WO2019082647A1 - Dispositif de commande de véhicule - Google Patents

Dispositif de commande de véhicule

Info

Publication number
WO2019082647A1
WO2019082647A1 PCT/JP2018/037657 JP2018037657W WO2019082647A1 WO 2019082647 A1 WO2019082647 A1 WO 2019082647A1 JP 2018037657 W JP2018037657 W JP 2018037657W WO 2019082647 A1 WO2019082647 A1 WO 2019082647A1
Authority
WO
WIPO (PCT)
Prior art keywords
cpu
microcomputer
current value
vehicle control
control device
Prior art date
Application number
PCT/JP2018/037657
Other languages
English (en)
Japanese (ja)
Inventor
文博 大澤
啓人 栗原
暢紀 長濱
Original Assignee
日立オートモティブシステムズ株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日立オートモティブシステムズ株式会社 filed Critical 日立オートモティブシステムズ株式会社
Priority to JP2019550964A priority Critical patent/JP6807467B2/ja
Publication of WO2019082647A1 publication Critical patent/WO2019082647A1/fr

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/02Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures

Definitions

  • the present invention relates to a vehicle control device that controls devices mounted on a vehicle.
  • a vehicle control device that controls devices mounted on the vehicle includes a microcomputer that performs control calculations.
  • the microcomputer generally includes a CPU (Central Processing Unit), a ROM (Read Only Memory) which is a non-volatile memory, and a RAM (Random Access Memory) which is a volatile memory.
  • the CPU is an arithmetic unit for calculating and controlling information stored in the RAM and the ROM. If the CPU fails, the microcomputer can not carry out the correct operation, causing a failure. Therefore, the vehicle control device has a function of diagnosing the CPU.
  • Patent Document 1 describes a failure diagnosis method of a control CPU.
  • a control CPU and a monitoring CPU are provided, and the control CPU and the monitoring CPU communicate with each other to confirm that they are in a normal state.
  • Patent Document 2 describes a method of collating output results to detect an abnormality when the same input is given to a plurality of CPUs.
  • failsafe processing when an abnormality occurs in the computer or the CPU, failsafe processing is performed so that the car is not in a dangerous state.
  • An example of failsafe processing is described below.
  • the control unit of the automatic transmission when the CPU of the control unit of the automatic transmission breaks down, the control unit of the automatic transmission is controlled to prevent the occurrence of an unintended shift, because the actuator for realizing the shift control of the automatic transmission does not operate properly.
  • JP 2003-97344 A Japanese Patent Application Laid-Open No. 2000-172521
  • the CPU failure diagnosis method described in Patent Documents 1 and 2 has a problem that it can not be determined as a CPU failure unless the CPU is completely broken. Another problem is that it is difficult to detect which CPU has failed. Also, when a CPU failure occurs, despite having a microcomputer or CPU that has not failed, transition to fail-safe processing is performed, and the vehicle as a whole still has the potential to be able to travel normally. There is also a problem that the driving performance is lowered.
  • An object of the present invention is a vehicle control apparatus capable of maintaining a driving performance by specifying a normal CPU which has not failed and effectively using a normal CPU which has not failed when a CPU abnormality occurs. It is to provide.
  • the vehicle control device connects a microcomputer having a main CPU and a sub CPU, a power supply unit, a first connection line connecting the power supply unit and the main CPU, and the power supply unit and the sub CPU A second connection line, and a current detection unit that detects a current value flowing through the first connection line and a current value flowing through the second connection line.
  • the current value flowing through one of the first connection line and the second connection line is larger than a set value
  • the current value flowing through the other of the first connection line and the second connection line is If it is less than the set value, the operation is continued using the main CPU or the sub CPU connected to the other.
  • the vehicle control device According to the vehicle control device according to the present invention, it is possible to maintain the driving performance by effectively using a normal CPU that is not broken even when an abnormality occurs in the CPU.
  • FIG. 1 is a diagram showing a vehicle control system according to a first embodiment. It is a figure showing an example of notional composition of a microcomputer. It is a figure which shows the conceptual structural example of a power supply part. It is a figure for demonstrating the structure of a current measurement part. It is a figure for demonstrating increase of leakage current. It is a figure for demonstrating the correction method of the increase part of leakage current. It is a figure which shows the structural example of the address space of ROM114, ROM124. 7 is a flowchart illustrating an example of a failure potential diagnosis procedure according to the first embodiment. 7 is a flowchart illustrating an example of a failure potential diagnosis procedure according to the first embodiment. FIG.
  • FIG. 7 is a diagram for explaining the execution timing of fault potential diagnosis according to the first embodiment. It is a figure explaining the implementation timing of the failure potential diagnosis which concerns on the modification 1.
  • FIG. FIG. 18 is a diagram for explaining the execution timing of failure potential diagnosis according to the second modification.
  • FIG. 18 is a diagram for explaining the execution timing of failure potential diagnosis according to the third modification.
  • FIG. 7 is a diagram for explaining a control procedure according to the first embodiment.
  • FIG. 7 is a diagram showing a vehicle control system according to a second embodiment.
  • FIG. 10 is a diagram for explaining a control procedure according to the second embodiment.
  • FIG. 18 is a diagram for explaining an example of change of assignment of control tasks according to the second embodiment.
  • FIG. 7 is a view showing a vehicle control system according to a third embodiment.
  • FIG. 13 is a diagram for explaining a control procedure according to a third embodiment.
  • the CPU included in the microcomputer of the vehicle control device causes the foreign matter mixed in the semiconductor manufacturing process to short-circuit the adjacent transistor or wiring, and the transistor deterioration failure due to long-term use, etc. There is a possibility of failure without depending on it.
  • a general CPU failure diagnosis method it is possible to detect a CPU failure when a transistor constituting the CPU completely fails and the CPU operation result comes to output a value different from the originally intended operation result. it can.
  • the general CPU failure diagnosis method has a problem that it can not be determined as a CPU failure unless the CPU is completely in failure.
  • the output result of the CPU is used in the same manner as in the normal operation, so the CPU erroneous operation
  • the result may be used.
  • the vehicle behaves in an unintended manner, for example, by giving an incorrect instruction to the actuator or transmitting an incorrect information to another unit.
  • failsafe control is performed such that the vehicle is in a safe state, and in general, the driving performance of the vehicle is reduced, or The vehicle can not run.
  • the adjacent transistor may be short-circuited to cause failure of the CPU.
  • the potential fluctuation caused by the short circuit may remain to such an extent that it does not reach the determination threshold.
  • a failure is diagnosed by a lock step method in which a plurality of CPUs are used and output values when the same input signal is given are compared.
  • this lock step method although it is possible to detect even if a failure occurs in either of the CPUs, there is a problem that it is difficult to detect which CPU has failed.
  • a CPU incorporated in a microcomputer detects a CPU failure as early as possible by judging a failure potential of the CPU caused by foreign particles mixed in during manufacturing or aging. Can.
  • a maintainable vehicle control system (100) can be provided.
  • the CPU (111, 112, 121, 122) is a power supply line (connection line: L1) supplying power to the CPU by shorting or aging of the transistor causing the failure of the CPU. , L 2, L 3, L 4)), and focus on the feature of increasing current (leakage current). Detecting and measuring the value of the leak current of the CPU using current measurement units (current detection units: 150, 160, 152, 162), and judging the deterioration state of the transistor from the value or amount of the measured leak current Can. That is, the failure potential of the CPU can be determined.
  • current measurement units current detection units: 150, 160, 152, 162
  • the current flowing through the power supply line of the CPU includes the leak current component of the CPU and the drive current component of the CPU, and excluding the drive current component of the CPU, the leak of the CPU It is necessary to measure only the current component.
  • the operation state of the CPU is a state in which the CPU is not driving (a non-calculation state), that is, a standby state
  • the driving current component of the CPU zero.
  • the CPU in the driven state is used to measure the current flowing to the CPU in the standby state.
  • This current is treated as CPU leak current (Ileak 2) for fault potential diagnosis.
  • Ileak 2 CPU leak current
  • the CPU leak current (Ileak 2) for fault potential diagnosis includes variations due to manufacturing variations of the microcomputer or CPU and variations due to temperature changes of the microcomputer or CPU, excluding these variation factors of the leak current, It is necessary to extract only the increase in CPU leak current due to transistor degradation. For this reason, it is necessary to correct the measured value of the CPU leak current for failure potential diagnosis. Correction of leak current variation due to manufacturing variation of microcomputer or CPU and leak current variation due to temperature change are corrected.
  • the CPU leak current value (Ileak1) for fault potential diagnosis As a method of correcting leak current variation due to manufacturing variation of microcomputer or CPU, measure CPU leak current value (Ileak1) for fault potential diagnosis at the time of microcomputer or CPU production, and store memory area (ROM: 114, 124) of microcomputer. ) Is stored as a leak current value at the time of CPU manufacture. By subtracting the leak current value (Ileak1) at the time of microcomputer manufacture or CPU manufacturing from CPU leak current value (Ileak2) for current failure potential diagnosis, increase in leak current from manufacture time of microcomputer or CPU to the present The minutes ( ⁇ Ileak) can be extracted. Let this be the increase amount of CPU leak current before temperature correction. Further, the CPU leak current value (Ileak1) for failure potential diagnosis may be stored by measuring the CPU leak current for failure potential diagnosis at the time of manufacture of the vehicle control device, not at the time of manufacture of the microcomputer or CPU.
