive the power supply signal 200 indicating that the power is turned on, this flowchart is started. At the time of starting this flowchart, it is assumed that the main power supply IC 130 and the sub power supply IC 140 have started to supply power according to the power supply signal 200 respectively.
  • Step S501 The signal collating unit COMPb compares whether the output signal Smmc of the main microcomputer 110 and the output signal Ssmc of the sub microcomputer 120 match, and determines whether the matching result matches. If the collation results of the signal collating unit COMPb match (YES), it is determined that there is no CPU failure, and the process proceeds to step S502. If the comparison result of the signal comparison unit COMPb does not match (NO), it is determined that there is a CPU failure, and the process proceeds to step S503.
  • Step S502 The signal comparison unit COMPb determines that the CPU 111 of the main microcomputer 110 has no failure, and uses the output signal Smmc of the main microcomputer 110 as it is. Alternatively, it may be determined that the CPU 121 of the submicrocomputer 120 has no failure, and the output signal Ssmc of the submicrocomputer 120 may be used.
  • Step S503 The signal comparison unit COMPb determines whether the failure potential diagnosis result (DResult (111)) of the CPU 111 stored in step S112 is normal. If the failure potential diagnosis result (DResult (111)) of the CPU 111 is normal, the process proceeds to step S504. If the failure potential diagnosis result (DResult (111)) of the CPU 111 is abnormal, the process proceeds to step S507.
  • Step S504 The signal comparison unit COMPb determines whether the failure potential diagnosis result (DResult (121)) of the CPU 121 of the sub microcomputer 120 stored in step S112 is normal. If the failure potential diagnosis result (DResult (121)) of the CPU 121 is normal, the process proceeds to step S505. If the failure potential diagnosis result (DResult (121)) of the CPU 121 is abnormal, the process proceeds to step S506.
  • Step S505 It is determined that there is a failure other than the CPU 111 of the main microcomputer 110 and the CPU 121 of the sub microcomputer 120, and the process shifts to fail-safe processing such as stopping the vehicle control actuator 202.
  • Step S506 The signal collating unit COMPb determines that the CPU 111 of the main microcomputer 110 is normal although there is a failure in the CPU 121 of the sub microcomputer 120, and uses the output signal Smmc of the main microcomputer 110 to perform normal processing (normal Continue the control operation).
  • Step S507 the same determination as in step S504 is performed. If the failure potential diagnosis result (DResult (121)) of the CPU 121 is normal, the process proceeds to step S508. If the failure potential diagnosis result (DResult (121)) of the CPU 121 is abnormal, the process proceeds to step S509.
  • Step S508 The signal collating unit COMPb determines that the CPU 121 of the sub microcomputer 120 is normal although there is a failure in the CPU 111 of the main microcomputer 110, and performs normal processing using the output signal Sscm of the main microcomputer 110 (normal to vehicle Continue the control operation).
  • Step S509 The signal comparison unit COMPb determines that there is a failure potential in both the CPU 111 of the main microcomputer 110 and the CPU 121 of the sub microcomputer 120, transitions to a safe state such as stopping the vehicle control actuator 202, and performs failsafe processing. Transition.
  • the signal comparison unit COMPb may notify the other units of the information on the comparison failure as the CPU failure information. Further, CPU failure information may be notified to other units only when the process proceeds to step S505 or step S509.
  • the CPU can normally calculate, but it is possible to detect in the early stage a state that may fail in the future. it can.
  • vehicle control is degenerated by effectively using a normal CPU that is not faulty at the time of CPU fault occurrence or CPU anomaly occurrence. It is possible to provide a vehicle control device (100b) capable of maintaining the driving performance without causing the vehicle control.
  • the present invention is not limited to the above-mentioned embodiment and an example, and it can not be overemphasized that it can change variously .
  • vehicle control device 110 main microcomputer (MMC) 111: main CPU (MCPU) 112: sub CPU (SCPU) 113: RAM 114: ROM 115: temperature sensor (TSEN) 116: comparator (COMP) 120: sub microcomputer (SMC) 130: main power supply IC (MPSP) 140: sub power supply IC (SPSP) 150: main CPU current measurement unit (MCM) 160: sub CPU current measurement unit (SCM) 200: power supply signal (PS) 201: battery (battery) BAT) 202: Actuator (ACU) 203: Display device (DISP) L1, L2, L3, L4: Connection line

Abstract

The purpose of the present invention is to provide a vehicle control device that can maintain driving performance in event of a CPU abnormality by identifying and effectively utilizing a normal CPU that is not malfunctioning. To achieve this purpose, this vehicle control device comprises: a microcomputer that has a main CPU and a sub CPU; a power supply unit; a first connection line that connects the power supply unit and the main CPU; a second connection line that connects the power supply unit and the sub CPU; and a current detection unit that detects the value of current passing through the first connection line and the value of current passing through the second connection line. If the value of the current passing through one of the first and second connection lines is greater than a preset value and the value of the current passing through the other of the first and second connection lines is at most the preset value, the microcomputer continues the driving using the main CPU or the sub CPU connected to the other connection line.

Description

車両制御装置Vehicle control device
 本発明は、車両が搭載する機器を制御する車両制御装置に関する。 The present invention relates to a vehicle control device that controls devices mounted on a vehicle.
 車両が搭載している機器を制御する車両制御装置(ECU:Electronic Control Unit)は、制御演算を実施するマイクロコンピュータを備える。マイクロコンピュータは、一般的に、CPU(中央処理装置:Central Processing Unit)、不揮発性メモリであるROM(Read Only Memory)、揮発性メモリであるRAM(Random Access Memory)などを備える。CPUは、RAM、ROMに格納された情報を演算、制御するための演算装置である。CPUが故障すると、マイクロコンピュータは正しい演算を実施することができず、不具合が生じる。その為、車両制御装置はCPUを診断する機能を備えている。 A vehicle control device (ECU: Electronic Control Unit) that controls devices mounted on the vehicle includes a microcomputer that performs control calculations. The microcomputer generally includes a CPU (Central Processing Unit), a ROM (Read Only Memory) which is a non-volatile memory, and a RAM (Random Access Memory) which is a volatile memory. The CPU is an arithmetic unit for calculating and controlling information stored in the RAM and the ROM. If the CPU fails, the microcomputer can not carry out the correct operation, causing a failure. Therefore, the vehicle control device has a function of diagnosing the CPU.
 複数のマイクロコンピュータを用いて、相互にCPUの異常を診断する手法や、マイクロコンピュータに内蔵された複数のCPUを用いて、各CPUの出力結果を照合し、その一致性から異常を診断する手法、いわゆるロックステップ方式などが一般的に存在する。 A method of mutually diagnosing CPU abnormality using a plurality of microcomputers, and a method of checking an output result of each CPU using a plurality of CPUs incorporated in the microcomputer and diagnosing an abnormality from the coincidence There is a so-called lockstep method generally.
 特開2003-97344号公報(特許文献1)は、制御CPUの故障診断手法を記載している。同文献において、制御CPUと監視CPUとを備え、制御CPUと監視CPUとは、相互に通信し、正常状態であることを確認している。 Japanese Patent Laid-Open No. 2003-97344 (Patent Document 1) describes a failure diagnosis method of a control CPU. In the document, a control CPU and a monitoring CPU are provided, and the control CPU and the monitoring CPU communicate with each other to confirm that they are in a normal state.
 特開2000-172521号公報(特許文献2)は、複数CPUに同じ入力を与えたとき、出力結果を照合して異常を検知する手法が記載されている。 Japanese Patent Laid-Open No. 2000-172521 (Patent Document 2) describes a method of collating output results to detect an abnormality when the same input is given to a plurality of CPUs.
 上記のように、コンピュータもしくはCPUに異常が発生した場合、自動車が危険な状態に陥らないようにフェールセーフ処理を実施する。フェールセーフ処理の一例を以下に記載する。たとえば、自動変速機の制御装置のCPUが故障した場合、自動変速機の変速制御を実現するアクチュエータが正しく動作せず、意図しない変速が発生することを防止するため、自動変速機の制御装置は、アクチュエータを固定させ、自動変速機の変速比を一定に維持させるというフェールセーフ処理を実施するものがある。 As described above, when an abnormality occurs in the computer or the CPU, failsafe processing is performed so that the car is not in a dangerous state. An example of failsafe processing is described below. For example, when the CPU of the control unit of the automatic transmission breaks down, the control unit of the automatic transmission is controlled to prevent the occurrence of an unintended shift, because the actuator for realizing the shift control of the automatic transmission does not operate properly. There is one that implements a fail-safe process of fixing the actuator and maintaining the transmission gear ratio of the automatic transmission constant.
特開2003-97344号公報JP 2003-97344 A 特開2000-172521号公報Japanese Patent Application Laid-Open No. 2000-172521
 特許文献1、2に記載のCPU故障診断方法は、CPUが完全に故障した状態でないと、CPUの故障と判断できないという課題がある。また、どちらのCPUが故障したかを検知することは困難であるという課題もある。また、CPU故障が発生した場合、故障していないマイクロコンピュータまたはCPUを有しているにも関わらず、フェールセーフ処理に移行するため、車両全体としては通常走行できるポテンシャルを残しているにも関わらず、運転性能を低下させてしまうという課題もある。 The CPU failure diagnosis method described in Patent Documents 1 and 2 has a problem that it can not be determined as a CPU failure unless the CPU is completely broken. Another problem is that it is difficult to detect which CPU has failed. Also, when a CPU failure occurs, despite having a microcomputer or CPU that has not failed, transition to fail-safe processing is performed, and the vehicle as a whole still has the potential to be able to travel normally. There is also a problem that the driving performance is lowered.
 本発明の目的は、CPUの異常発生時において、故障していない正常なCPUを特定し、故障していない正常なCPUを有効利用して、運転性能を維持することが可能な車両制御装置を提供することにある。 An object of the present invention is a vehicle control apparatus capable of maintaining a driving performance by specifying a normal CPU which has not failed and effectively using a normal CPU which has not failed when a CPU abnormality occurs. It is to provide.
 その他の課題と新規な特徴は、本明細書の記述および添付図面から明らかになるであろう。 Other problems and novel features will be apparent from the description of the present specification and the accompanying drawings.
 本発明のうち代表的なものの概要を簡単に説明すれば下記の通りである。 The outline of typical ones of the present invention will be briefly described as follows.
 すなわち、車両制御装置は、メインCPUとサブCPUとを有するマイクロコンピュータと、電源部と、前記電源部と前記メインCPUとを接続する第1接続線と、前記電源部と前記サブCPUとを接続する第2接続線と、前記第1接続線に流れる電流値と前記第2接続線に流れる電流値とを検出する電流検出部と、を有する。前記マクロコンピュータは、前記第1接続線と前記第2接続線の一方に流れる前記電流値が設定値より大きく、かつ、前記第1接続線と前記第2接続線の他方に流れる前記電流値が前記設定値以下の場合、前記他方に接続される前記メインCPU、又は前記サブCPUを用いて運転を継続する。 That is, the vehicle control device connects a microcomputer having a main CPU and a sub CPU, a power supply unit, a first connection line connecting the power supply unit and the main CPU, and the power supply unit and the sub CPU A second connection line, and a current detection unit that detects a current value flowing through the first connection line and a current value flowing through the second connection line. In the microcomputer, the current value flowing through one of the first connection line and the second connection line is larger than a set value, and the current value flowing through the other of the first connection line and the second connection line is If it is less than the set value, the operation is continued using the main CPU or the sub CPU connected to the other.
 本発明に係る車両制御装置によれば、CPUの異常発生時においても、故障していない正常なCPUを有効利用して、運転性能を維持することが可能である。 According to the vehicle control device according to the present invention, it is possible to maintain the driving performance by effectively using a normal CPU that is not broken even when an abnormality occurs in the CPU.
実施例1に係る車両制御装置システムを示す図である。FIG. 1 is a diagram showing a vehicle control system according to a first embodiment. マイクロコンピュータの概念的な構成例を示す図である。It is a figure showing an example of notional composition of a microcomputer. 電源供給部の概念的な構成例を示す図である。It is a figure which shows the conceptual structural example of a power supply part. 電流測定部の構成を説明するための図である。It is a figure for demonstrating the structure of a current measurement part. リーク電流の増加を説明するための図である。It is a figure for demonstrating increase of leakage current. リーク電流の増加分の補正方法を説明するための図である。It is a figure for demonstrating the correction method of the increase part of leakage current. ROM114、ROM124のアドレス空間の構成例を示す図である。It is a figure which shows the structural example of the address space of ROM114, ROM124. 実施例1に係る故障ポテンシャル診断手順の一例を示すフローチャートである。7 is a flowchart illustrating an example of a failure potential diagnosis procedure according to the first embodiment. 実施例1に係る故障ポテンシャル診断手順の一例を示すフローチャートである。7 is a flowchart illustrating an example of a failure potential diagnosis procedure according to the first embodiment. 実施例1に係る故障ポテンシャル診断の実施タイミングを説明する図である。FIG. 7 is a diagram for explaining the execution timing of fault potential diagnosis according to the first embodiment. 変形例1に係る故障ポテンシャル診断の実施タイミングを説明する図である。It is a figure explaining the implementation timing of the failure potential diagnosis which concerns on the modification 1. FIG. 変形例2に係る故障ポテンシャル診断の実施タイミングを説明する図である。FIG. 18 is a diagram for explaining the execution timing of failure potential diagnosis according to the second modification. 変形例3に係る故障ポテンシャル診断の実施タイミングを説明する図である。FIG. 18 is a diagram for explaining the execution timing of failure potential diagnosis according to the third modification. 実施例1に係る制御手順を説明する図である。FIG. 7 is a diagram for explaining a control procedure according to the first embodiment. 実施例2に係る車両制御装置システムを示す図である。FIG. 7 is a diagram showing a vehicle control system according to a second embodiment. 実施例2に係る制御手順を説明する図である。FIG. 10 is a diagram for explaining a control procedure according to the second embodiment. 実施例2に係る制御タスクの割り当て変更の一例を説明する図である。FIG. 18 is a diagram for explaining an example of change of assignment of control tasks according to the second embodiment. 実施例3に係る車両制御装置システムを示す図である。FIG. 7 is a view showing a vehicle control system according to a third embodiment. 実施例3に係る制御手順を説明する図である。FIG. 13 is a diagram for explaining a control procedure according to a third embodiment.
 以下、本発明の課題について、詳細に説明する。 Hereinafter, the problems of the present invention will be described in detail.
 車両制御装置のマイクロコンピュータが備えるCPUは、半導体製造工程において混入した異物により隣接するトランジスタや配線がショートすることや、長期使用によるトランジスタ劣化不良などが原因となって、車両制御装置の動作状態によらずに故障する可能性がある。 The CPU included in the microcomputer of the vehicle control device causes the foreign matter mixed in the semiconductor manufacturing process to short-circuit the adjacent transistor or wiring, and the transistor deterioration failure due to long-term use, etc. There is a possibility of failure without depending on it.
 一般的に知られているCPUの故障モードとしては、例えば、以下のものがある。これらの故障モードが1つでも発生した場合、故障したCPUは正しく演算処理を実行することが不可能となる。
(故障その1)CPU内部の演算回路出力が「0」または「1」に固定される。
(故障その2)CPU内部の演算回路出力が本来の正しい演算結果と異なる結果を示す。 As a commonly known failure mode of a CPU, for example, there are the following. If even one of these failure modes occurs, the failed CPU can not execute arithmetic processing correctly.
(Failure 1) The output of the arithmetic circuit inside the CPU is fixed at "0" or "1".
(Failure 2) The output of the arithmetic circuit inside the CPU shows a result different from the original correct arithmetic result.
 一般的なCPU故障診断方法は、CPUを構成するトランジスタが完全に故障し、CPU演算結果が本来あるべき演算結果と異なる値を出力するように至った場合は、CPUの故障を検知することができる。言い換えると、一般的なCPU故障診断方法は、CPUが完全に故障した状態でないと、CPUの故障と判断できないという課題がある。 In a general CPU failure diagnosis method, it is possible to detect a CPU failure when a transistor constituting the CPU completely fails and the CPU operation result comes to output a value different from the originally intended operation result. it can. In other words, the general CPU failure diagnosis method has a problem that it can not be determined as a CPU failure unless the CPU is completely in failure.
 従って、CPUが完全に故障する前の不安定な状態や、CPU故障診断においてCPU故障が確定する前の状態においては、CPUの出力結果は通常時と同様に使用されるため、CPUの誤演算結果が使用される恐れがある。例えば、アクチュエータに誤指示をする、また、他ユニットに誤情報を送信するなどにより、車両が意図しない挙動となるリスクがある。また、一般的なCPU故障診断方法でCPU故障状態を診断した場合、車両が安全な状態となるようなフェールセーフ制御が実施され、一般的には車両の運転性能が低下した状態となる、または車両が走行できない状態となる。 Therefore, in an unstable state before the CPU completely fails, or in a state before the CPU failure is determined in the CPU failure diagnosis, the output result of the CPU is used in the same manner as in the normal operation, so the CPU erroneous operation The result may be used. For example, there is a risk that the vehicle behaves in an unintended manner, for example, by giving an incorrect instruction to the actuator or transmitting an incorrect information to another unit. In addition, when a CPU failure state is diagnosed by a general CPU failure diagnosis method, failsafe control is performed such that the vehicle is in a safe state, and in general, the driving performance of the vehicle is reduced, or The vehicle can not run.
 また、一般的なCPU故障診断方法は、完全に故障していないものの、将来、故障となるポテンシャルを持つCPUの検出はできないという課題がある。 Moreover, although the general CPU failure diagnosis method is not completely failed, there is a problem that it is impossible to detect a CPU having a potential for failure in the future.
 CPUを構成するトランジスタに異物が付着し、それが何らかの原因で移動し、隣接するトランジスタ間に異物が付着すると、その隣接するトランジスタが短絡し、CPUの故障を引き起こす場合がある。ただし、トランジスタ間の短絡状態によっては、短絡によって生じる電位変動が判定閾値に至らない程度にとどまる場合がある。この場合、トランジスタ間に短絡故障が生じていたとしても、一般的なCPU故障診断方法では、このような故障を検出することは困難である。同様の現象はトランジスタの経年劣化によっても発生することが知られている。 If foreign matter adheres to a transistor constituting a CPU and moves due to any cause and foreign matter adheres between adjacent transistors, the adjacent transistor may be short-circuited to cause failure of the CPU. However, depending on the short circuit state between the transistors, the potential fluctuation caused by the short circuit may remain to such an extent that it does not reach the determination threshold. In this case, even if a short circuit failure occurs between the transistors, it is difficult to detect such a failure by the general CPU failure diagnosis method. It is known that the same phenomenon also occurs due to the aging of the transistor.
 このようなトランジスタの短絡故障を放置すると、短絡状態が進行し、トランジスタ間が完全に短絡し、CPUの故障として診断されることになると想定される。このように、将来CPUの故障として顕出する潜在的な故障ポテンシャルは、できる限り早い時点で検出することが望ましい。 If such a short circuit failure of the transistor is left, it is assumed that a short circuit condition will progress, and the complete short circuit between the transistors will be diagnosed as a CPU failure. Thus, it is desirable to detect potential failure potential that appears as a failure of the CPU in the future as early as possible.
 また、一般的なCPU故障診断方法は、複数のCPUを使用し、同じ入力信号を与えたときの出力値を比較するロックステップ方式により故障を診断している。このロックステップ方式の場合、どちらかのCPUに故障が発生しても検知することは可能であるが、どちらのCPUが故障したかを検知することは困難であるという課題がある。 Further, in a general CPU failure diagnosis method, a failure is diagnosed by a lock step method in which a plurality of CPUs are used and output values when the same input signal is given are compared. In the case of this lock step method, although it is possible to detect even if a failure occurs in either of the CPUs, there is a problem that it is difficult to detect which CPU has failed.
 同様に、複数のマイクロコンピュータを使用してお互いに情報を送受信して、情報の中身から診断するマイクロコンピュータの相互監視方法においても、CPU故障により送信情報が破壊される、または、受信情報を誤演算するなどの故障が存在するため、どちらのCPUが故障したかを判断することは困難である。 Similarly, in a mutual monitoring method of microcomputers in which information is transmitted / received to / from each other using a plurality of microcomputers and diagnosis is made from the contents of the information, transmission information is destroyed due to CPU failure or erroneous reception information It is difficult to determine which CPU has failed because there is a failure such as calculation.
 上記のように、一般的なCPU故障診断では、故障したCPUを特定することが困難である。また、一般的には、複数のCPUのうち1つでもCPU故障を検知した場合は、フェールセーフ処理に移行する方式を取る。つまり、故障していないマイクロコンピュータまたはCPUを有しているにも関わらず、フェールセーフ処理に移行するため、車両全体としては通常走行できるポテンシャルを残しているにも関わらず、運転性能を低下させてしまっているのが現状である。 As described above, in general CPU fault diagnosis, it is difficult to identify a faulty CPU. Also, in general, when one of a plurality of CPUs detects a CPU failure, a method of shifting to fail-safe processing is adopted. In other words, despite having a microcomputer or CPU that has not failed, in order to shift to fail-safe processing, the driving performance is lowered despite the fact that the vehicle as a whole can still run normally. It is the current situation that has been
 <実施形態>
 次に、本発明の実施形態について説明する。 Embodiment
Next, an embodiment of the present invention will be described.
 本発明の実施形態では、マイクロコンピュータに内蔵されるCPUにおいて、製造時に混入した異物や経年劣化よって生じるCPUの故障ポテンシャルを判断することにより、CPUの故障を、できる限り早期の段階で検出することができる。また、CPUの故障発生時、または、CPUの異常発生時において、故障していない正常なCPUを特定することが可能であり、故障していない正常なCPUを有効利用することで、運転性能を維持可能な車両制御装置(100)を提供することが出来る。 In an embodiment of the present invention, a CPU incorporated in a microcomputer detects a CPU failure as early as possible by judging a failure potential of the CPU caused by foreign particles mixed in during manufacturing or aging. Can. In addition, it is possible to identify a normal CPU that has not failed and at the time of a failure of CPU or when an abnormality has occurred. By effectively using a normal CPU that has not failed, the operating performance can be calculated. A maintainable vehicle control system (100) can be provided.
 本発明の実施形態において、CPU(111、112、121、122)は、CPUの故障の原因となるトランジスタの短絡や経年劣化によって、CPUに電源を供給している電源供給ライン(接続線:L1、L2、L3、L4)を流れる電流(リーク電流)が増加していく特徴に着目する。CPUのリーク電流の値を電流測定部(電流検出部:150、160、152、162)を利用して検出および測定し、測定されたリーク電流の値ないし量からトランジスタの劣化状態を判断することができる。つまり、CPUの故障ポテンシャルを判断することができる。 In the embodiment of the present invention, the CPU (111, 112, 121, 122) is a power supply line (connection line: L1) supplying power to the CPU by shorting or aging of the transistor causing the failure of the CPU. , L 2, L 3, L 4)), and focus on the feature of increasing current (leakage current). Detecting and measuring the value of the leak current of the CPU using current measurement units (current detection units: 150, 160, 152, 162), and judging the deterioration state of the transistor from the value or amount of the measured leak current Can. That is, the failure potential of the CPU can be determined.
 ただし、CPUが駆動状態のときにおいて、CPUの電源供給ラインを流れる電流はCPUのリーク電流成分とCPUの駆動電流成分とを含んでおり、ここからCPUの駆動電流成分を除いて、CPUのリーク電流成分のみを測定する必要がある。ここで、CPUの動作状態を、CPUが駆動していない状態(非演算状態)、いわゆる、スタンバイ状態とすると、CPUの駆動電流成分をゼロとすることが可能である。さらに、スタンバイ状態のCPUとは別に、駆動状態のCPUを用いて、スタンバイ状態のCPUに流れる電流を測定する。この電流を故障ポテンシャル診断用のCPUリーク電流(Ileak2)として扱う。このように、故障ポテンシャル診断のために、被測定CPUをスタンバイ状態とし、測定用CPUを駆動状態とする。 However, when the CPU is in the drive state, the current flowing through the power supply line of the CPU includes the leak current component of the CPU and the drive current component of the CPU, and excluding the drive current component of the CPU, the leak of the CPU It is necessary to measure only the current component. Here, when the operation state of the CPU is a state in which the CPU is not driving (a non-calculation state), that is, a standby state, it is possible to make the driving current component of the CPU zero. Furthermore, separately from the CPU in the standby state, the CPU in the driven state is used to measure the current flowing to the CPU in the standby state. This current is treated as CPU leak current (Ileak 2) for fault potential diagnosis. As described above, in order to diagnose the failure potential, the CPU to be measured is in the standby state, and the measurement CPU is in the driving state.
 さらに、故障ポテンシャル診断用のCPUリーク電流(Ileak2)は、マイクロコンピュータまたはCPUの製造ばらつきと、マイクロコンピュータまたはCPUの温度変化によるばらつきを含んでいるため、これらリーク電流のばらつき要素を排除して、トランジスタ劣化によるCPUリーク電流の増加分のみを抽出する必要がある。このため、測定した故障ポテンシャル診断用のCPUリーク電流の値の補正が必要となる。マイクロコンピュータまたはCPUの製造ばらつきによるリーク電流ばらつきの補正と、温度変化によるリーク電流ばらつきの2つを補正する。 Furthermore, since the CPU leak current (Ileak 2) for fault potential diagnosis includes variations due to manufacturing variations of the microcomputer or CPU and variations due to temperature changes of the microcomputer or CPU, excluding these variation factors of the leak current, It is necessary to extract only the increase in CPU leak current due to transistor degradation. For this reason, it is necessary to correct the measured value of the CPU leak current for failure potential diagnosis. Correction of leak current variation due to manufacturing variation of microcomputer or CPU and leak current variation due to temperature change are corrected.
 マイクロコンピュータまたはCPUの製造ばらつきによるリーク電流ばらつきを補正する方法として、マイクロコンピュータまたはCPU製造時に故障ポテンシャル診断用のCPUリーク電流値(Ileak1)を計測し、マイクロコンピュータの記憶領域(ROM:114、124)にCPU製造時のリーク電流値として記憶させる。現在の故障ポテンシャル診断用のCPUリーク電流値(Ileak2)からマイクロコンピュータまたはCPU製造時のリーク電流値(Ileak1)を減算することで、マイクロコンピュータまたはCPU製造時から現在に至るまでのリーク電流の増加分(ΔIleak)を抽出することができる。これを温度補正前のCPUリーク電流の増加量とする。また、故障ポテンシャル診断用のCPUリーク電流値(Ileak1)は、マイクロコンピュータまたはCPUの製造時でなく、車両制御装置の製造時に故障ポテンシャル診断用のCPUリーク電流を計測し、記憶してもよい。 As a method of correcting leak current variation due to manufacturing variation of microcomputer or CPU, measure CPU leak current value (Ileak1) for fault potential diagnosis at the time of microcomputer or CPU production, and store memory area (ROM: 114, 124) of microcomputer. ) Is stored as a leak current value at the time of CPU manufacture. By subtracting the leak current value (Ileak1) at the time of microcomputer manufacture or CPU manufacturing from CPU leak current value (Ileak2) for current failure potential diagnosis, increase in leak current from manufacture time of microcomputer or CPU to the present The minutes (ΔIleak) can be extracted. Let this be the increase amount of CPU leak current before temperature correction. Further, the CPU leak current value (Ileak1) for failure potential diagnosis may be stored by measuring the CPU leak current for failure potential diagnosis at the time of manufacture of the vehicle control device, not at the time of manufacture of the microcomputer or CPU.
 次に、温度によるリーク電流の変化を補正する。一般的にCPUのリーク電流とCPUの温度は相関関係をもつことが知られている。よって、あらかじめCPUの温度とCPUのリーク電流の相関マップ(TCM)を用意することができる。マイクロコンピュータまたはCPUの温度は、マイクロコンピュータに内蔵している温度センサ(TSEN:115,125)により測定することができる。若しくは、車両用制御装置(1)の基板上に配した温度センサからの温度情報から推定しても良い。測定したCPUの温度と、CPUリーク電流温度変化マップ(TCM)から、温度によるCPUリーク電流の変化量を算出することができる。 Next, the change in leakage current due to temperature is corrected. Generally, it is known that CPU leakage current and CPU temperature have a correlation. Therefore, a correlation map (TCM) of the temperature of the CPU and the leak current of the CPU can be prepared in advance. The temperature of the microcomputer or CPU can be measured by a temperature sensor (TSEN: 115, 125) built in the microcomputer. Alternatively, it may be estimated from temperature information from a temperature sensor disposed on the substrate of the vehicle control device (1). From the measured CPU temperature and the CPU leak current temperature change map (TCM), it is possible to calculate the amount of change in CPU leak current due to temperature.
 前記温度補正前のCPUリーク電流増加量(ΔIleak)と前記温度によるCPUリーク電流変化量(Icv)を用いて、温度補正後のCPUリーク電流増加量(ΔIleakc)を算出することができる。前記温度補正後のCPUリーク電流の増加量(ΔIleakc)が、あらかじめ規定した故障ポテンシャルを有すると判断する電流の増加量の判定閾値(TH)よりも大きいとき、CPUは、完全に故障していないものの、将来、故障となるポテンシャルを有していると判断できる。判定閾値は、設定値ないし所定値と見做すことが出来る。 The CPU leak current increase amount (ΔIleakc) after the temperature correction can be calculated using the CPU leak current increase amount (ΔIleak) before the temperature correction and the CPU leak current change amount (Icv) due to the temperature. When the increase amount (ΔIleakc) of the CPU leak current after the temperature correction is larger than the determination threshold (TH) of the increase amount of the current determined to have a predetermined failure potential, the CPU has not completely failed. However, it can be determined that it has a potential for failure in the future. The determination threshold can be regarded as a set value or a predetermined value.
 リーク電流の測定とCPU故障ポテンシャル診断は任意のタイミングで実施することができるが、少なくとも1つのCPUをスタンバイ状態とするために、車両制御装置の起動時またはシャットダウン時に実施することが有効である。また、起動時毎やシャットダウン毎に、診断するCPUの組み合わせを変えてもよい(図9A、図9B,図9C,図9D)。 The measurement of the leak current and the CPU failure potential diagnosis can be performed at any timing, but it is effective to carry out at the time of starting or shutdown of the vehicle control device in order to put at least one CPU in the standby state. Also, the combination of CPUs to be diagnosed may be changed at each startup or every shutdown (FIGS. 9A, 9B, 9C, 9D).
 実施形態に係る車両制御装置によれば、現時点ではCPUは正常に演算できるが将来的に故障する可能性がある状態を早期の段階で検出することができる。 According to the vehicle control device according to the embodiment, the CPU can calculate normally at the present time, but can detect a state in which it may fail in the future at an early stage.
 前述の通り、複数のマイクロコンピュータや複数のCPUを使用して故障を検知しているが、故障発生したことは検知可能であるが、故障したCPUを特定することができなかった。そのため、CPU故障発生時は、他に正常なCPUがあったとしても車両制御を縮退させて、車両制御用アクチュエータを停止させるなどのフェールセーフ処理が一般的に実行される。 As described above, although the failure is detected using a plurality of microcomputers and a plurality of CPUs, although the occurrence of a failure can be detected, the failed CPU could not be identified. Therefore, when a CPU failure occurs, fail-safe processing such as stopping the vehicle control actuator is generally executed by degenerating the vehicle control even if there is another normal CPU.
 一方、実施形態によれば、CPUの故障ポテンシャル診断の結果から、故障したCPUを特定することができるので、CPUの故障発生時において、故障していない正常なCPUを使って、車両制御を縮退させることなく、車両の走行性能を維持することができる。 On the other hand, according to the embodiment, since the failed CPU can be identified from the result of the failure potential diagnosis of the CPU, the vehicle control is degenerated by using the normal CPU which is not failed when the failure of the CPU occurs. The traveling performance of the vehicle can be maintained without causing
 また、実施形態によれば、故障ポテンシャルが高いCPUが完全に故障する前に、故障ポテンシャルが高いCPUが受け持つ演算制御を他CPUに譲渡し、車両制御装置が持つ機能を縮退させることなく、自動車運転者にCPU故障を通知することができるため、安全かつスムーズに自動車を修理するための移動を行うことができる。 Further, according to the embodiment, before the CPU having a high failure potential completely fails, the operation control that the CPU having a high failure potential takes over is transferred to another CPU, and the vehicle control device does not degenerate functions. Since the driver can be notified of the CPU failure, it is possible to move safely and smoothly to repair the vehicle.
 また、実施形態によれば、CPUが完全に故障したとき、故障を検知するまでの故障検知ディレイ時間においても、正常なCPUを使用できるため、本来の運転性能を犠牲にすることが無く、エンジンやトランスミッション等のアクチュエータが急停止や誤作動し、車両が意図しない挙動をすることを防ぐことができる。 Further, according to the embodiment, when the CPU completely fails, the normal CPU can be used even in the failure detection delay time until the failure is detected, so that the original operation performance is not sacrificed. It is possible to prevent the vehicle from acting unintended due to sudden stop or malfunction of an actuator such as a transmission or the like.
 また、実施形態によれば、CPUが完全に故障する前に、あらかじめ故障ポテンシャルの高いCPUで演算するタスクを縮退させてCPU演算負荷を下げることで、CPUが完全に故障するまでの期間を延長することができる。 Further, according to the embodiment, before the CPU completely fails, the CPU operation load is reduced by degenerating the task calculated by the CPU having a high failure potential in advance, thereby extending the time until the CPU completely fails. can do.
 以下、実施例について、図面を用いて説明する。ただし、以下の説明において、同一構成要素には同一符号を付し繰り返しの説明を省略することがある。なお、図面は説明をより明確にするため、実際の態様に比べ、模式的に表される場合があるが、あくまで一例であって、本発明の解釈を限定するものではない。 Hereinafter, examples will be described using the drawings. However, in the following description, the same components may be assigned the same reference numerals and repeated descriptions may be omitted. In addition, although drawing may be represented typically compared with an actual aspect, in order to clarify description, it is an example to the last, and does not limit interpretation of this invention.