  • a correlation map (TCM) of the temperature of the CPU and the leak current of the CPU can be prepared in advance.
  • the temperature of the microcomputer or CPU can be measured by a temperature sensor (TSEN: 115, 125) built in the microcomputer. Alternatively, it may be estimated from temperature information from a temperature sensor disposed on the substrate of the vehicle control device (1). From the measured CPU temperature and the CPU leak current temperature change map (TCM), it is possible to calculate the amount of change in CPU leak current due to temperature.
  • the CPU leak current increase amount ( ⁇ Ileakc) after the temperature correction can be calculated using the CPU leak current increase amount ( ⁇ Ileak) before the temperature correction and the CPU leak current change amount (Icv) due to the temperature.
  • the increase amount ( ⁇ Ileakc) of the CPU leak current after the temperature correction is larger than the determination threshold (TH) of the increase amount of the current determined to have a predetermined failure potential, the CPU has not completely failed. However, it can be determined that it has a potential for failure in the future.
  • the determination threshold can be regarded as a set value or a predetermined value.
  • the measurement of the leak current and the CPU failure potential diagnosis can be performed at any timing, but it is effective to carry out at the time of starting or shutdown of the vehicle control device in order to put at least one CPU in the standby state. Also, the combination of CPUs to be diagnosed may be changed at each startup or every shutdown (FIGS. 9A, 9B, 9C, 9D).
  • the CPU can calculate normally at the present time, but can detect a state in which it may fail in the future at an early stage.
  • failure-safe processing such as stopping the vehicle control actuator is generally executed by degenerating the vehicle control even if there is another normal CPU.
  • the vehicle control is degenerated by using the normal CPU which is not failed when the failure of the CPU occurs.
  • the traveling performance of the vehicle can be maintained without causing
  • the operation control that the CPU having a high failure potential takes over is transferred to another CPU, and the vehicle control device does not degenerate functions. Since the driver can be notified of the CPU failure, it is possible to move safely and smoothly to repair the vehicle.
  • the normal CPU when the CPU completely fails, the normal CPU can be used even in the failure detection delay time until the failure is detected, so that the original operation performance is not sacrificed. It is possible to prevent the vehicle from acting unintended due to sudden stop or malfunction of an actuator such as a transmission or the like.
  • the CPU operation load is reduced by degenerating the task calculated by the CPU having a high failure potential in advance, thereby extending the time until the CPU completely fails. can do.
  • FIG. 1 is a diagram showing a vehicle control system according to a first embodiment.
  • the vehicle control device system 1 includes a vehicle control device 100 which is an electronic control unit (ECU: Electronic Control Unit).
  • the vehicle control device 100 is a device that electronically controls on-vehicle devices (for example, an automatic transmission, an engine, and the like) mounted on the vehicle.
  • the vehicle control device 100 includes a main microcomputer (MMC) 110, a sub microcomputer (SMC) 120, a main power supply unit (MPSP) 130, a sub power supply unit (SPSP) 140, and a main CPU current measurement unit (MCM) 150, 152, A sub CPU current measurement unit (SMCM) 160, 162 and a temperature sensor 170 are provided.
  • the main microcomputer (MMC) 110 may be referred to as a first microcomputer
  • the sub microcomputer (SMC) 120 may be referred to as a second microcomputer.
  • the main microcomputer 110 is a microcomputer or a microcontroller that controls in-vehicle devices mounted on a vehicle.
  • the main microcomputer 110 controls on-vehicle equipment by controlling, for example, an actuator (ACU) 202.
  • ACU actuator
  • a message can be displayed via the display device (DISP) 203.
  • the message may be in any form, for example, a message such as a character or an image, a notification by lighting a lamp, or the like.
  • the main microcomputer (MMC) 110 is a semiconductor integrated circuit device, and is formed, for example, by forming a plurality of CMOS transistors on a semiconductor chip such as single crystal silicon by a known CMOS semiconductor manufacturing technology. .
  • the main microcomputer (MMC) 110 includes a main CPU (MCPU: first CPU) 111, a sub CPU (SCPU: second CPU) 112, a random access memory (RAM) 113 which is a volatile memory, and a ROM (read) which is a non-volatile memory. Only memory (114), a temperature sensor (TSEN) 115 capable of measuring the temperature of the main microcomputer 110, a comparator (COMP) 116, and an analog-to-digital converter (ADC) 117.
  • MCPU main CPU
  • SCPU sub CPU
  • RAM random access memory
  • ROM read
  • Only memory 114
  • TSEN temperature sensor
  • COMP comparator
  • ADC analog-to-digital converter
  • the main CPU 111 and the sub CPU 112 are arithmetic devices that perform control calculations necessary to control the in-vehicle device.
  • the RAM 113 temporarily stores data used by the main CPU 111 and the sub CPU 112.
  • the ROM 114 stores control programs executed by the main CPU 111 and the sub CPU 112, diagnostic processing glomograms described later, etc., and information received by the main CPU 111 and the sub CPU 112, received from the sub microcomputer 120 and other in-vehicle devices. Information can be stored.
  • the comparator 116 supplies the same input information to the main CPU 111 and the sub CPU 112, and collates the output results of the main CPU 111 and the sub CPU 112.
  • This configuration is a general lock step system.
  • a power supply line (first connection line) L1 provided between the main CPU 111 and the main power supply unit 130 includes a main current measurement unit (current detection unit) 150 that measures a drive current of the main CPU 111.
  • the power supply line (second connection line) L2 provided between the sub CPU 112 and the main power supply unit 130 includes a sub current measurement unit (current detection unit) 160 that measures the drive current of the sub CPU 112.
  • the analog-to-digital converter (ADC) 127 of the sub-microcomputer 120 which will be described later, is connected to the main current measuring unit 150 and the sub-current measuring unit 160 via the measurement wirings LM1 and LM2, Second connection line) Measure the current value of the drive current of the main CPU 111 and the sub CPU 112 flowing through the L1 and L2.
  • the sub microcomputer 120 has the same configuration as the main microcomputer 110. That is, submicrocomputer (SMC) 120 is a semiconductor integrated circuit device, and is formed, for example, by forming a plurality of CMOS transistors on a semiconductor chip such as single crystal silicon by a known CMOS semiconductor manufacturing technology. ing.
  • SMC submicrocomputer
  • the sub microcomputer (SMC) 120 includes a main CPU (MCPU) 121, a sub CPU (SCPU) 122, a random access memory (RAM) 123 which is a volatile memory, a read only memory (ROM) 124 which is a non-volatile memory, A temperature sensor (TSEN) 125 capable of measuring the temperature of the microcomputer 120, a comparator (COMP) 126, and an analog-to-digital converter (ADC) 127 are provided.
  • the main CPU 121 and the sub CPU 122 are arithmetic devices that perform control calculations necessary to control the in-vehicle device.
  • the RAM 123 temporarily stores data used by the main CPU 121 and the sub CPU 122.
  • the ROM 124 stores control programs executed by the main CPU 121 and the sub CPU 122, diagnostic processing glomograms to be described later, etc., and information received by the main CPU 121 and the sub CPU 122 and received from the main microcomputer 110 and other in-vehicle devices. Information can be stored.
  • the comparator 126 gives the same input information to the main CPU 121 and the sub CPU 122, and collates the output results of the main CPU 121 and the sub CPU 122. If there is no abnormality in the main CPU 121 and the sub CPU 122, the comparison results of the comparator 126 match. When the comparison result of the comparator 126 does not match, an abnormality of the main CPU 121 or the sub CPU 122 can be detected.
  • This configuration is a general lock step system.
  • the function of the sub microcomputer 120 may be limited to detecting the functional abnormality of the main microcomputer 110 only.
  • a power supply line (third connection line) L3 provided between the main CPU 121 and the sub power supply unit 140 includes a main current measurement unit (current detection unit) 152 that measures a drive current of the main CPU 121.
  • the power supply line (fourth connection line) L4 provided between the sub CPU 122 and the sub power supply unit 140 includes a sub current measurement unit (current detection unit) 162 that measures the drive current of the sub CPU 122.
  • the analog-to-digital converter (ADC) 117 of the main microcomputer 110 is connected to the main current measuring unit 152 and the sub current measuring unit 162 via the measurement wirings LM3 and LM4, and the power supply lines (third and fourth connections Current values of drive currents of the main CPU 121 and the sub CPU 122 flowing through the lines L3 and L4 are measured.
  • ADC analog-to-digital converter
  • the submicrocomputer 120 uses the current value from the main current measurement unit 150 and the subcurrent measurement unit 160 and the temperature information from the temperature sensor 115 and fails the main CPU 111 and the sub CPU 112 of the main microcomputer 110 according to the procedure described later.
  • the potential diagnosis is performed, and the diagnosis result is stored in a storage area such as the ROM 124 of the submicrocomputer 120.
  • the submicrocomputer 120 notifies the main microcomputer 110 of information on the diagnosis result when the main microcomputer 110 is activated next time.
  • the main microcomputer 110 uses the current value from the main current measurement unit 152 and the sub current measurement unit 162 and the temperature information from the temperature sensor 125 to follow the procedure described later for the main CPU 121 and the sub CPU 122 of the sub microcomputer 120. And the diagnosis result is stored in a storage area such as the ROM 114 of the main microcomputer 110. The main microcomputer 110 notifies the sub microcomputer 120 of information on the diagnosis result when the sub microcomputer 120 is started next time.
  • the submicrocomputer 120 performs failure potential diagnosis of the main microcomputer 110, and the main microcomputer 110 performs failure potential diagnosis of the submicrocomputer 120.
  • the reason for this is that, as described above, the CPU can not distinguish between the CPU leakage current and the CPU drive current in the driven state, so the CPU is not driven, so-called CPU standby state, and another normal drive is in progress. By measuring the drive current of the CPU in the standby state by the microcomputer, it is possible to accurately measure the leak current of the CPU.
  • the vehicle control device 100 receives supply of power from a battery 201 mounted on the vehicle.
  • the main power supply unit 130 steps up or down the voltage received from the battery 201 and supplies the voltage to the main microcomputer 110.
  • the sub power supply unit 140 boosts or steps down the voltage received from the battery 201 and supplies the voltage to the sub microcomputer 120.
  • Main power supply unit 130 and sub power supply unit 140 are configured to start power supply to main microcomputer 110 and sub microcomputer 120 according to the reception of power signal (PS) 200.
  • PS power signal
  • the main power supply unit 130 is internally divided into circuits so as to individually supply power to the main CPU 111, the sub CPU 112, the RAM 113, and the ROM 114, respectively. This is to suppress the influence of the drive current supplied to the main CPU 111 and the sub CPU 112 from the current fluctuation of the RAM 113 and the ROM 114.
  • the sub main power supply unit 140 is internally divided into circuits so as to individually supply power to each of the main CPU 121, the sub CPU 122, the RAM 123, and the ROM 124. This is to suppress the influence of the drive current supplied to the main CPU 121 and the sub CPU 122 from the current fluctuation of the RAM 123 and the ROM 124.
  • the configurations of the main power supply unit 130 and the sub main power supply unit 140 will be described later with reference to FIG.
  • FIG. 2 is a view showing a conceptual configuration example of the microcomputer MC.
  • the microcomputer MC shows the configurations of the main microcomputer 110 and the main microcomputer 120.
  • the microcomputer MC includes main CPUs (MCPUs: 111, 121), sub CPUs (SCPUs: 112, 121), RAMs (113, 123), ROMs (114, 124) and a peripheral circuit PERI. It is connected.
  • the peripheral circuit PERI includes, for example, a temperature sensor TSEN (115, 125), a comparator COMP (116, 126), an analog-to-digital converter ADC (117, 127), a control area network (Controller Area Network) interface CANIF, It has an input / output port IOP and the like.
  • the microcomputer MC has an external terminal VDD1 for supplying the power supply voltage Vdd1 to the MCPU, an external terminal VDD2 for supplying the power supply voltage Vdd2 to the SCPU, an external terminal VDD3 for supplying the power supply voltage Vdd3 to the RAM, and a power supply to the ROM. It has an external terminal VDD4 for supplying the voltage Vdd4 and a reference potential terminal VSS to which a ground voltage such as 0 (zero) volt or a reference voltage Vss is supplied.
  • the microcomputer MC further includes external terminals AVDD and AVSS for supplying the analog power supply voltage Avdd and the analog reference voltage Avss to the analog-to-digital converter ADC, the temperature sensor TSEN, the comparator COMP, CANIF, the signal input / output port IOP, etc. And an external terminal VDD5 for supplying the power supply voltage Vdd5 to the peripheral circuit PERI.
  • the power supply voltages Vdd1, Vdd2, Vdd3, Vdd4 and Vdd5 can be different power supply voltages.
  • the analog-to-digital converter ADC has analog signal input terminals AN0, AN1, AN2, AN3.
  • the microcomputer MC is the main microcomputer 110
  • the analog signal input terminals AN0 and AN1 are connected to the MCM 152 via the LM3
  • the analog signal input terminals AN2 and AN3 are connected to the SCM 162 via the LM4. Be done.
  • the microcomputer MC is the main microcomputer 120
  • the analog signal input terminals AN0 and AN1 are connected to the MCM 150 via the LM1
  • the analog signal input terminals AN2 and AN3 are connected to the SCM 160 via the LM2.
  • the analog-to-digital converter ADC may have analog signal input terminals AN4 to ANn in addition to the analog signal input terminals AN0, AN1, AN2, and AN3.
  • the analog signal input terminals AN4-ANn can be connected to the output of another analog sensor or the like.
  • the CANIF also has an input / output terminal CAN0 that can be connected to the CAN bus.
  • the CAN bus can be connected to an electric power steering EPS or other electronic control unit (ECU) capable of CAN communication based on the CAN protocol.
  • ECU electronice control unit
  • the signal input / output port IOP has port terminals PD0 to PDN that enable input and output of digital signals.
  • FIG. 3 is a diagram showing a conceptual configuration example of the power supply unit PSP.
  • the power supply unit PSP shows the configuration of the main power supply unit (MPSP) 130 and the sub power supply unit (SPSP) 140.
  • the power supply unit PSP has a plurality of regulators REG1-RG6.
  • the regulator REG1 supplies the power supply voltage to the external terminal VDD1 for supplying the power supply voltage Vdd1 to the MCPU.
  • the regulator REG2 supplies the power supply voltage to the external terminal VDD2 for supplying the power supply voltage Vdd2 to the SCPU.
  • the regulator REG3 supplies the power supply voltage to the external terminal VDD3 for supplying the power supply voltage Vdd3 to the RAM.
  • the regulator REG4 supplies the power supply voltage to the external terminal VDD4 for supplying the power supply voltage Vdd4 to the ROM.
  • the regulator REG5 supplies the power supply voltage Vdd5 to the external terminal VDD5 for supplying the power supply voltage to the peripheral circuit PERI.
  • the regulator REG6 supplies the analog power supply voltage Avdd and the analog reference voltage Avss to the external terminals AVDD and AVSS for supplying the analog power supply voltage Avdd and the analog reference voltage Avss to the analog-digital conversion circuit ADC.
  • the plurality of regulators REG1 to RG6 are supplied with voltages from the battery (BAT) 201 in response to the reception of the power supply signal 200 instructing start of power supply, and the power supply voltages Vdd1 to Vdd5, Avdd, and power supply voltages for analog are supplied. Generates Avdd and the analog reference voltage Avss.
  • the power supply unit PSP includes the main CPU (MCPU: 1111, 121), the sub CPU (SCPU: 112, 122), the RAM (113, 123), the ROM (114, 124), and the periphery.
  • a plurality of regulators REG1 to RG6 are provided to enable power supply individually to each of the circuit PERI and the analog-to-digital converter ADC (117, 127).
  • the drive current supplied to the main CPU 111 and the sub CPU 112 is the RAM (113, 123), the ROM 114 (114, 124), the peripheral circuit PERI, the analog-to-digital converter ADC (117, 127). This is to suppress the influence of the current fluctuation.
  • external terminal VDD5 for supplying power supply voltage to peripheral circuit PERI and regulator REG5 for generating power supply voltage for peripheral circuit PERI are further configured as a plurality of external terminals and a plurality of regulators. Also good.
  • the power supply potential can be supplied according to the required specification of the power supply potential of each circuit or each functional module included in the peripheral circuit PERI.
  • FIG. 4 is a diagram for explaining the configuration of the current measurement unit.
  • FIG. 4 exemplarily shows the configuration of the main current measurement unit 150 as a current measurement unit.
  • the configuration of the current measurement unit 150 is the same as the configuration of the current measurement units 160, 152, 162, and the other connection configuration is easily understood from FIG. 1, so the description of the configuration of the current measurement units 160, 152, 162 Is omitted.
  • the power supply measurement unit 150 includes a resistance element R1 having a resistance value Rs.
  • the resistance element R1 is provided in series in the power supply line L1 provided between the output of the regulator REG1 of the main power supply unit 130 and the external terminal VDD1 of the main CPU 111 of the main microcomputer 110.
  • the nodes VRH and VRL at both ends of the resistive element R1 are respectively connected to analog input terminals AN0 and AN1 of the analog-to-digital converter 127 built in the sub microcomputer 120 via the LM1.
  • the current measurement unit 160 is connected to the analog input terminals AN2 and AN3 of the analog-to-digital converter 127 built in the sub-microcomputer 120 via the LM2.
  • the current measurement units 152 and 162 are connected to analog input terminals AN0 and AN1 and AN2 and AN3 of the analog-to-digital converter circuit 117 built in the main microcomputer 110 via the LM3 and the LM4, respectively.
  • the drive current Is including the leak current of the main CPU 111 flowing to the resistance element R1 can be obtained by the following equation.
  • Is Vs / Rs
  • Vs is a voltage value corresponding to the voltage difference between the node VRH and the node VRL at both ends of the resistive element R1.
  • the drive current Is including the leak current of the main CPU 111 can be obtained.
  • the output voltage value of the regulator REG1 of the main power supply unit 130 is the reference operating voltage of the main CPU 111 of the main microcomputer 110, the resistance value Rs of the resistance element R1, and the maximum current value of the drive current Is flowing through the resistance element R1. It may be determined so as to satisfy the reference operating voltage of the main CPU 111 of the main microcomputer 110 in consideration of the voltage drop (Vs) due to the drive current Is flowing through the resistance element R1.
  • the respective output voltage values of the regulator REG2 of the main power supply unit 130 and the regulators REG1 and REG2 of the sub power supply unit 140 are also the sub CPU 112 of the main microcomputer 110 and the main CPU 121 and sub CPU 122 of the sub microcomputer 120 based on the same idea as above. It should be determined so as to satisfy each of the reference operating voltages.
  • the present invention is not limited to this.
  • a conversion bit number for example, 100 bits
  • the conversion bit number for example, 10 bits or 12 bits
  • the vehicle control apparatus 100 externally adds a large number of conversion bits.