 以下、実施例1について、図面を用いて説明する。 Hereinafter, Example 1 will be described using the drawings.
 (車両制御装置システムの構成)
 図1は、実施例1に係る車両制御装置システムを示す図である。車両制御装置システム1は、電子制御装置(ECU:Electronic Control Unit)である車両制御装置100を有する。車両制御装置100は、車両が搭載する車載機器(例えば、自動変速機、エンジンなど)を電子的に制御する装置である。車両制御装置100は、メインマイクロコンピュータ(MMC)110、サブマイクロコンピュータ(SMC)120、メイン電源部(MPSP)130、サブ電源部(SPSP)140、メインCPU電流測定部(MCM)150,152、サブCPU電流測定部(SMCM)160,162、温度センサ170、を備える。メインマイクロコンピュータ(MMC)110は第1マイクロコンピュータと、サブマイクロコンピュータ(SMC)120は第2マイクロコンピュータと、いうこともできる。 (Configuration of vehicle control system)
FIG. 1 is a diagram showing a vehicle control system according to a first embodiment. The vehicle control device system 1 includes a vehicle control device 100 which is an electronic control unit (ECU: Electronic Control Unit). The vehicle control device 100 is a device that electronically controls on-vehicle devices (for example, an automatic transmission, an engine, and the like) mounted on the vehicle. The vehicle control device 100 includes a main microcomputer (MMC) 110, a sub microcomputer (SMC) 120, a main power supply unit (MPSP) 130, a sub power supply unit (SPSP) 140, and a main CPU current measurement unit (MCM) 150, 152, A sub CPU current measurement unit (SMCM) 160, 162 and a temperature sensor 170 are provided. The main microcomputer (MMC) 110 may be referred to as a first microcomputer, and the sub microcomputer (SMC) 120 may be referred to as a second microcomputer.
 メインマイクロコンピュータ110は、車両が搭載する車載機器を制御するマイクロコンピュータまたはマイクロコントローラである。メインマイクロコンピュータ110は、例えばアクチュエータ(ACU)202を制御することによって車載機器を制御する。また、表示装置(DISP)203を介してメッセージを表示することができる。メッセージは、例えば文字や画像などのメッセージ、ランプ点灯による通知など、任意の形態のものを用いることができる。 The main microcomputer 110 is a microcomputer or a microcontroller that controls in-vehicle devices mounted on a vehicle. The main microcomputer 110 controls on-vehicle equipment by controlling, for example, an actuator (ACU) 202. Also, a message can be displayed via the display device (DISP) 203. The message may be in any form, for example, a message such as a character or an image, a notification by lighting a lamp, or the like.
 メインマイクロコンピュータ(MMC)110は、半導体集積回路装置であり、例えば、公知のCMOS半導体製造技術により、複数のCMOSトランジスタを単結晶シリコンの様な半導体チップ上に形成することにより、形成されている。メインマイクロコンピュータ(MMC)110は、メインCPU(MCPU:第1CPU)111、サブCPU(SCPU:第2CPU)112、揮発性メモリであるRAM(Random Access Memory)113、不揮発性メモリであるROM(Read Only Memory)114、メインマイクロコンピュータ110の温度を測定可能な温度センサ(TSEN)115、比較器(COMP)116、アナログデジタル変換回路(ADC)117、を備える。メインCPU111とサブCPU112は、車載機器を制御するために必要な制御演算を実施する演算装置である。RAM113は、メインCPU111とサブCPU112が使用するデータを一時的に格納する。ROM114は、メインCPU111とサブCPU112が実行する制御プログラムや、後述される診断処理グログラムなどを格納し、また、メインCPU111とサブCPU112が演算した情報やサブマイクロコンピュータ120やその他の車載機器から受信した情報を記憶することができる。比較器116は、メインCPU111とサブCPU112に同じ入力情報を与え、メインCPU111とサブCPU112の出力結果を照合する。メインCPU111とサブCPU112に異常が無ければ、比較器116の照合結果は一致する。比較器116の照合結果が不一致のとき、メインCPU111またはサブCPU112の異常を検知することができる。この構成は、一般的なロックステップ方式である。 The main microcomputer (MMC) 110 is a semiconductor integrated circuit device, and is formed, for example, by forming a plurality of CMOS transistors on a semiconductor chip such as single crystal silicon by a known CMOS semiconductor manufacturing technology. . The main microcomputer (MMC) 110 includes a main CPU (MCPU: first CPU) 111, a sub CPU (SCPU: second CPU) 112, a random access memory (RAM) 113 which is a volatile memory, and a ROM (read) which is a non-volatile memory. Only memory (114), a temperature sensor (TSEN) 115 capable of measuring the temperature of the main microcomputer 110, a comparator (COMP) 116, and an analog-to-digital converter (ADC) 117. The main CPU 111 and the sub CPU 112 are arithmetic devices that perform control calculations necessary to control the in-vehicle device. The RAM 113 temporarily stores data used by the main CPU 111 and the sub CPU 112. The ROM 114 stores control programs executed by the main CPU 111 and the sub CPU 112, diagnostic processing glomograms described later, etc., and information received by the main CPU 111 and the sub CPU 112, received from the sub microcomputer 120 and other in-vehicle devices. Information can be stored. The comparator 116 supplies the same input information to the main CPU 111 and the sub CPU 112, and collates the output results of the main CPU 111 and the sub CPU 112. If there is no abnormality in the main CPU 111 and the sub CPU 112, the comparison results of the comparator 116 match. When the comparison result of the comparator 116 does not match, an abnormality in the main CPU 111 or the sub CPU 112 can be detected. This configuration is a general lock step system.
 メインCPU111とメイン電源部130との間に設けられた電源供給ライン(第1接続線)L1は、メインCPU111の駆動電流を測定するメイン電流測定部(電流検出部)150を備える。サブCPU112とメイン電源部130との間に設けられた電源供給ライン(第2接続線)L2は、サブCPU112の駆動電流を測定するサブ電流測定部(電流検出部)160を備える。後述されるサブマイクロコンピュータ120のアナログデジタル変換回路(ADC)127は、メイン電流測定部150とサブ電流測定部160と、計測用配線LM1,LM2を介して接続され、電源供給ライン(第1、第2接続線)L1,L2に流れるメインCPU111およびサブCPU112の駆動電流の電流値を測定する。 A power supply line (first connection line) L1 provided between the main CPU 111 and the main power supply unit 130 includes a main current measurement unit (current detection unit) 150 that measures a drive current of the main CPU 111. The power supply line (second connection line) L2 provided between the sub CPU 112 and the main power supply unit 130 includes a sub current measurement unit (current detection unit) 160 that measures the drive current of the sub CPU 112. The analog-to-digital converter (ADC) 127 of the sub-microcomputer 120, which will be described later, is connected to the main current measuring unit 150 and the sub-current measuring unit 160 via the measurement wirings LM1 and LM2, Second connection line) Measure the current value of the drive current of the main CPU 111 and the sub CPU 112 flowing through the L1 and L2.
 サブマイクロコンピュータ120は、メインマイクロコンピュータ110と同様の構成を備える。すなわち、サブマイクロコンピュータ(SMC)120は、半導体集積回路装置であり、例えば、公知のCMOS半導体製造技術により、複数のCMOSトランジスタを単結晶シリコンの様な半導体チップ上に形成することにより、形成されている。サブマイクロコンピュータ(SMC)120は、メインCPU(MCPU)121、サブCPU(SCPU)122、揮発性メモリであるRAM(Random Access Memory)123、不揮発性メモリであるROM(Read Only Memory)124、サブマイクロコンピュータ120の温度を測定可能な温度センサ(TSEN)125、比較器(COMP)126、アナログデジタル変換回路(ADC)127、を備える。メインCPU121とサブCPU122は、車載機器を制御するために必要な制御演算を実施する演算装置である。RAM123は、メインCPU121とサブCPU122が使用するデータを一時的に格納する。ROM124は、メインCPU121とサブCPU122が実行する制御プログラムや、後述される診断処理グログラムなどを格納し、また、メインCPU121とサブCPU122が演算した情報やメインマイクロコンピュータ110やその他の車載機器から受信した情報を記憶することができる。比較器126は、メインCPU121とサブCPU122に同じ入力情報を与え、メインCPU121とサブCPU122の出力結果を照合する。メインCPU121とサブCPU122に異常が無ければ比較器126の照合結果は一致する。比較器126の照合結果が不一致のとき、メインCPU121またはサブCPU122の異常を検知することができる。この構成は、一般的なロックステップ方式である。なお、サブマイクロコンピュータ120はメインマイクロコンピュータ110の機能異常を検知するのみに機能を限定してもよい。 The sub microcomputer 120 has the same configuration as the main microcomputer 110. That is, submicrocomputer (SMC) 120 is a semiconductor integrated circuit device, and is formed, for example, by forming a plurality of CMOS transistors on a semiconductor chip such as single crystal silicon by a known CMOS semiconductor manufacturing technology. ing. The sub microcomputer (SMC) 120 includes a main CPU (MCPU) 121, a sub CPU (SCPU) 122, a random access memory (RAM) 123 which is a volatile memory, a read only memory (ROM) 124 which is a non-volatile memory, A temperature sensor (TSEN) 125 capable of measuring the temperature of the microcomputer 120, a comparator (COMP) 126, and an analog-to-digital converter (ADC) 127 are provided. The main CPU 121 and the sub CPU 122 are arithmetic devices that perform control calculations necessary to control the in-vehicle device. The RAM 123 temporarily stores data used by the main CPU 121 and the sub CPU 122. The ROM 124 stores control programs executed by the main CPU 121 and the sub CPU 122, diagnostic processing glomograms to be described later, etc., and information received by the main CPU 121 and the sub CPU 122 and received from the main microcomputer 110 and other in-vehicle devices. Information can be stored. The comparator 126 gives the same input information to the main CPU 121 and the sub CPU 122, and collates the output results of the main CPU 121 and the sub CPU 122. If there is no abnormality in the main CPU 121 and the sub CPU 122, the comparison results of the comparator 126 match. When the comparison result of the comparator 126 does not match, an abnormality of the main CPU 121 or the sub CPU 122 can be detected. This configuration is a general lock step system. The function of the sub microcomputer 120 may be limited to detecting the functional abnormality of the main microcomputer 110 only.
 メインCPU121とサブ電源部140との間に設けられた電源供給ライン(第3接続線)L3は、メインCPU121の駆動電流を測定するメイン電流測定部(電流検出部)152を備える。サブCPU122とサブ電源部140との間に設けられた電源供給ライン(第4接続線)L4は、サブCPU122の駆動電流を測定するサブ電流測定部(電流検出部)162を備える。メインマイクロコンピュータ110のアナログデジタル変換回路(ADC)117は、メイン電流測定部152とサブ電流測定部162と、計測用配線LM3,LM4を介して接続され、電源供給ライン(第3、第4接続線)L3,L4に流れるメインCPU121およびサブCPU122の駆動電流の電流値を測定する。 A power supply line (third connection line) L3 provided between the main CPU 121 and the sub power supply unit 140 includes a main current measurement unit (current detection unit) 152 that measures a drive current of the main CPU 121. The power supply line (fourth connection line) L4 provided between the sub CPU 122 and the sub power supply unit 140 includes a sub current measurement unit (current detection unit) 162 that measures the drive current of the sub CPU 122. The analog-to-digital converter (ADC) 117 of the main microcomputer 110 is connected to the main current measuring unit 152 and the sub current measuring unit 162 via the measurement wirings LM3 and LM4, and the power supply lines (third and fourth connections Current values of drive currents of the main CPU 121 and the sub CPU 122 flowing through the lines L3 and L4 are measured.
 サブマイクロコンピュータ120は、メイン電流測定部150とサブ電流測定部160からの電流値と温度センサ115からの温度情報を用いて、後述する手順により、メインマイクロコンピュータ110のメインCPU111およびサブCPU112の故障ポテンシャル診断を実施して、その診断結果をサブマイクロコンピュータ120のROM124等の記憶領域に格納する。サブマイクロコンピュータ120は、次回メインマイクロコンピュータ110の起動時に、診断結果の情報をメインマイクロコンピュータ110へ通知する。 The submicrocomputer 120 uses the current value from the main current measurement unit 150 and the subcurrent measurement unit 160 and the temperature information from the temperature sensor 115 and fails the main CPU 111 and the sub CPU 112 of the main microcomputer 110 according to the procedure described later. The potential diagnosis is performed, and the diagnosis result is stored in a storage area such as the ROM 124 of the submicrocomputer 120. The submicrocomputer 120 notifies the main microcomputer 110 of information on the diagnosis result when the main microcomputer 110 is activated next time.
 一方、メインマイクロコンピュータ110は、メイン電流測定部152とサブ電流測定部162からの電流値と温度センサ125からの温度情報を用いて、後述する手順により、サブマイクロコンピュータ120のメインCPU121およびサブCPU122の故障ポテンシャル診断を実施して、その診断結果をメインマイクロコンピュータ110のROM114等の記憶領域に格納する。メインマイクロコンピュータ110は、次回サブマイクロコンピュータ120の起動時に、診断結果の情報をサブマイクロコンピュータ120へ通知する。 On the other hand, the main microcomputer 110 uses the current value from the main current measurement unit 152 and the sub current measurement unit 162 and the temperature information from the temperature sensor 125 to follow the procedure described later for the main CPU 121 and the sub CPU 122 of the sub microcomputer 120. And the diagnosis result is stored in a storage area such as the ROM 114 of the main microcomputer 110. The main microcomputer 110 notifies the sub microcomputer 120 of information on the diagnosis result when the sub microcomputer 120 is started next time.
 このように、サブマイクロコンピュータ120がメインマイクロコンピュータ110の故障ポテンシャル診断を実施し、メインマイクロコンピュータ110がサブマイクロコンピュータ120の故障ポテンシャル診断を実施する。この理由は、前述の通り、CPUが駆動状態ではCPUのリーク電流とCPUの駆動電流を切り分けることができないため、CPUが駆動していない状態、いわゆるCPUスタンバイ状態とし、さらに別の通常駆動中のマイクロコンピュータがスタンバイ状態のCPUの駆動電流を測定することで、CPUのリーク電流を正確に測定することを可能とするためである。 Thus, the submicrocomputer 120 performs failure potential diagnosis of the main microcomputer 110, and the main microcomputer 110 performs failure potential diagnosis of the submicrocomputer 120. The reason for this is that, as described above, the CPU can not distinguish between the CPU leakage current and the CPU drive current in the driven state, so the CPU is not driven, so-called CPU standby state, and another normal drive is in progress. By measuring the drive current of the CPU in the standby state by the microcomputer, it is possible to accurately measure the leak current of the CPU.
 車両制御装置100は、車両が搭載するバッテリ201から電力の供給を受ける。メイン電源部130は、バッテリ201から受け取った電圧を昇圧ないし降圧し、メインマイクロコンピュータ110に対して供給する。サブ電源部140も同様に、バッテリ201から受け取った電圧を昇圧ないし降圧し、サブマイクロコンピュータ120に対して供給する。メイン電源部130およびサブ電源部140は、電源信号(PS)200の受信に従って、メインマイクロコンピュータ110およびサブマイクロコンピュータ120のそれぞれへの電力供給を開始するように構成されている。 The vehicle control device 100 receives supply of power from a battery 201 mounted on the vehicle. The main power supply unit 130 steps up or down the voltage received from the battery 201 and supplies the voltage to the main microcomputer 110. Similarly, the sub power supply unit 140 boosts or steps down the voltage received from the battery 201 and supplies the voltage to the sub microcomputer 120. Main power supply unit 130 and sub power supply unit 140 are configured to start power supply to main microcomputer 110 and sub microcomputer 120 according to the reception of power signal (PS) 200.
 メイン電源部130は、メインCPU111、サブCPU112、RAM113、ROM114のそれぞれに対して個別に電力を供給するように、内部的に回路が切り分けられている。これは、メインCPU111、サブCPU112に対して供給する駆動電流がRAM113やROM114の電流変動によって受ける影響を抑制するためである。また、サブメイン電源部140も同様に、メインCPU121、サブCPU122、RAM123、ROM124のそれぞれに対して個別に電力を供給するように、内部的に回路が切り分けられている。これは、メインCPU121、サブCPU122に対して供給する駆動電流がRAM123やROM124の電流変動によって受ける影響を抑制するためである。メイン電源部130およびサブメイン電源部140の構成は、図3を用いて、後で説明される。 The main power supply unit 130 is internally divided into circuits so as to individually supply power to the main CPU 111, the sub CPU 112, the RAM 113, and the ROM 114, respectively. This is to suppress the influence of the drive current supplied to the main CPU 111 and the sub CPU 112 from the current fluctuation of the RAM 113 and the ROM 114. Similarly, the sub main power supply unit 140 is internally divided into circuits so as to individually supply power to each of the main CPU 121, the sub CPU 122, the RAM 123, and the ROM 124. This is to suppress the influence of the drive current supplied to the main CPU 121 and the sub CPU 122 from the current fluctuation of the RAM 123 and the ROM 124. The configurations of the main power supply unit 130 and the sub main power supply unit 140 will be described later with reference to FIG.
 (マイクロコンピュータの構成)
 図2は、マイクロコンピュータMCの概念的な構成例を示す図である。マイクロコンピュータMCは、メインマイクロコンピュータ110およびメインマイクロコンピュータ120の構成を示している。マイクロコンピュータMCは、メインCPU(MCPU:111,121)、サブCPU(SCPU:112,121)、RAM(113,123)、ROM(114、124)および周辺回路PERIを含み、バスBUSにより相互に接続されている。周辺回路PERIは、例えば、温度センサTSEN(115,125),比較部COMP(116,126)、アナログデジタル変換回路ADC(117,127)、コントロールエリアネットワーク(Controller Area Network)インターフェイスCANIF、および、信号入出力ポートIOP等を有する。 (Configuration of microcomputer)
FIG. 2 is a view showing a conceptual configuration example of the microcomputer MC. The microcomputer MC shows the configurations of the main microcomputer 110 and the main microcomputer 120. The microcomputer MC includes main CPUs (MCPUs: 111, 121), sub CPUs (SCPUs: 112, 121), RAMs (113, 123), ROMs (114, 124) and a peripheral circuit PERI. It is connected. The peripheral circuit PERI includes, for example, a temperature sensor TSEN (115, 125), a comparator COMP (116, 126), an analog-to-digital converter ADC (117, 127), a control area network (Controller Area Network) interface CANIF, It has an input / output port IOP and the like.
 マイクロコンピュータMCは、MCPUへ電源電圧Vdd1を供給するための外部端子VDD1,SCPUへ電源電圧Vdd2を供給するための外部端子VDD2、RAMへ電源電圧Vdd3を供給するための外部端子VDD3、ROMへ電源電圧Vdd4を供給するための外部端子VDD4、および、例えば、0(ゼロ)ボルトの様な接地電圧または基準電圧Vssが供給される基準電位端子VSSを有する。マイクロコンピュータMCは、さらに、アナログデジタル変換回路ADCへアナログ用電源電圧Avddおよびアナログ用基準電圧Avssを供給ための外部端子AVDDおよびAVSS、温度センサTSEN、比較部COMP、CANIFや信号入出力ポートIOP等の周辺回路PERIへ電源電圧Vdd5を供給するための外部端子VDD5等を有する。電源電圧Vdd1、Vdd2,Vdd3,Vdd4,Vdd5は、それぞれ異なる電源電圧とすることが出来る。 The microcomputer MC has an external terminal VDD1 for supplying the power supply voltage Vdd1 to the MCPU, an external terminal VDD2 for supplying the power supply voltage Vdd2 to the SCPU, an external terminal VDD3 for supplying the power supply voltage Vdd3 to the RAM, and a power supply to the ROM. It has an external terminal VDD4 for supplying the voltage Vdd4 and a reference potential terminal VSS to which a ground voltage such as 0 (zero) volt or a reference voltage Vss is supplied. The microcomputer MC further includes external terminals AVDD and AVSS for supplying the analog power supply voltage Avdd and the analog reference voltage Avss to the analog-to-digital converter ADC, the temperature sensor TSEN, the comparator COMP, CANIF, the signal input / output port IOP, etc. And an external terminal VDD5 for supplying the power supply voltage Vdd5 to the peripheral circuit PERI. The power supply voltages Vdd1, Vdd2, Vdd3, Vdd4 and Vdd5 can be different power supply voltages.
 図2に示されるように、アナログデジタル変換回路ADCは、アナログ信号入力端子AN0,AN1、AN2,AN3を有している。マイクロコンピュータMCが、メインマイクロコンピュータ110とされる場合、アナログ信号入力端子AN0,AN1は、LM3を介して、MCM152に接続され、アナログ信号入力端子AN2,AN3は、LM4を介して、SCM162に接続される。また、マイクロコンピュータMCが、メインマイクロコンピュータ120とされる場合、アナログ信号入力端子AN0,AN1は、LM1を介して、MCM150に接続され、アナログ信号入力端子AN2,AN3は、LM2を介して、SCM160に接続される。なお、アナログデジタル変換回路ADCは、アナログ信号入力端子AN0,AN1、AN2,AN3の他に、アナログ信号入力端子AN4-ANnを有してもよい。アナログ信号入力端子AN4-ANnは、他のアナログセンサ等の出力と接続することが可能である。 As shown in FIG. 2, the analog-to-digital converter ADC has analog signal input terminals AN0, AN1, AN2, AN3. When the microcomputer MC is the main microcomputer 110, the analog signal input terminals AN0 and AN1 are connected to the MCM 152 via the LM3, and the analog signal input terminals AN2 and AN3 are connected to the SCM 162 via the LM4. Be done. When the microcomputer MC is the main microcomputer 120, the analog signal input terminals AN0 and AN1 are connected to the MCM 150 via the LM1, and the analog signal input terminals AN2 and AN3 are connected to the SCM 160 via the LM2. Connected to The analog-to-digital converter ADC may have analog signal input terminals AN4 to ANn in addition to the analog signal input terminals AN0, AN1, AN2, and AN3. The analog signal input terminals AN4-ANn can be connected to the output of another analog sensor or the like.
 また、CANIFは、CANバスに接続することが可能な入出力端子CAN0を有する。CANバスには、CANプロトコルに基づくCAN通信が可能な電動パワーステリングEPSや他の電子制御ユニット(ECU)などを接続することが可能である。信号入出力ポートIOPは、デジタル信号の入出力を可能とするポート端子PD0-PDNを有する。 The CANIF also has an input / output terminal CAN0 that can be connected to the CAN bus. The CAN bus can be connected to an electric power steering EPS or other electronic control unit (ECU) capable of CAN communication based on the CAN protocol. The signal input / output port IOP has port terminals PD0 to PDN that enable input and output of digital signals.
 (電源供給部の構成)
 図3は、電源供給部PSPの概念的な構成例を示す図である。電源供給部PSPは、メイン電源部(MPSP)130およびサブ電源部(SPSP)140の構成を示している。電源供給部PSPは、複数のレギュレータREG1-RG6を有する。レギュレータREG1は、MCPUへ電源電圧Vdd1を供給するための外部端子VDD1へ電源電圧を供給する。レギュレータREG2は、SCPUへ電源電圧Vdd2を供給するための外部端子VDD2へ電源電圧を供給する。レギュレータREG3は、RAMへ電源電圧Vdd3を供給するための外部端子VDD3へ電源電圧を供給する。レギュレータREG4は、ROMへ電源電圧Vdd4を供給するための外部端子VDD4へ電源電圧を供給する。レギュレータREG5は、周辺回路PERIへ電源電圧を供給するための外部端子VDD5へ電源電圧Vdd5を供給する。レギュレータREG6は、アナログデジタル変換回路ADCへアナログ用電源電圧Avddおよびアナログ用基準電圧Avssを供給ための外部端子AVDDおよびAVSSへアナログ用電源電圧Avddおよびアナログ用基準電圧Avssを供給する。複数のレギュレータREG1-RG6は、電源供給の開始を指示する電源信号200の受信に応答して、バッテリ(BAT)201から電圧を供給されて、各電源電圧Vdd1-Vdd5、Avdd、アナログ用電源電圧Avdd、およびアナログ用基準電圧Avssを生成する。 (Configuration of power supply unit)
FIG. 3 is a diagram showing a conceptual configuration example of the power supply unit PSP. The power supply unit PSP shows the configuration of the main power supply unit (MPSP) 130 and the sub power supply unit (SPSP) 140. The power supply unit PSP has a plurality of regulators REG1-RG6. The regulator REG1 supplies the power supply voltage to the external terminal VDD1 for supplying the power supply voltage Vdd1 to the MCPU. The regulator REG2 supplies the power supply voltage to the external terminal VDD2 for supplying the power supply voltage Vdd2 to the SCPU. The regulator REG3 supplies the power supply voltage to the external terminal VDD3 for supplying the power supply voltage Vdd3 to the RAM. The regulator REG4 supplies the power supply voltage to the external terminal VDD4 for supplying the power supply voltage Vdd4 to the ROM. The regulator REG5 supplies the power supply voltage Vdd5 to the external terminal VDD5 for supplying the power supply voltage to the peripheral circuit PERI. The regulator REG6 supplies the analog power supply voltage Avdd and the analog reference voltage Avss to the external terminals AVDD and AVSS for supplying the analog power supply voltage Avdd and the analog reference voltage Avss to the analog-digital conversion circuit ADC. The plurality of regulators REG1 to RG6 are supplied with voltages from the battery (BAT) 201 in response to the reception of the power supply signal 200 instructing start of power supply, and the power supply voltages Vdd1 to Vdd5, Avdd, and power supply voltages for analog are supplied. Generates Avdd and the analog reference voltage Avss.
 このように、電源供給部PSP(130、140)は、メインCPU(MCPU:111,121)、サブCPU(SCPU:112,122)、RAM(113,123)、ROM(114、124)、周辺回路PERI、アナログデジタル変換回路ADC(117,127)のそれぞれに対して個別に電力を供給可能とするように、複数レギュレータREG1-RG6を有する。これは、前述の様に、メインCPU111、サブCPU112に対して供給する駆動電流がRAM(113,123)、ROM114(114、124)、周辺回路PERI、アナログデジタル変換回路ADC(117,127)の電流変動によって受ける影響を抑制する為である。 Thus, the power supply unit PSP (130, 140) includes the main CPU (MCPU: 1111, 121), the sub CPU (SCPU: 112, 122), the RAM (113, 123), the ROM (114, 124), and the periphery. A plurality of regulators REG1 to RG6 are provided to enable power supply individually to each of the circuit PERI and the analog-to-digital converter ADC (117, 127). As described above, the drive current supplied to the main CPU 111 and the sub CPU 112 is the RAM (113, 123), the ROM 114 (114, 124), the peripheral circuit PERI, the analog-to-digital converter ADC (117, 127). This is to suppress the influence of the current fluctuation.
 なお、図2および図3において、周辺回路PERIへ電源電圧の供給する外部端子VDD5、および周辺回路PERIの電源電圧を生成するレギュレータREG5は、さらに、複数の外部端子、および複数のレギュレータとされても良い。これにより、周辺回路PERIに含まれる各回路ないし各機能モジュールの電源電位の要求仕様に従う様に、電源電位を供給出来る。 In FIG. 2 and FIG. 3, external terminal VDD5 for supplying power supply voltage to peripheral circuit PERI and regulator REG5 for generating power supply voltage for peripheral circuit PERI are further configured as a plurality of external terminals and a plurality of regulators. Also good. Thus, the power supply potential can be supplied according to the required specification of the power supply potential of each circuit or each functional module included in the peripheral circuit PERI.
 (電流測定部の構成)
 図4は、電流測定部の構成を説明するための図である。図4には、電流測定部として、メイン電流測定部150の構成を例示的に示している。電流測定部150の構成は、電流測定部160,152,162の構成と同一であり、他の接続構成は図1から容易に理解されるので、電流測定部160,152,162の構成の説明は省略する。電源測定部150は、抵抗値Rsの抵抗素子R1を有する。抵抗素子R1は、メイン電源部130のレギュレータREG1の出力とメインマイクロコンピュータ110のメインCPU111の外部端子VDD1との間に設けられた電源供給ラインL1に直列に挿入されるように、設けられる。抵抗素子R1の両端のノードVRHおよびVRLは、LM1を介して、サブマイクロコンピュータ120に内蔵されたアナログデジタル変換回路127のアナログ入力端子AN0,AN1にそれぞれ接続される。同様な構成により、電流測定部160は、LM2を介して、サブマイクロコンピュータ120に内蔵されたアナログデジタル変換回路127のアナログ入力端子AN2,AN3にそれぞれ接続される。また、電流測定部152,162は、LM3およびLM4を介して、メインマイクロコンピュータ110に内蔵されたアナログデジタル変換回路117のアナログ入力端子AN0,AN1、および、AN2,AN3にそれぞれ接続される。 (Configuration of current measurement unit)
FIG. 4 is a diagram for explaining the configuration of the current measurement unit. FIG. 4 exemplarily shows the configuration of the main current measurement unit 150 as a current measurement unit. The configuration of the current measurement unit 150 is the same as the configuration of the current measurement units 160, 152, 162, and the other connection configuration is easily understood from FIG. 1, so the description of the configuration of the current measurement units 160, 152, 162 Is omitted. The power supply measurement unit 150 includes a resistance element R1 having a resistance value Rs. The resistance element R1 is provided in series in the power supply line L1 provided between the output of the regulator REG1 of the main power supply unit 130 and the external terminal VDD1 of the main CPU 111 of the main microcomputer 110. The nodes VRH and VRL at both ends of the resistive element R1 are respectively connected to analog input terminals AN0 and AN1 of the analog-to-digital converter 127 built in the sub microcomputer 120 via the LM1. With the same configuration, the current measurement unit 160 is connected to the analog input terminals AN2 and AN3 of the analog-to-digital converter 127 built in the sub-microcomputer 120 via the LM2. The current measurement units 152 and 162 are connected to analog input terminals AN0 and AN1 and AN2 and AN3 of the analog-to-digital converter circuit 117 built in the main microcomputer 110 via the LM3 and the LM4, respectively.
 このような構成により、抵抗素子R1に流れるメインCPU111のリーク電流を含む駆動電流Isは、以下の式により求められる。
  Is=Vs/Rs
 ここで、Vsは、抵抗素子R1の両端のノードVRHとノードVRLとの間の電圧差に対応する電圧値である。 With such a configuration, the drive current Is including the leak current of the main CPU 111 flowing to the resistance element R1 can be obtained by the following equation.
Is = Vs / Rs
Here, Vs is a voltage value corresponding to the voltage difference between the node VRH and the node VRL at both ends of the resistive element R1.
 すなわち、ノードVRHとノードVRLとの間の電圧値Vsを、アナログデジタル変換回路127によって計測することにより、メインCPU111のリーク電流を含む駆動電流Isが求められる。 That is, by measuring the voltage value Vs between the node VRH and the node VRL by the analog-to-digital converter 127, the drive current Is including the leak current of the main CPU 111 can be obtained.
 なお、メイン電源部130のレギュレータREG1の出力電圧値は、メインマイクロコンピュータ110のメインCPU111の基準動作電圧と、抵抗素子R1の抵抗値Rsと、抵抗素子R1に流れる駆動電流Isの最大電流値と、抵抗素子R1に流れる駆動電流Isによる電圧降下分(Vs)とを考慮し、メインマイクロコンピュータ110のメインCPU111の基準動作電圧を満足する様に、決めればよい。メイン電源部130のレギュレータREG2、サブ電源部140のレギュレータREG1,REG2のそれぞれの出力電圧値も、上記と同様の思想により、メインマイクロコンピュータ110のサブCPU112、サブマイクロコンピュータ120のメインCPU121、サブCPU122の各々の基準動作電圧を満足する様に、決定すればよい。 The output voltage value of the regulator REG1 of the main power supply unit 130 is the reference operating voltage of the main CPU 111 of the main microcomputer 110, the resistance value Rs of the resistance element R1, and the maximum current value of the drive current Is flowing through the resistance element R1. It may be determined so as to satisfy the reference operating voltage of the main CPU 111 of the main microcomputer 110 in consideration of the voltage drop (Vs) due to the drive current Is flowing through the resistance element R1. The respective output voltage values of the regulator REG2 of the main power supply unit 130 and the regulators REG1 and REG2 of the sub power supply unit 140 are also the sub CPU 112 of the main microcomputer 110 and the main CPU 121 and sub CPU 122 of the sub microcomputer 120 based on the same idea as above. It should be determined so as to satisfy each of the reference operating voltages.
 なお、上記では、マイクロコンピュータ110,120に内蔵されたアナログデジタル変換回路117、127を利用する例に関して説明したが、これに限定されない。アナログデジタル変換回路117、127の変換ビット数(例えば、10ビットや12ビット)より多い変換ビット数(例えば、100ビット)が必要な場合は、車両制御装置100に、変換ビット数の多い外付けの個別アナログデジタル変換回路を実装し、アナログデジタル変換回路117、127の代わりとして、その個別アナログデジタル変換回路を利用しても良い。リーク電流値の測定において、リーク電流値の値自体が小さいので、変換ビット数の多い個別アナログデジタル変換回路を用いれば、リーク電流値をより正確に計測することが出来る。 Although the example using the analog-to- digital converter circuits 117 and 127 built in the microcomputers 110 and 120 has been described above, the present invention is not limited to this. When a conversion bit number (for example, 100 bits) larger than the conversion bit number (for example, 10 bits or 12 bits) of the analog-to- digital converter circuits 117 and 127 is required, the vehicle control apparatus 100 externally adds a large number of conversion bits. The individual analog-to-digital converter circuit may be implemented and used instead of the analog-to- digital converter circuits 117 and 127. In the measurement of the leak current value, since the leak current value itself is small, the leak current value can be more accurately measured by using an individual analog-to-digital converter having a large number of conversion bits.
 (リーク電流およびその補正)
 図5は、リーク電流の増加を説明するための図である。メインマイクロコンピュータ110やサブマイクロコンピュータ120は、複数のCMOSトランジスタなどから構成されており、製造不良の顕在化や長期使用による経年劣化などの要因により、リーク電流が増加する場合がある。 (Leakage current and its correction)
FIG. 5 is a diagram for explaining the increase of the leak current. The main microcomputer 110 and the sub-microcomputer 120 are composed of a plurality of CMOS transistors and the like, and leakage current may increase due to factors such as the appearance of manufacturing defects and aged deterioration due to long-term use.
 図5において、縦軸はリーク電流値Ileakを示し、横軸は時間Timeを示す。一般的に、半導体集積回路装置の製造メーカは、半導体集積回路装置の出荷前に、出荷前検査を実施し、リーク電流を計測し、リーク電流Ileak1が所定の範囲内にある半導体集積回路装置を、正常品として出荷する。なお、図5において、リーク電流値Ileak1は、メインマイクロコンピュータ110やサブマイクロコンピュータ120の出荷前検査で計測したものを利用する例を説明するが、車両制御装置1の製造時にリーク電流値Ileak1を計測し、メインマイクロコンピュータ110やサブマイクロコンピュータ120のROM(114,124)に記憶させてもよい。 In FIG. 5, the vertical axis indicates the leak current value Ileak, and the horizontal axis indicates the time Time. Generally, a manufacturer of a semiconductor integrated circuit device performs a pre-shipment inspection before shipment of the semiconductor integrated circuit device, measures a leak current, and a semiconductor integrated circuit device in which the leak current Ileak1 is within a predetermined range. Ship as normal products. In FIG. 5, the leak current value Ileak1 will be described using an example measured by the pre-shipment inspection of the main microcomputer 110 and the sub microcomputer 120. However, the leak current value Ileak1 It may be measured and stored in the ROM (114, 124) of the main microcomputer 110 or the sub microcomputer 120.
 時間T1には、出荷前検査時における正常品のリーク電流値Ileak1が示されており、時間T2には、長期使用によりリーク電流Ileakが増加した異常品のリーク電流値Ileak2が示される。時間T1において、正常品のリーク電流の範囲は、たとえは、最小値(0mA(ミリアンペア))と最大値(M mA)との間の範囲とされており、出荷前検査によって計測されたメインマイクロコンピュータ110またはサブマイクロコンピュータ120のリーク電流値Ileak1が、例えば、TmAであったとする。 At time T1, the leak current value Ileak1 of the normal product at the time of inspection before shipment is shown, and at time T2, the leak current value Ileak2 of the abnormal product whose leak current Ileak increased due to long-term use is shown. At time T1, the range of the leak current of the normal product is, for example, the range between the minimum value (0 mA (milliamps)) and the maximum value (M mA), and the main micro-circuits measured by the pre-shipment inspection It is assumed that the leak current value Ileak1 of the computer 110 or the submicrocomputer 120 is, for example, TmA.
 時間T2において、メインマイクロコンピュータ110またはサブマイクロコンピュータ120のリーク電流値Ileak2がT+Y mAへ増加したものとする。すなわち、リーク電流IleakがYmA=ΔIleak=Ileak2―Ileak1の値だけ増加した状態である。 At time T2, it is assumed that the leak current value Ileak2 of the main microcomputer 110 or the sub microcomputer 120 has increased to T + Y mA. That is, the leak current Ileak is increased by the value of YmA = ΔIleak = Ileak2-Ileak1.
 ΔIleakの値は、経年劣化以外に、メインマイクロコンピュータ110またはサブマイクロコンピュータ120におけるリーク電流の温度特性の変動と、メインマイクロコンピュータ110またはサブマイクロコンピュータ120の製造ばらつきによるリーク電流の変動と、が含まれている。そのため、リーク電流の増加量ΔIleakの値は補正する必要がある。 The value of ΔIleak includes, in addition to deterioration over time, fluctuation of temperature characteristics of leakage current in main microcomputer 110 or sub microcomputer 120 and fluctuation of leakage current due to manufacturing variation of main microcomputer 110 or sub microcomputer 120. It is done. Therefore, it is necessary to correct the value of the increase amount ΔIleak of the leak current.
 図6は、リーク電流の増加分の補正方法を説明するための図である。リーク電流の増加量ΔIleakは、製造時のリーク電流値Ileak1と、計測時のリーク電流値Ileak2と、リーク電流値Ileak2の温度特性ないし温度依存性とを考慮して、補正される。リーク電流値Ileak2の温度特性ないし温度依存性は、メインマイクロコンピュータ110またはサブマイクロコンピュータ120の温度センサTSENにより計測された温度情報TMと、リーク電流の温度補正マップ(テーブル)TCMにより、補正される。温度補正マップ(テーブル)TCMは、メインマイクロコンピュータ110またはサブマイクロコンピュータ120のそれぞれで固有のものであり、例えば、半導体製造メーカから得ることが可能である。温度補正マップ(または温度補正テーブル)TCMは、各温度におけるリーク電流の補正電流値(Icv)が記述されている。 FIG. 6 is a diagram for explaining a correction method of an increase in leak current. The increase amount ΔIleak of the leak current is corrected in consideration of the leak current value Ileak1 at the time of manufacture, the leak current value Ileak2 at the time of measurement, and the temperature characteristics or temperature dependency of the leak current value Ileak2. The temperature characteristic or temperature dependency of the leak current value Ileak2 is corrected by the temperature information TM measured by the temperature sensor TSEN of the main microcomputer 110 or the sub microcomputer 120 and the temperature correction map (table) TCM of the leak current. . The temperature correction map (table) TCM is unique to each of the main microcomputer 110 or the sub microcomputer 120, and can be obtained from, for example, a semiconductor manufacturer. The temperature correction map (or temperature correction table) TCM describes the correction current value (Icv) of the leak current at each temperature.
 したがって、故障ポテンシャルの診断用として利用される補正されたリーク電流の増加量ΔIleakcは、次式で求められる。
  ΔIleakc=Ileak2+Icv-Ileak1
 ここで、Icvは、温度情報TMにおける温度補正マップ(テーブル)TCMに記載の補正電流値を示すものとする。 Therefore, the increase amount ΔIleakc of the corrected leak current used for diagnosing the failure potential can be obtained by the following equation.
ΔIleakc = Ileak2 + Icv-Ileak1
Here, Icv represents the correction current value described in the temperature correction map (table) TCM in the temperature information TM.
 これにより、リーク電流値の温度によるばらつきと、メインマイクロコンピュータ110またはサブマイクロコンピュータ120の製造ばらつきとが排除でき、経年劣化等によるリーク電流値の補正された増加量ΔIleakcを得ることができる。故障ポテンシャルの診断の際、この補正されたリーク電流の増加量ΔIleakcが、しきい値または所定値(TH)を超えたか否かにより、故障ポテンシャルの有無が判断される。このような構成により、CPU(111,112,121,122)が、完全に故障していないものの、将来、故障となるポテンシャルを有しているか否かを判断することが可能になる。しきい値または所定値(TH)は、設定値や規定値という事もできる。 As a result, it is possible to eliminate variations in the leak current value due to temperature and manufacturing variations of the main microcomputer 110 or the sub microcomputer 120, and to obtain the corrected increase amount ΔIleakc of the leak current value due to aging or the like. When diagnosing the failure potential, the presence or absence of the failure potential is determined depending on whether the corrected increase amount of leakage current ΔIleakc exceeds a threshold value or a predetermined value (TH). With such a configuration, it is possible to determine whether the CPU (111, 112, 121, 122) is not completely broken but has a potential to be broken in the future. The threshold value or predetermined value (TH) can also be referred to as a set value or a prescribed value.
 (ROM114、124のアドレス空間の構成例)
 図7は、ROM114、ROM124のアドレス空間の構成例を示す図である。図7(A)は、ROM114のアドレス空間の構成例を示し、図7(B)はROM124のアドレス空間の構成例を示す。 (Example of configuration of address space of ROMs 114 and 124)
FIG. 7 is a view showing a configuration example of the address spaces of the ROM 114 and the ROM 124. As shown in FIG. 7A shows an example of the configuration of the address space of the ROM 114, and FIG. 7B shows an example of the configuration of the address space of the ROM 124.
 図7(A)に示すように、メインマイクロコンピュータ110のROM114のアドレス空間には、メインCPU111およびサブCPU112により実行されるプログラム、プログラム実行時に参照されるデータ、マップないしテーブル、演算結果のデータなどが格納される。ROM114は、例えば、第1アドレス空間ADSP1aと、第2アドレス空間ADSP2aと、を有する。 As shown in FIG. 7A, in the address space of the ROM 114 of the main microcomputer 110, programs executed by the main CPU 111 and the sub CPU 112, data referred to at the time of program execution, maps or tables, data of operation results, etc. Is stored. The ROM 114 has, for example, a first address space ADSP1a and a second address space ADSP2a.
 第1アドレス空間ADSP1aには、制御プログラムCPROGおよび制御プログラムCPROGの実行時に参照される参照データ等が格納される。制御プログラムCPROGは、車両が搭載する車載機器(例えば、自動変速機、エンジンなど)を電子的に制御するための制御プログラムである。 The first address space ADSP1a stores the control program CPROG and reference data or the like referred to when the control program CPROG is executed. The control program CPROG is a control program for electronically controlling on-vehicle devices (for example, an automatic transmission, an engine, etc.) mounted on a vehicle.
 第2アドレス空間ADSP2aには、本発明に係る処理プログラムないしデータが格納されており、図8A,図8Bで説明される診断プログラムDPROG、図10で説明されるCPUの異常判断時に実行される制御プログラムCNTPROG、図6で説明されたリーク電流補正用の計算プログラムLCCPROGが格納される。第2アドレス空間ADSP2aには、さらに、メインマイクロコンピュータ110に関するリーク電流の温度補正マップ(テーブル)TCM、しきい値または所定値(TH)、リーク電流値Ileak1(110)、サブマイクロコンピュータ120のメインCPU121およびサブCPU122に関する計測されたリーク電流値Ileak2(121)、Ileak2(122)が、格納される。第2アドレス空間ADSP2aには、さらに、補正されたリーク電流の増加量ΔIleakc(121)、ΔIleakc(122)、サブマイクロコンピュータ120のメインCPU121およびサブCPU122に関する診断結果DResult(121)、DResult(122)、および、診断履歴を示す経験情報DHistが格納される。 The processing program or data according to the present invention is stored in the second address space ADSP 2a, and the diagnostic program DPROG described with reference to FIGS. 8A and 8B and the control executed when judging abnormality of the CPU described with FIG. A program CNTPROG, a calculation program LCCPROG for leak current correction described in FIG. 6 is stored. The second address space ADSP 2 a further includes a temperature correction map (table) TCM of the leak current related to the main microcomputer 110, a threshold value or a predetermined value (TH), a leak current value Ileak1 (110), and the main of the sub microcomputer 120. The measured leakage current values Ileak2 (121) and Ileak2 (122) for the CPU 121 and the sub CPU 122 are stored. In the second address space ADSP2a, the corrected leak current increase amounts ΔIleakc (121), ΔIleakc (122), and the diagnosis results DResult (121) and DResult (122) concerning the main CPU 121 and the sub CPU 122 of the submicrocomputer 120. And experience information DHist indicating a diagnosis history is stored.
 診断結果DResult(121)、DResult(122)は、診断プログラムDPROGによるサブマイクロコンピュータ120に関する診断の結果であり、サブマイクロコンピュータ120のメインCPU121およびサブCPU122の故障ポテンシャルの有無が格納される。経験情報DHistには、最後または先回診断されたメインマイクロコンピュータ110またはサブマイクロコンピュータ120のデータが格納される。 The diagnosis results DResult (121) and DResult (122) are the results of diagnosis regarding the submicrocomputer 120 by the diagnostic program DPROG, and the presence or absence of the failure potential of the main CPU 121 and the sub CPU 122 of the submicrocomputer 120 is stored. The experience information DHist stores data of the main microcomputer 110 or the sub-microcomputer 120 last or previously diagnosed.
 図7(B)に示すように、サブマイクロコンピュータ120のROM124のアドレス空間には、メインCPU121およびサブCPU122により実行されるプログラム、プログラム実行時に参照されるデータ、マップないしテーブル、演算結果のデータなどが格納される。ROM124は、例えば、第1アドレス空間ADSP1bと、第2アドレス空間ADSP2bと、を有する。 As shown in FIG. 7B, in the address space of the ROM 124 of the submicrocomputer 120, programs executed by the main CPU 121 and the sub CPU 122, data referred to at the time of program execution, maps or tables, data of operation results, etc. Is stored. The ROM 124 has, for example, a first address space ADSP1b and a second address space ADSP2b.
 第1アドレス空間ADSP1bには、制御プログラムCPROGおよび制御プログラムCPROGの実行時に参照される参照データ等が格納される。制御プログラムCPROGは、車両が搭載する車載機器(例えば、自動変速機、エンジンなど)を電子的に制御するための制御プログラムである。 The first address space ADSP1b stores the control program CPROG and reference data or the like referred to when the control program CPROG is executed. The control program CPROG is a control program for electronically controlling on-vehicle devices (for example, an automatic transmission, an engine, etc.) mounted on a vehicle.
 第2アドレス空間ADSP2bには、本発明に係る処理プログラムないしデータが格納されており、図8で説明される診断プログラムDPROG、図10で説明されるCPUの異常判断時に実行される制御プログラムCNTPROG、図6で説明されたリーク電流補正のための計算プログラムLCCPROGが格納される。第2アドレス空間ADSP2bには、さらに、サブマイクロコンピュータ120に関するリーク電流の温度補正マップ(テーブル)TCM、しきい値または所定値(TH)、リーク電流値Ileak1(120)、メインマイクロコンピュータ110のメインCPU111およびサブCPU112に関する計測されたリーク電流値Ileak2(111)、Ileak2(112)が、格納される。第2アドレス空間ADSP2bには、さらに、補正されたリーク電流の増加量ΔIleakc(111)、ΔIleakc(112)、メインマイクロコンピュータ110のメインCPU111およびサブCPU112に関する診断結果DResult(111)、DResult(112)、および、診断履歴を示す経験情報DHistが格納される。 The second address space ADSP 2b stores the processing program or data according to the present invention, and the diagnostic program DPROG described in FIG. 8, the control program CNTPROG executed at the time of abnormality judgment of the CPU described in FIG. A calculation program LCCPROG for leak current correction described in FIG. 6 is stored. The second address space ADSP 2 b further includes a temperature correction map (table) TCM of the leak current related to the submicrocomputer 120, a threshold value or a predetermined value (TH), a leak current value Ileak 1 (120), and the main microcomputer 110. The measured leakage current values Ileak2 (111) and Ileak2 (112) for the CPU 111 and the sub CPU 112 are stored. In the second address space ADSP2b, the corrected leak current increase amounts ΔIleakc (111), ΔIleakc (112), and the diagnosis results DResult (111) and DResult (112) concerning the main CPU 111 and the sub CPU 112 of the main microcomputer 110. And experience information DHist indicating a diagnosis history is stored.
 診断結果DResult(111)、DResult(112)は、診断プログラムDPROGによるメインマイクロコンピュータ110に関する診断の結果であり、メインマイクロコンピュータ110のメインCPU111およびサブCPU112の故障ポテンシャルの有無が格納される。経験情報DHistには、最後または先回診断されたメインマイクロコンピュータ110またはサブマイクロコンピュータ120のデータが格納される。 The diagnosis results DResult (111) and DResult (112) are the results of diagnosis regarding the main microcomputer 110 by the diagnosis program DPROG, and the presence or absence of the failure potential of the main CPU 111 and the sub CPU 112 of the main microcomputer 110 is stored. The experience information DHist stores data of the main microcomputer 110 or the sub-microcomputer 120 last or previously diagnosed.
 なお、図7(A)、図7(B)では、計測されたリーク電流値Ileak2(111)、Ileak2(112)、Ileak2(121)、Ileak2(122)や、補正後のリーク電流の増加量ΔIleakc(111)、ΔIleakc(112)、ΔIleakc(121)、ΔIleakc(122)を、ROM114、124のアドレス空間に格納する例を示したが、これらの値は、ROM114、124のアドレス空間に格納せずに、診断時において、RAM113,123に一時的に格納することも可能である。 In FIGS. 7A and 7B, the measured leak current values Ileak 2 (111), Ileak 2 (112), Ileak 2 (121), Ileak 2 (122), and the increase amount of the leak current after correction. Although an example of storing ΔIleakc (111), ΔIleakc (112), ΔIleakc (121), ΔIleakc (122) in the address space of the ROMs 114 and 124 has been shown, store these values in the address spaces of the ROMs 114 and 124. Instead, it is also possible to temporarily store in the RAMs 113 and 123 at the time of diagnosis.
 (故障ポテンシャル診断手順の例)
 図8A、図8Bは、実施例1に係るCPUの故障ポテンシャル診断手順の一例を示すフローチャートである。なお、図8Aの下側のAと、図8Bの上側のAとは接続される。図8A、図8Bは、車両制御装置100がシャットダウンするとき、メインマイクロコンピュータ110のメインCPU111とサブCPU112の故障ポテンシャルを、サブマイクロコンピュータ120を用いて、診断する手順を説明するフローチャートである。サブマイクロコンピュータ120のメインCPU121とサブCPU122の故障ポテンシャルを、メインマイクロコンピュータ110を用いて診断するフローチャートは、図8A,図8Bから容易に理解されると思われるので、その記載は省略される。以下、図8A、図8Bの各ステップについて説明する。 (Example of failure potential diagnosis procedure)
FIGS. 8A and 8B are flowcharts illustrating an example of the failure potential diagnosis procedure of the CPU according to the first embodiment. The lower A in FIG. 8A and the upper A in FIG. 8B are connected. FIGS. 8A and 8B are flowcharts illustrating a procedure for diagnosing the failure potential of the main CPU 111 and the sub CPU 112 of the main microcomputer 110 using the sub microcomputer 120 when the vehicle control device 100 shuts down. A flowchart for diagnosing the failure potential of the main CPU 121 and the sub CPU 122 of the sub microcomputer 120 using the main microcomputer 110 is considered to be easily understood from FIGS. 8A and 8B, and thus the description thereof is omitted. Hereinafter, each step of FIG. 8A and FIG. 8B is demonstrated.
 (ステップS100)
 メインマイクロコンピュータ110及びサブマイクロコンピュータ120は、電源が投入されたことを示す電源信号200を受信すると、本フローチャートを開始する。本フローチャートを開始する時点において、メイン電源IC130とサブ電源IC140はそれぞれ電源信号200に従って電力供給を開始済みであるものとする。なお、このフローチャートは、図7の診断プログラムDPROGに対応するものである。 (Step S100)
When the main microcomputer 110 and the sub microcomputer 120 receive the power supply signal 200 indicating that the power is turned on, this flowchart is started. At the time of starting this flowchart, it is assumed that the main power supply IC 130 and the sub power supply IC 140 have started to supply power according to the power supply signal 200 respectively. This flowchart corresponds to the diagnostic program DPROG shown in FIG.
 (ステップS101)
 メインマイクロコンピュータ110及びサブマイクロコンピュータ120は、それぞれの記憶領域(ROM114,124)からメインマイクロコンピュータ110及びサブマイクロコンピュータ120の製造時のリーク電流値(Ileak1)と、故障ポテンシャル実施経験情報(DHist)を読みだす。上記のリーク電流値(Ileak1)は、メインマイクロコンピュータ110及びサブマイクロコンピュータ120の製造時だけでなく、車両制御装置100の製造時に、メインマイクロコンピュータ110及びサブマイクロコンピュータ120のリーク電流を測定し、それぞれの記憶領域(ROM114,124)に記憶してもよい。 (Step S101)
The main microcomputer 110 and the sub-microcomputer 120 are provided with leak current values (Ileak1) at the time of manufacture of the main microcomputer 110 and the sub-microcomputer 120 from respective storage areas (ROMs 114 and 124) and failure potential operation experience information (DHist) Read out. The leak current value (Ileak1) described above measures the leak current of the main microcomputer 110 and the sub-microcomputer 120 not only at the time of manufacturing the main microcomputer 110 and the sub-microcomputer 120 but also at the time of manufacturing the vehicle control device 100. It may be stored in each storage area (ROMs 114 and 124).
 (ステップS102)
 メインマイクロコンピュータ110は故障ポテンシャル診断の実施条件が成立するまでは、本故障ポテンシャル診断は実施しない。故障ポテンシャル診断の実施条件は、電源信号200がオフされた後に実施されるセルフシャット処理が全て完了したことで条件成立とする。 (Step S102)
The main microcomputer 110 does not carry out the failure potential diagnosis until the condition for carrying out the failure potential diagnosis is established. The execution condition of the failure potential diagnosis is satisfied when all the self shut processing performed after the power supply signal 200 is turned off is completed.
 (ステップS103)
 メインマイクロコンピュータ110は、ステップS101で読み出だしたメインマイクロコンピュータ110及びサブマイクロコンピュータ120の故障ポテンシャル実施経験情報から、今回の故障ポテンシャルの診断対象マイクロコンピュータを決定し、被測定マイクロコンピュータとする。たとえば、前回の故障ポテンシャル診断で、メインマイクロコンピュータ110内蔵のメインCPU111とサブCPU112の故障ポテンシャルを診断した場合、今回の故障ポテンシャル診断では、サブマイクロコンピュータ120内蔵のメインCPU121およびサブCPU122を診断対象とする。上記のように、本例では、セルフシャット処理実施毎に診断するマイクロコンピュータを切り替えているのは、診断対象マイクロコンピュータ内蔵のメインCPUおよびサブCPUを停止状態(スタンバイ状態)とする必要があるためである。詳細は、図9Aの説明にて記載する。本例では、被測定マイクロコンピュータをメインマイクロコンピュータ110として、メインマイクロコンピュータ110に内蔵されるメインCPU111とサブCPU112の故障ポテンシャルを診断するものとして記載する。 (Step S103)
The main microcomputer 110 determines a microcomputer to be diagnosed with the failure potential of this time from the failure potential implementation experience information of the main microcomputer 110 and the sub microcomputer 120 read out in step S101, and sets it as a microcomputer to be measured. For example, when the failure potential of main CPU 111 and sub CPU 112 in main microcomputer 110 is diagnosed in the previous failure potential diagnosis, main CPU 121 and sub CPU 122 in sub microcomputer 120 are regarded as diagnosis targets in this failure potential diagnosis. Do. As described above, in this example, the reason for switching the microcomputer to be diagnosed each time self-shut processing is performed is that the main CPU and the sub CPU built in the microcomputer to be diagnosed need to be in the stop state (standby state). It is. Details will be described in the description of FIG. 9A. In this example, the microcomputer to be measured is described as the main microcomputer 110, which diagnoses the failure potential of the main CPU 111 and the sub CPU 112 built in the main microcomputer 110.
 (ステップS104)
 被測定マイクロコンピュータ110のメインCPU111及びサブCPU112の温度を推定するため、メインマイクロコンピュータ110に内蔵されている温度センサ115からメインマイクロコンピュータ110の温度を測定する。本例では、メインマイクロコンピュータ110に内蔵されている温度センサ115を使用しているが、温度センサは、車両制御装置100に搭載されている温度センサ170を使用してもよい。また、外界の温度状態や車両制御装置100の運転時間による推定温度値を使用してもよい。 (Step S104)
In order to estimate the temperatures of the main CPU 111 and the sub CPU 112 of the microcomputer to be measured 110, the temperature of the main microcomputer 110 is measured from the temperature sensor 115 built in the main microcomputer 110. In this example, the temperature sensor 115 built in the main microcomputer 110 is used, but the temperature sensor may be the temperature sensor 170 mounted in the vehicle control device 100. Moreover, you may use the temperature value estimated by the temperature condition of the external world, and the operating time of the vehicle control apparatus 100. FIG.
 (ステップS105)
 被測定マイクロコンピュータ110のメインCPU111及びサブCPU112は、ステップS104で取得したメインマイクロコンピュータ110の温度情報から、温度によるCPU111,112のリーク電流Ileak2の値の変化を補正するために、リーク電流の温度補正マップTCMからリーク電流の温度補正値Icvを算出する。リーク電流の温度補正マップTCMは被測定マイクロコンピュータの種別毎に事前に規定する。リーク電流の温度補正マップTCMは、図7に示されるように、メインマイクロコンピュータ110及びサブマイクロコンピュータ120が備えるROM114,124にあらかじめ格納しておくことができる。 (Step S105)
From the temperature information of the main microcomputer 110 acquired in step S104, the main CPU 111 and the sub CPU 112 of the measured microcomputer 110 correct the temperature change of the leakage current Ileak2 of the CPUs 111 and 112 due to the temperature. The temperature correction value Icv of the leakage current is calculated from the correction map TCM. The temperature correction map TCM of the leak current is defined in advance for each type of microcomputer to be measured. The temperature correction map TCM of the leakage current can be stored in advance in the ROMs 114 and 124 provided in the main microcomputer 110 and the sub microcomputer 120, as shown in FIG.
 (ステップS106)
 ステップS105で算出したリーク電流の温度補正値Icvをサブマイクロコンピュータ120に通知する。 (Step S106)
The sub-microcomputer 120 is notified of the temperature correction value Icv of the leakage current calculated in step S105.
 (ステップS107)
 被測定マイクロコンピュータ110のメインCPU111及びサブCPU112を、停止状態(スタンバイ状態)に移行させ、以降の演算はサブマイクロコンピュータ120を使用してする。 (Step S107)
The main CPU 111 and the sub CPU 112 of the microcomputer to be measured 110 are shifted to the stop state (standby state), and the subsequent calculations are performed using the sub microcomputer 120.
 (ステップS108)
 被測定マイクロコンピュータ110がスタンバイ状態モードに移行完了するまで待機する。移行完了の判定は規定時間、または被測定マイクロコンピュータ110の出力がOFFとなったことをもって判断する。 (Step S108)
It waits for the measured microcomputer 110 to complete transition to the standby state mode. The determination of the completion of the transition is made based on a specified time or that the output of the measured microcomputer 110 is turned off.
 (ステップS109)
 サブマイクロコンピュータ120は、メイン電流測定部150及びサブ電流測定部160にて、被測定マイクロコンピュータ110のメインCPU111及びサブCPU112の現在のリーク電流値(Ileak2(111)、Ileak2(112))を計測する。 (Step S109)
The submicrocomputer 120 measures the current leakage current values (Ileak2 (111), Ileak2 (112)) of the main CPU 111 and the sub CPU 112 of the microcomputer to be measured 110 by the main current measurement unit 150 and the subcurrent measurement unit 160. Do.
 (ステップS110)
 サブマイクロコンピュータ120は、メインCPU111及びサブCPU112それぞれについて、ステップS101で取得した製造時のリーク電流(Ileak1)とステップS109で取得した現在のリーク電流(Ileak2(111)、Ileak2(112))とステップS106で取得したリーク電流温度補正値(Icv)から診断用リーク電流値(ΔIleakc(111)、ΔIleakc(112))を算出する。すなわち、図7の計算プログラムLCCPROGが実行され、図6で説明されたリーク電流値の補正のための計算が実行される。 (Step S110)
The submicrocomputer 120 processes the leak current (Ileak1) at the time of manufacture acquired in step S101 and the current leak current (Ileak2 (111), Ileak2 (112)) acquired in step S109 for each of the main CPU 111 and the sub CPU 112 From the leak current temperature correction value (Icv) acquired in S106, the diagnostic leak current values (ΔIleakc (111), ΔIleakc (112)) are calculated. That is, the calculation program LCCPROG of FIG. 7 is executed, and the calculation for correcting the leakage current value described in FIG. 6 is executed.
 (ステップS111)
 サブマイクロコンピュータ120は、メインCPU111及びサブCPU112それぞれについて、診断用リーク電流値(ΔIleakc(111)、 ΔIleakc(112))が、しきい値(TH)以下であるか否かを判定する。メインCPU111及びサブCPU112どちらの診断用リーク電流値(ΔIleakc(111)、 ΔIleakc(112))も、しきい値(TH)を下回る場合は、メインCPU111及びサブCPU112は正常であると判断して、ステップS113に進む。診断用リーク電流値(ΔIleakc(111)、 ΔIleakc(112))がしきい値(HT)を上回る場合は、故障ポテンシャル有りとしてステップS112に進む。しきい値(TH)は、図7に示されるように、メインマイクロコンピュータ110及びサブマイクロコンピュータ120が備えるROM114,124などにあらかじめ格納しておくことができる。 (Step S111)