  • the individual analog-to-digital converter circuit may be implemented and used instead of the analog-to-digital converter circuits 117 and 127. In the measurement of the leak current value, since the leak current value itself is small, the leak current value can be more accurately measured by using an individual analog-to-digital converter having a large number of conversion bits.
  • FIG. 5 is a diagram for explaining the increase of the leak current.
  • the main microcomputer 110 and the sub-microcomputer 120 are composed of a plurality of CMOS transistors and the like, and leakage current may increase due to factors such as the appearance of manufacturing defects and aged deterioration due to long-term use.
  • the vertical axis indicates the leak current value Ileak
  • the horizontal axis indicates the time Time.
  • a manufacturer of a semiconductor integrated circuit device performs a pre-shipment inspection before shipment of the semiconductor integrated circuit device, measures a leak current, and a semiconductor integrated circuit device in which the leak current Ileak1 is within a predetermined range. Ship as normal products.
  • the leak current value Ileak1 will be described using an example measured by the pre-shipment inspection of the main microcomputer 110 and the sub microcomputer 120. However, the leak current value Ileak1 It may be measured and stored in the ROM (114, 124) of the main microcomputer 110 or the sub microcomputer 120.
  • the leak current value Ileak1 of the normal product at the time of inspection before shipment is shown, and at time T2, the leak current value Ileak2 of the abnormal product whose leak current Ileak increased due to long-term use is shown.
  • the range of the leak current of the normal product is, for example, the range between the minimum value (0 mA (milliamps)) and the maximum value (M mA), and the main micro-circuits measured by the pre-shipment inspection It is assumed that the leak current value Ileak1 of the computer 110 or the submicrocomputer 120 is, for example, TmA.
  • the value of ⁇ Ileak includes, in addition to deterioration over time, fluctuation of temperature characteristics of leakage current in main microcomputer 110 or sub microcomputer 120 and fluctuation of leakage current due to manufacturing variation of main microcomputer 110 or sub microcomputer 120. It is done. Therefore, it is necessary to correct the value of the increase amount ⁇ Ileak of the leak current.
  • FIG. 6 is a diagram for explaining a correction method of an increase in leak current.
  • the increase amount ⁇ Ileak of the leak current is corrected in consideration of the leak current value Ileak1 at the time of manufacture, the leak current value Ileak2 at the time of measurement, and the temperature characteristics or temperature dependency of the leak current value Ileak2.
  • the temperature characteristic or temperature dependency of the leak current value Ileak2 is corrected by the temperature information TM measured by the temperature sensor TSEN of the main microcomputer 110 or the sub microcomputer 120 and the temperature correction map (table) TCM of the leak current. .
  • the temperature correction map (table) TCM is unique to each of the main microcomputer 110 or the sub microcomputer 120, and can be obtained from, for example, a semiconductor manufacturer.
  • the temperature correction map (or temperature correction table) TCM describes the correction current value (Icv) of the leak current at each temperature.
  • the increase amount ⁇ Ileakc of the corrected leak current used for diagnosing the failure potential can be obtained by the following equation.
  • ⁇ Ileakc Ileak2 + Icv-Ileak1
  • Icv represents the correction current value described in the temperature correction map (table) TCM in the temperature information TM.
  • the presence or absence of the failure potential is determined depending on whether the corrected increase amount of leakage current ⁇ Ileakc exceeds a threshold value or a predetermined value (TH).
  • TH a predetermined value
  • the threshold value or predetermined value (TH) can also be referred to as a set value or a prescribed value.
  • FIG. 7 is a view showing a configuration example of the address spaces of the ROM 114 and the ROM 124. As shown in FIG. 7A shows an example of the configuration of the address space of the ROM 114, and FIG. 7B shows an example of the configuration of the address space of the ROM 124.
  • the ROM 114 has, for example, a first address space ADSP1a and a second address space ADSP2a.
  • the first address space ADSP1a stores the control program CPROG and reference data or the like referred to when the control program CPROG is executed.
  • the control program CPROG is a control program for electronically controlling on-vehicle devices (for example, an automatic transmission, an engine, etc.) mounted on a vehicle.
  • the processing program or data according to the present invention is stored in the second address space ADSP 2a, and the diagnostic program DPROG described with reference to FIGS. 8A and 8B and the control executed when judging abnormality of the CPU described with FIG.
  • a program CNTPROG, a calculation program LCCPROG for leak current correction described in FIG. 6 is stored.
  • the second address space ADSP 2 a further includes a temperature correction map (table) TCM of the leak current related to the main microcomputer 110, a threshold value or a predetermined value (TH), a leak current value Ileak1 (110), and the main of the sub microcomputer 120.
  • the measured leakage current values Ileak2 (121) and Ileak2 (122) for the CPU 121 and the sub CPU 122 are stored.
  • the diagnosis results DResult (121) and DResult (122) are the results of diagnosis regarding the submicrocomputer 120 by the diagnostic program DPROG, and the presence or absence of the failure potential of the main CPU 121 and the sub CPU 122 of the submicrocomputer 120 is stored.
  • the experience information DHist stores data of the main microcomputer 110 or the sub-microcomputer 120 last or previously diagnosed.
  • the ROM 124 has, for example, a first address space ADSP1b and a second address space ADSP2b.
  • the first address space ADSP1b stores the control program CPROG and reference data or the like referred to when the control program CPROG is executed.
  • the control program CPROG is a control program for electronically controlling on-vehicle devices (for example, an automatic transmission, an engine, etc.) mounted on a vehicle.
  • the second address space ADSP 2b stores the processing program or data according to the present invention, and the diagnostic program DPROG described in FIG. 8, the control program CNTPROG executed at the time of abnormality judgment of the CPU described in FIG.
  • a calculation program LCCPROG for leak current correction described in FIG. 6 is stored.
  • the second address space ADSP 2 b further includes a temperature correction map (table) TCM of the leak current related to the submicrocomputer 120, a threshold value or a predetermined value (TH), a leak current value Ileak 1 (120), and the main microcomputer 110.
  • the measured leakage current values Ileak2 (111) and Ileak2 (112) for the CPU 111 and the sub CPU 112 are stored.
  • the diagnosis results DResult (111) and DResult (112) are the results of diagnosis regarding the main microcomputer 110 by the diagnosis program DPROG, and the presence or absence of the failure potential of the main CPU 111 and the sub CPU 112 of the main microcomputer 110 is stored.
  • the experience information DHist stores data of the main microcomputer 110 or the sub-microcomputer 120 last or previously diagnosed.
  • the measured leak current values Ileak 2 (111), Ileak 2 (112), Ileak 2 (121), Ileak 2 (122), and the increase amount of the leak current after correction Although an example of storing ⁇ Ileakc (111), ⁇ Ileakc (112), ⁇ Ileakc (121), ⁇ Ileakc (122) in the address space of the ROMs 114 and 124 has been shown, store these values in the address spaces of the ROMs 114 and 124. Instead, it is also possible to temporarily store in the RAMs 113 and 123 at the time of diagnosis.
  • FIGS. 8A and 8B are flowcharts illustrating an example of the failure potential diagnosis procedure of the CPU according to the first embodiment.
  • the lower A in FIG. 8A and the upper A in FIG. 8B are connected.
  • FIGS. 8A and 8B are flowcharts illustrating a procedure for diagnosing the failure potential of the main CPU 111 and the sub CPU 112 of the main microcomputer 110 using the sub microcomputer 120 when the vehicle control device 100 shuts down.
  • a flowchart for diagnosing the failure potential of the main CPU 121 and the sub CPU 122 of the sub microcomputer 120 using the main microcomputer 110 is considered to be easily understood from FIGS. 8A and 8B, and thus the description thereof is omitted.
  • each step of FIG. 8A and FIG. 8B is demonstrated.
  • Step S100 When the main microcomputer 110 and the sub microcomputer 120 receive the power supply signal 200 indicating that the power is turned on, this flowchart is started. At the time of starting this flowchart, it is assumed that the main power supply IC 130 and the sub power supply IC 140 have started to supply power according to the power supply signal 200 respectively.
  • This flowchart corresponds to the diagnostic program DPROG shown in FIG.
  • Step S101 The main microcomputer 110 and the sub-microcomputer 120 are provided with leak current values (Ileak1) at the time of manufacture of the main microcomputer 110 and the sub-microcomputer 120 from respective storage areas (ROMs 114 and 124) and failure potential operation experience information (DHist) Read out.
  • the leak current value (Ileak1) described above measures the leak current of the main microcomputer 110 and the sub-microcomputer 120 not only at the time of manufacturing the main microcomputer 110 and the sub-microcomputer 120 but also at the time of manufacturing the vehicle control device 100. It may be stored in each storage area (ROMs 114 and 124).
  • Step S102 The main microcomputer 110 does not carry out the failure potential diagnosis until the condition for carrying out the failure potential diagnosis is established.
  • the execution condition of the failure potential diagnosis is satisfied when all the self shut processing performed after the power supply signal 200 is turned off is completed.
  • the main microcomputer 110 determines a microcomputer to be diagnosed with the failure potential of this time from the failure potential implementation experience information of the main microcomputer 110 and the sub microcomputer 120 read out in step S101, and sets it as a microcomputer to be measured. For example, when the failure potential of main CPU 111 and sub CPU 112 in main microcomputer 110 is diagnosed in the previous failure potential diagnosis, main CPU 121 and sub CPU 122 in sub microcomputer 120 are regarded as diagnosis targets in this failure potential diagnosis. Do. As described above, in this example, the reason for switching the microcomputer to be diagnosed each time self-shut processing is performed is that the main CPU and the sub CPU built in the microcomputer to be diagnosed need to be in the stop state (standby state). It is. Details will be described in the description of FIG. 9A. In this example, the microcomputer to be measured is described as the main microcomputer 110, which diagnoses the failure potential of the main CPU 111 and the sub CPU 112 built in the main microcomputer 110.
  • Step S104 In order to estimate the temperatures of the main CPU 111 and the sub CPU 112 of the microcomputer to be measured 110, the temperature of the main microcomputer 110 is measured from the temperature sensor 115 built in the main microcomputer 110.
  • the temperature sensor 115 built in the main microcomputer 110 is used, but the temperature sensor may be the temperature sensor 170 mounted in the vehicle control device 100.
  • Step S105 From the temperature information of the main microcomputer 110 acquired in step S104, the main CPU 111 and the sub CPU 112 of the measured microcomputer 110 correct the temperature change of the leakage current Ileak2 of the CPUs 111 and 112 due to the temperature.
  • the temperature correction value Icv of the leakage current is calculated from the correction map TCM.
  • the temperature correction map TCM of the leak current is defined in advance for each type of microcomputer to be measured.
  • the temperature correction map TCM of the leakage current can be stored in advance in the ROMs 114 and 124 provided in the main microcomputer 110 and the sub microcomputer 120, as shown in FIG.
  • Step S106 The sub-microcomputer 120 is notified of the temperature correction value Icv of the leakage current calculated in step S105.
  • Step S107 The main CPU 111 and the sub CPU 112 of the microcomputer to be measured 110 are shifted to the stop state (standby state), and the subsequent calculations are performed using the sub microcomputer 120.
  • Step S108 It waits for the measured microcomputer 110 to complete transition to the standby state mode.
  • the determination of the completion of the transition is made based on a specified time or that the output of the measured microcomputer 110 is turned off.
  • Step S109 The submicrocomputer 120 measures the current leakage current values (Ileak2 (111), Ileak2 (112)) of the main CPU 111 and the sub CPU 112 of the microcomputer to be measured 110 by the main current measurement unit 150 and the subcurrent measurement unit 160. Do.
  • Step S110 The submicrocomputer 120 processes the leak current (Ileak1) at the time of manufacture acquired in step S101 and the current leak current (Ileak2 (111), Ileak2 (112)) acquired in step S109 for each of the main CPU 111 and the sub CPU 112 From the leak current temperature correction value (Icv) acquired in S106, the diagnostic leak current values ( ⁇ Ileakc (111), ⁇ Ileakc (112)) are calculated. That is, the calculation program LCCPROG of FIG. 7 is executed, and the calculation for correcting the leakage current value described in FIG. 6 is executed.
  • Step S111 The submicrocomputer 120 determines, for each of the main CPU 111 and the sub CPU 112, whether or not the diagnostic leak current value ( ⁇ Ileakc (111), ⁇ Ileakc (112)) is equal to or less than the threshold value (TH). If the diagnostic leak current value ( ⁇ Ileakc (111), ⁇ Ileakc (112)) of either the main CPU 111 or the sub CPU 112 falls below the threshold (TH), the main CPU 111 and the sub CPU 112 judge that they are normal. The process proceeds to step S113. If the diagnostic leak current value ( ⁇ Ileakc (111), ⁇ Ileakc (112)) exceeds the threshold value (HT), it is determined that there is a failure potential, and the process proceeds to step S112.
  • the threshold value (TH) can be stored in advance in the ROMs 114 and 124 provided in the main microcomputer 110 and the sub microcomputer 120, as shown in FIG.
  • Step S112 The submicrocomputer 120 stores the result of having determined that there is a failure potential in step S111 in the storage area (ROM 124) in the submicrocomputer 120 as the determination results DResult (111) and DResult (112).
  • Step S113 The submicrocomputer 120 stores the execution experience information (DHist) of the failure potential diagnosis in the storage area (ROM 124) in the submicrocomputer 120.
  • the failure potential execution experience information (DHist) is read from the storage area (ROMs 114 and 124) in step S101, and is used as information for determining a target microcomputer for failure potential diagnosis in step 103.
  • FIG. 9A is a diagram for explaining the execution timing of fault potential diagnosis according to the first embodiment.
  • FIG. 9A is a diagram for explaining that the microcomputer to be diagnosed with the failure potential is switched at each shutdown of the vehicle control device 100 as described in step 103 of FIG. 8A. That is, for example, it is assumed that the main microcomputer 110 and the submicrocomputer 120 perform normal control, and then the power supply signal 200 is turned off. In this case, as the first shutdown, after the power supply signal 200 is turned off, the processing shifts to the self shut processing.
  • the main microcomputer 110 After self-shut processing is completed and all self-shut processing is completed, the main microcomputer 110 is put into the standby state, and the sub microcomputer 120 in the driving state performs fault potential diagnosis for the main microcomputer 110 in the standby state. After execution of the fault potential diagnosis, the main microcomputer 110 and the submicrocomputer 120 are shut off.
  • the submicrocomputer 120 is put into the standby state, and the main microcomputer 110 in the driven state has a failure potential with respect to the submicrocomputer 120 in the standby state. After performing diagnosis and performing fault potential diagnosis, the main microcomputer 110 and the submicrocomputer 120 are shut off.
  • the failure potential diagnosis of each of the main microcomputer 110 and the sub microcomputer 120 can be uniformly performed by switching the microcomputer to be diagnosed every shutoff.
  • FIG. 9B is a diagram for explaining a modification 1 of the execution timing of failure potential diagnosis.
  • FIG. 9A shows an example in which the microcomputer to be diagnosed is switched every shutoff.
  • the process proceeds to the self shut process, and then the self shut process is performed.
  • the main microcomputer 110 is put into the standby state.
  • the computer 120 executes fault potential diagnosis for the main microcomputer 110 in the standby state.
  • the sub-microcomputer 120 is put into the standby state, and the main microcomputer 110 performs fault potential diagnosis on the sub-microcomputer 120 in the standby state, and performs fault potential diagnosis.
  • FIG. 9C is a diagram for explaining a modification 2 of the execution timing of the failure potential diagnosis.
  • 9A and 9B show an example in which the failure potential diagnosis is performed after the power supply signal 200 is turned off.
  • FIG. 9C shows an example in which the microcomputer as the diagnosis target of the failure potential is switched every time the main microcomputer 110 and the sub microcomputer 120 are activated after the power supply signal 200 is turned on, and the failure potential diagnosis is performed. There is. That is, for example, after the power supply signal 200 is turned on for the first time, the submicrocomputer 120 is put into the standby state, and the main microcomputer 110 in the driven state performs fault potential diagnosis to the submicrocomputer 120 in the standby state. carry out.
  • the main microcomputer 110 and the sub microcomputer 120 are reset.
  • the sub microcomputer 120 is put in a wait state until the reset is completed, and then the main microcomputer 110 and the sub microcomputer 120 are synchronized, and the main microcomputer 110 and the sub microcomputer 120 are synchronized.
  • the microcomputer 120 shifts to normal control.
  • the main microcomputer 110 is put into the standby state, and the sub microcomputer 120 in the driven state fails to the main microcomputer 110 in the standby state.
  • Conduct a potential diagnosis After that, the main microcomputer 110 and the sub microcomputer 120 are reset, the main microcomputer 110 and the sub microcomputer 120 are synchronized, and the main microcomputer 110 and the sub microcomputer 120 shift to the normal control.
  • the failure potential of the main microcomputer 110 and the sub microcomputer 120 can also be diagnosed at such an execution timing of the failure potential diagnosis.
  • FIG. 9D is a diagram for explaining a third modification of the execution timing of failure potential diagnosis.
  • FIG. 9C shows an example in which the microcomputer to be diagnosed with the failure potential is switched at each activation of the main microcomputer 110 and the sub-microcomputer 120, and the failure potential diagnosis is performed.
  • FIG. 9D shows an example in which the failure potentials of both the main microcomputer 110 and the sub microcomputer 120 are diagnosed and implemented each time the main microcomputer 110 and the sub microcomputer 120 are started. That is, after the power supply signal 200 is turned on for the first time, the submicrocomputer 120 is put into the standby state, and the main microcomputer 110 in the driven state performs fault potential diagnosis for the submicrocomputer 120 in the standby state. Perform fault potential diagnosis.
  • the main microcomputer 110 and the sub microcomputer 120 are reset, and the main microcomputer 110 is put into the standby state, and the sub microcomputer 120 in the driven state performs fault potential diagnosis for the main microcomputer 110 in the standby state. . Thereafter, the main microcomputer 110 and the sub microcomputer 120 are synchronized, and the main microcomputer 110 and the sub microcomputer 120 shift to normal control.
  • fault potential diagnosis may be performed by combining FIG. 9B and FIG. 9D.
  • FIG. 10 is a diagram for explaining a control procedure according to the first embodiment.
  • FIG. 10 shows a means for using unfailed CPU information using failure potential diagnosis results when the outputs of the main CPU 111 and the sub CPU 112 in the vehicle control apparatus 100 do not match in the comparator 116. It is an example of the flowchart explaining FIG. This flowchart corresponds to the control program CNTPROG shown in FIG.
  • Step S300 When the main microcomputer 110 and the sub microcomputer 120 receive the power supply signal 200 indicating that the power is turned on, this flowchart is started. At the time of starting this flowchart, it is assumed that the main power supply IC 130 and the sub power supply IC 140 have started to supply power according to the power supply signal 200 respectively.
  • the following describes the operation of the main microcomputer 110 as an example. As described in FIG. 1, the submicrocomputer 120 notifies the main microcomputer 110 of the information of the diagnosis results (DResult (111), DResult (112)) when the main microcomputer 110 is activated. Also, it is assumed that the main microcomputer 110 notifies the sub microcomputer 120 of the information of the diagnostic results (DResult (121), DResult (122)) when the sub microcomputer 120 is activated.