The submicrocomputer 120 determines, for each of the main CPU 111 and the sub CPU 112, whether or not the diagnostic leak current value (ΔIleakc (111), ΔIleakc (112)) is equal to or less than the threshold value (TH). If the diagnostic leak current value (ΔIleakc (111), ΔIleakc (112)) of either the main CPU 111 or the sub CPU 112 falls below the threshold (TH), the main CPU 111 and the sub CPU 112 judge that they are normal. The process proceeds to step S113. If the diagnostic leak current value (ΔIleakc (111), ΔIleakc (112)) exceeds the threshold value (HT), it is determined that there is a failure potential, and the process proceeds to step S112. The threshold value (TH) can be stored in advance in the ROMs 114 and 124 provided in the main microcomputer 110 and the sub microcomputer 120, as shown in FIG.
 (ステップS112)
 サブマイクロコンピュータ120は、ステップS111にて故障ポテンシャル有りと判断した結果を、判断結果DResult(111)、DResult(112)として、サブマイクロコンピュータ120内の記憶領域(ROM124)に格納する。 (Step S112)
The submicrocomputer 120 stores the result of having determined that there is a failure potential in step S111 in the storage area (ROM 124) in the submicrocomputer 120 as the determination results DResult (111) and DResult (112).
 (ステップS113)
 サブマイクロコンピュータ120は、サブマイクロコンピュータ120内の記憶領域(ROM124)に、故障ポテンシャル診断の実施経験情報(DHist)を格納する。故障ポテンシャル実施経験情報(DHist)は、ステップS101で記憶領域(ROM114、124)から読み出され、ステップ103の故障ポテンシャル診断の対象マイクロコンピュータを決定する情報として使用する。 (Step S113)
The submicrocomputer 120 stores the execution experience information (DHist) of the failure potential diagnosis in the storage area (ROM 124) in the submicrocomputer 120. The failure potential execution experience information (DHist) is read from the storage area (ROMs 114 and 124) in step S101, and is used as information for determining a target microcomputer for failure potential diagnosis in step 103.
 (故障ポテンシャル診断の実施タイミング)
 図9Aは、実施例1に係る故障ポテンシャル診断の実施のタイミングを説明する図である。図9Aは、図8Aのステップ103で説明された様に、車両制御装置100のシャットダウン毎に、故障ポテンシャルの診断対象マイクロコンピュータが切り替えられることを説明する図である。すなわち、例えば、メインマイクロコンピュータ110およびサブマイクロコンピュータ120が通常制御を実施しており、その後、電源信号200がオフされたものとする。この場合、第1回目のシャットダウンとして、電源信号200がオフされた後にセルフシャット処理へ移行する。セルフシャット処理が実施され、セルフシャット処理が全て完了した後、メインマイクロコンピュータ110がスタンバイ状態とされて、駆動状態のサブマイクロコンピュータ120がスタンバイ状態のメインマイクロコンピュータ110に対して故障ポテンシャル診断を実施し、故障ポテンシャル診断の実施後に、メインマイクロコンピュータ110およびサブマイクロコンピュータ120がシャットオフされる。 (Execution timing of failure potential diagnosis)
FIG. 9A is a diagram for explaining the execution timing of fault potential diagnosis according to the first embodiment. FIG. 9A is a diagram for explaining that the microcomputer to be diagnosed with the failure potential is switched at each shutdown of the vehicle control device 100 as described in step 103 of FIG. 8A. That is, for example, it is assumed that the main microcomputer 110 and the submicrocomputer 120 perform normal control, and then the power supply signal 200 is turned off. In this case, as the first shutdown, after the power supply signal 200 is turned off, the processing shifts to the self shut processing. After self-shut processing is completed and all self-shut processing is completed, the main microcomputer 110 is put into the standby state, and the sub microcomputer 120 in the driving state performs fault potential diagnosis for the main microcomputer 110 in the standby state. After execution of the fault potential diagnosis, the main microcomputer 110 and the submicrocomputer 120 are shut off.
 一方、例えば、2回目のシャットダウン時には、セルフシャット処理が全て完了した後、サブマイクロコンピュータ120がスタンバイ状態とされて、駆動状態のメインマイクロコンピュータ110がスタンバイ状態のサブマイクロコンピュータ120に対して故障ポテンシャル診断を実施し、故障ポテンシャル診断の実施後に、メインマイクロコンピュータ110およびサブマイクロコンピュータ120がシャットオフされる。 On the other hand, for example, at the time of the second shutdown, after all the self-shut processing is completed, the submicrocomputer 120 is put into the standby state, and the main microcomputer 110 in the driven state has a failure potential with respect to the submicrocomputer 120 in the standby state. After performing diagnosis and performing fault potential diagnosis, the main microcomputer 110 and the submicrocomputer 120 are shut off.
 以上の様に、シャットオフ毎に診断対象のマイクロコンピュータを切り替えることにより、メインマイクロコンピュータ110およびサブマイクロコンピュータ120の各々の故障ポテンシャル診断を、均一に行うことが可能である。 As described above, the failure potential diagnosis of each of the main microcomputer 110 and the sub microcomputer 120 can be uniformly performed by switching the microcomputer to be diagnosed every shutoff.
 (実施タイミングの変形例1)
 図9Bは、故障ポテンシャル診断の実施タイミングの変形例1を説明する図である。図9Aでは、シャットオフ毎に診断対象のマイクロコンピュータを切り替える例を示した。
図9Bでは、電源信号200がオフされた後にセルフシャット処理へ移行し、その後、セルフシャット処理が実施され、セルフシャット処理が全て完了した後、メインマイクロコンピュータ110がスタンバイ状態とされて、サブマイクロコンピュータ120がスタンバイ状態のメインマイクロコンピュータ110に対して故障ポテンシャル診断を実施する。その後、サブマイクロコンピュータ120がスタンバイ状態とされて、メインマイクロコンピュータ110がスタンバイ状態のサブマイクロコンピュータ120に対して故障ポテンシャル診断を実施し、故障ポテンシャル診断を実施する。 (Modification 1 of implementation timing)
FIG. 9B is a diagram for explaining a modification 1 of the execution timing of failure potential diagnosis. FIG. 9A shows an example in which the microcomputer to be diagnosed is switched every shutoff.
In FIG. 9B, after the power supply signal 200 is turned off, the process proceeds to the self shut process, and then the self shut process is performed. After all the self shut process is completed, the main microcomputer 110 is put into the standby state. The computer 120 executes fault potential diagnosis for the main microcomputer 110 in the standby state. Thereafter, the sub-microcomputer 120 is put into the standby state, and the main microcomputer 110 performs fault potential diagnosis on the sub-microcomputer 120 in the standby state, and performs fault potential diagnosis.
 このような故障ポテンシャル診断の実施タイミングでも、より短い時間間隔で、メインマイクロコンピュータ110およびサブマイクロコンピュータ120の両方の故障ポテンシャルの判断を行うことが可能である。 It is possible to judge the failure potential of both the main microcomputer 110 and the sub microcomputer 120 at shorter time intervals even at the timing of execution of such failure potential diagnosis.
 (実施タイミングの変形例2)
 図9Cは、故障ポテンシャル診断の実施タイミングの変形例2を説明する図である。図9Aおよび図9Bでは、電源信号200がオフされた後、故障ポテンシャル診断が実施される例を示した。図9Cでは、電源信号200がオンされた後、メインマイクロコンピュータ110およびサブマイクロコンピュータ120の起動毎に、故障ポテンシャルの診断対象のマイクロコンピュータが切り替えられ、故障ポテンシャル診断が実施される例を示している。すなわち、例えば、電源信号200が第1回目にオンされた後、サブマイクロコンピュータ120がスタンバイ状態とされて、駆動状態のメインマイクロコンピュータ110がスタンバイ状態のサブマイクロコンピュータ120に対して故障ポテンシャル診断を実施する。その後、メインマイクロコンピュータ110およびサブマイクロコンピュータ120がリセットされる。この例では、メインマイクロコンピュータ110は、サブマイクロコンピュータ120がリセットの完了まで待機(wait)状態とされ、その後、メインマイクロコンピュータ110およびサブマイクロコンピュータ120の同期がとられ、メインマイクロコンピュータ110およびサブマイクロコンピュータ120が通常制御に移行する。 (Modified example 2 of implementation timing)
FIG. 9C is a diagram for explaining a modification 2 of the execution timing of the failure potential diagnosis. 9A and 9B show an example in which the failure potential diagnosis is performed after the power supply signal 200 is turned off. FIG. 9C shows an example in which the microcomputer as the diagnosis target of the failure potential is switched every time the main microcomputer 110 and the sub microcomputer 120 are activated after the power supply signal 200 is turned on, and the failure potential diagnosis is performed. There is. That is, for example, after the power supply signal 200 is turned on for the first time, the submicrocomputer 120 is put into the standby state, and the main microcomputer 110 in the driven state performs fault potential diagnosis to the submicrocomputer 120 in the standby state. carry out. Thereafter, the main microcomputer 110 and the sub microcomputer 120 are reset. In this example, in the main microcomputer 110, the sub microcomputer 120 is put in a wait state until the reset is completed, and then the main microcomputer 110 and the sub microcomputer 120 are synchronized, and the main microcomputer 110 and the sub microcomputer 120 are synchronized. The microcomputer 120 shifts to normal control.
 次に、図示されないが、電源信号200が第2回目にオンされた後、メインマイクロコンピュータ110がスタンバイ状態とされて、駆動状態のサブマイクロコンピュータ120がスタンバイ状態のメインマイクロコンピュータ110に対して故障ポテンシャル診断を実施する。その後、メインマイクロコンピュータ110およびサブマイクロコンピュータ120がリセットされ、メインマイクロコンピュータ110およびサブマイクロコンピュータ120の同期がとられ、メインマイクロコンピュータ110およびサブマイクロコンピュータ120が通常制御に移行する。 Next, although not shown, after the power supply signal 200 is turned on for the second time, the main microcomputer 110 is put into the standby state, and the sub microcomputer 120 in the driven state fails to the main microcomputer 110 in the standby state. Conduct a potential diagnosis. After that, the main microcomputer 110 and the sub microcomputer 120 are reset, the main microcomputer 110 and the sub microcomputer 120 are synchronized, and the main microcomputer 110 and the sub microcomputer 120 shift to the normal control.
 このような故障ポテンシャル診断の実施タイミングでも、メインマイクロコンピュータ110およびサブマイクロコンピュータ120の故障ポテンシャルを診断することが出来る。 The failure potential of the main microcomputer 110 and the sub microcomputer 120 can also be diagnosed at such an execution timing of the failure potential diagnosis.
 (実施タイミングの変形例3)
 図9Dは、故障ポテンシャル診断の実施タイミングの変形例3を説明する図である。図9Cでは、メインマイクロコンピュータ110およびサブマイクロコンピュータ120の起動毎に、故障ポテンシャルの診断対象のマイクロコンピュータが切り替えられ、故障ポテンシャル診断が実施される例を示した。図9Dでは、メインマイクロコンピュータ110およびサブマイクロコンピュータ120の起動毎に、メインマイクロコンピュータ110およびサブマイクロコンピュータ120の両方の故障ポテンシャルを診断実施する例を示している。すなわち、電源信号200が第1回目にオンされた後、サブマイクロコンピュータ120がスタンバイ状態とされて、駆動状態のメインマイクロコンピュータ110がスタンバイ状態のサブマイクロコンピュータ120に対して故障ポテンシャル診断を実施し、故障ポテンシャル診断を実施する。その後、メインマイクロコンピュータ110およびサブマイクロコンピュータ120がリセットされ、メインマイクロコンピュータ110がスタンバイ状態とされて、駆動状態のサブマイクロコンピュータ120がスタンバイ状態のメインマイクロコンピュータ110に対して故障ポテンシャル診断を実施する。その後、メインマイクロコンピュータ110およびサブマイクロコンピュータ120の同期がとられ、メインマイクロコンピュータ110およびサブマイクロコンピュータ120が通常制御に移行する。 (Modification 3 of implementation timing)
FIG. 9D is a diagram for explaining a third modification of the execution timing of failure potential diagnosis. FIG. 9C shows an example in which the microcomputer to be diagnosed with the failure potential is switched at each activation of the main microcomputer 110 and the sub-microcomputer 120, and the failure potential diagnosis is performed. FIG. 9D shows an example in which the failure potentials of both the main microcomputer 110 and the sub microcomputer 120 are diagnosed and implemented each time the main microcomputer 110 and the sub microcomputer 120 are started. That is, after the power supply signal 200 is turned on for the first time, the submicrocomputer 120 is put into the standby state, and the main microcomputer 110 in the driven state performs fault potential diagnosis for the submicrocomputer 120 in the standby state. Perform fault potential diagnosis. After that, the main microcomputer 110 and the sub microcomputer 120 are reset, and the main microcomputer 110 is put into the standby state, and the sub microcomputer 120 in the driven state performs fault potential diagnosis for the main microcomputer 110 in the standby state. . Thereafter, the main microcomputer 110 and the sub microcomputer 120 are synchronized, and the main microcomputer 110 and the sub microcomputer 120 shift to normal control.
 (実施タイミングの変形例4)
 故障ポテンシャル診断の実施タイミングとしては、図9Cに示された実施タイミングと、図9Aに示された実施タイミングと、を組み合わせでもよい。すなわち、起動時(電源信号200がオン)に、メインマイクロコンピュータ110およびサブマイクロコンピュータ120の一方の故障ポテンシャル診断を実施し、シャットオフ時(電源信号200がオフ)に、メインマイクロコンピュータ110およびサブマイクロコンピュータ120の他方の故障ポテンシャル診断を実施する。起動毎またはシャットオフ時毎に、診断対象のマイクロコンピュータが切り替えされる。 (Modification 4 of implementation timing)
The execution timing of the failure potential diagnosis may be a combination of the execution timing shown in FIG. 9C and the execution timing shown in FIG. 9A. That is, at start-up (power supply signal 200 is on), fault potential diagnosis of one of main microcomputer 110 and sub-microcomputer 120 is performed, and at shut-off (power supply signal 200 is off), main microcomputer 110 and sub- The other fault potential diagnosis of the microcomputer 120 is performed. The microcomputer to be diagnosed is switched each time the power is turned on or shut off.
 なお、図9Bと図9Dとを組み合わせて、故障ポテンシャル診断を実施しても、もちろんよい。 Of course, fault potential diagnosis may be performed by combining FIG. 9B and FIG. 9D.
 (故障ポテンシャル診断結果を用いた制御手順)
 図10は、実施例1に係る制御手順を説明する図である。図10は、車両制御装置100において、メインCPU111とサブCPU112の出力が比較器116で照合不一致となったとき、故障ポテンシャル診断結果を利用して、故障していないCPU情報を使用するための手段を説明するフローチャートの一例である。このフローチャートは、図7の制御プログラムCNTPROGに対応するものである。 (Control procedure using fault potential diagnosis result)
FIG. 10 is a diagram for explaining a control procedure according to the first embodiment. FIG. 10 shows a means for using unfailed CPU information using failure potential diagnosis results when the outputs of the main CPU 111 and the sub CPU 112 in the vehicle control apparatus 100 do not match in the comparator 116. It is an example of the flowchart explaining FIG. This flowchart corresponds to the control program CNTPROG shown in FIG.
 (ステップS300)
 メインマイクロコンピュータ110及びサブマイクロコンピュータ120は、電源が投入されたことを示す電源信号200を受信すると、本フローチャートを開始する。本フローチャートを開始する時点において、メイン電源IC130とサブ電源IC140はそれぞれ電源信号200に従って電力供給を開始済みであるものとする。以下は、一例として、メインマイクロコンピュータ110の動作について記載する。なお、図1において説明された様に、サブマイクロコンピュータ120は、メインマイクロコンピュータ110の起動時に、診断結果(DResult(111)、DResult(112))の情報をメインマイクロコンピュータ110へ通知しており、また、メインマイクロコンピュータ110は、サブマイクロコンピュータ120の起動時に、診断結果(DResult(121)、DResult(122))の情報をサブマイクロコンピュータ120へ通知しているものとする。 (Step S300)
When the main microcomputer 110 and the sub microcomputer 120 receive the power supply signal 200 indicating that the power is turned on, this flowchart is started. At the time of starting this flowchart, it is assumed that the main power supply IC 130 and the sub power supply IC 140 have started to supply power according to the power supply signal 200 respectively. The following describes the operation of the main microcomputer 110 as an example. As described in FIG. 1, the submicrocomputer 120 notifies the main microcomputer 110 of the information of the diagnosis results (DResult (111), DResult (112)) when the main microcomputer 110 is activated. Also, it is assumed that the main microcomputer 110 notifies the sub microcomputer 120 of the information of the diagnostic results (DResult (121), DResult (122)) when the sub microcomputer 120 is activated.
 (ステップS301)
 メインマイクロコンピュータ110は、メインCPU111及びサブCPU112と、それぞれの出力結果を比較する比較器116を備えており、比較器116での照合結果が一致するか否かを判定する。比較器116の照合結果が一致する場合は、CPU故障無しとしてステップS302に進む。比較器116の照合結果が不一致の場合は、CPU故障有りとしてステップS303に進む。 (Step S301)
The main microcomputer 110 is provided with a main CPU 111 and a sub CPU 112, and a comparator 116 for comparing the output results of each, and determines whether or not the comparison results in the comparator 116 match. If the comparison results of the comparator 116 match, there is no CPU failure, and the process proceeds to step S302. If the comparison results of the comparator 116 do not match, it is determined that there is a CPU failure, and the process proceeds to step S303.
 (ステップS302)
 メインマイクロコンピュータ110は、メインCPU111及びサブCPU112に故障が無いと判定し、メインCPU111の出力信号を使用する。または、サブCPU112の出力値を使用してもよい。 (Step S302)
The main microcomputer 110 determines that there is no failure in the main CPU 111 and the sub CPU 112, and uses the output signal of the main CPU 111. Alternatively, the output value of the sub CPU 112 may be used.
 (ステップS303)
 メインマイクロコンピュータ110は、ステップS112で格納したメインCPU111の故障ポテンシャル診断結果(DResult(111))が、正常か否かを判定する。メインCPU111の故障ポテンシャル診断結果(DResult(111))が正常の場合、ステップS304に進む。メインCPU111の故障ポテンシャル診断結果(DResult(111))が異常の場合は、ステップS307に進む。 (Step S303)
The main microcomputer 110 determines whether the failure potential diagnosis result (DResult (111)) of the main CPU 111 stored in step S112 is normal. If the failure potential diagnosis result (DResult (111)) of the main CPU 111 is normal, the process proceeds to step S304. If the failure potential diagnosis result (DResult (111)) of the main CPU 111 is abnormal, the process proceeds to step S307.
 (ステップS304)
 メインマイクロコンピュータ110は、ステップS112で格納したサブCPU112の故障ポテンシャル診断結果(DResult(112))が、正常か否かを判定する。
サブCPU112の故障ポテンシャル診断結果(DResult(112))が正常の場合、ステップS305に進む。サブCPU112の故障ポテンシャル診断結果(DResult(112))が異常の場合は、ステップS306に進む。 (Step S304)
The main microcomputer 110 determines whether the failure potential diagnosis result (DResult (112)) of the sub CPU 112 stored in step S112 is normal.
If the failure potential diagnosis result (DResult (112)) of the sub CPU 112 is normal, the process proceeds to step S305. If the failure potential diagnosis result (DResult (112)) of the sub CPU 112 is abnormal, the process proceeds to step S306.
 (ステップS305)
 メインマイクロコンピュータ110は、メインCPU111及びサブCPU112以外に故障があると判断し、車両制御用アクチュエータ202を停止させるなどのフェールセーフ処理に移行する。 (Step S305)
The main microcomputer 110 determines that there is a failure other than the main CPU 111 and the sub CPU 112, and shifts to fail-safe processing such as stopping the vehicle control actuator 202.
 (ステップS306)
 メインマイクロコンピュータ110は、サブCPU112に故障があるものの、メインCPU111は正常であると判断し、メインCPU111の出力信号を使用して通常処理(車両の通常制御の動作)を継続する。 (Step S306)
The main microcomputer 110 determines that the main CPU 111 is normal although there is a failure in the sub CPU 112, and continues the normal processing (the operation of the normal control of the vehicle) using the output signal of the main CPU 111.
 (ステップS307)
 ステップS307はステップS304と同様の判定を実施する。サブCPU112の故障ポテンシャル診断結果(DResult(112))が正常の場合、ステップS308に進む。サブCPU112の故障ポテンシャル診断結果(DResult(112))が異常の場合は、ステップS309に進む。 (Step S307)
In step S307, the same determination as in step S304 is performed. If the failure potential diagnosis result (DResult (112)) of the sub CPU 112 is normal, the process proceeds to step S308. If the failure potential diagnosis result (DResult (112)) of the sub CPU 112 is abnormal, the process proceeds to step S309.
 (ステップS308)
 メインマイクロコンピュータ110は、メインCPU111に故障があるものの、サブCPU112は正常であると判断し、サブCPU112の出力信号を使用して通常処理(車両の通常制御の動作)を継続する。 (Step S308)
The main microcomputer 110 determines that the sub CPU 112 is normal although there is a failure in the main CPU 111, and continues normal processing (normal control operation of the vehicle) using an output signal of the sub CPU 112.
 (ステップS309)
 メインマイクロコンピュータ110は、メインCPU111及びサブCPU112どちらにも故障ポテンシャルがあると判断し、車両制御用アクチュエータ202を停止させるなどのフェールセーフ処理に移行する。 (Step S309)
The main microcomputer 110 determines that both the main CPU 111 and the sub CPU 112 have a failure potential, and shifts to fail-safe processing such as stopping the vehicle control actuator 202.
 (ステップS310)
 メインマイクロコンピュータ110は、比較器116の照合不一致の情報を、CPU故障情報として、他ユニットに通知する。また、ステップS305またはステップS309に移行したときのみ、CPU故障情報を他ユニットに通知するとしてもよい。 (Step S310)
The main microcomputer 110 notifies other units of the information on the comparison of the comparison in the comparator 116 as CPU failure information. Further, CPU failure information may be notified to other units only when the process proceeds to step S305 or step S309.
 以上により、CPUの故障発生時、または、CPUの異常発生時において、故障していない正常なCPUを特定することが可能であり、また、故障していない正常なCPUを有効利用することで、運転性能を維持可能な車両制御装置100を提供することが出来る。 As described above, it is possible to identify a normal CPU that has not failed and to effectively use a normal CPU that has not failed, at the time of CPU failure or CPU abnormality. The vehicle control device 100 capable of maintaining the driving performance can be provided.
 実施例1によれば、マイクロコンピュータ(110,120)に内蔵されるCPU(111,112,121,122)において、製造時に混入した異物や経年劣化よって生じるCPUの故障ポテンシャルを判断することにより、CPUの故障を、できる限り早期の段階で検出することができる。また、CPUの故障発生時、または、CPUの異常発生時において、故障していない正常なCPUを特定することが可能であり、故障していない正常なCPUを有効利用することで、運転性能を維持可能な車両制御装置100を提供することが出来る。 According to the first embodiment, the CPU (111, 112, 121, 122) incorporated in the microcomputer (110, 120) determines the CPU's failure potential caused by foreign matter mixed in at the time of manufacture or aged deterioration, CPU failure can be detected as early as possible. In addition, it is possible to identify a normal CPU that has not failed and at the time of a failure of CPU or when an abnormality has occurred. By effectively using a normal CPU that has not failed, the operating performance can be calculated. A maintainable vehicle control device 100 can be provided.
 実施例1によれば、CPU(111、112、121、122)に電源を供給している電源供給ライン(接続線:L1、L2、L3、L4)を流れるCPUの電流(リーク電流)の値が、電流測定部(電流検出部:150、160、152、162)を利用して検出および測定される。これにより、測定されたリーク電流の値ないし量からトランジスタの劣化状態を判断することができる。つまり、測定されたリーク電流の値ないし量によって、CPUの故障ポテンシャルを判断することができる。 According to the first embodiment, the value of the current (leakage current) of the CPU flowing through the power supply line (connection line: L1, L2, L3, L4) supplying power to the CPU (111, 112, 121, 122) Are detected and measured using current measurement units (current detection units: 150, 160, 152, 162). Thus, the deterioration state of the transistor can be determined from the value or amount of the measured leakage current. That is, the failure potential of the CPU can be determined by the value or amount of the measured leakage current.
 実施例1において、CPUの電流(リーク電流)の値の測定は、駆動状態のCPUを用いて、スタンバイ状態のCPUに電源を供給している電源供給ラインに流れる電流を測定する。CPUが駆動状態のときにおいて、CPUの電源供給ラインを流れる電流はCPUのリーク電流成分とCPUの駆動電流成分とを含んでいる。被測定CPUをスタンバイ状態とすることにより、CPUの駆動電流成分を除いて、CPUのリーク電流成分(Ileak2)のみを測定することが出来る。 In the first embodiment, in the measurement of the value of the current (leakage current) of the CPU, the current flowing in the power supply line supplying power to the CPU in the standby state is measured using the CPU in the drive state. When the CPU is in the drive state, the current flowing through the power supply line of the CPU includes the leak current component of the CPU and the drive current component of the CPU. By setting the CPU under measurement to the standby state, it is possible to measure only the leak current component (Ileak2) of the CPU excluding the drive current component of the CPU.
 故障ポテンシャル診断用のCPUリーク電流(Ileak2)は、マイクロコンピュータまたはCPUの製造ばらつきと、マイクロコンピュータまたはCPUの温度変化によるばらつきと、を含んでいる。これらリーク電流のばらつき要素を排除して、トランジスタ劣化によるCPUリーク電流の増加分のみを抽出するため、測定した故障ポテンシャル診断用のCPUリーク電流の値の補正を行う。補正の対象は、マイクロコンピュータまたはCPUの製造ばらつきによるリーク電流ばらつきの補正と、温度変化によるリーク電流ばらつきの補正との2つの補正である。 The CPU leak current (Ileak2) for fault potential diagnosis includes manufacturing variations of the microcomputer or CPU and variations due to temperature changes of the microcomputer or CPU. In order to extract these variations in leak current and extract only the increase in CPU leak current due to transistor deterioration, correction of the measured value of CPU leak current for failure potential diagnosis is performed. There are two correction targets: correction of leak current variation due to manufacturing variation of microcomputer or CPU, and correction of leak current variation due to temperature change.
 マイクロコンピュータまたはCPUの製造ばらつきによるリーク電流ばらつきを補正する方法は、マイクロコンピュータまたはCPU製造時に故障ポテンシャル診断用のCPUリーク電流値(Ileak1)を計測し、マイクロコンピュータの記憶領域(ROM:114、124)にCPU製造時のリーク電流値として記憶させる。現在の故障ポテンシャル診断用のCPUリーク電流値(Ileak2)からマイクロコンピュータまたはCPU製造時のリーク電流値(Ileak1)を減算することで、マイクロコンピュータまたはCPU製造時から現在に至るまでのリーク電流の増加分(ΔIleak)を抽出することができる。 The method of correcting the leak current variation due to the manufacturing variation of the microcomputer or CPU is to measure the CPU leak current value (Ileak1) for fault potential diagnosis at the time of manufacturing the microcomputer or CPU, and to store the storage area (ROM: 114, 124) of the microcomputer. ) Is stored as a leak current value at the time of CPU manufacture. By subtracting the leak current value (Ileak1) at the time of microcomputer manufacture or CPU manufacturing from CPU leak current value (Ileak2) for current failure potential diagnosis, increase in leak current from manufacture time of microcomputer or CPU to the present The minutes (ΔIleak) can be extracted.
 温度によるリーク電流の変化の補正は、あらかじめCPUの温度とCPUのリーク電流の相関マップ(TCM)を用意することで、可能である。マイクロコンピュータまたはCPUの温度は、マイクロコンピュータに内蔵している温度センサ(TSEN:115,125)によりマイクロコンピュータまたはCPUの温度の測定し、測定したCPUの温度とCPUリーク電流の相関マップないし温度変化マップ(TCM)から、温度によるCPUリーク電流の変化量(Icv)を算出する。 Correction of the change of the leak current due to the temperature is possible by preparing in advance a correlation map (TCM) of the CPU temperature and the CPU leak current. Temperature of microcomputer or CPU is measured temperature of microcomputer or CPU by temperature sensor (TSEN: 115, 125) built in microcomputer, correlation map of CPU temperature and CPU leak current or temperature change measured From the map (TCM), the amount of change (Icv) in CPU leak current with temperature is calculated.
 温度補正前のCPUリーク電流増加量(ΔIleak)と、相関マップ(TCM)を利用した温度によるCPUリーク電流の変化量(Icv)とを用いて、温度補正後のCPUリーク電流増加量(ΔIleakc)が算出される。温度補正後のCPUリーク電流の増加量(ΔIleakc)が、あらかじめ規定した故障ポテンシャルを有すると判断する電流の増加量(ΔIleakc)の判定閾値(TH)よりも大きい場合、CPUは、完全に故障していないものの、将来、故障となるポテンシャルを有していると判断する。 CPU leak current increase (ΔIleakc) after temperature correction using CPU leak current increase (ΔIleak) before temperature correction and change (Icv) of CPU leak current due to temperature using correlation map (TCM) Is calculated. If the increase amount (ΔIleakc) of CPU leak current after temperature correction is larger than the determination threshold (TH) of the increase amount (ΔIleakc) of the current determined to have a predetermined failure potential, the CPU completely fails. Although it is not, it is judged that it has the potential to become a failure in the future.
 これにより、現時点ではCPUは正常に演算できるが将来的に故障する可能性がある状態を早期の段階で検出することができる。すなわち、CPUの故障ポテンシャル診断の結果から、故障したCPUを特定することができるので、CPUの故障発生時において、故障していない正常なCPUを使って、車両制御を縮退させることなく、車両の走行性能を維持することができる。 As a result, at this point in time, the CPU can correctly calculate, but can detect a state that may fail in the future at an early stage. That is, since the failed CPU can be identified from the result of the failure potential diagnosis of the CPU, when the failure of the CPU occurs, the vehicle control is not degenerated using a normal CPU that is not broken. Driving performance can be maintained.
 リーク電流の測定とCPU故障ポテンシャル診断は、少なくとも1つのCPUをスタンバイ状態とするために、車両制御装置の起動時またはシャットダウン時に実施することが有効である。また、起動時毎やシャットダウン毎に、診断するCPUの組み合わせを変えてもよい(図9A、図9B,図9C,図9Dを参照)。 It is effective to carry out the measurement of the leak current and the CPU failure potential diagnosis at the time of startup or shutdown of the vehicle control device in order to put at least one CPU in the standby state. Also, the combination of CPUs to be diagnosed may be changed at each startup or each shutdown (see FIGS. 9A, 9B, 9C, and 9D).