  • Step S301 The main microcomputer 110 is provided with a main CPU 111 and a sub CPU 112, and a comparator 116 for comparing the output results of each, and determines whether or not the comparison results in the comparator 116 match. If the comparison results of the comparator 116 match, there is no CPU failure, and the process proceeds to step S302. If the comparison results of the comparator 116 do not match, it is determined that there is a CPU failure, and the process proceeds to step S303.
  • Step S302 The main microcomputer 110 determines that there is no failure in the main CPU 111 and the sub CPU 112, and uses the output signal of the main CPU 111. Alternatively, the output value of the sub CPU 112 may be used.
  • Step S303 The main microcomputer 110 determines whether the failure potential diagnosis result (DResult (111)) of the main CPU 111 stored in step S112 is normal. If the failure potential diagnosis result (DResult (111)) of the main CPU 111 is normal, the process proceeds to step S304. If the failure potential diagnosis result (DResult (111)) of the main CPU 111 is abnormal, the process proceeds to step S307.
  • Step S304 The main microcomputer 110 determines whether the failure potential diagnosis result (DResult (112)) of the sub CPU 112 stored in step S112 is normal. If the failure potential diagnosis result (DResult (112)) of the sub CPU 112 is normal, the process proceeds to step S305. If the failure potential diagnosis result (DResult (112)) of the sub CPU 112 is abnormal, the process proceeds to step S306.
  • Step S305 The main microcomputer 110 determines that there is a failure other than the main CPU 111 and the sub CPU 112, and shifts to fail-safe processing such as stopping the vehicle control actuator 202.
  • Step S306 The main microcomputer 110 determines that the main CPU 111 is normal although there is a failure in the sub CPU 112, and continues the normal processing (the operation of the normal control of the vehicle) using the output signal of the main CPU 111.
  • Step S307 In step S307, the same determination as in step S304 is performed. If the failure potential diagnosis result (DResult (112)) of the sub CPU 112 is normal, the process proceeds to step S308. If the failure potential diagnosis result (DResult (112)) of the sub CPU 112 is abnormal, the process proceeds to step S309.
  • Step S308 The main microcomputer 110 determines that the sub CPU 112 is normal although there is a failure in the main CPU 111, and continues normal processing (normal control operation of the vehicle) using an output signal of the sub CPU 112.
  • Step S309 The main microcomputer 110 determines that both the main CPU 111 and the sub CPU 112 have a failure potential, and shifts to fail-safe processing such as stopping the vehicle control actuator 202.
  • Step S310 The main microcomputer 110 notifies other units of the information on the comparison of the comparison in the comparator 116 as CPU failure information. Further, CPU failure information may be notified to other units only when the process proceeds to step S305 or step S309.
  • the vehicle control device 100 capable of maintaining the driving performance can be provided.
  • the CPU determines the CPU's failure potential caused by foreign matter mixed in at the time of manufacture or aged deterioration, CPU failure can be detected as early as possible.
  • a maintainable vehicle control device 100 can be provided.
  • the value of the current (leakage current) of the CPU flowing through the power supply line (connection line: L1, L2, L3, L4) supplying power to the CPU (111, 112, 121, 122) are detected and measured using current measurement units (current detection units: 150, 160, 152, 162).
  • current detection units current detection units: 150, 160, 152, 162
  • the failure potential of the CPU can be determined by the value or amount of the measured leakage current.
  • the current flowing in the power supply line supplying power to the CPU in the standby state is measured using the CPU in the drive state.
  • the current flowing through the power supply line of the CPU includes the leak current component of the CPU and the drive current component of the CPU.
  • the CPU leak current (Ileak2) for fault potential diagnosis includes manufacturing variations of the microcomputer or CPU and variations due to temperature changes of the microcomputer or CPU. In order to extract these variations in leak current and extract only the increase in CPU leak current due to transistor deterioration, correction of the measured value of CPU leak current for failure potential diagnosis is performed. There are two correction targets: correction of leak current variation due to manufacturing variation of microcomputer or CPU, and correction of leak current variation due to temperature change.
  • the method of correcting the leak current variation due to the manufacturing variation of the microcomputer or CPU is to measure the CPU leak current value (Ileak1) for fault potential diagnosis at the time of manufacturing the microcomputer or CPU, and to store the storage area (ROM: 114, 124) of the microcomputer. ) Is stored as a leak current value at the time of CPU manufacture. By subtracting the leak current value (Ileak1) at the time of microcomputer manufacture or CPU manufacturing from CPU leak current value (Ileak2) for current failure potential diagnosis, increase in leak current from manufacture time of microcomputer or CPU to the present The minutes ( ⁇ Ileak) can be extracted.
  • TCM correlation map
  • the CPU can correctly calculate, but can detect a state that may fail in the future at an early stage. That is, since the failed CPU can be identified from the result of the failure potential diagnosis of the CPU, when the failure of the CPU occurs, the vehicle control is not degenerated using a normal CPU that is not broken. Driving performance can be maintained.
  • FIG. 11 is a diagram illustrating a vehicle control system according to a second embodiment.
  • the vehicle control device system 1a shown in FIG. 11 includes a vehicle control device 100a that is an electronic control unit (ECU: Electronic Control Unit), as in FIG.
  • the vehicle control device 100a is a device that electronically controls on-vehicle devices (for example, an automatic transmission, an engine, and the like) mounted on the vehicle.
  • the vehicle control device 100 a of FIG. 11 is configured such that the comparator 116 in the main microcomputer 110 and the comparator 126 in the sub microcomputer 120 are eliminated as compared with the vehicle control device 100 of FIG. 1.
  • the main microcomputer 110 of the vehicle control device 100a has a parallel processing type in which the main CPU 111 and the sub CPU 112 simultaneously execute different controls.
  • the vehicle control device 100 is the same as the vehicle control device 100, so the description thereof is omitted.
  • FIG. 12 is a diagram for explaining a control procedure according to the second embodiment.
  • the vehicle control device 100a determines whether the result of the failure potential diagnosis is normal or not, and degenerates the control function originally implemented when it is abnormal. As a result, it is possible to extend the time until the CPU completely fails, and to maintain the functions originally possessed by the vehicle control device 100a even if the CPU completely fails.
  • Step S400 When the main microcomputer 110 and the sub microcomputer 120 receive the power supply signal 200 indicating that the power is turned on, this flowchart is started. At the time of starting this flowchart, it is assumed that the main power supply IC 130 and the sub power supply IC 140 have started to supply power according to the power supply signal 200 respectively. The following describes the operation of the main microcomputer 110 as an example. In addition, the failure potential diagnosis is as described above, and the description thereof will be omitted because it is the same.
  • Step S401 The main microcomputer 110 determines whether or not there is execution experience (DHist) of failure potential diagnosis of the main CPU 111 and the sub CPU 112. If there is no implementation experience (DHist) of failure potential diagnosis, the control is ended, and if there is implementation experience (DHist), the process proceeds to step S402.
  • DHist execution experience
  • Step S402 The main microcomputer 110 determines whether the failure potential diagnosis result (DRsult (111)) of the main CPU 111 is normal. If the failure potential diagnosis result (DRsult (111)) of the main CPU 111 is normal, the process proceeds to step S403. If the failure potential diagnosis result (DRsult (111)) is abnormal, the process proceeds to step S407.
  • Step S403 The main microcomputer 110 determines whether the failure potential diagnosis result (DRsult (112)) of the sub CPU 112 is normal. If the failure potential diagnosis result (DRsult (112)) of the sub CPU 112 is normal, the process proceeds to step S404. If the failure potential diagnosis result (DRsult (112)) is abnormal, the process proceeds to step S405.
  • Step S404 The main microcomputer 110 determines that neither the main CPU 111 nor the sub CPU 112 has a failure potential, and continues the normal operation according to the normal task operation setting.
  • Step S405, Step S406 The main microcomputer 110 determines that there is no failure potential in the main CPU 111 and that there is a failure potential in the sub CPU 112. Then, the function (task D) assigned to the control task of the sub CPU 112 is reduced, and the calculation load of the sub CPU 112 is reduced. This extends the time until the sub CPU 112 completely fails. At the same time, in step S406, the function (task D) assigned to the control task of the main CPU 111 is expanded. As a result, although the sharing ratio of calculation of the main CPU 111 and the sub CPU 112 changes, it is possible to create a situation in which the control task calculated in total of the vehicle control device 100a does not change.
  • FIG. 13 shows an example of the change in assignment of the control task when it is detected that the failure potential of the sub CPU 112 is high. Details will be described in FIG.
  • Step S407 It is omitted because it is the same as step S403.
  • Step S408, Step S409) As a means similar to steps S405 and S406, the function (task) of the control task of the main CPU 111 is reduced, and the function (task) of the control task of the sub CPU 112 is expanded.
  • Step S410 The main microcomputer 110 determines that both the main CPU 111 and the sub CPU 112 have a failure potential, and continues the normal operation according to the normal task operation setting.
  • the normal task operation setting is the meaning of task setting for the normal operation in which the task change is not performed.
  • FIG. 13 is a diagram for explaining an example of change in assignment of control tasks according to the second embodiment.
  • FIG. 13 is an example of change in assignment of control tasks when it is detected that the failure potential of the sub CPU 112 is high. If the main CPU 111 and the sub CPU 112 have no failure potential and the CPU is normal according to the failure potential diagnosis of FIG. 12, as shown in FIG. 13A, the main CPU 111 performs task A and task B as scheduled processing as shown in FIG. Execute and execute background job (hereinafter, BGJ) 1 in idle time. On the other hand, the sub CPU 112 executes task C and task D as scheduled processing, and executes BGJ 2 in idle time.
  • BGJ background job
  • the task D of the sub CPU 112 is allocated to the main CPU 111 as shown in FIG. .
  • the main CPU 111 executes task A, task B, and extended task D, and executes background job (hereinafter, BGJ) 1 in idle time.
  • the sub CPU 112 executes task C and executes BGJ 2 in idle time. That is, the task D being executed by the sub CPU 112 is in a state of being transferred to the main CPU 111.
  • the failure potential diagnosis of FIG. 12 is performed after the power supply signal 200 is turned off, and the task assignment change is performed when the vehicle control device 100a is activated by the key-on of the vehicle. For this reason, there is no influence on the vehicle behavior due to sudden change of control due to task assignment change during normal control.
  • the sub CPU 112 assigns the function of the task D to the main CPU 111 to reduce the operation load, it does not change that the failure potential is high.
  • the task C function, BGJ2 will be lost, so it is preferable to assign a function that does not affect the vehicle running even if it is lost in advance. In this case, even if the sub CPU 112 completely fails, the vehicle can continue traveling safely.
  • normal task operation setting for defining the task execution state of (A) of FIG. 13B is stored, for example, in the storage area of the ROM 114 of the main microcomputer 110.
  • the normal task operation setting is performed.
  • the normal task operation setting is changed to the abnormal task operation setting. As described above, the change from the normal task operation setting to the abnormal task operation setting 1 is made when the vehicle control device 100a is activated by the key-on of the vehicle.
  • the abnormal task operation setting 2 used when it is determined that the main CPU 111 has a failure potential may be provided in addition to the normal task operation setting and the abnormal task operation setting 1.
  • the abnormal task operation setting 2 may be stored in the storage area of the ROM 114 of the main microcomputer 110 together with the normal task operation setting and the abnormal task operation setting 1.
  • the operation control (task D) handled by the CPU (112) having a high failure potential is transferred to another CPU (111).
  • the CPU failure can be notified to the driver of the vehicle without degrading the function of the vehicle control device (100a), so that the movement for repairing the vehicle can be performed safely and smoothly.
  • the normal CPU (111) can be used even in the failure detection delay time until the failure is detected. Therefore, it is possible to prevent an unintended behavior of the vehicle due to sudden stop or malfunction of an actuator such as an engine or a transmission without sacrificing the original driving performance of the vehicle control device (100a). .
  • the task (D) to be calculated by the CPU (112) having a high failure potential is degenerated in advance.
  • the calculation load of the CPU (112) can be reduced, and therefore, the period until the CPU (112) completely fails can be extended.
  • FIG. 14 is a diagram showing a vehicle control system according to a third embodiment.
  • the vehicle control system 1b shown in FIG. 14 includes a vehicle control system 100b, which is an electronic control unit (ECU), as in FIG.
  • the vehicle control device 100 b is a device that electronically controls on-vehicle devices (for example, an automatic transmission, an engine, and the like) mounted on the vehicle.
  • the vehicle control device 100 b of FIG. 14 has only the CPU 111 of the main microcomputer 110 and only the CPU 121 of the sub microcomputer 120. As a result of this change, the current measurement units SCM 160 and 162 are deleted.
  • the comparator 116 in the main microcomputer 110 and the comparator 126 in the sub microcomputer 120 are deleted.
  • a signal collating unit COMPb having a function as a comparator is provided in the vehicle control device 100b as a semiconductor integrated circuit device different from the main microcomputer 110 and the sub microcomputer 120.
  • the other configuration is the same as that of the first embodiment, and the description thereof is omitted.
  • the signal collating unit COMPb outputs an output signal Smmc of the main microcomputer (first microcomputer) 110 or CPU (first CPU) 111 and an output signal Ssmc of the sub microcomputer (second microcomputer) 120 or CPU (second CPU) 121. Compare whether they match.
  • the signal comparison unit COMPb is connected to the actuator (ACU) 202 connected to the signal comparison unit COMPb or the signal comparison.
  • a display device 203 and an electric power steering device (EPS) 204 connected to the unit COMPb via a CAN bus are driven.
  • EPS electric power steering device
  • the signal collating unit COMPb is also adapted to receive the diagnosis result DResult (121) of the failure potential from the main microcomputer 110 and the diagnosis result DResult (111) of the failure potential from the sub microcomputer 120, and these diagnosis signals DResult (121), the control procedure using the fault potential diagnosis result described in FIG. 15 is executed according to DResult (111).
  • FIG. 15 is a diagram for explaining a control procedure according to the third embodiment.
  • the control procedure of the third embodiment will be described with reference to FIG.
  • Step S500 When the main microcomputer 110 and the sub microcomputer 120 receive the power supply signal 200 indicating that the power is turned on, this flowchart is started. At the time of starting this flowchart, it is assumed that the main power supply IC 130 and the sub power supply IC 140 have started to supply power according to the power supply signal 200 respectively.
  • Step S501 The signal collating unit COMPb compares whether the output signal Smmc of the main microcomputer 110 and the output signal Ssmc of the sub microcomputer 120 match, and determines whether the matching result matches. If the collation results of the signal collating unit COMPb match (YES), it is determined that there is no CPU failure, and the process proceeds to step S502. If the comparison result of the signal comparison unit COMPb does not match (NO), it is determined that there is a CPU failure, and the process proceeds to step S503.
  • Step S502 The signal comparison unit COMPb determines that the CPU 111 of the main microcomputer 110 has no failure, and uses the output signal Smmc of the main microcomputer 110 as it is. Alternatively, it may be determined that the CPU 121 of the submicrocomputer 120 has no failure, and the output signal Ssmc of the submicrocomputer 120 may be used.
  • Step S503 The signal comparison unit COMPb determines whether the failure potential diagnosis result (DResult (111)) of the CPU 111 stored in step S112 is normal. If the failure potential diagnosis result (DResult (111)) of the CPU 111 is normal, the process proceeds to step S504. If the failure potential diagnosis result (DResult (111)) of the CPU 111 is abnormal, the process proceeds to step S507.
  • Step S504 The signal comparison unit COMPb determines whether the failure potential diagnosis result (DResult (121)) of the CPU 121 of the sub microcomputer 120 stored in step S112 is normal. If the failure potential diagnosis result (DResult (121)) of the CPU 121 is normal, the process proceeds to step S505. If the failure potential diagnosis result (DResult (121)) of the CPU 121 is abnormal, the process proceeds to step S506.
  • Step S505 It is determined that there is a failure other than the CPU 111 of the main microcomputer 110 and the CPU 121 of the sub microcomputer 120, and the process shifts to fail-safe processing such as stopping the vehicle control actuator 202.
  • Step S506 The signal collating unit COMPb determines that the CPU 111 of the main microcomputer 110 is normal although there is a failure in the CPU 121 of the sub microcomputer 120, and uses the output signal Smmc of the main microcomputer 110 to perform normal processing (normal Continue the control operation).
  • Step S507 the same determination as in step S504 is performed. If the failure potential diagnosis result (DResult (121)) of the CPU 121 is normal, the process proceeds to step S508. If the failure potential diagnosis result (DResult (121)) of the CPU 121 is abnormal, the process proceeds to step S509.
  • Step S508 The signal collating unit COMPb determines that the CPU 121 of the sub microcomputer 120 is normal although there is a failure in the CPU 111 of the main microcomputer 110, and performs normal processing using the output signal Sscm of the main microcomputer 110 (normal to vehicle Continue the control operation).
  • Step S509 The signal comparison unit COMPb determines that there is a failure potential in both the CPU 111 of the main microcomputer 110 and the CPU 121 of the sub microcomputer 120, transitions to a safe state such as stopping the vehicle control actuator 202, and performs failsafe processing. Transition.
  • the signal comparison unit COMPb may notify the other units of the information on the comparison failure as the CPU failure information. Further, CPU failure information may be notified to other units only when the process proceeds to step S505 or step S509.
  • the CPU can normally calculate, but it is possible to detect in the early stage a state that may fail in the future. it can.
  • vehicle control is degenerated by effectively using a normal CPU that is not faulty at the time of CPU fault occurrence or CPU anomaly occurrence. It is possible to provide a vehicle control device (100b) capable of maintaining the driving performance without causing the vehicle control.
  • the present invention is not limited to the above-mentioned embodiment and an example, and it can not be overemphasized that it can change variously .
  • vehicle control device 110 main microcomputer (MMC) 111: main CPU (MCPU) 112: sub CPU (SCPU) 113: RAM 114: ROM 115: temperature sensor (TSEN) 116: comparator (COMP) 120: sub microcomputer (SMC) 130: main power supply IC (MPSP) 140: sub power supply IC (SPSP) 150: main CPU current measurement unit (MCM) 160: sub CPU current measurement unit (SCM) 200: power supply signal (PS) 201: battery (battery) BAT) 202: Actuator (ACU) 203: Display device (DISP) L1, L2, L3, L4: Connection line