 図11は、実施例2に係る車両制御装置システムを示す図である。図11に示される車両制御装置システム1aは、図1と同様に、電子制御装置(ECU:Electronic Control Unit)である車両制御装置100aを有する。車両制御装置100aは、車両が搭載する車載機器(例えば、自動変速機、エンジンなど)を電子的に制御する装置である。図11の車両制御装置100aは、図1の車両制御装置100と比較して、メインマイクロコンピュータ110内の比較器116およびサブマイクロコンピュータ120内の比較器126を排除した構成となっている。車両制御装置100aのメインマイクロコンピュータ110は、メインCPU111とサブCPU112で別の制御を同時実行する並列処理型の方式とする。上記以外は車両制御装置100と同じため、その説明は省略する。 FIG. 11 is a diagram illustrating a vehicle control system according to a second embodiment. The vehicle control device system 1a shown in FIG. 11 includes a vehicle control device 100a that is an electronic control unit (ECU: Electronic Control Unit), as in FIG. The vehicle control device 100a is a device that electronically controls on-vehicle devices (for example, an automatic transmission, an engine, and the like) mounted on the vehicle. The vehicle control device 100 a of FIG. 11 is configured such that the comparator 116 in the main microcomputer 110 and the comparator 126 in the sub microcomputer 120 are eliminated as compared with the vehicle control device 100 of FIG. 1. The main microcomputer 110 of the vehicle control device 100a has a parallel processing type in which the main CPU 111 and the sub CPU 112 simultaneously execute different controls. Other than the above, the vehicle control device 100 is the same as the vehicle control device 100, so the description thereof is omitted.
 図12は、実施例2に係る制御手順を説明する図である。実施例2の制御手順では、車両制御装置100aにおいて、故障ポテンシャル診断の結果が正常か否かを判定し、異常時は本来実施していた制御機能を縮退させる。これにより、完全にCPUが故障するまでの期間を延長させるとともに、完全にCPUが故障しても、車両制御装置100aが本来もつ機能を維持させることが出来る。 FIG. 12 is a diagram for explaining a control procedure according to the second embodiment. In the control procedure of the second embodiment, the vehicle control device 100a determines whether the result of the failure potential diagnosis is normal or not, and degenerates the control function originally implemented when it is abnormal. As a result, it is possible to extend the time until the CPU completely fails, and to maintain the functions originally possessed by the vehicle control device 100a even if the CPU completely fails.
 (ステップS400)
 メインマイクロコンピュータ110及びサブマイクロコンピュータ120は、電源が投入されたことを示す電源信号200を受信すると、本フローチャートを開始する。本フローチャートを開始する時点において、メイン電源IC130とサブ電源IC140はそれぞれ電源信号200に従って電力供給を開始済みであるものとする。以下は、一例として、メインマイクロコンピュータ110の動作について記載する。また、故障ポテンシャル診断は、前述通りであり、同様のため、その説明は省略する。 (Step S400)
When the main microcomputer 110 and the sub microcomputer 120 receive the power supply signal 200 indicating that the power is turned on, this flowchart is started. At the time of starting this flowchart, it is assumed that the main power supply IC 130 and the sub power supply IC 140 have started to supply power according to the power supply signal 200 respectively. The following describes the operation of the main microcomputer 110 as an example. In addition, the failure potential diagnosis is as described above, and the description thereof will be omitted because it is the same.
 (ステップS401)
 メインマイクロコンピュータ110は、メインCPU111及びサブCPU112の故障ポテンシャル診断の実施経験(DHist)があるか否かを判定する。故障ポテンシャル診断の実施経験(DHist)が無い場合は、制御終了し、実施経験(DHist)がある場合は、ステップS402に進む。 (Step S401)
The main microcomputer 110 determines whether or not there is execution experience (DHist) of failure potential diagnosis of the main CPU 111 and the sub CPU 112. If there is no implementation experience (DHist) of failure potential diagnosis, the control is ended, and if there is implementation experience (DHist), the process proceeds to step S402.
 (ステップS402)
 メインマイクロコンピュータ110は、メインCPU111の故障ポテンシャル診断結果(DRsult(111))が正常か否かを判定する。メインCPU111の故障ポテンシャル診断結果(DRsult(111))が正常の場合、ステップS403に進む。故障ポテンシャル診断結果(DRsult(111))が異常の場合、ステップS407へ進む。 (Step S402)
The main microcomputer 110 determines whether the failure potential diagnosis result (DRsult (111)) of the main CPU 111 is normal. If the failure potential diagnosis result (DRsult (111)) of the main CPU 111 is normal, the process proceeds to step S403. If the failure potential diagnosis result (DRsult (111)) is abnormal, the process proceeds to step S407.
 (ステップS403)
 メインマイクロコンピュータ110は、サブCPU112の故障ポテンシャル診断結果(DRsult(112))が正常か否かを判定する。サブCPU112の故障ポテンシャル診断結果(DRsult(112))が正常の場合、ステップS404に進む。故障ポテンシャル診断結果(DRsult(112))が異常の場合、ステップS405へ進む。 (Step S403)
The main microcomputer 110 determines whether the failure potential diagnosis result (DRsult (112)) of the sub CPU 112 is normal. If the failure potential diagnosis result (DRsult (112)) of the sub CPU 112 is normal, the process proceeds to step S404. If the failure potential diagnosis result (DRsult (112)) is abnormal, the process proceeds to step S405.
 (ステップS404)
 メインマイクロコンピュータ110は、メインCPU111及びサブCPU112のどちらにも故障ポテンシャルが無いと判断し、通常タスク動作設定に従う通常動作を継続させる。 (Step S404)
The main microcomputer 110 determines that neither the main CPU 111 nor the sub CPU 112 has a failure potential, and continues the normal operation according to the normal task operation setting.
 (ステップS405、ステップS406)
 メインマイクロコンピュータ110は、メインCPU111に故障ポテンシャル無し、サブCPU112に故障ポテンシャル有りと判断する。そして、サブCPU112の制御タスクに割り当てられていた機能(タスクD)を縮小し、サブCPU112の演算負荷を低下させる。これにより、サブCPU112が完全に故障するまでの時間を延長させる。同時に、ステップS406で、メインCPU111の制御タスクに割り当てられていた機能(タスクD)を拡張させる。結果として、メインCPU111とサブCPU112の演算の分担割合が変化するものの、車両制御装置100aのトータルで演算される制御タスクは変わらない状況を作り出すことが可能となる。ただし、メインCPU111の演算負荷限界を超える機能は、メインCPU111に割り当てることはできないことから、メインCPU111に割り当てる機能と、サブCPU112から縮小させる機能は、あらかじめ決定しておく必要がある。図13に、サブCPU112の故障ポテンシャルが高いことを検知したときの制御タスクの割り当て変更の一例を示す、詳細は図13の説明に記す。 (Step S405, Step S406)
The main microcomputer 110 determines that there is no failure potential in the main CPU 111 and that there is a failure potential in the sub CPU 112. Then, the function (task D) assigned to the control task of the sub CPU 112 is reduced, and the calculation load of the sub CPU 112 is reduced. This extends the time until the sub CPU 112 completely fails. At the same time, in step S406, the function (task D) assigned to the control task of the main CPU 111 is expanded. As a result, although the sharing ratio of calculation of the main CPU 111 and the sub CPU 112 changes, it is possible to create a situation in which the control task calculated in total of the vehicle control device 100a does not change. However, since the function exceeding the operation load limit of the main CPU 111 can not be assigned to the main CPU 111, it is necessary to determine in advance the function to be assigned to the main CPU 111 and the function to reduce from the sub CPU 112. FIG. 13 shows an example of the change in assignment of the control task when it is detected that the failure potential of the sub CPU 112 is high. Details will be described in FIG.
 (ステップS407)
 ステップS403と同様のため省略する。 (Step S407)
It is omitted because it is the same as step S403.
 (ステップS408、ステップS409)
 ステップS405、ステップS406と同様の手段とし、メインCPU111の制御タスクの機能(タスク)を縮小し、サブCPU112の制御タスクの機能(タスク)を拡張させる。 (Step S408, Step S409)
As a means similar to steps S405 and S406, the function (task) of the control task of the main CPU 111 is reduced, and the function (task) of the control task of the sub CPU 112 is expanded.
 (ステップS410)
 メインマイクロコンピュータ110は、メインCPU111及びサブCPU112のどちらにも故障ポテンシャルがあると判断し、通常タスク動作設定に従う通常動作を継続させる。なお、ここでいう通常タスク動作設定とは、タスク変更を実施しない通常動作のためのタスク設定の意味合いである。 (Step S410)
The main microcomputer 110 determines that both the main CPU 111 and the sub CPU 112 have a failure potential, and continues the normal operation according to the normal task operation setting. Here, the normal task operation setting is the meaning of task setting for the normal operation in which the task change is not performed.
 (制御タスクの割り当て変更の一例)
 図13は、実施例2に係る制御タスクの割り当て変更の一例を説明する図である。図13は、サブCPU112の故障ポテンシャルが高いことを検知したときの制御タスクの割り当て変更の一例である。図12の故障ポテンシャル診断によって、メインCPU111及びサブCPU112に故障ポテンシャルが無く、CPUが正常な状態では、図13の(A)に示す様に、メインCPU111は、定時処理としてタスクAとタスクBを実行し、空き時間でバックグラウンドジョブ(以下、BGJ)1を実行する。一方、サブCPU112は定時処理としてタスクCとタスクDを実行し、空き時間でBGJ2を実行する。 (Example of control task assignment change)
FIG. 13 is a diagram for explaining an example of change in assignment of control tasks according to the second embodiment. FIG. 13 is an example of change in assignment of control tasks when it is detected that the failure potential of the sub CPU 112 is high. If the main CPU 111 and the sub CPU 112 have no failure potential and the CPU is normal according to the failure potential diagnosis of FIG. 12, as shown in FIG. 13A, the main CPU 111 performs task A and task B as scheduled processing as shown in FIG. Execute and execute background job (hereinafter, BGJ) 1 in idle time. On the other hand, the sub CPU 112 executes task C and task D as scheduled processing, and executes BGJ 2 in idle time.
 ここで、図12の故障ポテンシャル診断によって、サブCPU112に故障ポテンシャル有りと判定された場合、図13の(B)に示す様に、サブCPU112のタスクDをメインCPU111に割り当てるという一例を示している。メインCPU111は、タスクAとタスクBと拡張されたタスクDとを実行し、空き時間でバックグラウンドジョブ(以下、BGJ)1を実行する。一方、サブCPU112はタスクCを実行し、空き時間でBGJ2を実行する。すなわち、サブCPU112で実行されていたタスクDが、メインCPU111へ譲渡された状態である。 Here, when it is determined by the fault potential diagnosis in FIG. 12 that there is a fault potential in the sub CPU 112, an example is shown in which the task D of the sub CPU 112 is allocated to the main CPU 111 as shown in FIG. . The main CPU 111 executes task A, task B, and extended task D, and executes background job (hereinafter, BGJ) 1 in idle time. On the other hand, the sub CPU 112 executes task C and executes BGJ 2 in idle time. That is, the task D being executed by the sub CPU 112 is in a state of being transferred to the main CPU 111.
 図12の故障ポテンシャル診断は電源信号200がオフされた後に実施され、タスク割り当て変更は車両のキーオンにより車両制御装置100aが起動した際に実施される。このため、通常制御中のタスク割り当て変更による制御の急変による車両挙動への影響は無い。 The failure potential diagnosis of FIG. 12 is performed after the power supply signal 200 is turned off, and the task assignment change is performed when the vehicle control device 100a is activated by the key-on of the vehicle. For this reason, there is no influence on the vehicle behavior due to sudden change of control due to task assignment change during normal control.
 また、サブCPU112は、タスクDの機能をメインCPU111に割り当てて、演算負荷を下げたとはいえ、故障ポテンシャルが高い状態であることは変わらない。サブCPU112が完全に故障した際は、タスクC機能、BGJ2は失われることになるため、予め失われても車両走行に影響のない機能を割り当てるのが良い。この場合、サブCPU112が完全に故障したとしても、車両は安全に走行を継続することができるからである。 Further, although the sub CPU 112 assigns the function of the task D to the main CPU 111 to reduce the operation load, it does not change that the failure potential is high. When the sub CPU 112 completely fails, the task C function, BGJ2, will be lost, so it is preferable to assign a function that does not affect the vehicle running even if it is lost in advance. In this case, even if the sub CPU 112 completely fails, the vehicle can continue traveling safely.
 なお、図13の(A)のタスク実行状態から、図13の(B)のタスク実行状態からへ変更する場合には、図13の(A)のタスク実行状態を定義する通常タスク動作設定と、図13の(B)のタスク実行状態を定義する異常時タスク動作設定1とを、例えば、メインマイクロコンピュータ110のROM114の記憶領域に格納する。メインCPU111及びサブCPU112に故障ポテンシャルが無く、CPU111,112が正常な状態では、通常タスク動作設定を実行する様にする。一方、サブCPU112に故障ポテンシャルが有ると判定された場合、通常タスク動作設定から、異常時タスク動作設定へ変更する。この通常タスク動作設定から異常時タスク動作設定1への変更は、前述の様に、車両のキーオンにより車両制御装置100aが起動した際に変更するようにする。 When changing from the task execution state of (A) of FIG. 13 to the task execution state of (B) of FIG. 13, normal task operation setting for defining the task execution state of (A) of FIG. The abnormal time task operation setting 1 defining the task execution state of FIG. 13B is stored, for example, in the storage area of the ROM 114 of the main microcomputer 110. When there is no failure potential in the main CPU 111 and the sub CPU 112 and the CPUs 111 and 112 are normal, the normal task operation setting is performed. On the other hand, when it is determined that the sub CPU 112 has a failure potential, the normal task operation setting is changed to the abnormal task operation setting. As described above, the change from the normal task operation setting to the abnormal task operation setting 1 is made when the vehicle control device 100a is activated by the key-on of the vehicle.
 なお、メインCPU111に故障ポテンシャルが有ると判定された場合には、上記と同様な思想により、例えば、メインCPU111で実行されていたタスクBを、サブCPU112へ譲渡する様な、タスクの変更を行うことが出来る。この場合、メインCPU111に故障ポテンシャルが有ると判定された場合に利用される異常時タスク動作設定2を、通常タスク動作設定、異常時タスク動作設定1の他に、設ければよい。この異常時タスク動作設定2は、メインマイクロコンピュータ110のROM114の記憶領域に、通常タスク動作設定、異常時タスク動作設定1とともに格納すればよい。 When it is determined that the main CPU 111 has a failure potential, for example, the task is changed such that the task B executed by the main CPU 111 is transferred to the sub CPU 112 based on the same idea as described above. I can do it. In this case, the abnormal task operation setting 2 used when it is determined that the main CPU 111 has a failure potential may be provided in addition to the normal task operation setting and the abnormal task operation setting 1. The abnormal task operation setting 2 may be stored in the storage area of the ROM 114 of the main microcomputer 110 together with the normal task operation setting and the abnormal task operation setting 1.
 実施例2によれば、故障ポテンシャルが高いCPU(112)が完全に故障する前に、故障ポテンシャルが高いCPU(112)が受け持つ演算制御(タスクD)を他のCPU(111)に譲渡し、車両制御装置(100a)が持つ機能を縮退させることなく、自動車の運転者にCPU故障を通知することができるため、安全かつスムーズに自動車を修理するための移動を行うことができる。 According to the second embodiment, before the CPU (112) having a high failure potential completely fails, the operation control (task D) handled by the CPU (112) having a high failure potential is transferred to another CPU (111). The CPU failure can be notified to the driver of the vehicle without degrading the function of the vehicle control device (100a), so that the movement for repairing the vehicle can be performed safely and smoothly.
 また、実施例2によれば、CPU(112)が完全に故障したとき、故障を検知するまでの故障検知ディレイ時間においても、正常なCPU(111)を使用できる。このため、車両制御装置(100a)の有する本来の運転性能を犠牲にすることが無く、エンジンやトランスミッション等のアクチュエータが急停止や誤作動し、車両が意図しない挙動をすることを防ぐことができる。 Further, according to the second embodiment, when the CPU (112) completely fails, the normal CPU (111) can be used even in the failure detection delay time until the failure is detected. Therefore, it is possible to prevent an unintended behavior of the vehicle due to sudden stop or malfunction of an actuator such as an engine or a transmission without sacrificing the original driving performance of the vehicle control device (100a). .
 また、実施例2によれば、CPU(112)が完全に故障する前に、あらかじめ故障ポテンシャルの高いCPU(112)で演算するタスク(D)を縮退させる。これにより、CPU(112)の演算負荷を下げることかできので、CPU(112)が完全に故障するまでの期間を延長することができる。 Further, according to the second embodiment, before the CPU (112) completely fails, the task (D) to be calculated by the CPU (112) having a high failure potential is degenerated in advance. As a result, the calculation load of the CPU (112) can be reduced, and therefore, the period until the CPU (112) completely fails can be extended.
 図14は、実施例3に係る車両制御装置システムを示す図である。図14に示される車両制御装置システム1bは、図1と同様に、電子制御装置(ECU:Electronic Control Unit)である車両制御装置100bを有する。車両制御装置100bは、車両が搭載する車載機器(例えば、自動変速機、エンジンなど)を電子的に制御する装置である。図14の車両制御装置100bは、図1の車両制御装置100と比較して、メインマイクロコンピュータ110はCPU111のみ有し、サブマイクロコンピュータ120はCPU121のみ有する。この変更に伴い、電流測定部SCM160,162が削除されている。また、メインマイクロコンピュータ110内の比較器116およびサブマイクロコンピュータ120内の比較器126が削除されている。比較器116,126の代わりとして、比較器としての機能を有する信号照合部COMPbが、メインマイクロコンピュータ110およびサブマイクロコンピュータ120とは別の半導体集積回路装置として、車両制御装置100bに設けられる。他の構成は、実施例1と同様であり、その説明は省略される。 FIG. 14 is a diagram showing a vehicle control system according to a third embodiment. The vehicle control system 1b shown in FIG. 14 includes a vehicle control system 100b, which is an electronic control unit (ECU), as in FIG. The vehicle control device 100 b is a device that electronically controls on-vehicle devices (for example, an automatic transmission, an engine, and the like) mounted on the vehicle. Compared with the vehicle control device 100 of FIG. 1, the vehicle control device 100 b of FIG. 14 has only the CPU 111 of the main microcomputer 110 and only the CPU 121 of the sub microcomputer 120. As a result of this change, the current measurement units SCM 160 and 162 are deleted. In addition, the comparator 116 in the main microcomputer 110 and the comparator 126 in the sub microcomputer 120 are deleted. As a substitute for the comparators 116 and 126, a signal collating unit COMPb having a function as a comparator is provided in the vehicle control device 100b as a semiconductor integrated circuit device different from the main microcomputer 110 and the sub microcomputer 120. The other configuration is the same as that of the first embodiment, and the description thereof is omitted.
 信号照合部COMPbは、メインマイクロコンピュータ(第1マイクロコンピュータ)110またはCPU(第1CPU)111の出力信号Smmcとサブマイクロコンピュータ(第2マイクロコンピュータ)120またはCPU(第2CPU)121の出力信号Ssmcとが一致しているか否かを比較する。出力信号Smmcと出力信号Ssmcとが一致の場合、例えば、メインマイクロコンピュータ110の出力信号Smmcが利用されて、信号照合部COMPbは、信号照合部COMPbに接続されるアクチュエータ(ACU)202や信号照合部COMPbにCANバス(CAN bus)を介して接続される表示装置203および電動パワーステアリング装置(EPS)204を駆動する。 The signal collating unit COMPb outputs an output signal Smmc of the main microcomputer (first microcomputer) 110 or CPU (first CPU) 111 and an output signal Ssmc of the sub microcomputer (second microcomputer) 120 or CPU (second CPU) 121. Compare whether they match. When the output signal Smmc and the output signal Ssmc match, for example, the output signal Smmc of the main microcomputer 110 is used, and the signal comparison unit COMPb is connected to the actuator (ACU) 202 connected to the signal comparison unit COMPb or the signal comparison. A display device 203 and an electric power steering device (EPS) 204 connected to the unit COMPb via a CAN bus are driven.
 信号照合部COMPbは、また、メインマイクロコンピュータ110から故障ポテンシャルの診断結果DResult(121)とサブマイクロコンピュータ120から故障ポテンシャルの診断結果DResult(111)とを受けるようにされており、これら診断信号DResult(121)、DResult(111)に従って、図15で説明される故障ポテンシャル診断結果を用いた制御手順が実行される。 The signal collating unit COMPb is also adapted to receive the diagnosis result DResult (121) of the failure potential from the main microcomputer 110 and the diagnosis result DResult (111) of the failure potential from the sub microcomputer 120, and these diagnosis signals DResult (121), the control procedure using the fault potential diagnosis result described in FIG. 15 is executed according to DResult (111).
 図15は、実施例3に係る制御手順を説明する図である。以下、図15を用いて、実施例3の制御手順を説明する。 FIG. 15 is a diagram for explaining a control procedure according to the third embodiment. Hereinafter, the control procedure of the third embodiment will be described with reference to FIG.
 (ステップS500)
 メインマイクロコンピュータ110及びサブマイクロコンピュータ120は、電源が投入されたことを示す電源信号200を受信すると、本フローチャートを開始する。本フローチャートを開始する時点において、メイン電源IC130とサブ電源IC140はそれぞれ電源信号200に従って電力供給を開始済みであるものとする。 (Step S500)
When the main microcomputer 110 and the sub microcomputer 120 receive the power supply signal 200 indicating that the power is turned on, this flowchart is started. At the time of starting this flowchart, it is assumed that the main power supply IC 130 and the sub power supply IC 140 have started to supply power according to the power supply signal 200 respectively.
 (ステップS501)
 信号照合部COMPbは、メインマイクロコンピュータ110の出力信号Smmcとサブマイクロコンピュータ120の出力信号Ssmcとが一致しているか否かを比較し、照合結果が一致するか否かを判定する。信号照合部COMPbの照合結果が一致する場合(YES)は、CPU故障無しとしてステップS502に進む。信号照合部COMPbの照合結果が不一致(NO)の場合は、CPU故障有りとしてステップS503に進む。 (Step S501)
The signal collating unit COMPb compares whether the output signal Smmc of the main microcomputer 110 and the output signal Ssmc of the sub microcomputer 120 match, and determines whether the matching result matches. If the collation results of the signal collating unit COMPb match (YES), it is determined that there is no CPU failure, and the process proceeds to step S502. If the comparison result of the signal comparison unit COMPb does not match (NO), it is determined that there is a CPU failure, and the process proceeds to step S503.
 (ステップS502)
 信号照合部COMPbは、メインマイクロコンピュータ110のCPU111に故障が無いと判定し、メインマイクロコンピュータ110の出力信号Smmcをそのまま使用する。または、サブマイクロコンピュータ120のCPU121に故障が無いと判定し、サブマイクロコンピュータ120の出力信号Ssmcを使用してもよい。 (Step S502)
The signal comparison unit COMPb determines that the CPU 111 of the main microcomputer 110 has no failure, and uses the output signal Smmc of the main microcomputer 110 as it is. Alternatively, it may be determined that the CPU 121 of the submicrocomputer 120 has no failure, and the output signal Ssmc of the submicrocomputer 120 may be used.
 (ステップS503)
 信号照合部COMPbは、ステップS112で格納したCPU111の故障ポテンシャル診断結果(DResult(111))が、正常か否かを判定する。CPU111の故障ポテンシャル診断結果(DResult(111))が正常の場合、ステップS504に進む。CPU111の故障ポテンシャル診断結果(DResult(111))が異常の場合は、ステップS507に進む。 (Step S503)
The signal comparison unit COMPb determines whether the failure potential diagnosis result (DResult (111)) of the CPU 111 stored in step S112 is normal. If the failure potential diagnosis result (DResult (111)) of the CPU 111 is normal, the process proceeds to step S504. If the failure potential diagnosis result (DResult (111)) of the CPU 111 is abnormal, the process proceeds to step S507.
 (ステップS504)
 信号照合部COMPbは、ステップS112で格納したサブマイクロコンピュータ120のCPU121の故障ポテンシャル診断結果(DResult(121))が、正常か否かを判定する。CPU121の故障ポテンシャル診断結果(DResult(121))が正常の場合、ステップS505に進む。CPU121の故障ポテンシャル診断結果(DResult(121))が異常の場合は、ステップS506に進む。 (Step S504)
The signal comparison unit COMPb determines whether the failure potential diagnosis result (DResult (121)) of the CPU 121 of the sub microcomputer 120 stored in step S112 is normal. If the failure potential diagnosis result (DResult (121)) of the CPU 121 is normal, the process proceeds to step S505. If the failure potential diagnosis result (DResult (121)) of the CPU 121 is abnormal, the process proceeds to step S506.
 (ステップS505)
 メインマイクロコンピュータ110のCPU111及びサブマイクロコンピュータ120のCPU121以外に故障があると判断し、車両制御用アクチュエータ202を停止させるなどのフェールセーフ処理に移行する。 (Step S505)
It is determined that there is a failure other than the CPU 111 of the main microcomputer 110 and the CPU 121 of the sub microcomputer 120, and the process shifts to fail-safe processing such as stopping the vehicle control actuator 202.
 (ステップS506)
 信号照合部COMPbは、サブマイクロコンピュータ120のCPU121に故障があるものの、メインマイクロコンピュータ110のCPU111は正常であると判断し、メインマイクロコンピュータ110の出力信号Smmcを使用して通常処理(車両の通常制御の動作)を継続する。 (Step S506)
The signal collating unit COMPb determines that the CPU 111 of the main microcomputer 110 is normal although there is a failure in the CPU 121 of the sub microcomputer 120, and uses the output signal Smmc of the main microcomputer 110 to perform normal processing (normal Continue the control operation).
 (ステップS507)
 ステップS507はステップS504と同様の判定を実施する。CPU121の故障ポテンシャル診断結果(DResult(121))が正常の場合、ステップS508に進む。CPU121の故障ポテンシャル診断結果(DResult(121))が異常の場合は、ステップS509に進む。 (Step S507)
In step S507, the same determination as in step S504 is performed. If the failure potential diagnosis result (DResult (121)) of the CPU 121 is normal, the process proceeds to step S508. If the failure potential diagnosis result (DResult (121)) of the CPU 121 is abnormal, the process proceeds to step S509.
 (ステップS508)
 信号照合部COMPbは、メインマイクロコンピュータ110のCPU111に故障があるものの、サブマイクロコンピュータ120のCPU121は正常であると判断し、メインマイクロコンピュータ110の出力信号Sscmを使用して通常処理(車両の通常制御の動作)を継続する。 (Step S508)
The signal collating unit COMPb determines that the CPU 121 of the sub microcomputer 120 is normal although there is a failure in the CPU 111 of the main microcomputer 110, and performs normal processing using the output signal Sscm of the main microcomputer 110 (normal to vehicle Continue the control operation).
 (ステップS509)
 信号照合部COMPbは、メインマイクロコンピュータ110のCPU111及びサブマイクロコンピュータ120のCPU121どちらにも故障ポテンシャルがあると判断し、車両制御用アクチュエータ202を停止させるなどの安全状態に遷移し、フェールセーフ処理に移行する。 (Step S509)
The signal comparison unit COMPb determines that there is a failure potential in both the CPU 111 of the main microcomputer 110 and the CPU 121 of the sub microcomputer 120, transitions to a safe state such as stopping the vehicle control actuator 202, and performs failsafe processing. Transition.
 なお、信号照合部COMPbは、照合不一致の情報をCPU故障情報として、他ユニットに通知しても良い。また、ステップS505またはステップS509に移行したときのみ、CPU故障情報を他ユニットに通知するとしてもよい。 Note that the signal comparison unit COMPb may notify the other units of the information on the comparison failure as the CPU failure information. Further, CPU failure information may be notified to other units only when the process proceeds to step S505 or step S509.
 実施例3によれば、実施例1と同様な効果を得る事が可能であり、現時点ではCPUは正常に演算できるが将来的に故障する可能性がある状態を早期の段階で検出することができる。 According to the third embodiment, it is possible to obtain the same effect as that of the first embodiment, and at the present stage, the CPU can normally calculate, but it is possible to detect in the early stage a state that may fail in the future. it can.
 CPU故障ポテンシャル診断の結果から、故障したCPUを特定することができるので、CPUの故障発生時やCPUの異常発生時において、故障していない正常なCPUを有効に利用して、車両制御を縮退させることなく、運転性能を維持可能な車両制御装置(100b)を提供することが出来る。 Since a faulty CPU can be identified from the result of the CPU fault potential diagnosis, vehicle control is degenerated by effectively using a normal CPU that is not faulty at the time of CPU fault occurrence or CPU anomaly occurrence. It is possible to provide a vehicle control device (100b) capable of maintaining the driving performance without causing the vehicle control.
 以上、本発明者によってなされた発明を実施例に基づき具体的に説明したが、本発明は、上記実施形態および実施例に限定されるものではなく、種々変更可能であることはいうまでもない。 As mentioned above, although the invention made by the present inventor was concretely explained based on an example, the present invention is not limited to the above-mentioned embodiment and an example, and it can not be overemphasized that it can change variously .
100:車両制御装置110:メインマイクロコンピュータ(MMC)111:メインCPU(MCPU)112:サブCPU(SCPU)113:RAM114:ROM115:温度センサ(TSEN)116:比較器(COMP)120:サブマイクロコンピュータ(SMC)130:メイン電源IC(MPSP)140:サブ電源IC(SPSP)150:メインCPU電流測定部(MCM)160:サブCPU電流測定部(SCM)200:電源信号(PS)201:バッテリ(BAT)202:アクチュエータ(ACU)203:表示装置(DISP)L1,L2,L3,L4:接続線 100: vehicle control device 110: main microcomputer (MMC) 111: main CPU (MCPU) 112: sub CPU (SCPU) 113: RAM 114: ROM 115: temperature sensor (TSEN) 116: comparator (COMP) 120: sub microcomputer (SMC) 130: main power supply IC (MPSP) 140: sub power supply IC (SPSP) 150: main CPU current measurement unit (MCM) 160: sub CPU current measurement unit (SCM) 200: power supply signal (PS) 201: battery (battery) BAT) 202: Actuator (ACU) 203: Display device (DISP) L1, L2, L3, L4: Connection line