Abstract

L'objet de la présente invention est de fournir un dispositif de commande de véhicule qui peut maintenir une performance de conduite en cas d'anomalie d'UCT par identification et utilisation efficace d'une UCT normale qui n'est pas défectueuse. À cet effet, ce dispositif de commande de véhicule comprend : un micro-ordinateur qui comporte une UCT principale et une sous-unité centrale; une unité d'alimentation électrique; une première ligne de connexion qui connecte l'unité d'alimentation électrique et l'UCT principale; une seconde ligne de connexion qui connecte l'unité d'alimentation électrique et la sous-unité centrale; et une unité de détection de courant qui détecte la valeur de courant traversant la première ligne de connexion et la valeur de courant traversant la seconde ligne de connexion. Si la valeur du courant traversant l'une des première et seconde lignes de connexion est supérieure à une valeur prédéfinie et que la valeur du courant traversant l'autre des première et seconde lignes de connexion représente au plus la valeur prédéfinie, le micro-ordinateur poursuit la conduite à l'aide de l'UCT principale ou de la sous-unité centrale connectée à l'autre ligne de connexion.
PCT/JP2018/037657 2017-10-24 2018-10-10 Dispositif de commande de véhicule WO2019082647A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2019550964A JP6807467B2 (ja) 2017-10-24 2018-10-10 車両制御装置

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2017205116 2017-10-24
JP2017-205116 2017-10-24

Publications (1)

Publication Number Publication Date
WO2019082647A1 true WO2019082647A1 (fr) 2019-05-02

Family

ID=66246924

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/037657 WO2019082647A1 (fr) 2017-10-24 2018-10-10 Dispositif de commande de véhicule

Country Status (2)

Country Link
JP (1) JP6807467B2 (fr)
WO (1) WO2019082647A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020233937A1 (fr) * 2019-05-17 2020-11-26 Knorr-Bremse Systeme für Nutzfahrzeuge GmbH Dispositif et procédé de commande de courant d'un actionneur
KR102191169B1 (ko) * 2019-11-26 2020-12-16 주식회사 오비고 이종 dcu의 출력 값을 사용하는 ads를 통해 자율 주행에서 발생할 수 있는 dcu들의 오판 상황을 방지하는 방법 및 이를 이용한 장치
JPWO2021111554A1 (fr) * 2019-12-04 2021-06-10

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102537986B1 (ko) * 2021-11-19 2023-05-31 주식회사 모베이스전자 자율주행차량의 리던던시 제어 시스템

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007125950A (ja) * 2005-11-02 2007-05-24 Toyota Motor Corp 車両用電子制御装置の電源管理システム
JP2012073748A (ja) * 2010-09-28 2012-04-12 Denso Corp 制御装置
JP2015035073A (ja) * 2013-08-08 2015-02-19 ルネサスエレクトロニクス株式会社 半導体装置及び半導体装置の制御方法
JP2017134717A (ja) * 2016-01-29 2017-08-03 矢崎総業株式会社 電源制御システム

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007125950A (ja) * 2005-11-02 2007-05-24 Toyota Motor Corp 車両用電子制御装置の電源管理システム
JP2012073748A (ja) * 2010-09-28 2012-04-12 Denso Corp 制御装置
JP2015035073A (ja) * 2013-08-08 2015-02-19 ルネサスエレクトロニクス株式会社 半導体装置及び半導体装置の制御方法
JP2017134717A (ja) * 2016-01-29 2017-08-03 矢崎総業株式会社 電源制御システム

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020233937A1 (fr) * 2019-05-17 2020-11-26 Knorr-Bremse Systeme für Nutzfahrzeuge GmbH Dispositif et procédé de commande de courant d'un actionneur
CN113841313A (zh) * 2019-05-17 2021-12-24 克诺尔商用车制动系统有限公司 用于致动器的电流控制的设备和方法
CN113841313B (zh) * 2019-05-17 2023-09-22 克诺尔商用车制动系统有限公司 用于致动器的电流控制的设备和方法
US11791618B2 (en) 2019-05-17 2023-10-17 Knorr-Bremse Systeme Fuer Nutzfahrzeuge Gmbh Device and method for controlling the current of an actuator
KR102191169B1 (ko) * 2019-11-26 2020-12-16 주식회사 오비고 이종 dcu의 출력 값을 사용하는 ads를 통해 자율 주행에서 발생할 수 있는 dcu들의 오판 상황을 방지하는 방법 및 이를 이용한 장치
JPWO2021111554A1 (fr) * 2019-12-04 2021-06-10
WO2021111554A1 (fr) * 2019-12-04 2021-06-10 三菱電機株式会社 Dispositif de commande de véhicule
JP7199572B2 (ja) 2019-12-04 2023-01-05 三菱電機株式会社 車両制御装置

Also Published As

Publication number Publication date
JP6807467B2 (ja) 2021-01-06
JPWO2019082647A1 (ja) 2020-08-06

Similar Documents

Publication Publication Date Title
JP6807467B2 (ja) 車両制御装置
KR0158132B1 (ko) 전자 제어장치의 자기 진단 시스템 및 그 진단방법
US20170277607A1 (en) Fault-tolerance pattern and switching protocol for multiple hot and cold standby redundancies
US8836341B2 (en) Semiconductor circuit, semiconductor device, method of diagnosing abnormality of wire, and computer readable storage medium
US20190217867A1 (en) Method for operating an electrical system of a motor vehicle
KR102071404B1 (ko) Bms의 페일 세이프 장치 및 방법
JP5541246B2 (ja) 電子制御ユニット
US20030023407A1 (en) Method and device for monitoring the functioning of a system
US20180238959A1 (en) Method for detecting electrical faults in a current supply of a consumer
CN114968646A (zh) 一种功能故障处理系统及其方法
JP2022509565A (ja) パワー半導体のゲート信号をモニタリングする方法及びデバイス
US10585772B2 (en) Power supply diagnostic strategy
JP4748181B2 (ja) 半導体装置の試験装置および試験方法
JP5582748B2 (ja) 車両用電子制御装置
JP2009058400A (ja) 電動パワーステアリング装置の検査装置
US11820252B2 (en) Battery diagnostic device, battery diagnostic method, battery diagnostic program, and vehicle
US10186092B2 (en) System and method for controlling, by engine control unit, fault code
JP7099793B2 (ja) メイン制御部の異常診断システムおよび方法
JP2021160397A (ja) 車両における電源系の故障原因推定方法および装置
EP4280217A2 (fr) Système de détection de défauts d'un appareil automobile
KR20180053155A (ko) 제어기 단락 이상 감지 장치 및 방법
EP4145150B1 (fr) Contrôleur sur puce pour zone de sécurité sur puce
US20190118828A1 (en) Runtime verification of shutoff control line integrity in a hybrid vehicle system
US20240072639A1 (en) Junction Box Having Parallel Switch Failure Detection
Oswald et al. Design Considerations for an On-Board Computer System

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18871695

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2019550964

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18871695

Country of ref document: EP

Kind code of ref document: A1