Claims (17)

  1.  メインCPUとサブCPUとを有するマイクロコンピュータと、
     電源部と、
     前記電源部と前記メインCPUとを接続する第1接続線と、
     前記電源部と前記サブCPUとを接続する第2接続線と、
     前記第1接続線に流れる電流値と前記第2接続線に流れる電流値とを検出する電流検出部と、を有し、
     前記マイクロコンピュータは、前記第1接続線と前記第2接続線の一方に流れる前記電流値が設定値より大きく、かつ、前記第1接続線と前記第2接続線の他方に流れる前記電流値が前記設定値以下の場合、前記他方に接続される前記メインCPU、又は前記サブCPUを用いて運転を継続する、車両制御装置。     A microcomputer having a main CPU and a sub CPU;
    A power supply unit,
    A first connection line connecting the power supply unit and the main CPU;
    A second connection line connecting the power supply unit and the sub CPU;
    A current detection unit that detects a current value flowing through the first connection line and a current value flowing through the second connection line;
    In the microcomputer, the current value flowing to one of the first connection line and the second connection line is larger than a set value, and the current value flowing to the other of the first connection line and the second connection line is The vehicle control apparatus which continues driving | running | working using the said main CPU or said sub CPU connected to said other, when below the said setting value.
  2.  請求項1の車両制御装置において、
     前記マイクロコンピュータは、前記メインCPUからの出力信号と前記サブCPUからの出力信号とを比較する比較部と、を有し、
     前記マイクロコンピュータは、前記比較部の比較結果が不一致の場合、前記メインCPUおよび前記サブCPUのうち、前記電流値が前記設定値以下の前記メインCPU又は前記サブCPUを用いて車両の運転を継続する、車両制御装置。     In the vehicle control device according to claim 1,
    The microcomputer includes a comparison unit that compares an output signal from the main CPU with an output signal from the sub CPU.
    The microcomputer continues the driving of the vehicle using the main CPU or the sub CPU having the current value equal to or less than the set value among the main CPU and the sub CPU when the comparison result of the comparing unit is not identical. Vehicle control device.
  3.  請求項1の車両制御装置において、
     前記電流値は、リーク電流値である、車両制御装置。     In the vehicle control device according to claim 1,
    The vehicle control device, wherein the current value is a leak current value.
  4.  請求項3の車両制御装置において、
     温度センサを有し、
     前記リーク電流値は、前記温度センサからの温度情報と前記マイクロコンピュータの製造時のリーク電流値とにより、補正されたリーク電流値である、車両制御装置。     In the vehicle control device according to claim 3,
    Has a temperature sensor,
    The vehicle control device according to claim 1, wherein the leak current value is a leak current value corrected by the temperature information from the temperature sensor and the leak current value at the time of manufacture of the microcomputer.
  5.  請求項4の車両制御装置において、
     前記電流検出部は、前記マイクロコンピュータがスタンバイ状態とされる時、前記電流値を検出し、
     前記補正されたリーク電流値は、前記電流値と、前記温度情報と、リーク電流と温度との相関を表す温度補正マップと、前記マイクロコンピュータの製造時のリーク電流値と、により算出される、車両制御装置。     In the vehicle control device according to claim 4,
    The current detection unit detects the current value when the microcomputer is in the standby state,
    The corrected leak current value is calculated from the current value, the temperature information, a temperature correction map representing the correlation between the leak current and the temperature, and the leak current value at the time of manufacturing the microcomputer. Vehicle control device.
  6.  メインCPUとサブCPUとを有するマイクロコンピュータと、
     電源部と、
     前記電源部と前記メインCPUとを接続する第1接続線と、
     前記電源部と前記サブCPUとを接続する第2接続線と、
     前記第1接続線に流れる電流値と前記第2接続線に流れる電流値とを検出する電流検出部と、を有し、
     前記マイクロコンピュータは、前記第1接続線と前記第2接続線の一方に流れる前記電流値が設定値より大きく、かつ、前記第1接続線と前記第2接続線の他方の接続線を流れる前記電流値が前記設定値以下の場合、前記他方の接続線に接続される前記メインCPU、又は前記サブCPUに割り当てる機能を変更する、車両制御装置。     A microcomputer having a main CPU and a sub CPU;
    A power supply unit,
    A first connection line connecting the power supply unit and the main CPU;
    A second connection line connecting the power supply unit and the sub CPU;
    A current detection unit that detects a current value flowing through the first connection line and a current value flowing through the second connection line;
    In the microcomputer, the current value flowing through one of the first connection line and the second connection line is larger than a set value, and the microcomputer flows through the other connection line of the first connection line and the second connection line. The vehicle control device which changes the function assigned to the main CPU or the sub CPU connected to the other connection line when the current value is equal to or less than the set value.
  7.  第1CPUと、
     第2CPUと、
     前記第1CPUからの出力信号と前記第2CPUからの出力信号とを比較する比較部と、
    を含み、
     前記第1CPUのリーク電流値と前記第2CPUのリーク電流値とを、しきい値と比較し、前記第1CPUおよび前記第2CPUの故障ポテンシャルを判断し、
     前記比較部の比較結果が不一致の場合、前記第1CPUおよび前記第2CPUのうち、前記故障ポテンシャルの低い前記第1CPUまたは前記第2CPUを用いて、車両の運転を継続させる、車両制御装置。     The first CPU,
    The second CPU,
    A comparison unit that compares an output signal from the first CPU with an output signal from the second CPU;
    Including
    Comparing the leak current value of the first CPU and the leak current value of the second CPU with a threshold to determine the failure potential of the first CPU and the second CPU;
    A vehicle control device which continues driving of a vehicle using the first CPU or the second CPU having the low failure potential among the first CPU and the second CPU when the comparison result of the comparing unit is not identical.
  8.  請求項7の車両制御装置において、
     前記第1CPU、前記第2CPU、および、前記比較部を内蔵するマイクロコンピュータと、
     電源部と、
     前記電源部と前記第1CPUとを接続する第1接続線と、
     前記電源部と前記第2CPUとを接続する第2接続線と、
     前記第1接続線に流れる電流値と前記第2接続線に流れる電流値とを検出する電流測定部と、
     温度センサと、を有する、車両制御装置。     In the vehicle control device according to claim 7,
    A microcomputer incorporating the first CPU, the second CPU, and the comparison unit;
    A power supply unit,
    A first connection line connecting the power supply unit and the first CPU;
    A second connection line connecting the power supply unit and the second CPU;
    A current measuring unit that detects a current value flowing through the first connection line and a current value flowing through the second connection line;
    And a temperature sensor.
  9.  請求項8の車両制御装置において、
     前記第1CPUのリーク電流値と前記第2CPUのリーク電流値とは、前記電流測定部により測定された前記電流値を、前記マイクロコンピュータの製造時のリーク電流値と、前記温度センサからの温度情報と、リーク電流と温度との相関を表す温度補正マップとにより、補正されたリーク電流値である、車両制御装置。     In the vehicle control device according to claim 8,
    The leak current value of the first CPU and the leak current value of the second CPU are the current value measured by the current measurement unit, the leak current value at the time of manufacture of the microcomputer, and temperature information from the temperature sensor. The vehicle control device, which is a leak current value corrected by the temperature correction map that represents the correlation between the leak current and the temperature.
  10.  請求項9の車両制御装置において、
     前記電流測定部は、前記マイクロコンピュータがスタンバイ状態とされる時、前記電流値を検出する、車両制御装置。     In the vehicle control device according to claim 9,
    The vehicle control device, wherein the current measuring unit detects the current value when the microcomputer is in a standby state.
  11.  請求項7の車両制御装置において、
     前記第1CPUを内蔵する第1マイクロコンピュータと、
     前記第2CPUを内蔵する第2マイクロコンピュータと、
     電源部と、
     前記電源部と前記第1CPUとを接続する第1接続線と、
     前記電源部と前記第2CPUとを接続する第2接続線と、
     前記第1接続線に流れる第1電流値を検出する第1電流測定部と、
     前記第2接続線に流れる第2電流値と検出する第2電流測定部と、
     温度センサと、を有する、車両制御装置。     In the vehicle control device according to claim 7,
    A first microcomputer incorporating the first CPU;
    A second microcomputer incorporating the second CPU;
    A power supply unit,
    A first connection line connecting the power supply unit and the first CPU;
    A second connection line connecting the power supply unit and the second CPU;
    A first current measurement unit that detects a first current value flowing through the first connection line;
    A second current measurement unit that detects a second current value flowing to the second connection line;
    And a temperature sensor.
  12.  請求項11の車両制御装置において、
     前記第1CPUのリーク電流値は、前記第1電流値を、前記第1マイクロコンピュータの製造時のリーク電流値と、前記温度センサからの温度情報と、リーク電流と温度との相関を表す温度補正マップとにより、補正されたリーク電流値であり、
     前記第2CPUのリーク電流値は、前記第2電流値を、前記第2マイクロコンピュータの製造時のリーク電流値と、前記温度センサからの温度情報と、リーク電流と温度との相関を表す温度補正マップとにより、補正されたリーク電流値である、車両制御装置。     In the vehicle control device according to claim 11,
    The leak current value of the first CPU is a temperature correction that represents the first current value, the leak current value at the time of manufacturing the first microcomputer, the temperature information from the temperature sensor, and the correlation between the leak current and the temperature. It is the leak current value corrected by the map and
    The leak current value of the second CPU is a temperature correction that represents the correlation between the leak current value at the time of manufacturing the second microcomputer, the temperature information from the temperature sensor, the leak current and the temperature of the second current value. The vehicle control device which is the leak current value corrected by the map.
  13.  請求項12の車両制御装置において、
     前記第1マイクロコンピュータは、前記第2電流測定部に接続された第1アナログデジタル変換回路を有し、
     前記第2マイクロコンピュータは、前記第1電流測定部に接続された第2アナログデジタル変換回路を有する、車両制御装置。     In the vehicle control device according to claim 12,
    The first microcomputer has a first analog-to-digital converter circuit connected to the second current measurement unit,
    The vehicle control device, wherein the second microcomputer includes a second analog-to-digital converter connected to the first current measurement unit.
  14.  請求項13の車両制御装置において、
     前記第1アナログデジタル変換回路は、前記第2マイクロコンピュータがスタンバイ状態のとき、前記第2電流測定部を用いて、前記第2電流値を計測し、
     前記第2アナログデジタル変換回路は、前記第1マイクロコンピュータがスタンバイ状態のとき、前記第1電流測定部を用いて、前記第1電流値を計測する、車両制御装置。     In the vehicle control device according to claim 13,
    The first analog-to-digital converter circuit measures the second current value using the second current measurement unit when the second microcomputer is in the standby state.
    The vehicle control device, wherein the second analog-to-digital converter circuit measures the first current value using the first current measuring unit when the first microcomputer is in the standby state.
  15.  請求項14の車両制御装置において、
     前記第1マイクロコンピュータと前記第2マイクロコンピュータの一方がスタンバイ状態とされ、前記第1マイクロコンピュータと前記第2マイクロコンピュータの他方が起動状態とされ、
     前記起動状態とされた前記第1マイクロコンピュータまたは前記第2マイクロコンピュータにより、前記スタンバイ状態とされた前記第1マイクロコンピュータの前記第1電流値または前記第2マイクロコンピュータの前記第2電流値が計測される、車両制御装置。     In the vehicle control device according to claim 14,
    One of the first microcomputer and the second microcomputer is in the standby state, and the other of the first microcomputer and the second microcomputer is in the activation state.
    The first current value of the first microcomputer or the second current value of the second microcomputer of the first microcomputer in the standby state is measured by the first microcomputer or the second microcomputer in the activated state. Vehicle control device to be done.
  16.  請求項15の車両制御装置において、
     前記スタンバイ状態とされた前記第1マイクロコンピュータの前記第1電流値または前記第2マイクロコンピュータの前記第2電流値の計測は、前記第1マイクロコンピュータおよび前記第2マイクロコンピュータがセルフシャット処理を完了した後、行われる、車両制御装置。     In the vehicle control device according to claim 15,
    In the measurement of the first current value of the first microcomputer or the second current value of the second microcomputer in the standby state, the first microcomputer and the second microcomputer complete the self shut process. Vehicle control device to be done after.
  17.  請求項16の車両制御装置において、
     前記セルフシャット処理毎に、前記第1マイクロコンピュータと前記第2マイクロコンピュータの前記スタンバイ状態および前記起動状態が切り替えられる、車両制御装置。     In the vehicle control device according to claim 16,
    The vehicle control device, wherein the standby state and the activation state of the first microcomputer and the second microcomputer are switched every time the self shut processing.
PCT/JP2018/037657 2017-10-24 2018-10-10 Vehicle control device WO2019082647A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2019550964A JP6807467B2 (en) 2017-10-24 2018-10-10 Vehicle control device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2017205116 2017-10-24
JP2017-205116 2017-10-24

Publications (1)

Publication Number Publication Date
WO2019082647A1 true WO2019082647A1 (en) 2019-05-02

Family

ID=66246924

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/037657 WO2019082647A1 (en) 2017-10-24 2018-10-10 Vehicle control device

Country Status (2)

Country Link
JP (1) JP6807467B2 (en)
WO (1) WO2019082647A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020233937A1 (en) * 2019-05-17 2020-11-26 Knorr-Bremse Systeme für Nutzfahrzeuge GmbH Device and method for controlling the current of an actuator
KR102191169B1 (en) * 2019-11-26 2020-12-16 주식회사 오비고 Method for preventing possible malfunctions of dcu occuring during autonomous driving by referring to ads using outputs of heterogeneous dcus and method using the same
WO2021111554A1 (en) * 2019-12-04 2021-06-10 三菱電機株式会社 Vehicle control device

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102537986B1 (en) * 2021-11-19 2023-05-31 주식회사 모베이스전자 Redundancy control system for autonomous vehicles

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007125950A (en) * 2005-11-02 2007-05-24 Toyota Motor Corp Power supply management system for electronic control device for vehicle
JP2012073748A (en) * 2010-09-28 2012-04-12 Denso Corp Control device
JP2015035073A (en) * 2013-08-08 2015-02-19 ルネサスエレクトロニクス株式会社 Semiconductor device and semiconductor device control method
JP2017134717A (en) * 2016-01-29 2017-08-03 矢崎総業株式会社 Power supply control system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007125950A (en) * 2005-11-02 2007-05-24 Toyota Motor Corp Power supply management system for electronic control device for vehicle
JP2012073748A (en) * 2010-09-28 2012-04-12 Denso Corp Control device
JP2015035073A (en) * 2013-08-08 2015-02-19 ルネサスエレクトロニクス株式会社 Semiconductor device and semiconductor device control method
JP2017134717A (en) * 2016-01-29 2017-08-03 矢崎総業株式会社 Power supply control system

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020233937A1 (en) * 2019-05-17 2020-11-26 Knorr-Bremse Systeme für Nutzfahrzeuge GmbH Device and method for controlling the current of an actuator
CN113841313A (en) * 2019-05-17 2021-12-24 克诺尔商用车制动系统有限公司 Apparatus and method for current control of an actuator
CN113841313B (en) * 2019-05-17 2023-09-22 克诺尔商用车制动系统有限公司 Apparatus and method for current control of an actuator
US11791618B2 (en) 2019-05-17 2023-10-17 Knorr-Bremse Systeme Fuer Nutzfahrzeuge Gmbh Device and method for controlling the current of an actuator
KR102191169B1 (en) * 2019-11-26 2020-12-16 주식회사 오비고 Method for preventing possible malfunctions of dcu occuring during autonomous driving by referring to ads using outputs of heterogeneous dcus and method using the same
WO2021111554A1 (en) * 2019-12-04 2021-06-10 三菱電機株式会社 Vehicle control device
JPWO2021111554A1 (en) * 2019-12-04 2021-06-10
JP7199572B2 (en) 2019-12-04 2023-01-05 三菱電機株式会社 vehicle controller

Also Published As

Publication number Publication date
JP6807467B2 (en) 2021-01-06
JPWO2019082647A1 (en) 2020-08-06

Similar Documents

Publication Publication Date Title
JP6807467B2 (en) Vehicle control device
US9952948B2 (en) Fault-tolerance pattern and switching protocol for multiple hot and cold standby redundancies
KR0158132B1 (en) Self-diagnosing system and method for engine electronic controller
US20190217867A1 (en) Method for operating an electrical system of a motor vehicle
US6901350B2 (en) Method and device for monitoring the functioning of a system
KR102071404B1 (en) Apparatus and Method for implementing fail safe in Battery Management System
JP5541246B2 (en) Electronic control unit
US20180238959A1 (en) Method for detecting electrical faults in a current supply of a consumer
CN114968646A (en) Functional fault processing system and method
JP2022509565A (en) Methods and Devices for Monitoring Power Semiconductor Gate Signals
JP4748181B2 (en) Semiconductor device test apparatus and test method
US11820252B2 (en) Battery diagnostic device, battery diagnostic method, battery diagnostic program, and vehicle
JP7099793B2 (en) Abnormality diagnosis system and method of main control unit
US20160335818A1 (en) System and method for controlling, by engine control unit, fault code
JP2021160397A (en) Failure cause estimation method and device for power supply system in vehicle
EP4280217A2 (en) Defect detecting system of automotive apparatus
WO2018079163A1 (en) Vehicle control unit
KR20180053155A (en) An Apparatus And A Method For Detecting Short Circuit Of A Controller
EP4145150B1 (en) On-chip checker for on-chip safety area
KR102238158B1 (en) Method for functional test of vehicle multi controller
US20240072639A1 (en) Junction Box Having Parallel Switch Failure Detection
Oswald et al. Design Considerations for an On-Board Computer System
JP2021120234A (en) On-vehicle control device
JP2021097489A (en) Voltage monitoring circuit and power unit
CN109690333B (en) Electronic control device and method for diagnosing connection state of electronic control device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18871695

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2019550964

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18871695

Country of ref document: EP

Kind code of ref document: A1